
05 February 2018

Powershell + DSACLS reset password

I used DSACLS from PowerShell (PowerShell v4).
I started from this blog post, https://vbzine.wordpress.com/2011/05/14/dsacls-command-to-grant-domain-groups-password-reset-and-unlock-account-rights-to-specific-org-unit-ou/#comment-768 ,
which explains how to grant password reset rights on a specific OU with DSACLS, but its syntax is wrong: the Read Property and Write Property permission codes (RPWP) are case sensitive and must be capitalized, and the closing quote belongs after ;user, not before it. Here is the corrected syntax (use straight double quotes; the curly quotes a blog editor substitutes are not accepted by dsacls):

dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:CA;Reset Password;user"
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;pwdLastSet;user"
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;lockoutTime;user"
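The same delegation done natively from PowerShell, as an added example that is not part of the original post: it grants the three ACEs the dsacls commands above create (the Reset Password extended right, and Read/Write Property on pwdLastSet and lockoutTime, inherited by user objects under the OU) with the ActiveDirectory module, and reads the ACL back so the result can be checked. The OU and group names are the post's placeholders; the GUIDs are resolved from the schema and the Extended-Rights container rather than hard-coded. It assumes the RSAT ActiveDirectory module is installed and the caller may modify the OU's ACL.

```powershell
# Added example, not from the original post: native equivalent of the three dsacls commands.
Import-Module ActiveDirectory

function Grant-PasswordResetRight {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # e.g. "OU=TeamA,DC=SWUG,DC=com,DC=sg"
        [Parameter(Mandatory)] [string] $GroupName               # e.g. "groupA"
    )
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # Resolve object GUIDs from the directory instead of hard-coding them
    $schemaGuid = @{}
    foreach ($name in 'user', 'pwdLastSet', 'lockoutTime') {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        $schemaGuid[$name] = [guid]$obj.schemaIDGUID
    }
    $resetPwd = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                             -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid
    $resetPwdGuid = [guid]$resetPwd.rightsGuid

    $sid = (Get-ADGroup -Identity $GroupName).SID
    # dsacls /I:S means sub-objects only; limiting to class "user" matches the ";user" suffix
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rpwp    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'   # RPWP
    $ca      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight                  # CA

    $rules = @(
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ca,   'Allow', $resetPwdGuid,              $inherit, $schemaGuid['user'])
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rpwp, 'Allow', $schemaGuid['pwdLastSet'],  $inherit, $schemaGuid['user'])
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rpwp, 'Allow', $schemaGuid['lockoutTime'], $inherit, $schemaGuid['user'])
    )

    $aclPath = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $aclPath
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $aclPath -AclObject $acl
}

function Get-DelegatedRight {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Read the ACL back: the three ACEs should show ObjectType = the right/attribute GUID
    # and InheritedObjectType = the user class GUID
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Usage:
# Grant-PasswordResetRight -OuDistinguishedName "OU=TeamA,DC=SWUG,DC=com,DC=sg" -GroupName "groupA"
# Get-DelegatedRight       -OuDistinguishedName "OU=TeamA,DC=SWUG,DC=com,DC=sg" -GroupName "groupA"
# The same ACEs are also listed by:  dsacls "OU=TeamA,DC=SWUG,DC=com,DC=sg"
```

Resolving the GUIDs at run time keeps the function correct on forests where the schema has been extended, and reading the ACL back with Get-DelegatedRight is the check to run after either this function or the dsacls commands: an ACE whose InheritedObjectType is empty applies to every object class under the OU, not just users.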

18 October 2017

strong private key protection for code signing certificate

When working with PowerShell scripts it is a good idea to sign them if you plan to use them in your production environment. You can easily get a code signing certificate from your enterprise CA (Active Directory Certificate Services) or generate a self-signed one. Many places explain that; I got my basics from here:

https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

What is not mentioned is that you should protect your code signing certificate with "strong private key protection". To do that, export your current code signing certificate to a PFX with the private key, then import it back (this can be done on the same computer) with the "strong private key protection" check box ticked in the import options, as shown in the screenshot. At the end of the import you get an additional prompt for the password that will protect the private key. Obviously, if you are protecting the private key with a password, do NOT mark it as exportable on re-import, otherwise the protected key can simply be exported again...



[Screenshot: the password prompt for the private key protection]


From now on, every time this certificate is used (for example by Set-AuthenticodeSignature), you will be prompted for this password.
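The same export and re-import round trip scripted from PowerShell, as an added example that is not part of the original post: it exports the certificate to a PFX, removes the unprotected copy, re-imports it with certutil asking for a non-exportable key with strong private key protection, and then reports the Exportable and Protected flags of every code signing certificate in the user store so you can confirm the result. The thumbprint and paths are placeholders. It assumes the key is a CSP key (CspKeyContainerInfo is not populated for CNG keys) and that certutil on your Windows build accepts the NoExport and Protect import modifiers (check `certutil -importPFX -?`).

```powershell
# Added example, not part of the original post: scripted export / protected re-import.

function Export-CodeSigningPfx {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    # Remove the unprotected copy so the re-import replaces it instead of sitting beside it
    Remove-Item -Path $cert.PSPath -DeleteKey
}

function Import-ProtectedCodeSigningPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # certutil takes the PFX password as plain text on its command line
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    # NoExport: the key cannot be exported again.
    # Protect: strong private key protection, i.e. the password prompt on every signing
    # operation. (Modifier names as documented by certutil -importPFX -? ; assumption.)
    & certutil.exe -user -p $plain -importPFX $PfxPath NoExport,Protect
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
}

function Get-CodeSigningKeyProtection {
    # Note: reading .PrivateKey on a protected key triggers the protection prompt
    Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        $info = if ($_.HasPrivateKey -and $_.PrivateKey) { $_.PrivateKey.CspKeyContainerInfo } else { $null }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Exportable = if ($info) { $info.Exportable } else { 'unknown (CNG key or no private key)' }
            Protected  = if ($info) { $info.Protected }  else { 'unknown (CNG key or no private key)' }
        }
    }
}

# Usage:
# $pfx    = "$env:TEMP\codesign.pfx"
# $pfxPwd = Read-Host -AsSecureString 'PFX password'
# Export-CodeSigningPfx -Thumbprint 'THUMBPRINT' -PfxPath $pfx -Password $pfxPwd
# Import-ProtectedCodeSigningPfx -PfxPath $pfx -Password $pfxPwd
# Remove-Item $pfx        # the PFX is the key with only the PFX password on it; do not leave it around
# Get-CodeSigningKeyProtection | Format-Table -AutoSize
```

After the re-import, Get-CodeSigningKeyProtection should show Exportable = False and Protected = True for the certificate; if it still shows Exportable = True, the NoExport modifier was not applied and the step needs repeating.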

13 September 2017

My first PowerShell function... Sign-Script

I'm starting to play more with PowerShell, and for some needs we have I had to start signing scripts. I found many places on the internet that explain how to get a code signing certificate from our corporate CA and then sign the script with a timestamp, so that the script still works after the certificate expires, since the timestamp certifies that the certificate was valid at the time of signing. This generates a pretty long command, so I wrote my first PowerShell function, Sign-Script, to do it. You can place it in your PowerShell profile (profile.ps1) to have it available every time you run PowerShell.

PowerShell profile ref: https://technet.microsoft.com/en-us/library/2008.10.windowspowershell.aspx

Code signing ref: https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

So without further delay here it comes...

#Begin copy after this line
#----------------------------------------------------------------------------------------------------

<#
.SYNOPSIS
   Sign the specified script with the first code signing certificate of the current user
   and with a default timestamping URL.

.DESCRIPTION
   This function lets you sign a script with a timestamp so that the signature stays
   valid after the signing certificate expires. It also saves you from typing the full
   path to the signing certificate, since by default it uses the first code signing
   certificate available in the current user's certificate store, and it uses a default
   timestamping URL so that you don't need to pass one.

.PARAMETER scriptname
    The script to sign, including the full path. Accepts pipeline input, including
    the FileInfo objects produced by Get-ChildItem.

.PARAMETER cert
    A code signing certificate object (X509Certificate2), for example one returned by
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert. The default is the first code
    signing certificate of the current user.

.PARAMETER TimeStampingServer
    URL of a timestamping server. The default is "http://timestamp.comodoca.com/authenticode".

.PARAMETER IncludeChain
    Which part of the certificate chain to embed in the signature (Signer, NotRoot or All),
    passed through to Set-AuthenticodeSignature. The default is NotRoot.

.EXAMPLE
   Sign-Script c:\script\test.ps1

.EXAMPLE
   Sign-Script -scriptname c:\script\test.ps1 -cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.FriendlyName -eq "Thawte Code Signing" }) -IncludeChain All -TimeStampingServer "http://timestamp.verisign.com/scripts/timstamp.dll"

.EXAMPLE
   Get-ChildItem c:\script\*.ps1 | Sign-Script
#>
function Sign-Script
{
    [CmdletBinding()]
    [Alias("Sign")]
    Param
    (
        # Full path of the script to sign (FullName alias binds Get-ChildItem output by property name)
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [Alias("FullName")]
        [string]$scriptname,

        # Code signing certificate; defaults to the first one in the current user's store
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $cert = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1),

        # Timestamping server, so the signature outlives the certificate
        [string]$TimeStampingServer = "http://timestamp.comodoca.com/authenticode",

        # Part of the certificate chain to include in the signature
        [ValidateSet("Signer", "NotRoot", "All")]
        [string]$IncludeChain = "NotRoot"
    )

    Process
    {
        if (-not $cert)
        {
            throw "No code signing certificate found in Cert:\CurrentUser\My"
        }

        $signature = Set-AuthenticodeSignature -FilePath $scriptname -Certificate $cert `
                         -TimestampServer $TimeStampingServer -IncludeChain $IncludeChain

        # Set-AuthenticodeSignature reports failure through the Status of the returned object
        if ($signature.Status -ne "Valid")
        {
            Write-Error "Signing $scriptname failed: $($signature.Status) - $($signature.StatusMessage)"
        }
        $signature
    }
}

#---------------------------------------------------------------------------------
#End copy above this line
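The check to run after signing, as an added example that is not part of the original post: it walks a directory of scripts with Get-AuthenticodeSignature and reports, for each one, whether the signature validates, who signed it, and whether a timestamp counter-signature is present. The timestamp is what keeps a signature valid after the signing certificate expires, so a script that is valid today but not timestamped is flagged as at risk. The directory path is a placeholder.

```powershell
# Added example, not part of the original post: audit script signatures and timestamps.

function Test-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse:$Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $timeStamped = [bool]$sig.TimeStamperCertificate
        [pscustomobject]@{
            Script       = $_.FullName
            Status       = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }  else { $null }
            SignerExpiry = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            TimeStamped  = $timeStamped
            # Valid now, but nothing certifies when it was signed: it depends on the
            # certificate's own validity period and will stop validating when it expires
            AtRisk       = ($sig.Status -eq 'Valid') -and -not $timeStamped
        }
    }
}

# Usage: list every script that is not both valid and timestamped
# Test-ScriptSignature -Path C:\script -Recurse |
#     Where-Object { $_.Status -ne 'Valid' -or -not $_.TimeStamped } |
#     Format-Table -AutoSize
```

HashMismatch is the status to watch in a production directory: it means the file was edited after it was signed, which is exactly what an AllSigned execution policy is there to refuse.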

17 March 2016

Vmware PowerCLI 6 scheduled task

We just upgraded our VMware environment to vSphere 6, with vCenter installed on Windows 2012 R2 using SQL Server. The only problem we faced was migrating the Windows scheduled tasks that run PowerCLI commands from the old 5.5 vCenter to the new one. Keep in mind that my PowerShell knowledge is very limited...

The task runs weekly to list all the running VMs and the VMs with snapshots older than 7 days. After hours of investigation I found that the scripts ran fine when launched directly from the PowerCLI console, so the problem had to come from Task Scheduler. A blog page suggested testing the scheduled task's command line, with its parameters, from a command prompt to see where things go wrong. That proved to be the best troubleshooting option: I quickly realised that the script itself ran, but every VMware command returned "invalid command name".

That led me to dig further and understand that the vim.psc1 file is just a text file (a PowerShell console file) instructing PowerShell to load specific modules and/or snap-ins. I also discovered that you can create a new console file with the Export-Console command, so I exported the console loaded by the PowerCLI shortcut on the desktop and, surprise, that console file differs from the vim.psc1 created automatically by VMware. I ran my script with this exported console file and ta-da, the scripts all work again. The problem is that the default vim.psc1 file is missing this line:

 <PSSnapIn Name="VMware.VimAutomation.Core" />

This snap-in is the one that provides the Get-VM command and was the one causing the problem.
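Two ways to make the task robust against this, as an added example that is neither the author's task nor the author's script: build a console file that declares the snap-in with Export-Console and register the weekly task to start PowerShell with it, and have the report script load the snap-in itself so it no longer depends on which console file Task Scheduler passes. It assumes PowerCLI 6 (snap-in based), the ScheduledTasks module of Windows Server 2012 R2, and that the task account's vCenter credentials were stored beforehand with New-VICredentialStoreItem. The vCenter name, paths and account are placeholders.

```powershell
# Added example, not the author's task or script.

function New-PowerCliConsoleFile {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
        Add-PSSnapin VMware.VimAutomation.Core -ErrorAction Stop
    }
    # Writes a .psc1 that lists the loaded snap-ins, including
    # <PSSnapIn Name="VMware.VimAutomation.Core" />
    Export-Console -Path $Path
}

function Register-WeeklyVmReportTask {
    param(
        [Parameter(Mandatory)] [string] $ConsoleFile,   # e.g. C:\Scripts\powercli.psc1
        [Parameter(Mandatory)] [string] $ScriptPath,    # e.g. C:\Scripts\Get-WeeklyVmReport.ps1
        [Parameter(Mandatory)] [string] $RunAs          # e.g. SWUG\svc-powercli
    )
    $arguments = "-NoProfile -PSConsoleFile `"$ConsoleFile`" -ExecutionPolicy AllSigned -File `"$ScriptPath`""
    # Try exactly this command line from a command prompt first, as the post recommends
    Write-Host "powershell.exe $arguments"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6am
    Register-ScheduledTask -TaskName 'PowerCLI weekly VM report' -Action $action -Trigger $trigger `
                           -User $RunAs -Password (Read-Host "Password for $RunAs")
}

# --- body of Get-WeeklyVmReport.ps1, the script the task runs ---
function Get-WeeklyVmReport {
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [int] $MaxSnapshotAgeDays = 7
    )
    # Load the snap-in even if the host was started without a console file that declares it
    if (-not (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
        Add-PSSnapin VMware.VimAutomation.Core -ErrorAction Stop
    }
    # Uses the credential store entry created for the task account with New-VICredentialStoreItem
    $vi = Connect-VIServer -Server $VCenter -ErrorAction Stop
    try {
        $cutoff = (Get-Date).AddDays(-$MaxSnapshotAgeDays)
        $vms = Get-VM -Server $vi
        [pscustomobject]@{
            RunningVMs   = $vms | Where-Object { $_.PowerState -eq 'PoweredOn' } | Select-Object -ExpandProperty Name
            OldSnapshots = $vms | Get-Snapshot | Where-Object { $_.Created -lt $cutoff } |
                           Select-Object VM, Name, Created, SizeGB
        }
    }
    finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}

# Usage:
# New-PowerCliConsoleFile -Path C:\Scripts\powercli.psc1
# Register-WeeklyVmReportTask -ConsoleFile C:\Scripts\powercli.psc1 -ScriptPath C:\Scripts\Get-WeeklyVmReport.ps1 -RunAs 'SWUG\svc-powercli'
# In Get-WeeklyVmReport.ps1, end with:  Get-WeeklyVmReport -VCenter 'vcenter.swug.com' | Export-Clixml C:\Scripts\report.xml
```

The Add-PSSnapin guard in the script is the part that would have avoided the "invalid command name" hunt: with it, the report runs the same way from the PowerCLI console, from a plain powershell.exe, or from Task Scheduler with either console file.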