Category Archives: PowerShell for Admins

Microsoft Publishes DSC Resource Kit in GitHub

When Microsoft first released the DSC Resource Kit (in Wave 10 as of this writing), they opened the door to community contributions. Our own GitHub repo consists partly of DSC resource that used Microsoft’s code as a baseline, and then corrected problems or expanded capabilities.

What we never had was a way for Microsoft to circle back, pick up those enhancements, and include them as part of an official future Resource Kit Wave. Now, we do.

Continue reading

NJ PowerShell Users Group Meet: Presenter Jeffrey Hicks – Microsoft MVP

The NJ PowerShell User Group is having a meetup on Tuesday, April 28th from 6:00 – 8:00 PM.  The first half hour will be for socializing, pizza, and playing pool at our coffee bar. 

                6:00 – 6:30: Pizza and socializing
                6:30 – 7:30: Presentation
                7:30 – 8:00: Q & A

Please note that the Webex meeting will start at 6:00 PM, but the actual presentation won’t start until 6:30. In-Person a ttendees must register, print out their EventBrite ticket, and present it at the door.  Walk-ins will not be permitted.

Eventbrite Eventbrite Registration Page  A Webex meeting link will be emailed to Eventbrite on-line registrants prior to the event. 

Presenter: Jeffrey Hicks (in-person)

Presentation: On the Job: Putting PowerShell Scheduled Jobs to Work for You. So you know how to use PowerShell and how it can make your job easier to do. But why should you have to be sitting at your desk to run a PowerShell script or command? Why not combine the simplicity of a PowerShell script with the ease of use of a scheduled task! PowerShell MVP and author Jeff Hicks will guide you through the process of setting up and using PowerShell scheduled jobs, including a few potential gotchas. By the end of the session you should know enough to be able to schedule the boring right out of your job.

Bio: Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at (, and a frequent speaker at technology conferences and user groups. His latest book is PowerShell In Depth: An Administrator’s Guide 2nd Ed.

Twitter: @JeffHicks

Jeff Hicks   PowerShell In Depth 2nd Ed.

Coffee Bar, Pool Table, and XBox

Coffee Bar

Conference Room

Conference Room



Home Labs for the IT pro

Every IT pro needs a lab. It’s not just the fact that we all have a little mad scientist in us, it’s a playground for experimentation and learning. By “lab” I do not mean a formal test or dev environment, but a much more informal setting that typically goes before the “dev” part gets started. This lab need not be expensive. A little creative repurposing and virtualization will go a long way towards getting started with a home lab.

  1. Hardware- Obviously you have to have a computer.
    • The least expensive is the system you already have. When you bought it did you buy a high end Core i7 with lots of ram for gaming or just future proofing? If so then you’re done! Windows 8.1 or Windows 10 preview do a great job of Hyper-V hosting. Of course you may need more hard drive space, but then again drives are relatively cheap these days. The system I use is a 3 year old Dell XPS with a Core i7 and 6GB of Ram and an added 1TB SATA drive. Hardware cost = zero. Of course, I want to add more ram and disk but for now it gets along. I run 3-4 windows core servers at a time, but more than 4 causes the system to go into disk thrash mode pretty seriously due to RAM overuse.
    • The next best option takes up more space but can potentially be even cheaper in a strictly monetary sense. How does your company dispose of old outdated equipment? Can you score 5-10 laptops or a server or two? What about old Ethernet switches? That plus $50 at Walmart for some shelving and you have your own network in the basement to play with.
    • Finally if you have an extra $600 -800 you can get a dedicated PC bare-bones kit with a Core i7, 16+ GB of ram and a 2-3 TB hard drive.
  1. Software- If you are learning Linux then you’re in luck here as the cost is pretty much free. However in the Windows PowerShell lab, we need Windows! The approach to this is pretty much dependent on the cash you want to spend and the approach you took to solve the hardware problem. If you are using option a) then you don’t need a ‘host’ OS as you already have an OS. Microsoft offers free demo versions for download, and although they are time locked, these VMs aren’t going to usually live long enough to expire. If you already have a MSDN subscription from work, then you already have access to server OS downloads.
  1. Networking- Obviously you have an internet connection. Beyond that, if your home is like mine, there are a dozen or so devices connected to the home LAN. Gaming consoles, televisions, DVRs, etc. that anyone else in the house may want to use while you are using your lab equipment. I strongly recommend that you keep the “lab” separate from your home network. If you are going the basement shelves of equipment route, you’ll certainly need some Ethernet switches and perhaps a router or firewall to keep the “lab” network separate. If you are going the more virtual route, you can do as I did and install a Linux router on a VM to act as firewall/gateway from the “virtual” subnet to the “real” LAN. I used VyOS (, which is nice since you can simply follow the directions on their site to do a basic setup. This keeps lab services in the virtual space where they belong.
  1. Time- I know we are all busy, but seriously make the time. Getting this set up takes literally a couple of hours depending on your internet connection. Once it’s set, then you can squeeze in a little here and there and make surprising strides in your learning. Get up an hour earlier and play in the lab a bit while drinking coffee. Stay up an hour later and work on the lab after the family is in bed. Dedicate two or three lunch hours a week. You’ll be amazed how much faster you can learn things when you can just “try it and see what happens” with no fear of breaking something important. After all you built it- you can rebuild it!

