returning and referencing remote powershell variable results - powershell

I'm very new to powershell so looking some assistance. I am trying to run remote powershell script to check health of or VDI enviroment using Citrix Commandlets. (I am implementing the script on Microsoft orchestrator .Net Activity). So I have the following code:
#2012 VDI Desktop check
$vdims = "MyCitrixPowershellSDKServer"
function vdidesktopcheck
{
asnp Citrix*
$result = Get-BrokerDesktop -InMaintenanceMode $True -DesktopGroupName Unidesk
$result
}
$output = invoke-command -computer $vdims -scriptblock ${function:vdidesktopcheck}
$machinename = $output.machinename
$machinename
$state = $output.RegistrationState
$state
So when I use orchestrator to expose the variables $machinename, $state - I get the 'last' result from the involked Get-BrokerDesktop query. However Get-Brokerdesktop query may have multiple machines returned so I am hoping to be able to reference each of the machines that match the query output. Thats the basic requirement - what I am hoping to be able to do is further refine the basic Get-BrokerDesktop query to be able to count the number on machines output to say > 3 (ie more than 3 machines in MaintMode is unacceptable) and also check that the MachineName property is not equal to a particular value, ie the 3 test machine names in the environment which may be expected to be in MaintenanceMode.
Hope this makes sense, if not I'll try and elaborate. Any help much appreciated!!

One of the limitations of Orchestrator is that you can only pass strings across the data bus, and you need to pass an array of objects. You need to serialize the object array to a string. One way to do that is to convert the array to json, then use convertfrom-json when you get it back to get an object array to work with.
Don't have a SCORCH server handy to test with, so this isn't tested at all.
$vdims = "MyCitrixPowershellSDKServer"
function vdidesktopcheck
{
asnp Citrix*
$result = Get-BrokerDesktop -InMaintenanceMode $True -DesktopGroupName Unidesk
$result
}
$output = invoke-command -computer $vdims -scriptblock ${function:vdidesktopcheck} |
select machinename,RegistrationState | ConvertTo-Json
$Output

Related

Use Connect-PnPOnline in a workflow

Good morning, everyone,
I have a problem in retrieving information from SharePoint groups. I do it in a workflow, first I get the list of all groups and then I use it in a foreach-parallel to list the members of these groups.
The problem is that the connection doesn't seem to be maintaining and my query doesn't recover all the groups.
Here is a piece of the code:
workflow GetGroup {
param(
[Parameter(Mandatory)]
[String]$SPOSite,
[System.Management.Automation.PSCredential]$SPOCreds
)
$KeepAlive = Connect-PnPOnline -Url $SPOSite -Credentials $SPOCreds -ReturnConnection
$GetGroups = Get-PnPGroup
ForEach -Parallel -ThrottleLimit 512 ($Group in $GetGroups)
{
$GroupName = $Group.LoginName
$Users = Get-PnPGroupMembers -Identity $groupName -Connection $workFlow:KeepAlive
}
}
GetGroup -SPOSite "https://xxx.sharepoint.com/sites/xx -SPOCreds (Get-Credential)
The expected result would be an array initialized at the beginning of the workflow with a PSCustomObject object that is added to our array. This table is made up of 3 things: The name of the group, the names of the people in that group, the emails of the people.
Unfortunately the table is only partially generated because a workflow here is the error I find nothing on the subject:
Impossible to link the "Connection" parameter. Impossible to convert the value "SharePointPnP.PowerShell.Commands.Base.SPOnlineConnection" of the type "SharePointPnP.PowerShell.Commands.
Deserialized.SharePointPnPnP.PowerShell.Commands.Base.SPOnlineConnection"
Thank you for your help.
I ran into the same error in a similar scenario, and this article helped me. Workflow is converting the Connection object ($KeepAlive in your case) to a deserialized format, and so the other cmdlet doesn't accept it. You will just have to wrap those cmdlets with InlineScript, or use a PowerShell script runbook instead of a PowerShell workflow runbook.

How to use Remove-LocalGroupMember to remove from a server?

