Episode 274 - PowerScripting Podcast - Microsoft Distinguished Engineer Jeffrey Snover on JEA

A Podcast about Windows PowerShell. Listen:

In This Episode

Tonight on the PowerScripting Podcast, we talk to Distinguished Engineer Jeffrey Snover



Guest - Jeffrey Snover



  • JEA premises
    • reduce the # of admin privs users
    • credentials persist and can be used to spider
    • limit actions
  • New toolkit based on powershell remoting
  • JEA endpoint = powershell configuration
    • provisions user w/set of toolkits (and only those)
    • runs as an account with local admin privs
    • JEA endpoint account has only local admin privs
  • “security that isn’t deployed, isn’t security”
  • How can we take advanced features and reduce to a simple set of features to deploy
  • Implemented as DSC
  • PowerShell v5 is required
    • Why: any time that WinRM changes are made, WinRM service must be restarted, and v4 has a bug in WinRM
  • Very similar to sudo from *nix, but more fine-grained, e.g. limit which process can be stopped by stop-process
  • Build CSV as input to a toolkit spec
    • module
    • command(s)
    • parameters
  • Logging is sent to ETW/PowerShell, and is broken down by module
  • Will ship as a set of toolkits
  • OMI runs on 41 Linux distros
  • “CTP next month” (meaning July?)
  • “yes, moving back towards developers and new .net features”

Chatroom Highlights:

[21:37:02] <sepeck> ## when is the next one [MVA]?

[21:38:07] <AlexTeachesTech> ## Will there be a DSC video series on MVA?

[21:45:05] <Ver_Anderson> ## What kind f pats do yu wear

[21:45:15] <psCookieMonster> just to get it out of the way - ## are classes coming to PS5, anything to share on the implementation?  Is a new PowerShell MVA on the way, what might be covered?  when will we get the PowerShell source code? : )  Maybe too early for the last one!

[21:45:18] <jcotton> ## is JEA based on PowerShell remoting?

[21:48:48] <BartekB> ## DSC for Linux is based on OMI. Can we expect easy OMI-to-DSC implementations? Like DSC for Cisco/ Arista/ Huawei?

[21:49:05] <MattHitchcock> ## Whats the approach for using JEA on Domain Controllers? I guess you'd be forced to use a Domain Account for RunAs

[21:51:17] <Zackbmiller> ## Can JEA be ran on all version of powershell?

[21:58:43] <BartekB> ## Why New-Object in JEA?

[21:59:26] <BartekB> halr9000: When I was watching Jeffrey presentation: he defined (exposed) new-object in endpoint.

[21:59:11] <PowerSchill> ## How do you handle the "chain of evidence" for the actions performed?

[22:03:18] <DonJ-MVP> ##### Payette "outed" classes in v5 on Twitter yesterday. Inquiring minds wanna confirmation.

[22:13:54] <psCookieMonster> ## will the slides from the Monad Manifesto update be made available?  Might be helpful for those that missed it

[22:18:24] <Darkoperator> wish OMI was packaged and available in most distros

[22:20:17] <randal_hicks> ## @jsnover With a project as huge as Powershell, how have you gone about managing it (other than check marks off the Monad Manifesto)?

[22:22:11] <randal_hicks> ## @jsnover How do you 'unplug' -- to clear your head -- before diving back into the work?

[22:42:26] <psCookieMonster> ## Jeffrey tweeted about DSC being fast tracked for the common engineering criteria a while back... in what sense?  standard for configuration management? Something else?

[22:44:23] <_____> "How I learned to stop clicking and love the shell" Jeffrey Snover

[22:47:50] <BartekB> ## why not xResources on GitHub, so that others can jump on it and help? We had some fixes to cResources and than almost the same on xResource.

<Ver_Anderson> @sepek I was looking at this one http://www.ncix.com/detail/cooler-ma...85648-1141.htm

<Ver_Anderson> http://www.ncix.com/detail/cooler-master-storm-devastator-ms1k-cc-85648-1141.htm

<sepeck> ## http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014?sort=sequential&direction=desc&term=powershell#fbid=

<JonWalz> http://vaughnlive.tv/embed/video/jonwalz

<sepeck> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B362#fbid=   <_- refered to video

<psCookieMonster> jcotton - check out http://blogs.technet.com/b/privatecloud/archive/2014/05/14/just-enough-administration-step-by-step.aspx

<gpduck> DSC on linux: http://blogs.msdn.com/b/powershell/archive/2014/05/19/announcing-windows-powershell-desired-state-configuration-for-linux.aspx

<gpduck> DSC on linux step by step: http://blogs.technet.com/b/privatecloud/archive/2014/05/19/powershell-dsc-for-linux-step-by-step.aspx

<MikeFRobbins> Steve Murawski is speaking on DSC next Wednesday for the PowerShell Virtual Chapter of SQLPASS: http://powershell.sqlpass.org/

<DonJ-MVP> http://www.petri.co.il/enable-powershell-logging.htm# - enable command logging

<ScriptingWife> https://powershell.org/community-events/summit/

<psCookieMonster> https://connect.microsoft.com/PowerShell/feedback/details/838221/powershell-must-support-calling-async-apis

<Dave_Wyatt> gpduck: http://gallery.technet.microsoft.com/Invoke-Generic-Methods-bf7675af

<MattHitchcock> http://blog.opslogix.com/?p=217

<ehorley> Nexus 6k OMI guide - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/omi/b_OMI_guide_chapter_01.html

<brwilkinson> did anyone see this article last month: http://blog.opslogix.com/?p=203

<sepeck> any chance of a DSC getting added to the TLGs?   http://social.technet.microsoft.com/wiki/contents/articles/1262.test-lab-guides.aspx

<sepeck> AlexTeachesTech: http://technet.microsoft.com/en-us/virtuallabs/bb467605.aspx

<vhusker> https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=microsoft.holsystems.com&altadd=true&labid=10846

<psCookieMonster> AlexTeachesTech - presumably a subset or superset of something like https://automatedlab.codeplex.com/ could be handled by DSC

<psCookieMonster> AlexTeachesTech https://www.youtube.com/channel/UCX27-k3xeNSgXVklCx-dnXQ

<_____> https://powershell.org/2013/05/07/powershell-summit-videos/

<_____> https://pbs.twimg.com/media/BpxkHsKCUAAUPcN.jpg:large

<halr9000> this song in spotify http://open.spotify.com/track/6wfPPd3eNgBoW7YXMwzRb0

<JonWalz> http://grooveshark.com/s/Hurricane+Season/3Ctx2y?src=5


The Question - How do you unplug?

  • Beer and yoga
About the Author

Jonathan Walz

Since March 2007, Jonathan Walz has been the co-host and technical brains for the PowerScripting Podcast. Conceived as a radio show for the PowerShell community, the podcast is the longest-lived PowerShell show in existence, and has featured dozens of weekly guests.