So now that we have all the parts together, what specifically do we need to build?  Since in most instances, we’ll be building this in a virtual space, let’s focus on that one. Those of you building a lab physically may have to fill in some blanks to match up with your physical setup but the concepts are the same.

I start off with the most basic: the network. Servers are much more interesting when they can talk to each other some right? In Hyper-V Manager make two virtual switches, one is linked to your host machine’s NIC and therefore to the rest of your LAN and presumably the internet. The second one is an Internal Only type. These should be on separate subnets to keep the routing simple. I like to use a 10.x.x.x/24 network so that I have lots of room to play around with subnets and software based networking.

Once we have those two networks, we need a router. As I mentioned before, I use VyOS installed on a VM with two NICS, one on the internal LabNet switch and on the external “HomeLan” switch.

Next it’s time to start standing up servers. This can be done one of two ways; manually or via Desired State Configuration.   If you are like me, and just getting started with DSC, I recommend a mixed approach. Get your Domain Controller going and a Windows 8.1 or later client installed on your LabNet.  Now you have a stable network and can start playing around with DSC. I have a standard build of a configured router, DC, Windows 10 client, and a DSC server saved to a 1 TB USB drive as a backup. That way no matter how badly I hose up the lab, I can get back to a minimum stable configuration quickly and easily.  On the DSC server I keep a couple of copies of configurations for web servers, video servers, Windows 10 desktops, whatever it is that I’m playing with that week.

The only thing I haven’t been able to really introduce test wise is Apple products since I’m running in a PC environment and there is no legal way to virtualize a Mac on hardware that isn’t Apple. Of course with a little twiddling of the router configuration and by introducing a VLAN on my wireless router I’m sure I could incorporate external wireless devices like a MacBook. However, that violates the premise of keeping the “Mad Scientist Stuff” in an isolated virtual space.

Obviously there wasn’t much PowerShell in this discussion, and equally obviously, much of this you can do from a PowerShell prompt or with DSC. Unfortunately in order to get your skills to that level, the lab has to come first.

The fastest Powershell #2 : Count all users in Active Directory domain

Dear readers,

This is the second post of “The Fastest Series” on,

If you would like to read the first post of this serie please go to:

The fastest Powershell #1 : Remove carriage return and replace with a comma

Question: What is the fastest solution to count all the users in Active Directory domain?

Answer: To answer this question, I will compare 11 different commands:

  1. Get-ADUser -Filter
  2. Get-ADUser -LDAPFilter
  3. Get-ADObject -Filter
  4. Get-ADObject -LDAPFilter
  5. Get-QADUser (Quest)
  6. [adsiSearcher]
  7. Find-LdapObject
  8. Find-LdapObject -PropertiesToLoad
  9. dsquery *
  10. dsquery user
  11. adfind -c

First, I just confirm that all these commands return the same result before measuring that.


We can start to measure as results have the same values (28297).

I added all the queries into a hashtable and I rounded the results of the measures to 2 decimals for better reading.


The result is shown here, sorted by minutes.


Conclusion: In this scenario, the fastest was:.

Note : ADFind is a tool writen in C++ by Joe Richards.

The switch “-b” stands for the basedn and the output option “-c” returns objects only.


Since the version 1.06.00, the option “-c” does not return values.


Links :

Download AdFind

Download System.DirectoryServices.Protocols module (S.DS.P.psm1)

Download QAD cmdlets

Object Class and Object Category

Real-world example:

Couting the total numbers of users in Active Directory can be useful in some cases.