I have the following script that is supposed to remove members from a server:
$ssasInstance = ""
$accountName= ""
Import-Module SqlServer
[Microsoft.AnalysisServices.Server]$SSASserver = New-Object ([Microsoft.AnalysisServices.Server])
$SSASserver.Connect($ssasInstance)
$role= $SSASserver.Roles["Administrators"]
$role.Members.Remove($accountName)
$role.Update()
The problem is for some reason Remove() is not really working, no errors generated, but it doesnt remove the user.
I tested the script by instead adding a user, $role.Members.Add($accountName) and this works great! so i know that it must be a bug with the remove() method, and the only option I have is to use Remove-LocalGroupMember
I tried just using it like this:
$ssasInstance = ""
$accountName= ""
Import-Module SqlServer
[Microsoft.AnalysisServices.Server]$SSASserver = New-Object ([Microsoft.AnalysisServices.Server])
$SSASserver.Connect($ssasInstance)
$role= $SSASserver.Roles["Administrators"]
Remove-LocalGroupMember -Group "Administrators" -Member "$accountName"
$role.Update()
but that doesnt work either...although i think its because it doesnt know exactly where its removing from...
I tried this too, but to no avail:
Remove-LocalGroupMember -Group "$role" -Member "$accountName"
So how can i integrate this module into my script?
This is an unfortunate confluence of circumstances: when you do
$role.Members.Add("member")
This works because, under water, the string "member" is implicitly converted by PowerShell to a RoleMember with a Name of member and an empty Sid. All fine. However, if you then do
$role.Members.Remove("member")
Nothing happens, because you will create a new RoleMember instance, and since RoleMember has no implementation of .Equals() (a fairly bizarre oversight), different instances will never be considered the same.
This means you can only remove members by getting the actual instance in the collection (or by index, I suppose):
$member = $role.Members.Where{$_.Name -eq "member"} | Select -First 1
$role.Members.Remove($member)
Note that you will not get an error if there is no such member (because Remove allows $null, again in a rather bizarre oversight), so you may want to check for $member -eq $null if you want to verify that.
Definitely do not use Remove-LocalGroupMember -- that cmdlet is part of a completely different module and removes members from local Windows groups, not SSAS roles.

NIC Order in PowerShell

I have a script where it will provide the NIC binding order like below. But is there anyway so that I can write a condition if binding order is vEthernet*,storage then
Add-Content $report "<td bgcolor= 'Aquamarine' height='25' align=center><B>$ServicesResult1</B></td>"
else
Add-Content $report "<td bgcolor= 'Yellow' height='25' align=center><B>$ServicesResult1</B></td>"
$result1 = Invoke-Command -ComputerName slcae212 -ScriptBlock {
Function Get-BindOrder {
$Binding = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind
$Return = New-Object PSobject
$BindingOrder = #()
foreach ($Bind in $Binding) {
$DeviceId = $Bind.Split("\")[2]
$Adapter = (Get-WmiObject Win32_Networkadapter | Where {$_.GUID -eq $DeviceId }).NetConnectionId
$BindingOrder += $Adapter
}
$BindingOrder
} #EndFunction
CLS
Get-BindOrder
}
$adapteresult1= $result1 -join ","
Output:
vEthernet (10.211.21.0_20),,storage,Ethernet 5,Ethernet 4,Ethernet 2,Ethernet 6,,
Im not sure where in your you need it but you can use a regex to check that:
vEthernet[^,]+?,storage
Now you can use that in an if statement using the -match operator:
if ($yourBinding -match 'vEthernet[^,]+?,,storage')
{
# do something
}
else
{
# do something else
}
With all respect, I don't think that you are on the correct way with programming this. I presume that you eventually want to reorder the "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind and put that back in the registry. (Years ago I have had similar request and at created a VBScript for that.)
In your script, your currently trying to deal with the adapter names to redefine the order of the original bindingorder but the relation between the $DeviceID and the $Adapter name is completely lost in you current approach.
Instead of doing string manipulation it is better, faster and more native to PowerShell to work with objects in the form of an array or in this case even a HashTable or 'PSCustomObject' where you keep a related between the $DeviceID and the $Adapter name. I would like to point out here that you could possible have multiple vEthernet adpaters and that some $adapter names are apparently empty (there is nothing between two commas ...,,...), but AFAIK that doesn't imply that you just can drop the $DeviceID (without adapter name) from the binding order...
I think there is a good example for your request written here:
https://seawin.org/2016/06/04/setting-binding-and-route-registry-entries/
Notes:
Your binding order could potential change on the fly e.g. if a user create a VPN connection or starts a VM, this probably means that you can not just run your fix at startup or logon but depending on the actual problem, you might have to fix it as it happens by setting a NotificationQuery event on the specific HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage registry key.
Changing the binding order (on the fly) has a significant impact on the Operating System processes, besides that you CPU will raise, network connection are being reset and could be unavailable for a while. Therefor I advice you to check/flag whether the binding order really changed (where required) and only rewrite it when necessarily.
I doubt whether the known issues related to the binding order are the same for every Operating Systems. Meaning, if you are going to deploy this to multiple OS versions, I would investigate the actual problem you dealing which, also applies to the concerned Operating System.

