|
I'm trying to improve the way we're doing some things with Powershell on a project I'm working on, particularly working with credentials. I've been doing some experimentation with the PSCredential object type, more or less using the method described here. Everything seems to work pretty well. The script I want to use this in gets executed from a variety of machines, but always as the same domain user. I copied the encrypted password file I created to a different server, but when I executed code:
|
# ¿ Feb 14, 2012 22:23 |
|
adaz posted: Correct, the key it generates is machine specific. If you need to run the script on multiple machines this is a decent enough workaround (to be honest, I've forgotten how I have worked around this in the past): http://powertoe.wordpress.com/2011/06/05/storing-passwords-to-disk-in-powershell-with-machine-based-encryption/

Thanks for the link, that's an interesting approach. I only have a few different servers to work with, so having to create a separate password file is more annoying than anything else. I think I'll just do it that way, I was really just wanting some confirmation before I wasted any more time trying to figure out why it wasn't working.
|
# ¿ Feb 14, 2012 23:40 |
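The machine-specific behaviour discussed above comes from ConvertFrom-SecureString falling back to Windows DPAPI when no key is supplied. The following is an added example, not code from any poster or from the linked article, showing the DPAPI default beside an explicit AES key passed with -Key, which lets the same file be decrypted on another machine; the paths, account name and sample password are constructed placeholders.

```powershell
# Added example. Paths, account name and password are constructed placeholders.
$dir       = Join-Path $env:TEMP 'cred-demo'
$keyFile   = Join-Path $dir 'cred.key'
$aesFile   = Join-Path $dir 'password-aes.txt'
$dpapiFile = Join-Path $dir 'password-dpapi.txt'
$userName  = 'EXAMPLE\svc-automation'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# In real use, prompt instead: $secure = Read-Host -Prompt 'Password' -AsSecureString
$secure = ConvertTo-SecureString 'Constructed-Sample-Pw1!' -AsPlainText -Force

# Default (no -Key): DPAPI. This file only decrypts for the same user on the same machine.
$secure | ConvertFrom-SecureString | Set-Content -Path $dpapiFile

# Portable: generate a random 32-byte key (AES-256) and encrypt with it.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyFile, $key)
$secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $aesFile

# The key file is now the real secret: drop inherited ACEs and let only the
# account running this script read it.
icacls $keyFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):R" | Out-Null

# On any machine that has both files: rebuild the credential object.
$key2    = [System.IO.File]::ReadAllBytes($keyFile)
$secure2 = Get-Content -Path $aesFile | ConvertTo-SecureString -Key $key2
$cred    = New-Object System.Management.Automation.PSCredential($userName, $secure2)

# Round-trip check against the constructed sample value.
$cred.GetNetworkCredential().Password -eq 'Constructed-Sample-Pw1!'
```

With -Key, anyone who can read both the key file and the password file can recover the password, so the key file's ACL and distribution path carry the protection that DPAPI provided implicitly.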
|
Wicaeed posted: What's the easiest way to break out of a scriptblock in Powershell? I have a script that will generate quite a few errors if a variable is not set, which can happen if it is a certain date.

It's purely a matter of style, but I find it cleaner to do something like code:
|
# ¿ Mar 1, 2012 10:28 |
|
RICHUNCLEPENNYBAGS posted: So does Powershell just lack shortcuts to jump around text, or do I just not know them, or what? Like in bash you have a ton of shortcuts like ^a for the beginning of the line, alt-f to go forward one word, ^w to delete a word, etc, but apparently you just have to hold down the arrow button forever to do this kind of stuff with Powershell which is annoying.

Try home and end. Ctrl -> and ctrl <- will go one word at a time. That's not just powershell though, that's standard Windows behavior.
|
# ¿ Mar 6, 2012 03:24 |
|
GPF posted: And, Phone, Import-CSV and Get-Content were brought to us by $deity itself.

Yeah, the ease of reading from and writing to files is really nice. The more I use it, the more I like it to be honest. A project I'm working on is using a shitton of legacy VBScript, and I wish they would rework this poo poo to use PS instead for a variety of reasons. The biggest one being that the cscript/wscript engine has a totally sexy bug where it may not always return the exit code you specify in your script to the calling process.
|
# ¿ Mar 7, 2012 16:56 |
|
Getting an unexpected error with a script I've used successfully on other servers without any problems: code:
Anyway, I get the following error:

ConvertFrom-SecureString: The system cannot find the file specified

Some googling implies that this might be a UAC thing, can anyone confirm? I don't think it's related to c:\passwordfile.txt, since I would expect an error to be thrown on Set-Content in that case.
|
# ¿ Mar 15, 2012 18:09 |
|
I'm sorry, I was a little extreme in my script sanitizing. I'm writing my file to a directory, not the root. The path definitely exists, but regardless if it were an issue creating that file wouldn't the error get thrown on Set-Content? I have some additional error text too that will probably be helpful, but I had to jump back on a vpn which blocks sa. I'll try to remember to post later.

e: Just realized I can ssh to home and get to the forums that way. Here's the full output: code:
stubblyhead fucked around with this message at 18:39 on Mar 15, 2012 |
# ¿ Mar 15, 2012 18:34 |
|
adaz posted: SecureString and convert-SecureString requires you to use the same user account to decrypt the password as you used to encrypt it. Are you encrypting the save file with another user account then running it on the server under a different account?

This is the script which is going to create that encrypted file to be used later; there's no decryption happening at all in this script. The very same script has worked without error on other servers, but I have limited visibility to see what kind of settings might be different on this one compared to those.
|
# ¿ Mar 15, 2012 19:01 |
|
adaz posted: If that's the case I'm guessing it is going to be something more esoteric, perhaps a different version of .NET? Are the servers you're having the issue on older/newer/have anything at all in common? Does your account not have admin permissions on those servers?

I'm going to go with 'esoteric' as well. The account I'm using is an enterprise admin, so it should be able to do anything it wants on that server. That's one of the reasons I can't do this interactively actually--I'm not permitted to log in to the remote server with my personal account, and I can only use that admin account in automation scripts and crap like that. So basically I have the whole thing wrapped up into a process that runs powershell on the remote server (authenticating as the admin user) and executes the script.

It's a moot point anyway though. I finally just asked one of my colleagues with greater access to do it for me. Same script worked perfectly logged into the server as that user, so I don't know what the gently caress. Hopefully I'll be able to actually read it as a secure string later on.
|
# ¿ Mar 15, 2012 23:40 |
|
adaz posted: Is your account actually blocked from logging into the server via GPO or something not just like a IT policy? If that's the case that would explain it. The secure cmdlets actually require a profile to be created and for the given user to "log onto" the machine before they will work. I ran into it before when doing scheduled tasks with cmdlets and secure strings, since the profile wasn't loaded I got a generic cryptographic error.

Hmm, interesting... my personal account is not in the remote users for that machine, but the service account is--I'm just barred from using it that way by IT policy. I'm spawning that powershell process in such a way that the target server doesn't even know my personal account exists, but it's entirely possible that the service account didn't have a profile on this server. I was able to decrypt that file and use it in a credentials object though. My friend remoted in using the service account, so if it was a matter of the profile not existing that would have fixed it.
|
# ¿ Mar 16, 2012 00:42 |
|
Thrawn200 posted: I get an error saying that "The term 'C:\whatever\$path\is' is not recognized as the name of a cmdlet, function, script file, or operable program."

Is this a typo on your part, or is that actually in the error message?

adaz posted: Also the equivalents to most of that stuff you're talking about in batch files can be found by doing a cd ENV: and then a dir, just as a quick and easy reference although there are plenty more. So ENV:SystemDrive is the system dir.

Neat, I didn't know you could do this. Have a technet link or something for some further reading?
|
# ¿ Mar 27, 2012 01:28 |
|
adaz posted: To get started what I'd use is a function I wrote long ago and my normal method of avoiding export-CSV's... eccentricities. Yes it would be a glorious world where we could just pipe the DataSet to export-csv and it'd handle it gracefully... unfortunately that world doesn't exist.

Sorry to quote from so far back, but good lord you are not kidding about this cmdlet. I have a multi-line comma-delimited string, you stupid piece of poo poo! Why won't you let me just pipe it straight in!
|
# ¿ Mar 31, 2012 04:40 |
|
Jelmylicious posted: If it is already comma delimited, just pipe it to a text file with .csv as its extension.

welp guess that would have worked too. I figured out a lot of poo poo in the process of getting this to work though, so it wasn't a total wash.
|
# ¿ Mar 31, 2012 09:22 |
|
adaz posted: This might or might not work depending on the encoding parameters and the parser, I've had issues with it before. In general I find it easier to use the creating your own object approach.

Yeah the comments in your code from a few pages back were really helpful. I was using a script one of my colleagues wrote as a template, and he did it in basically the same way. He didn't comment his code though, so I had no idea what he was doing and subsequently left out some pretty important stuff in my own script.
|
# ¿ Apr 1, 2012 02:06 |
|
adaz posted: As a note, and I missed this last week, but the beta of powershell 3.0 is out: http://www.microsoft.com/download/en/details.aspx?id=28998

Has the public beta for Powershell 3 been discontinued? This link is dead now.

e: n/m, found a new link http://www.microsoft.com/en-us/download/details.aspx?id=29939

stubblyhead fucked around with this message at 04:25 on Jun 9, 2012 |
# ¿ Jun 9, 2012 04:18 |
|
adaz posted:Negatives: It also inserts spaces instead of tab characters, which bothers me to no end. I really don't want to bring back the Great Indent Wars though, so I'll say no more about it.
|
# ¿ Jun 14, 2012 07:23 |
|
kampy posted: Yeah, kind of. Usedefaultcredentials is false by default, so you'll need to set it to true.

Correct, see here. To be clear, this will use the same credentials as whatever user is running the script, so make sure whatever is running it (scheduled task, background service, whatever) has the authorization to do what's necessary.
|
# ¿ Aug 7, 2012 18:09 |
|
Drumstick posted: I'm not as familiar with using powershell in that way kampy. It seems like every so often a problem comes up and I know powershell is capable of handling it in a much easier fashion. I have a hard time distinguishing when to use that form(?) over the one I posted.

As an object lesson, let's look at the example kampy used. Look at the online help for Get-ADUser (Get-Help Get-ADUser -full). Just before the list of examples, it says its output type is Microsoft.ActiveDirectory.Management.ADUser. If there's a lot of these, it'll just be an array of ADUser objects instead of only one. Now look at the help for Add-ADPrincipalGroupMembership. Under the -Identity parameter, ADUser is listed as a valid input type. It also says that it accepts pipeline input, which means we can run the first command, pipe it into the second, and it will automatically act on each object one at a time. Functionally there's no difference between doing code:
|
# ¿ Aug 9, 2012 02:30 |
|
kampy posted: Both ways work identically when adding users from an OU to a group as long as none of the users is a member of said group. However if one of the users fetched by Get-ADUser is already a member of the group, none of the users will get added when passing the user objects through a pipeline.

Are you sure that is correct? The way I understand it, only one object gets passed from the pipeline at a time, so the cmdlet wouldn't have any notion that there were other objects, much less that some were already in the security group. It doesn't look like -Identity even accepts an array as input.
|
# ¿ Aug 9, 2012 16:13 |
|
stubblyhead posted: Are you sure that is correct? The way I understand it, only one object gets passed from the pipeline at a time, so the cmdlet wouldn't have any notion that there were other objects, much less that some were already in the security group. It doesn't look like -Identity even accepts an array as input.

OK, a little more detail now that I've had a chance to experiment and refresh my memory a bit. Passing an array in by pipeline will hit the function all at once, but it will run the PROCESS block once for each object instead of only a single time if it were passed as a parameter. Take the following: code:

begin block
process block a
process block b
process block c
end block

Trying to do Do-Stuff -things "a","b","c" would throw an error because it can't take an array of strings in that parameter. If we did allow that, our output would be

begin block
process block a b c
end block

I guess it is possible that the cmdlet has some functionality in the BEGIN block that would halt if any of the users were already in the target group, but that would be a really bizarre thing to do IMO.
|
# ¿ Aug 9, 2012 19:17 |
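The BEGIN/PROCESS/END behaviour described in the post above can be reproduced with the following added example; it is not the poster's original code, which did not survive on this page. Do-Stuff and -things are the names used in the post, while Do-StuffArray is a hypothetical variant whose parameter accepts an array.

```powershell
# Added illustration; Do-StuffArray is a hypothetical name for comparison.
function Do-Stuff {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$things            # scalar: one string per PROCESS call
    )
    begin   { "begin block" }
    process { "process block $things" }
    end     { "end block" }
}

function Do-StuffArray {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$things          # array: a whole list may be bound at once
    )
    begin   { "begin block" }
    process { "process block $things" }
    end     { "end block" }
}

# Pipeline input: BEGIN and END run once, PROCESS runs once per item.
"a","b","c" | Do-Stuff

# Named-parameter input with an array fails to bind to a [string] parameter.
try   { Do-Stuff -things "a","b","c" }
catch { "binding failed: $($_.Exception.Message)" }

# With a [string[]] parameter the array binds as one value, so PROCESS runs once.
Do-StuffArray -things "a","b","c"

# Piping to the array version still calls PROCESS once per item,
# each time with a one-element array.
"a","b","c" | Do-StuffArray
```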
|
FISHMANPET posted: I'll see if I can give it a try, as long as I don't need to put it into DNS, because AD doesn't control DNS, we have to go to the dark overlords to get SRV records put in.

It can be installed on 2008 also, so if you have a sandbox environment already you could just put it on there.
|
# ¿ Aug 16, 2012 06:22 |
|
Am I going about things in entirely the wrong way, or is handling HTTP requests a very cumbersome process in Powershell? For instance, if I wanted to get google's homepage, I could do something like this: code:
|
# ¿ Sep 19, 2012 01:24 |
|
kampy posted: That's pretty much the way it goes in PowerShell v2, in v3 you can use Invoke-WebRequest http://www.google.com

Good thing I'm using PS 3.0! This is about 1000% simpler, thanks for the tip!
|
# ¿ Sep 19, 2012 17:12 |
|
Swink posted: Anyone else getting a shitload of yellow warning errors with 3.0? I'm getting them with every command. Although it might be the exchange2010 snapin I'm using.

I haven't had any problems with warnings myself. I have had some issues with Get-Help though, mostly that it wants to download updates to it frequently. It hasn't done it for a while though, but when I first installed it it would try the first time I'd use it in a session.
|
# ¿ Sep 21, 2012 16:27 |
|
kampy posted:I don't have the exchange cmdlets installed, but you might want to consider using select and Export-Csv there instead of format-table, something like this should work: Yeah, Import-csv is a POS, but export works pretty well. You don't need to do that sort of redirection in powershell.
|
# ¿ Sep 30, 2012 07:18 |
|
Wicaeed posted: So this is kind of a stupid question:

I'm pretty sure dropping things like that is equivalent to running code:
|
# ¿ Nov 29, 2012 02:33 |
|
A question about error handling for you guys. I'm working with the vmWare powerCLI, but the concepts I'm wondering about should be universal. So I have some try-catch blocks kind of like this: code:
I was planning to just add something like this to the try block: code:
|
# ¿ Dec 18, 2012 20:48 |
|
-Dethstryk- posted: Does anyone know the optimal (if any) way I could store date/time information in Excel's date-time code, so that when I write out CSV's that for log script utilities I can just open them up and Excel can easily know what they are? If I didn't need the time I could just import the data pretty easily, but I can't figure out a way to import the time part of it.

If you have it as a DateTime object you can use the ToOADate() method to convert it. code:
|
# ¿ Jan 11, 2013 02:30 |
|
How would you guys handle this kind of situation? I want to randomly arrange a collection. I can do it like this: code:
|
# ¿ Feb 5, 2013 23:21 |
|
Thanks, will try this out tomorrow.
|
# ¿ Feb 6, 2013 08:07 |
|
What you want to use are Get-ACL and Set-ACL. Take some directory that has permissions the way you want them, and do something like code:
code:
|
# ¿ May 10, 2013 19:14 |
|
I need to do some remote admin on an AWS instance using powershell, but the machine I need to do it from can only access the web through a proxy server. Assuming the AWS server is configured correctly am I correct in thinking that all I need to do is specify the proxy details with New-PSSessionOption and feed that into New-PSSession?
|
# ¿ Jun 30, 2015 22:59 |
|
Are you using an elevated prompt?
|
# ¿ Jul 1, 2015 15:14 |
|
Briantist posted: I've never tried it before, but yeah that's how it should work. You could also use the PSSessionOption object in Invoke-Command or Enter-PSSession, and you can set the $PSSessionOption variable to set the default options going forward.

I'm not sure if I'm doing the session settings wrong or if it's AWS fuckery getting in my way. If I'm reading it right winrm is only listening on its private IP addresses, and indeed the public IP isn't even listed for any of the adapters. I'm guessing Amazon NATs that out or something, but regardless the winrm service doesn't seem to be accessible from the internet at large.
|
# ¿ Jul 1, 2015 21:13 |
|
It wasn't the Windows firewall, but you're on the right tack. When you start AWS instances you assign security groups that specify what kind of traffic you want to allow, and the group I used for my test server didn't have the right ports open. A couple quick changes and I can get in.

e: Actually I spoke too soon. I am able to connect directly to the instance, but going through a proxy appears to require https. A certificate is required to start an https listener, and I'm not sure a self-signed one will pass muster with my client (no CA in AWS we can use, and setting one up will probably get shot down as well). I think this is becoming more of an AWS question than a PS question, so I think I'll bow out at this point.

stubblyhead fucked around with this message at 23:00 on Jul 1, 2015 |
# ¿ Jul 1, 2015 22:39 |
|
stubblyhead posted: e: Actually I spoke too soon. I am able to connect directly to the instance, but going through a proxy appears to require https. A certificate is required to start an https listener, and I'm not sure a self-signed one will pass muster with my client (no CA in AWS we can use, and setting one up will probably get shot down as well). I think this is becoming more of an AWS question than a PS question, so I think I'll bow out at this point.

In the unlikely event anyone cares, the client didn't give a poo poo about self-signed certificates since these are short-lived servers by design. I actually just copied the Remote Desktop cert into Personal and skipped CA and CN checks. I hit a minor roadblock due to their proxy being a butthead, but switching the WinRM service to listen on 443 instead of 5986 took care of that. The powershell part to this was actually really simple, it was all the other layers that caused problems.
|
# ¿ Jul 6, 2015 22:36 |
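The client side of the setup described in the last post, as an added example that is not the poster's script: WinRM over HTTPS on port 443 through a proxy, first with the CA and CN checks skipped as described, then with the server's self-signed certificate trusted explicitly so both checks stay enabled. The host name, certificate path and proxy access type are assumptions.

```powershell
# Constructed placeholders; none of these values come from the thread.
$server   = 'ec2-host.example.com'
$certFile = 'C:\certs\ec2-host.cer'    # public certificate exported from the server
$cred     = Get-Credential

# As described in the post: accept the self-signed certificate by skipping
# validation. Traffic is encrypted, but the server's identity is not verified,
# so anything that can intercept the connection can present its own certificate.
$loose = New-PSSessionOption -ProxyAccessType IEConfig -SkipCACheck -SkipCNCheck
$s1 = New-PSSession -ComputerName $server -UseSSL -Port 443 `
                    -Credential $cred -SessionOption $loose

# Stricter variant: trust that one certificate on the client and keep both checks.
# Assumes the name in $server matches the certificate subject; importing into
# the machine store needs an elevated prompt.
Import-Certificate -FilePath $certFile -CertStoreLocation Cert:\LocalMachine\Root |
    Out-Null
$strict = New-PSSessionOption -ProxyAccessType IEConfig
$s2 = New-PSSession -ComputerName $server -UseSSL -Port 443 `
                    -Credential $cred -SessionOption $strict

# Same remote command over either session.
Invoke-Command -Session $s2 -ScriptBlock { $env:COMPUTERNAME }

Remove-PSSession -Session $s1, $s2
```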