You could need this information to generate statistics or reports, or maybe you just want to monitor the number of accounts created / removed on regular basis.

Updated: March 07, 2015


Follow me on Twitter

My FAQ Powershell

The fastest Powershell #1 : Remove carriage return and replace with a comma

Dear readers,

This is my first post of “The Fastest Series” on,

The goal is to measure different techniques to perform a specific task and returns the fastest. All these measures are performed with the same task, under the same conditions, in the same environment and with the same criteria, it’s just about pure SPEED.

Like a Formula 1 race, we just need to know which one is the fastest to win. If the winner saved more gas than other players, it’s better, but it’s not the main goal. That’s why I called it “The Fastest” and not “The Cheapest”. For example, here are some of the tests I will be publishing (the list is not exhaustive at all, a lot more is coming):

  • The fastest Powershell #1: Remove carriage return and replace with a comma
  • The fastest Powershell #2: Count all users in an Active Directory domain
  • The fastest Powershell #3: Count all files in a large network share
  • The fastest Powershell #4: Count all files in a NTFS Hard Disk
  • The fastest Powershell #5: Read a text file

It’s really important to underline that the “Fastest Series” is not a “static” one, we are working in an environment where there are always new updates, releases and technologies. Some commands can be deprecated, others can be updated, or faster techniques can be found. For all these reasons, I invite you to often come here to check the latest results, I will keep that updated (you can look at the bottom of this article to check the latest updates).

To improve the reading, I will keep the same syntax and style in all my posts. Besides, I always apply the same methodology to determine the fastest, I call them the “3E“:

1) Equals
2) Execute
3) Evaluate

1) Equals

The result returned by these commands has to be equal, otherwise I consider it’s not relevant enough. For example, if I compare several commands, I have to double check that the number of items is the same and that I do not forget some filters or parameters that could return less (or more) items.


I am going to measure which one is the fastest between these 2 queries, and if I forget to set the “PageSize” property, what will happen? Well, the query02 will be definitely faster than the query01, but it’s not relevant because the query02 does not contain all the items: there are less items returned. In this case, with PageSize=1000 there are 28281 items returned and without there are less items (limit of records).

When setting the property PageSize to the maximum value of 1000, we will get the first 1000 items, there will be a pause, then the next 1,000 items, and so on.


To be sure, I am used to counting the total number of items before starting the measure, if one result is different from the others, I do not start the comparaison before investigating the root cause. For one of my tests (I will post about that in the future), I compared 11 queries and I ensured that all these queries contained the same number of items.


2) Execute

While the script runs, I am not performing some additional activities or tasks on the computer, that’s very important. If the script is running and in the same time I am running a lot of applications which will use a lot of resources, the computer will probably slow down and it could have an impact on the measure, especially when there is not much time between the tasks. That’s why I check that there is no overload task while the script (to measure) is running: I run, I wait and I compare.

Usually, I start Process Explorer into the System Information (Physical Memory) from the beginning to the end. For your information, most of my tests are performed with my personal laptop (Windows 8.1, CPU Intel i7 and 16 GB DDR3 RAM).


3) Evaluate

The measure unit is selected based on the task. If it’s about a very short task, I would probably use (milli)seconds, otherwise if the task needs more time to run I will use minutes (or hours eventually). Then, all the results are added to a hashtable in ascending order. I think it’s more readable to display only the unit we need from the Measure-Command. The Key contains the method’s name and the Value contains the execution time.

Using static .NET methods tend to be faster than cmdlets, and I consider that in some heavy tasks it could be very useful to use .NET methods. However, cmdlets are also great because by using .NET methods we are losing some benefits such as pipelining, WhatIf/Confirm, Get-Help native documentation, etc.

That’s why I really want to expose all the possible techniques (cmdlets, .NET, executables), and not only the fastest. Besides, it’s also interesting to know that such commands exist, and sometimes you spend less time to write “gc .\test.txt” than “[System.IO.File]::ReadAllText(“C:\scripts\test.txt”)” to read a small text file, speed concept is relative. As for me, I use cmdlets and .NET methods, it depends on the situation, the context and the environment.

Question: What is the fastest solution to remove newline / carriage return and replace with a delimiter (comma) from a TXT file?

Answer: To answer this question, I will compare 4 different commands:

  1. -join
  2. [string]::Join
  3. -replace
  4. [regex]::replace

I am using a TXT wordlist (1 GB with 120 947 450 lines).

