Category Archives: mvp

01Nov/17

PowerShell + DevOps Global Summit 2018 Tickets Are On Sale

Registration for the PowerShell + DevOps Global Summit just opened today. This thing sells out every year so now is the time to start getting approval to attend if you need it, and buy a ticket.

Check out the event brochure for info about the conference. You can use it as leverage to convince whoever needs convincing that you should go. The PowerShell + DevOps Global Summit speaker line up and session schedule is also up right now, and as you’ll see, it’s absolutely stacked. This is also a great chance to meet people who work at Microsoft on the PowerShell (and other) teams, as well as a bunch of MVPs at the top of this field. Make no mistake, this is a crazy good networking opportunity.

There are limited hotel discount codes available, and plane tickets will probably only rise in price as you wait, so get on it if you’re going to come!

Some of the sessions I’m most excited for are Kirk Munro’s Become a PowerShell Debugging Ninja, Warren Frame’s Connecting the Dots with PowerShell, Eli Hess’ PowerShell IoT, Ryan Coates’ Build Release Pipeline Model For Mere Mortals, Will Anderson’s Automate Problem Solving with PowerShell, Azure Automation and OMS, and of course the session that I’m presenting, A Crash Course in Writing Your Own PSScriptAnalyzer Rules.

It’s going to be really hard to go to a “bad” session, though. With this line up, it’s going to be impossible not to learn something valuable no matter which sessions you attend.

Hope to see you there!

21Nov/16

PowerShell 10 Year Anniversary Code Golf Winners

For the PowerShell 10 Year Anniversary, Will Anderson (@GamerLivingWill on Twitter) and I (@MrThomasRayner on Twitter) ran a three-hole code golf competition on code-golf.com, a site developed by fellow MVP Adam Driscoll.

Here is the link to all the background info on the competition: https://github.com/ThmsRynr/PS10YearCodeGolf . Check this page out for links to the individual holes, too.

So, without further delay, let’s announce the winners!

Hole 1

The challenge was to get all the security updates installed on the local computer in the last 30 days and return the results in the form of a [Microsoft.Management.Infrastructure.CimInstance] object (or an array of them).

The winner of this hole is Simon Wåhlin. Here is their 46 character submission.

gcls *ix* gets the CimClass win32_quickfixengineering and % *mC*e gets the CimClassName property. gcim is an alias for Get-CimInstance which, as per the previous section, is getting the win32_quickfixengineering class. The results are piped into the where-object cmdlet where the property matching the pattern I*n (which happens to be InstalledOn) is greater than the current date, minus 30 days.

Hole 2

The challenge was to get the top ten file extensions in c:\windows\system32, only return 10 items and group results by extension.

The winner of this hole is Simon Wåhlin again. Here is their 42 character submission.

ls c:\*\s*2\*.* means Get-ChildItem where the path is c:\<any directory>\<a directory matching s*2>\<files, not directories> and this pattern only matches the path c:\windows\system32\<files>. This is piped into the foreach-object cmdlet to retrieve the property that matches the pattern E*n, which is the Extension property. The extensions are piped into the sort-object cmdlet, sorted by the property that matches the pattern c*, which is count, and returned in descending order. This is an array, and the items in positions 0-9 are returned.

There were shorter submissions for this hole that didn’t explicitly target c:\windows\system32 and therefore missed the challenge. You could not assume we were already on c: or running as admin, etc. Some solutions included folders in the results which also missed the challenge.

Hole 3

The challenge was to get all the active aliases that are fewer than three characters long and do not resolve to a Get- command. For this hole, even though it wasn’t in the Pester test, you had to assume that non-standard aliases might be on the system. That’s why we specifically mentioned that we didn’t want you to return aliases that resolve to Get-*, and the Pester test checked the ResolvedCommand.Name property of the aliases you returned.

To break some submissions that didn’t check what the aliases resolved to, you could just run New-Alias x Get-ChildItem to create a new alias of ‘x’ that resolves to Get-ChildItem.

The winner of this hole is EdijsPerkums. Here is their 24 character submission.

Get-Alias is passed an array of regex patterns, ?,?? which corresponds to one and two characters. The results are piped into the where-object cmdlet to isolate aliases whose property that matches the pattern Di* (DisplayName) doesn’t match Get.
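The three winning one-liners are not reproduced above, so here is an added example of my own (not any contestant’s submission) that solves all three holes in readable, un-golfed form, each as a function. The last few lines repeat the trap described for Hole 3: a short alias that resolves to a Get- command is created and the function is checked to make sure it leaves it out. It assumes a Windows host with the CIM cmdlets available.

```powershell
# Added example: readable solutions for the three code golf holes, each wrapped
# in a function so the result can be checked. Not the winning submissions.

function Get-RecentSecurityUpdate {
    # Hole 1: hotfixes installed on the local machine in the last $Days days,
    # returned as [Microsoft.Management.Infrastructure.CimInstance] objects.
    [CmdletBinding()]
    param([int]$Days = 30)

    $cutoff = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Where-Object { $_.InstalledOn -gt $cutoff }
}

function Get-TopExtension {
    # Hole 2: the ten most common file extensions in C:\Windows\System32.
    # -File excludes directories (the way several entries missed this hole) and
    # the path is spelled out rather than assuming the current drive is C:.
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Windows\System32',
        [int]$Top = 10
    )

    Get-ChildItem -Path $Path -File |
        Group-Object -Property Extension |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top
}

function Get-ShortNonGetAlias {
    # Hole 3: aliases of one or two characters that do not resolve to a Get-*
    # command. The test is on ResolvedCommand.Name (what the Pester test
    # inspected), so "x -> Get-ChildItem" is excluded whatever it is named.
    # An alias whose target no longer exists has a null ResolvedCommand and
    # is kept, since it does not resolve to a Get- command.
    [CmdletBinding()]
    param()

    Get-Alias |
        Where-Object {
            $_.Name.Length -lt 3 -and
            $_.ResolvedCommand.Name -notlike 'Get-*'
        }
}

# Self-check for hole 3, mirroring the trap described in the post: define a
# short alias that resolves to a Get- command and confirm it is not returned.
New-Alias -Name x -Value Get-ChildItem -ErrorAction SilentlyContinue
$result = @(Get-ShortNonGetAlias)
if ($result.Name -contains 'x') {
    throw 'Hole 3 check failed: alias x resolves to Get-ChildItem and must be excluded'
}
if ($result | Where-Object { $_.Name.Length -ge 3 }) {
    throw 'Hole 3 check failed: an alias of three or more characters was returned'
}
'Hole 3 check passed: {0} short non-Get aliases found' -f $result.Count
```

Each function returns the same kind of object the hole asked for, so the original Pester tests (type of the Hole 1 output, count and grouping of Hole 2, ResolvedCommand.Name of Hole 3) can be run against them unchanged.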

Congratulations to all the winners! We will be in touch to get you your prizes. We hope you all had fun with this mini-competition. Don’t forget to check out all the terrific material from the PowerShell 10 Year Anniversary on Channel 9!

19Nov/15

Just Enough Administration (JEA) First Look

If you’re reading this, it means that Windows Server 2016 Technical Preview 4 is released (currently available on MSDN) and one of the new features that’s available is Just Enough Administration (JEA)! Until now, you could use DSC to play with JEA but now it’s baked into Windows Server 2016.

If you’re not sure what JEA is or does, check out this page published by Microsoft.

So how do you get started?

JEA gets put together like a module. There are a bunch of different ways to dive in, but for convenience, I’m just covering this one example. Build on it and learn for yourself how JEA can work for you specifically!

First things first, make a new directory in your modules folder and navigate to it.

So far, so easy. Now, we’re going to use the brand new JEA cmdlets to configure what is basically our constrained endpoint.

This PSSC is the first of two files we’re going to make. It’s a session config file that specifies the role mappings (we’ll get to roles in a second) and some other general config settings. A PSSC file looks like this.

If you’ve ever authored a PowerShell module before, this should look familiar. There are only a few things you need to do here. The first is to change the value for SessionType to RestrictedRemoteServer. You need to set this in order to actually restrict the user connections.

You can enable RunAsVirtualAccount if you’re on an Active Directory Domain. I won’t get too deep into what virtual accounts do because my example is just on a standalone server.

The other important task to do is define the RoleDefinitions line. This is a hashtable where you set a group (in my case, local to my server) assigned to a “RoleCapability”. In this case, the role I’m assigning is just named “testers” and the local group on my server is named “test users”.

Save that and now it’s time to make a new directory. Roles must be in a “RoleCapabilities” folder within your module.

Now we are going to continue using our awesome new JEA cmdlets to create a PowerShell Role Capabilities file.

It’s very important to note here that the name of my PSRC file is the same as the RoleCapability that I assigned in the PSSC file above.

PSRC files look like this. Let’s point out some of the key areas in this file and some of the tools you now have at your disposal.

Think of a PSRC as a giant white list. If you don’t explicitly allow something, it’s not going to happen. Because PSRCs all act as white lists, if you have users who are eligible for more than one PSRC (through more than one group membership/role assignment in a PSSC), the access a user gets is everything that’s white listed by any role the user is eligible for. That is to say, PSRCs merge if users have more than one that apply.

Let’s skip ahead to line 25. What I’m doing here is white listing any cmdlet that starts with Get- or Measure- as well as Select-Object. Inherently, any of the parameters and values for the parameters are whitelisted, too. I can hear you worrying, though. “What if a Get- command contains a method that allows you to write or set data? I don’t want that!” Well, rest assured. JEA runs in No Language mode which prevents users from doing any of those shenanigans.

Also in line 25, I’m doing something more specific. I’m including a hashtable. Why? Because I want to allow the New-Item cmdlet but only certain parameters and values. I’m allowing the ItemType parameter but only if the user sets it to Directory. I’m allowing Force, which doesn’t take a value. I’m also allowing the Path attribute, but, only a specific path. If a user tries to use the New-Item cmdlet but violates these rules, the user will get an error.

On line 19, I can import specific modules without opening up the Import-Module cmdlet. These modules are automatically imported when the session starts.

On line 28, we can make specific functions available to connecting users.

Line 31 is interesting. Here I’m making an individual script available to the connecting user. The script contains a bunch of commands that I haven’t white listed, so, is the user going to be able to run it? Yes. Yes they are. The user can run that script and the script will run correctly (assuming other permissions are in place) without having the individual cmdlets white listed. It is a bad idea to allow your restricted users to write over scripts you make available to them this way. 

On line 37, you can basically configure a login script. Line 40 lets you define custom aliases and line 43 lets you define custom functions that only exist in these sessions. Line 46 is for defining custom variables (like $myorg = ‘ThmsRynr Co.’) which can be static or dynamic.

With these tools at your disposal, you can configure absolutely anything about a user’s session and experience. Sometimes, you might have to use a little creativity, but anything is possible here.

Lastly, you need to set up the JEA endpoint. You can also overwrite the default endpoint so every connection hits your JEA config but you may want to set up another unconstrained endpoint just for admins… just in case.

That’s it. You’re done. Holy, that was way too easy for how powerful it is. Now when a user wants to connect, they just run a command like this and they’re in a session limited like you want.

If they are in my local “Test Users” group, they’ll have the “testers” role applied and their session will be constrained like I described above. You’ll need to make sure your test users have permissions to remotely connect at all, though, otherwise the connection will be rejected before a JEA config is applied.
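The PSSC and PSRC listings the line numbers above refer to aren’t reproduced here, so the following is an added example of my own (not the files from the original post) that builds the whole endpoint end to end with the same JEA cmdlets: module folder, session configuration, role capability, registration, and a check of what a member of the group would actually get. It assumes Windows Server 2016 TP4 or later, an elevated session on a standalone server, a local group named “test users” containing a local user named testuser, and an endpoint/module name of JEATest; the script path, the C:\Temp\Testers directory and the helper script are hypothetical.

```powershell
# Added example: build the JEA endpoint described in the post from scratch.
# Assumes an elevated session, a local group "test users" with a member
# "testuser", and hypothetical paths. Not the listings from the original post.

$ModuleName = 'JEATest'
$ModulePath = Join-Path 'C:\Program Files\WindowsPowerShell\Modules' $ModuleName
$RolePath   = Join-Path $ModulePath 'RoleCapabilities'   # JEA only looks here for .psrc files
$TesterDir  = 'C:\Temp\Testers'                          # the one path New-Item will be allowed to use

# 1. Module folder, RoleCapabilities folder, and a script we will expose as a whole.
New-Item -Path $RolePath, $TesterDir -ItemType Directory -Force | Out-Null
$ScriptPath = Join-Path $ModulePath 'Get-RunningServices.ps1'   # hypothetical helper script
Set-Content -Path $ScriptPath -Value 'Get-Service | Where-Object Status -eq Running'

# 2. Session configuration (.pssc). RestrictedRemoteServer is what actually
#    constrains the session (NoLanguage mode, a minimal set of built-in commands).
#    RoleDefinitions maps a group to the role capability name used in step 3.
$PsscPath = Join-Path $ModulePath "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RoleDefinitions @{ 'test users' = @{ RoleCapabilities = 'testers' } }
# On a domain member you would add -RunAsVirtualAccount and key the table by 'DOMAIN\group'.

# 3. Role capability (.psrc). The file name must equal the RoleCapabilities
#    value above. Everything listed is an allow list; anything else is absent.
$VisibleCmdlets = @(
    'Get-*', 'Measure-*', 'Select-Object',
    @{
        Name       = 'New-Item'           # allowed, but only with these parameters/values
        Parameters = @(
            @{ Name = 'ItemType'; ValidateSet = 'Directory' },
            @{ Name = 'Force' },
            @{ Name = 'Path';     ValidateSet = $TesterDir }
        )
    }
)
$PsrcPath = Join-Path $RolePath 'testers.psrc'
New-PSRoleCapabilityFile -Path $PsrcPath `
    -ModulesToImport 'Microsoft.PowerShell.Management' `
    -VisibleCmdlets $VisibleCmdlets `
    -VisibleExternalCommands $ScriptPath `
    -AliasDefinitions @{ Name = 'gsvc'; Value = 'Get-Service' } `
    -FunctionDefinitions @{ Name = 'Get-Greeting'; ScriptBlock = { "Welcome to $myorg" } } `
    -VariableDefinitions @{ Name = 'myorg'; Value = 'ThmsRynr Co.' }

# 4. Validate the session configuration before touching WinRM, then register.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file failed validation: $PsscPath"
}
Register-PSSessionConfiguration -Name $ModuleName -Path $PsscPath -Force | Out-Null

# 5. What would a member of "test users" actually see? Get-PSSessionCapability
#    answers without a logon. Expect New-Item and Get-Service present, Set-Service absent.
$cap = Get-PSSessionCapability -ConfigurationName $ModuleName -Username "$env:COMPUTERNAME\testuser"
$cap | Where-Object Name -in 'New-Item', 'Get-Service', 'Set-Service', 'Get-Greeting', 'gsvc' |
    Select-Object Name, CommandType

# 6. A group member connects like this (they also need remote logon rights):
#    Enter-PSSession -ComputerName localhost -ConfigurationName $ModuleName `
#        -Credential (Get-Credential "$env:COMPUTERNAME\testuser")
```

Step 5 is the check worth keeping around: after any change to the PSSC or PSRC, running Get-PSSessionCapability for a representative user shows the merged result of every role that user is eligible for, which is the only reliable way to confirm that a broad pattern like Get-* didn’t expose more than intended.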

I can think of a bunch of use cases for JEA. For instance…

1. Network Admins
I’d like my network admins to be able to administer DHCP and DNS on our Windows servers which hold these roles without having carte blanche admin rights to everything else. I think this would involve limiting the cmdlets available to those including *DHCP* or *DNS*.
2. Certificate Management
We use the PSPKI module for interacting with our Enterprise PKI environment. For this role, I’d deploy the module and give users permissions to use only the PSPKI cmdlets. I’d use the Windows CA permissions/virtual groups to allow or disallow users to manage the CA, manage certificates, or just request certificates.
3. Code Promotion
Allowing people connecting via JEA to read/write only certain areas of a filesystem isn’t practical. The way I’d get around this is to allow access to run only one script which performed the copy commands or prompted for additional info as required. You could mix this in with PowerShell Direct and promote code to a server in a DMZ without opening network holes or allowing admin access to a DMZ server.
4. Service Account for Patching
We have a series of scripts that apply a set of rules and logic to determine if a server needs to be patched or not. All it needs to do is perform some WMI queries, communicate with SCCM (which has the service installed to actually do the patching) and reboot the server. Instead, right now, that service account has full admin rights on the server.
5. Help Desk
Everybody’s help desk is different but one job I’d like to send to my help desk is some limited Active Directory management. I’d auto-load the AD module and then give them access to very restricted cmdlets and some parameters. For instance, Get-ADUser and allow -Properties but only allow the memberof, lockedout, enabled and passwordlastset values. I might also allow them to add users to groups but only if the group was in a certain OU or matched a certain string (ie: if the group ends in “distribution list”).
6. Print Operators
We have a group of staff on-site 24/7 that service a giant high speed print device. There are a number of servers that send it jobs and many are sensitive. I’d like to give the print operators group permissions to reach out and touch these servers only for the purposes of managing print jobs.
7. Hyper-V Admins/Host Management
These guys need the Hyper-V module and commands within it as well as some limited rights on the host, like Get WMI/CIM objects but not the ability to set WMI/CIM objects.

Get playing!

The possibilities of what you can do with JEA are endless. While the DevOps mentality is flourishing, the need to enable access to different systems is growing. With JEA, you can enable whatever kind of access you need, without enabling a whole bunch of access you don’t. That’s probably why it’s called “Just Enough Administration”.

28Sep/15

Sharing: MVPDays YEG Presentation Material

Last week, I had the distinct pleasure of speaking twice at MVPDays in Edmonton. I did two sessions. The first was titled “PowerShell 5.0 – A Brave New World” where Sean Kearney and I introduced the tip of the iceberg that is all the new stuff in PowerShell 5.0. The other session I did was on my own, titled “Going From PowerShell Newbie to PowerShell Ninja”. In the latter session, I promised to share some things today, and I’m here to deliver.

OPML File of Blogs I Follow – This is a file that you can import into any modern RSS reader. I follow 40+ blogs on PowerShell, technology and related topics. Feel free to take a look through the blogs I’ve endorsed here and follow all of them, or just the ones that make sense to you. Among these blogs are the premier resources I mentioned in my session: Hey, Scripting Guy! and PowerShell.org.

My PowerShell People Twitter List – If you’re looking to find people on Twitter who are knowledgeable about PowerShell, take a look at this list I curate. You can follow the whole list or take a look at these people I personally follow and recommend. Remember, Twitter is a great way to get introduced to new resources and connect with like-minded people. Follow the #PowerShell hashtag and join in for #MVPHour every other Monday.

Subscribe to the EMUG Mailing List – If you live in the Edmonton area and enjoyed MVPDays, you should consider signing up for the Edmonton Microsoft User Group mailing list, if you aren’t signed up already. This is the best way to stay informed about when similar events will be occurring. In fact, EMUG hosts several events throughout the year just for our members. Check out PowerShellGroup.org to find other regional PowerShell user groups who share their content, or join the virtual group.

And, of course, you can find me on Twitter (best way to reach me) and LinkedIn.

Good luck on your journey from PowerShell Newbie to PowerShell Ninja, and happy scripting!

04Aug/15

My August 2015 Scripting Puzzle Solution

If you haven’t heard, PowerShell.org is taking the lead on organizing the PowerShell Scripting Games. There’s a new format that involves monthly puzzles. Here’s their post on August’s puzzle: http://powershell.org/wp/2015/08/01/august-2015-scripting-games-puzzle/

Here is my solution. The instructions are to get information back from a JSON endpoint (read more about it in the link above).

First things first, here’s how I did the one-liner part.

This brings back exactly what Mr. Don Jones has asked for. I’m using the Invoke-WebRequest cmdlet to make a web request to that IP and converting what’s returned using ConvertFrom-Json. Then it’s just a matter of formatting the output and selecting only the items we care about for this puzzle.

Alright, that wasn’t so bad. How about the next challenge? I wrote the following function. They asked for an advanced function, but I skipped the comment-based help and the begin/process blocks. I could clean up how I work with the $IP parameter a bit, but this is easier to look at and explain.

I’ve declared two parameters, $Attributes and $IP. $Attributes are the attributes we want to return. In our puzzle instructions, we’re asked for Longitude, Latitude, Continent_Code and Timezone but you could use this function to get any of them. By default, the function will return all attributes. $IP is another IP address that we can get data for. If you don’t specify one, the function will retrieve data for the client’s IP. Otherwise, we can get data for an IP that isn’t the one we’re making our request from.

Here are a couple examples of the function in action.

Here, I’m just running the script with no parameters set. It gets all the data back from my IP. I’ve sanitized a lot of the data returned for the purpose of publishing this post but it was all returned correctly.

Here, I asked for the attributes from the puzzle and specified the IP address for PowerShell.org. You can see that it returned exactly what we’d expect.
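The function itself isn’t reproduced above, so here is an added example of my own (not the post’s solution) with the same two parameters, $Attributes and $IP. The puzzle’s endpoint isn’t named on this page, so $Uri is a placeholder; the function assumes an endpoint that returns a flat JSON object for the caller’s address at $Uri and for another address at $Uri/<ip>. The JSON-to-object step is split into its own function so it can be exercised offline against a constructed sample response.

```powershell
# Added example, not the solution from the original post. $Uri is a placeholder
# for the puzzle's JSON endpoint; the sample response at the bottom is made up.

function ConvertTo-GeoIPRecord {
    # Turn the raw JSON text into an object limited to $Attributes. Attribute
    # names are matched case-insensitively; unknown names produce a warning
    # instead of silently disappearing from the output.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json,
        [string[]]$Attributes = '*'
    )
    $data = $Json | ConvertFrom-Json
    if ($Attributes -eq '*') { return $data }

    $known = $data.PSObject.Properties.Name
    foreach ($a in $Attributes) {
        if ($a -notin $known) { Write-Warning "Attribute '$a' is not present in the response" }
    }
    $data | Select-Object -Property $Attributes
}

function Get-GeoIPInfo {
    # $Attributes defaults to everything; $IP defaults to the client's own address.
    [CmdletBinding()]
    param(
        [string[]]$Attributes = '*',
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}$')]   # IPv4 only, enough for the puzzle
        [string]$IP,
        [string]$Uri = 'http://EXAMPLE-GEOIP-ENDPOINT/geoip'   # placeholder, not a real service
    )
    $target = if ($IP) { "$Uri/$IP" } else { $Uri }
    # Same shape as the one-liner: Invoke-WebRequest then ConvertFrom-Json.
    # -UseBasicParsing avoids the Internet Explorer dependency on servers.
    $response = Invoke-WebRequest -Uri $target -UseBasicParsing
    ConvertTo-GeoIPRecord -Json $response.Content -Attributes $Attributes
}

# Offline check against a constructed response (values are invented).
$sample = @'
{ "ip": "203.0.113.10", "country_code": "CA", "continent_code": "NA",
  "latitude": 53.55, "longitude": -113.49, "timezone": "America/Edmonton" }
'@
$record = ConvertTo-GeoIPRecord -Json $sample -Attributes Longitude, Latitude, Continent_Code, Timezone
if ($record.longitude -ne -113.49 -or $record.timezone -ne 'America/Edmonton') {
    throw 'Parsing check failed'
}
$record | Format-List

# Live use, once $Uri points at a real endpoint:
#   Get-GeoIPInfo
#   Get-GeoIPInfo -Attributes Longitude, Latitude, Continent_Code, Timezone -IP 203.0.113.10
```

Keeping the HTTP call and the attribute selection separate is what makes the offline check possible; it also means a change in the endpoint’s field names shows up as a warning from ConvertTo-GeoIPRecord rather than as an empty column.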

Finally, the challenge asks us to hit another public JSON endpoint. I don’t have a favorite but found one that shows you your HTTP request information. Here is what it looks like in action.

Interesting user agent.

01Jun/15

How’s your Windows Server 2003 migration going? Does that question scare you?

Remember 2003? 2003 was a good year. Camera phones got popular, XBox took off, and I was a 14 year old in 9th grade. 2003 was also, obviously, the year that Microsoft released Windows Server 2003. Are you still running it? You shouldn’t be, but I bet lots of you are. That should scare you because in less than six weeks from the time of this post, on July 14, 2015, Microsoft is ending support for Windows Server 2003. If you haven’t finished your Windows Server 2003 migration to newer operating systems (Windows Server 2012 R2 is an excellent choice), or worse – not even started, you could face some very serious consequences. Let’s answer a few questions you might have about that.

What does it mean to be unsupported?

In case “end of support” isn’t clear, here are some of the highlights from the long list of concerns outlined in this IDC white paper on why you should upgrade (pdf). There are tons of reasons but these were the ones that resonated with me.

  • Elimination of security fixes.

Holy smokes. No more patches? For a second that almost sounds like a good thing, right? You’re probably tired of patching servers. But, think of the consequences and implications of that. No more patches is a terrible, scary, awful thing. If I need to tell you why, you may consider a different career than the one that brought you to my blog. If you ever want to pass another audit, you better be receiving and applying security fixes for all your products, especially ones as fundamental as your Windows OSes.

  • Lack of support.

Do you ever call Premier Support? Read Technet blogs or forums? Microsoft is shutting down support for Windows Server 2003 once it hits end of life. If you want help upgrading, you better get it now because after the end of life date, it might be a challenge to get.

Saying “I can put this off, I’m just going to buy extended support!” is the wrong attitude to have. First, you could buy an Egyptian pyramid for the amount of money that extended support is going to cost. Second, all you’re doing is delaying the inevitable. You have to do this. Do it now. It’s going to hurt more to put it off and do it later.

Okay, so there are some good reasons to get off Windows Server 2003 BUT are there any good reasons to get on Windows Server 2012 R2?

There are tons. Windows Server 2012 R2 came out Q4 2013 and is the result of decades of learning, improvement, technological landscape shifting, development and a bunch of other buzz-verbs that all mean that it’s better. It’s better. Windows Server 2012 R2 is better than Windows Server 2003. Here are just a few articles that support that statement.

If you look at all, you’ll find thousands more articles, slides, posts, tweets, talks and more on the benefits and features of Windows Server 2012 R2 over its predecessors.

Upgrading is so intimidating. I need help! Where can I get some?

Microsoft has your back on upgrading and migrating. There are lots of guides and articles on these topics but Microsoft has assembled, in my opinion, the best resource hub out there. Did you click that link? It takes you to the page with all the resources. Click one of these links to go to that page. I can’t overstate how important I think it is that you go to this page and read about the resources to help you migrate away from Windows Server 2003. All the links in this paragraph go to the same page. This is the page: https://www.microsoft.com/en-ca/server-cloud/products/windows-server-2003/default.aspx . It’s in your very best interest to go there and check out what’s there. Need the link one more time? Here.

Does it feel like I’m using this subsection of this post to direct you to Microsoft’s page with tons of resources you can use to make your migration possible, if not easy? It’s because I am. There’s tons of other resources out there, too, and they are a simple search away.

I get it. I want to upgrade. I’ve been pushing my organization to upgrade but I can’t seem to get permission. What can I do?

Surely I’ve convinced you of the many great reasons to migrate away from Windows Server 2003 to Windows Server 2012 R2. These arguments make sense for an IT Pro but maybe not for an executive, business people, or sometimes even for a developer. Here are a few of the common ways I see resistance and my suggestions for overcoming them. Of course, every organization’s politics are different and you may need to figure it out yourself.

  • We have App XYZ that only runs on Windows Server 2003. It’s crucial to our business. There’s no new version.

Respectfully, if this is the honest to goodness truth for your organization, you might be on the Blockbuster/Kodak path of sustainability. Read this Wikipedia article on the theory of Diffusion of Innovations. Take special note of the chart that describes the different stages: Innovators, Early Adopters, Early Majority, Late Majority, and Laggards. You don’t have to adopt every new innovation that comes across your desk, but if your entire business is dependent on a technology or product that is about to reach end of life, you’re in trouble. You’re already in the laggard stage of the adoption process if you’re still not off Windows Server 2003. Just don’t fall off the chart completely – get migrating!

There comes a point where you’re not upgrading to gain an advantage, but to catch up to competitors who have already surpassed you.

  • App XYZ is crucial to our business. There’s a new version but we can’t afford the down time to upgrade.

This one is easier to work with than the last one. Attack this resistance from two sides. First, reiterate the importance of upgrading and all the bad things that will happen if you don’t. Second, and most importantly, find business reasons that make migrating to Windows Server 2012 R2 or the new version of App XYZ desirable to your specific stakeholders. Often with executives and business groups, it’s even more important to PULL them towards something new as it is to PUSH them away from something old.

To address the downtime concerns, put effort into making a plan that makes the downtime as short and painless as possible. Do a side-by-side migration. Do the cut over at 3 in the morning when your customers are all asleep. Find a way to make the downtime as tolerable as possible.

  • We don’t need new features. We accept the risk of running in an unsupported fashion. It’s just not worth our time to migrate.

This is a naive attitude, in my opinion. If you can’t find a creative way to improve anything within your organization with even one new feature in Windows Server 2012 R2, you’re not looking. A willingness to accept the risk of running unsupported demonstrates an incomplete understanding of the risk involved with doing so. What would your customers say if you told them that your systems don’t receive security updates any more? If you get resistance like this, you need to find a reason to pull your stakeholders towards the newer technologies and make sure they’re clear on the risks of maintaining the status quo.

Alright, I’m ready to take this on! Now how about a summary of some kind?

Glad you asked. If you take anything out of this post, make it these few things.

  1. Being unsupported is bad. Really bad. You don’t want to be unsupported for a lot of reasons including no more security patches.
  2. Windows Server 2012 R2 has a ton of new features that make it a great OS to migrate to.
  3. Microsoft has a lot of resources available to help you upgrade.
  4. Getting stakeholder permission for an upgrade is as much about selling the benefits of moving to a new system as it is about the disadvantages of staying on the old one.

Good luck and happy migrating!

22Apr/15

Invitation: MVP Virtual Conference

This is a canned post provided by the Microsoft MVP program. I’m sharing it because I think it’s going to be a valuable event that readers of this blog could get a lot out of. I’m definitely going to be there and I’m really looking forward to it. Take a look and see if it’s something you’re interested in.



Register to attend the Microsoft MVP Virtual Conference

I wanted to let you know about a great free event that Microsoft and the MVPs are putting on, May 14th & 15th.  Join Microsoft MVPs from the Americas’ region as they share their knowledge and real-world expertise during a free event, the MVP Virtual Conference.

The MVP Virtual Conference will showcase 95 sessions of content for IT Pros, Developers and Consumer experts designed to help you navigate life in a mobile-first, cloud-first world.  Microsoft’s Corporate Vice President of Developer Platform, Steve Guggenheimer, will be on hand to deliver the opening Keynote Address.

Why attend MVP V-Conf?  The conference will have 5 tracks: IT Pro English, Dev English, Consumer English, Portuguese mixed sessions & Spanish mixed sessions; there is something for everyone!  Learn from the best and brightest MVPs in the tech world today and develop some great skills!

Be sure to register quickly to hold your spot and tell your friends & colleagues.

The conference will be widely covered on social media; you can join the conversation by following @MVPAward and using the hashtag #MVPvConf.

Register now and feel the power of community!