retrieve computer names admin account logged on through AD

How would retrieve computer names and their IP addresses in Active Directory which are logged into by an admin account?
I can retrieve local admin accounts with my script below:
function get-localadministrators {
param ([string]$computername=$env:computername)
$computername = $computername.toupper()
$ADMINS = get-wmiobject -computername $computername -query "select * from win32_groupuser where GroupComponent=""Win32_Group.Domain='$computername',Name='administrators'""" | % {$_.partcomponent}
foreach ($ADMIN in $ADMINS) {
$admin = $admin.replace("$computernamerootcimv2:Win32_UserAccount.Domain=","") # trims the results for a user
$admin = $admin.replace("$computernamerootcimv2:Win32_Group.Domain=","") # trims the results for a group
$admin = $admin.replace('",Name="',"")
$admin = $admin.REPLACE("""","")#strips the last "
$objOutput = New-Object PSObject -Property #{
Machinename = $computername
Fullname = ($admin)
DomainName =$admin.split("")[0]
UserName = $admin.split("")[1]
}#end object
$objreport+=#($objoutput)
}#end for
return $objreport
}#end function
but what I want is to return all instances of Administrator logged on to Computers. Is this possible or is there anything that would return similar results?
You are not going to be able to do this with AD alone.
How many computers are we talking here? Nevertheless, i would make use of the eventlog. Each logon-event is stored and has the SID of the user that logs on (or triggers the event). Event 7001 (logon) is what you are looking for.
You could retrieve these events in een XML format. This XML contains the SID of the user that has triggered the event. You can either use a .NET translation function to convert it into a SamAccountName OR you can just retrieve all SID's from AD and compare them that way (so maybe make use of a hasbtable).
I have written a script some time ago that uses a lot of these techniques.
It was meant to see when a user has logged on and off AND locked and unlocked their computer. You can find a blog-post about it here:
https://cookiecrumbles.github.io/GetLogonEventViewer/
That blogpost also references the github where you can find the script i made.
With some tweaking, you could make it into a tool that you need.

Setting a DateTime to $null/empty using PowerShell and the SCSM cmdlets

I'm currently trying to sync additional attributes from the AD (Active Directory) for user objects in SCSM (System Center Service Manager) using a PowerShell script.
The extension I wrote for this, includes an attribute for the expiration date of a AD user account (DateTime value, named DateTimeAttribute in the example) if the user account doesn't expire it should be empty/null.
Using Import-SCSMInstance, which should be similar to a CSV import, it kind of works by passing "null" for the field. The problem is that Import-SCSMInstance seems to be quite unreliable and it doesn't offer any kind of information of why it works or doesn't work. Using Update-SCSMClassInstance seems to work a lot better but I can't figure out a way to clear the field using this and even using [DateTime]::MinValue will result in an error, stating that it's an invalid value.
So would anyone have an idea on how to clear the value using Update-SCSMClassInstance or figure out why Import-SCSMInstance might or might not work?
A simple example for this could look like the following:
$server = "<ServerName>"
$extensionGuid = "<GUID>"
Import-Module 'C:\Program Files\System Center 2012 R2\Service Manager\Powershell\System.Center.Service.Manager.psd1'
New-SCManagementGroupConnection -ComputerName $server
$extensionClass = Get-SCSMClass -Id $extensionGuid
$scsmUserObject = Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"'
# Error
$scsmUserObject.DateTimeAttribute = ""
# Works but fails on Update-SCSMClassInstance
$scsmUserObject.DateTimeAttribute = $null
$scsmUserObject.DateTimeAttribute = [DateTime]::MinValue
# Works
$scsmUserObject.DateTimeAttribute = "01-01-1970"
Update-SCSMClassInstance -Instance $scsmUserObject
It seems that you can't clear a date once it's filled. When you write $null, it sets the date to 1-1-0001 01:00:00, which is an invalid date causing the update-scsmclassinstance to fail.
What we have set as a user's AD property when we don't want something to expire, is 2999-12-31 (yyyy-MM-dd). Perhaps this could help, although it's not directly what you asked for...
Also, you can use the pipeline to update a property in SCSM:
Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"' | % {$_.DateTimeAttribute = <date>; $_} | update-scsmclassinstance
It doesn't look like it's currently possible to clear custom date attributes using the PowerShell cmdlets.