First, I just confirm that all these commands return the same output before measuring that. I created a temporary test file and assigned the wordlist variable, then I ran these 4 commands one by one.



We can start to measure as results have the same values (a,b,c) delimited by comma.

I added all the queries into a hashtable and I rounded the results of the measures to 2 decimals for better reading.

I decided to use a hashtable because I prefer to have an automatic sort instead of a manual one. In a future post here, I will compare 11 commands so it makes no sense to sort myself the results. Moreover, hashtables are “cleaner” and are especially designed for that: key/value pairs.



This is the history graph for the memory usage (from the start to the end of the script). We can see at the beginning that the memory is increasing when parsing the content of the wordlist and loading it into memory.


Conclusion: In this scenario, the fastest was:

String.Join Method

Real-world example:

The file size in question is 60 GB (don’t ask why). I need to replace the windows carraige return rather quickly.

How to replace windows carriage return with a space in a ginormous text file

Note : In my post, I chose a comma as a delimiter but it could be something else (space, for example). The above example is  rare and extreme, but using a faster method over a slower method would significantly reduce the time execution in this case. Although the question is UNIX related, the concept is the same : Optimisation can increase the productivity.

Updated: March 04, 2015


Follow me on Twitter

My FAQ Powershell

February 2015 NoVa PSUG Meeting Notes

Matt had to cancel so we had a mini-scripting games. Bellow are the challenges.


Challenge 1

Generate a list of US Presidents sorted by last name alphabetically.


Challenge 2

Create a DSC Configuration that verifies the w32time service is set to Automatic startup and is in a Running state.


Some links of note from our discussions:

The next meeting will be on March 25th at the Reston Microsoft Office.

NJ PowerShell UG Meeting March 5th: Presenter Adam Bertram

The NJ PowerShell User Group is having a meetup on Thursday, March 6th from 6:00 – 8:00 PM.  The first half hour will be for socializing, pizza, and playing pool at our coffee bar. 

Registration: EventBrite  You must register to attend in person.

                6:00 – 6:30: Pizza and socializing
                6:30 – 7:30: Presentation
                7:30 – 8:00: Q & A

Please note that the Webex meeting will start at 6:00 PM, but the actual presentation won’t start until 6:30In-Person attendees must register, print out their EventBrite ticket, and present it at the door.  Walk-ins will not be permitted.  

Presenter: Adam Bertram

Bio: Adam has been in the IT industry since 1998 and has mostly focused his career on Microsoft technologies.  He’s a child of autoexec.bat and batch menus, graduated to VBscript 10 years ago and made his way to Powershell 3 years ago.  Adam’s passion is breaking complicated problems down and developing creative solutions using Powershell.  Due to his experience with Microsoft’s Configuration Manager he’s been known to write a lot of scripts around software management.

Presentation Description:

Managing Software Installs with Powershell

If you’ve ever tried to script a software install or uninstall to a lot of different applications you’ll know how hard it can be. Every piece of software seems to work in a different manner. This talk will go over a Powershell module I’ve created that allows me to easily find, install and uninstall MSIs, InstallShield and other EXE installers. It also has the ability to perform various cleanup routines and perform many other functions necessary for the software to work as you would expect.

Twitter: @adbertram


Coffee Bar, Pool Table, and XBox

Coffee Bar

Conference Room

Conference Room













NJ PowerShell Users Group Meeting: Presenter Doug Finke – Microsoft MVP

The NJ PowerShell User Group is having a meetup on Thursday, January 8th from 6:00 – 8:00 PM. If interested, please register through the Eventbrite website to track attendance for ordering pizza.  For those attending online (Webex) we will send a follow-up email with the meeting link based on Eventbrite online registrants. 

6:00 – 6:30: Pizza and socializing
6:30 – 7:30: Presentation
7:30 – 8:00: Q & A

Please note that the Webex meeting will start at 6:00 PM, but the actual presentation won’t start until 6:30
In-Person attendees must register, print out their EventBrite ticket, and present it at the door. Walk-ins will not be permitted.

Presenter: Doug Finke

Bio: Doug Finke, author of “PowerShell for Developers”, a Microsoft Most Valuable Professional (MVP) for PowerShell and works at Start-Automating, a company specializing in all aspects of PowerShell development, including consulting, training and tool building. Doug has been a developer and author working with numerous technologies. You can catch up with Doug at his blog Development in a Blink at

Microsoft Most Valuable Professional (MVP) Doug Finke takes us through PowerShell from a developer’s point of view. Doug shows techniques for integrating/debugging PowerShell from
and to C# code as well as using PowerShell with a Windows Presentation Foundation (WPF) application. He also addresses using reflection at the command line, object pipelining, and
PowerShell’s REPL. Plus, time permitting, Doug will highlight some of the new features in the PowerShell v5 November Preview.


Doug Finke    Windows PowerShell for Developers

NJ PowerShell Meetup Coffee Bar and Conference room at Mathematica Policy Research

Conference Room

Coffee Bar

Shortly – announcing the NA 2015 Summit speakers and agenda

We’ve been working feverishly to go through all the great presentation abstracts and make our selections. Everyone submitted really good abstracts, so if don;t receive an email by the end of the week, please understand that we only had so much room available.  This has been a difficult process, but we think we have built an excellent show for the NA 2015 PowerShell Summit.

We will be sending emails to the accepted speakers for confirmation by the end of the week.  WE will then post the agenda after we have had confirmation.


The current and future state of the Windows Management Framework

At the 2nd of October, Lee Holmes gave a presentation about the current and future state of the Windows Management Framework (WMF) during the Dutch PowerShell User Group (DuPSUG) at the Microsoft headquarters in The Netherlands.

The slide decks and recorded videos will be made available soon, but this is what was discussed:

The release cycle of the Windows Management Framework (WMF)

Faster incremental releases of preview versions are being released. This rapid development means that companies that need specific new functionalities to tackle current problems they’re having, don’t have to wait as long as they had to in the past.

Everyone should keep in mind that documentation for preview versions can be more limited, but should still read the release notes carefully. They contain descriptions of some of the improvements that are discussed in this blog post, but also cover other things that aren’t discussed here. Also be sure to take a look at What’s New in Windows PowerShell at TechNet.

A request from the audience was to include more helpful real-life examples until documentation is fully up-to-date.


Desired State Configuration (DSC) partial/split configurations

With DSC partial/split configuration it is possible to combine multiple separate DSC configurations to a single desired state. This could be useful when a company has different people or departments that are responsible for a specific part of the configuration (by example Windows, database, applications).



OneGet is a Package Manager Manager (it manages package managers). It enables companies to find, get, install and uninstall packages from both internal and public sources. Public repositories can contain harmful files and should be treated accordingly.

Besides the OneGet module included in the Windows Management Framework Preview, updated versions are continuously being uploaded to by Microsoft. These can include bug fixes and new functionality like support for more provider types.

While in the past it seemed that Nuget was required, during the PowerShell Summit it was demonstrated that a file share can be used as well.

From the audience a question was raised whether BITS (Background Intelligent Transfer Service) could be used. This is currently not the case and there were also no plans yet to implement it.



PowerShellGet is a module manager which should make it easier to find the many great modules that are already available, but are not very discoverable because they’re fragmented on numerous websites across the Internet.

Microsoft is currently hosting a gallery of modules. The modules that are available in there are currently being controlled by Microsoft, but this might change in the future.

It is possible to create an internal module source and the save location for modules can be specified as well.



PSReadLine is a bash inspired readline implementation for PowerShell to improve the command line editing experience in the PowerShell.exe console. It includes syntax coloring and CTRL+C and CTRL+V support, for more information about other improvements, view their website.

PSReadLine is one of the modules that can be installed using PowerShellGet:
Find-Module PsReadLine | Install-Module



  • Always be careful when running scripts that include Invoke-Expression or its alias iex because it might run harmful code.
    • For a non harmful example, take a look at this blog post by Lee Holmes.
  • Many people in the security community are adopting PowerShell.
  • PowerShell is done in memory and is therefore volatile. To improve security the following enhancements were introduced:
    • Transcript improvements
      • Transcript support was added to the engine so it can used everywhere, also in the Integrated Scripting Environment (ISE).
      • A transcript file name automatically includes the computer name.
      • Transcript logging can be enforced to be redirected to another system.
      • Transcription can be enforced by default.
  • Group Policy
    • An ADMX file is currently not available to configure it on all platforms, but it can be found in the technical preview versions of Windows 10 and Windows Server under: Administrative Templates -> Windows Components -> Windows PowerShell
  • More advanced Scriptblock logging
    • Enable ScriptBlockLogging through GPO (in later Windows versions) or by registry by setting EnableScriptBlockLogging to 1 (REG_DWORD) in: HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    • The additional logging will show you what code was run and can be found in event viewer under Applications and Services Logs\Microsoft\Windows\PowerShell\Operational.
    • Scriptblocks can be split across multiple event log entries due to size limitations.
    • Using Get-WinEvent -FilterHashTable it is possible to get related events, extract the information and combine it.
    • Since attackers would want to remove these registry settings and clear event logs, consider using Windows Event Forwarding/SCOM ACS to store this information on another server. Also consider enabling cmdlet logging.
  • Just Enough Admin (JEA)
    • JEA enables organizations to provide operators with only the amount of access required to perform their tasks.


New and improved functionality and cmdlets


Manage .zip files using Expand-Archive and Compress-Archive

.zip files can be managed using Compress-Archive and Expand-Archive. Other archive types like .rar are not currently supported, but this might be added in future versions.



It is now not necessary anymore to specify the item type. To create a new item, simply run
New-Item foo.txt



This makes it easier to get the value of a file or registry:

  • Get-ItemPropertyValue $Env:windir\system32\calc.exe -name versioninfo
  • Get-ItemPropertyValue-PathHKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics -Name ExecutionPolicy


Symbolic links support for New-Item, Remove-Item and Get-ChildItem

Symbolic link files and directories can now be created using:

  • New-Item -ItemType SymbolicLink -Path C:\Temp\MySymLinkFile.txt -Value $pshome\profile.ps1
  • New-Item -ItemType SymbolicLink -Path C:\Temp\MySymLinkDir -Value $pshome

Junctions cannot currently be created, but this might also be added in a later version.


Debugging using Enter-PSHostProcess and Exit-PSHostProcess

Let you debug Windows PowerShell scripts in processes separate from the current process that is running in the Windows PowerShell console (by example long running or looping code). Run Enter-PSHostProcess to enter, or attach to, a specific process ID, and then run Get-Runspace to return the active runspaces within the process. Run Exit-PSHostProcess to detach from the process when you are finished debugging the script within the process.


Use Psedit to edit files in a remote session directly in ISE

Simply open a new PSSession to a remote computer and type PSEdit <path to a file>.


Classes and other user-defined types

    • The goal is to enable a wider range of use cases, simplify development of Windows PowerShell artifacts (such as DSC resources), and accelerate coverage of management surfaces.
    • Classes are useful for structured data. Think by example about custom objects that you need to change afterwards.
    • Name of the class and the constructor must be the same.
    • Code is case insensitive.
    • In classes, variables are lexically scoped (matching braces) instead of dynamically scoped.
    • Every return must be explicit.
    • Sample code:

Class MyClass
  MyClass($int1, $int2)
        “In the constructor”
       return 42








Announcing – PowerShell Hyper-V CookBook – Free!

Fellow PowerShell MVP and author Jeff Hicks has released a free ebook on PowerShell and Hyper-V which was sponsored by Altaro. The ebook is a cookbook style of recipes for managing a Hyper-V infrastructure and virtual machines. The eBook briefly discusses how to you use each recipe. All scripts and functions are included in a separate zip file.

Visit to learn more and download your free copy.


PowerShell v5: Misc Goodness (including Auditing)

Aside from classes and new DSC features, which I’ve already written about, there are a number of less-headline, but still-very-awesome, new capabilities.

This article is based on the September 2014 preview release of WMF 5.0. Information is highly subject to change.

First up is the ability to automatically create PowerShell cmdlets from an OData endpoint. Huh? OData is a kind of web service (basically); PowerShell gains the ability to look at the endpoint and construct a set of proxy cmdlets that let you interact with the endpoint more naturally. This is spiritually similar to what PowerShell can already do for a SOAP web service endpoint.

Next are some 7-years-overdue cmdlets for managing ZIP files: Compress-Archive and Expand-Archive. Finally. These use underlying .NET Framework ZIP functionality (I think), which has had some compatibility problems in the past, so we’ll see how these hold up. But they should be the missing link to letting you do everything DSC-related right in PowerShell, since you can now ZIP up your custom resources for deployment via pull server.

Auditing gets a huge win, and this is really more of a headline feature than people think. For one, the ISE now supports transcript creation. Yay! You can also “nest” transcripts, meaning you can have one running, and then start a second one to cover only a portion of time. Closing the second one lets the first remain running. You can also specify a central transcript directory, which is useful when you want to collect these things into a central folder for reporting. For example, you should now be able to set up Remoting endpoints that automatically kick off a transcript when someone connects, and saves them to that central location.

More auditing comes in the form of Group Policy settings. You’ve always been able to log the fact that certain commands were run (did you know that?), but now you can enable detailed script tracing that logs a crapload of detail to the PowerShell operational log (which can, like any other event log, be forwarded to another server). You get the complete details of every script block executed, even if it creates another script block. Again, this is set up in Group Policy – check out the WMF 5.0 release notes for the location.

Ed Snowden gets a face slap with new Cryptographic Message Syntax (CMS) cmdlets, including Get-CmsMessage, Protect-CmsMessage, and Unprotect-CmsMessage. These use PKI to encrypt data. By the way, if your organization doesn’t already have an internal PKI, WTF are you waiting for, you’re ten years behind the curve, man. PKI becomes more important to Windows environments every single day, and you need to get with the program.

There’s also a new fun feature for extracting content from strings. This system uses some Microsoft Research functionality called FlashExtract. Essentially, you give it examples of what your data looks like, and then point it to a big string (like a text file) full of data. It can extract all the data pieces based on your example. It’s early days for this technology, but it’s kind of awesome to see the PowerShell team giving us an easy way to play with it.

Because WMF 5.0 introduces PowerShellGet, it now includes commands to add PowerShellGet repositories. That means you can stand up your own repo, host your modules there, and install modules by simply running Install-Module (or find them using Find-Module). Tres awesome! We don’t yet have technical details on what the heck a PowerShellGet repository actually looks like, but I’m sure that’ll crop up.

ARE YOU PLAYING WITH WMF 5.0 ON A NON-PRODUCTION VM YET? YOU SHOULD BE. Times are changing and you gotta keep up!

PowerShell v5: What’s New in DSC

When Desired State Configuration (DSC) came out – gosh, just about a year ago – I kept telling people that there was more to come. And a lot of it is now just around the corner in PowerShell v5.

This article is written to the September 2014 preview release – things may change for the final release.

A major set of changes in DSC is a much more detailed and granular configuration of the Local Configuration Manager (LCM), the local “agent” that makes DSC work on the target node. This new level of configuration really shows you where Microsoft’s thinking is.

For example, a single target node can be configured to pull configurations from multiple pull servers. That doesn’t necessarily mean separate machines, as a single IIS instance can host multiple websites, but it means you’re no longer limited to one MOF per computer.

Yes, I said that. The LCM can now pull (but not have pushed to it) partial configurations. Each partial configuration is a MOF, but the understanding is that there can be more than one. There’s still no dynamic evaluation of which MOFs will be pulled; you have to specify them all in the LCM configuration, but now you can break a machine’s total configuration into multiple bits. Each partial configuration is given a source, which is a pull server.

Each partial configuration can be given exclusivity over certain resources. This helps avoid overlap. For example, you might decided that Partial Config A has exclusive control over all xIPAddress settings, meaning those settings from any other partial config wouldn’t work. Partial configurations can also depend on each other, so that (for example), Partial Config B won’t even run until Partial Config A is complete.

The LCM can also have a separate server configured for web- or file-based resource repositories, meaning those can be separated from the pull server endpoint.

What used to be called the “compliance server” is now simply the reporting server – we mentioned in “The DSC Book” that the name of this would likely change. It’s now a distinct configuration item, meaning even a node in Push mode can report its status to the reporting server!

New global synchronization capabilities also exist. A node’s configuration can be made dependent on a configuration item from another node. Meaning, Node “A” won’t try to configure until Node “B” completes certain items first. Communications is all via WS-MAN and CIM.

A new Get-DscConfigurationStatus returns a high-level status for a node – similar to what the reporting server would collect – and an amazing new Compare-DscConfiguration can now accept a configuration and tell you where a given node differs. This is a big deal, and something a lot of folks wanted in PowerShell v4. There’s also an Update-DscConfiguration, which forces a node to evaluate its DSC stuff right away.

DSC is quickly coming of age. In less than a year, we’ve seen (so far) 6 releases of additional resources, and now with PowerShell v5 we’re seeing a number of important enhancements and evolutions in the core technology. Many of the things that frustrated folks initially are now taken care of.

PowerShell v5: Class Support

This post is based on the September 2014 preview release of WMF 5.0. This is pre-release software, so this information may change.

One of the banner new features in PowerShell v5 is support for real live .NET Framework class creation in Windows PowerShell. The WMF 5.0 download’s release notes has some good examples of what classes look  like, but I wanted to briefly set some expectations for the feature, based on my own early experiences.

The primary use case for classes, at this point, is for DSC resources. Rather than creating a special PowerShell module that has specially named functions, live in a specially named folder, and work in a special way – that’s a lot of special, which means a lot of room for error – classes provide a more declarative way of creating DSC resources.

But we’re a bit ahead of ourselves. What’s a class?

In object-oriented programming, a class is a hunk of code that provides a specific interface. Everything in the .NET Framework is a class. When you run Get-Process in PowerShell, for example, you are returning objects of the type System.Diagnostics.Process – or, in other languages, objects of the class System.Diagnostics.Process. Each process is an instance of the class. The class describes all the standardized things that a process can show you (like its name or ID), or that it can do (like terminate). Programmers build the functionality into the class itself.

Classes can have static properties and methods – these are hunks of code that don’t require an actual instance of a process. For example, you can start a process without having a process in the first place. The System.Math class in .NET has lots of static members – the static property Pi, for example, contains the numeric value of pi to a certain number of decimal places. The static Abs() method returns the absolute value of a number.

PowerShell classes are designed to provide similar functionality. The trick with PowerShell classes, at least at this stage of their development, is that they don’t add their type name to any kind of global namespace. That is, let’s say you write a class named My.Cool.Thing, and you save it into a script module named MyCoolThing.psm1. You can’t just go into the shell and run New-Object -TypeName My.Cool.Thing to create an instance of the class, because there’s nothing in PowerShell (yet) that knows to go look for your script module to find the class. That’ll likely change in a future release, but for right now it means classes are kind of limited.

The basic rule is that you can only use a class within the same module that contains the class. That is, the class can only be “seen” from within the module. So, your MyCoolThing.psm1 module might define a class, and then might also define several commands (functions) that use the class – that’s legal, and it will work. You still can’t use New-Object; instead, you’d instantiate your class by using something like ClassName::new(), calling the static New() method of the class to instantiate it. I expect New-Object will get “hooked up” at some point, but it might not be until some future version of PowerShell.

Anyway, back to DSC.

DSC is a bit unique, because normally you don’t load resource modules; the Local Configuration Manager loads them. When you build a DSC resource class, you’re forced to provide three methods: Get(), Set(), and Test(). The LCM loads your module, instantiates the class, and then calls the three methods as needed. DSC resources built in this fashion can live in a plain old module .PSM1 file – there’s no need to create a DSCResources subfolder, no need to have an empty “root” module, or any of that. So it’s a more elegant solution all around. Aside from some structural differences, you code them the same as you always have. v5 still supports the old-style resources, for backward compatibility, but class-based resources are the “way forward.” I expect Microsoft will eventually refactor the DSC Resource Kit to be class-based resources, as soon as they get a minute and as soon as v5 is widely adopted.

So most of the “wiring” behind classes has, to this point, been designed to support that DSC use case. In other words, of all the things a PowerShell class will need to do, the team has so far focused mainly on those things that impact DSC. The rest will come later – the release notes use the phrase, “…in this release” a lot, meaning the team understands where the current weaknesses are. “This release” in some cases may simply mean this current preview release, meaning they’re targeting more features for v5’s final release; in other cases, more features will have to wait for v6 (or whatever) or a later version of PowerShell.

So there’s a little rambling on classes and what’s presently in PowerShell v5. If you haven’t already downloaded the preview and started playing with it, you should; not in production, though. Keep it in a test VM for the time being.

Last Call for speaker submissions for the 2015 NA PowerShell Summit

This is the last call for speaker submissions to the 2015 NA PowerShell Summit due on September 15th.

We haven’t received the amount of submissions we would have expected, so if we don’t get enough submissions, then we’ll run a single-track event or… perhaps none at all. This is a venue for the community, and if there’s no participation, we may need to skip 2015 and try again in 2016. This is a labor of love (read unpaid) for the people that organize the event but we need your support by sending in submissions that you are willing to present. We have a strong attendee community and we need to give them a reason to come to the best PowerShell event in the world!

If you have already submitted your abstracts – THANK YOU!

If you have not presented before and have an interesting tale to tell about using PowerShell, then jump at the opportunity!

For detail, see this –