Testing the DSC Pull Server, apply localhost.mof to a client node that disables Windows Firewall

In video number 45, Secure (HTTPS) DSC Pull Server with SQL Database using a Group Managed Service Account (gMSA), I set up an HTTPS DSC Pull server with a SQL backend using a gMSA to authenticate to SQL. We tested the Pull server simply by accessing the IIS website to verify that IIS was functioning and the database was built correctly.

In this video I will use this same infrastructure to configure the Windows Firewall on a client node. I will use the FirewallProfile resource from the NetworkingDsc module on the PowerShell Gallery to accomplish the task. The video has all the step-by-step instructions, and you can download the code used at my website linked below.

I hope this was helpful.

This is the code to create the localhost.mof configuration file.

This will create the meta.mof to configure the LCM on the client node.
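A sketch of the two configurations described above, added here as an example and not the author's downloadable code. The pull server URL, the registration key placeholder, the configuration names `FirewallTest` and `PullClient`, and the choice to publish the document under the name `localhost` are assumptions.

```powershell
# Added example; requires the NetworkingDsc module where the MOF is compiled.
Configuration FirewallTest {
    Import-DscResource -ModuleName NetworkingDsc

    Node 'localhost' {
        # One FirewallProfile resource per profile; Name is the key property.
        foreach ($fwProfile in 'Domain', 'Private', 'Public') {
            FirewallProfile "Firewall$fwProfile" {
                Name    = $fwProfile
                # 'False' is the lab test state from the post; 'True' enforces the firewall.
                Enabled = 'False'
            }
        }
    }
}

[DSCLocalConfigurationManager()]
Configuration PullClient {
    Node 'localhost' {
        Settings {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RefreshFrequencyMins = 30
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL          = 'https://pull.example.test/PSDSCPullServer.svc' # assumed URL
            RegistrationKey    = '<registration-key-from-pull-server>'           # placeholder
            ConfigurationNames = @('localhost')  # assumed: matches localhost.mof on the server
        }
    }
}

# Compile: writes .\FirewallTest\localhost.mof and .\PullClient\localhost.meta.mof
FirewallTest -OutputPath .\FirewallTest
PullClient   -OutputPath .\PullClient

# The pull server only serves a MOF that has a matching .checksum file beside it.
New-DscChecksum -Path .\FirewallTest\localhost.mof -Force

# On the client node: point the LCM at the pull server, then pull immediately.
Set-DscLocalConfigurationManager -Path .\PullClient -Verbose
Update-DscConfiguration -Wait -Verbose
```

The compiled `localhost.mof` and its checksum still have to be copied to the pull server's configuration folder, and the client needs the NetworkingDsc module available, before the pull succeeds.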

How to build a Secure (HTTPS) DSC Pull Server with a SQL Database using a Group Managed Service Account (gMSA)

You have seen on the interwebs many blog posts and videos about setting up a Secure DSC pull server with SQL authentication with a local SQL service account. What I have not seen is a tutorial for how to set up a secure DSC Pull Server with a SQL Database using a Group Managed Service Account (gMSA).

Spoiler alert: it’s not as easy as I thought it was going to be. Check out the video below for details.

This is the Pull Server build code.

How to use Chocolatey to Install Software remotely on multiple computers.

In a previous video I used just PowerShell to install software remotely. In this video I show you how to use the Chocolatey package manager to install packages (software) from the Chocolatey repository on multiple computers simultaneously using a single function.

Be careful what packages you’re downloading. There are some security features built into the Chocolatey repo, but this may not be the solution for an enterprise environment. I use this to overlay software on top of lab VMs that I build and rebuild on a regular basis. In that case I’m not so concerned about the security aspect as I might be in a standard enterprise. There is a paid enterprise version of Chocolatey that enables you to stand up a local repo and use Chocolatey to roll out packages from the local repo, which would be a better enterprise solution in my mind.

My GitHub Repo: https://github.com/signalwarrant/MyPowershell

Here is the Chocolatey install script:

Here is the Function to install the packages remotely:

Remote Computer Inventory with PowerShell vNext, 2020 Edition

This is the successor to the first inventory script I put together in 2016 (https://www.signalwarrant.com/remote-computer-inventory-powershell/). This version uses the Get-CimInstance cmdlet to get all the information from the WMI classes as opposed to the WMI cmdlets. I have also added some additional information that I thought was relevant. If you can think of anything else that may be good to add let me know, or submit a Pull Request on GitHub.

My GitHub: https://github.com/signalwarrant/PowerShell

PowerShell Splatting How-To: I should use it more and so should you!

In my experience splatting is one of those often overlooked and underutilized features of PowerShell. Full disclosure, I don’t use it regularly myself. Most times I just forget it’s a thing.

For those that are new to PowerShell, splatting looks more difficult than it really is. The whole idea of this video is to demonstrate how easy splatting is, explain the syntax, and encourage its use.

Mark Kraus has already put together a more concise and detailed explanation on the subject here (https://get-powershellblog.blogspot.com/2019/11/teach-splating-or-die.html), I suggest you take a look. I particularly like Mark’s idea of “consider using splats for anything that uses 3 or more parameters”. I’m going to adopt this philosophy as my own best practice going forward.

If you have any questions leave them here, comment on the video or contact me on the twitter machine @signalwarrant.

Format and Combine Merch by Amazon Sales reports in seconds with PowerShell

I dabble a bit in Merch by Amazon and have grown to hate the monthly sales reports they give you. For whatever reason, Amazon dumps a bunch of useless information in the first column of the CSV file. Why they do that, I have no idea, but it makes the CSV files difficult to use from a data analysis perspective. There are some tools, most of which you need to pay for, out on the market where you can get your sales information. Since I’m only dabbling with Merch by Amazon, I wasn’t willing to pay for anything, so I decided to solve the problem with PowerShell.

You can use this script on pretty much any Windows machine and can easily adapt it to run it on Mac or Linux with PowerShell installed.

This is what the original reports look like.

Merch by Amazon Report Before

U.G.L.Y… the interesting information doesn’t start until row 13. All the other stuff at the top is just stuff in my opinion so we’ll get rid of it.

This is what the combined CSV file will look like.

Merch by Amazon Report After

That is all the data you need to create valuable reports with your sales data using SQL, PowerBI or just using Excel. It runs super-fast; I ran the script on all my sales reports back to October of 2017 and it took less than 1 second to create the combined CSV file.

If you’re new to PowerShell and have some trouble getting it running feel free to reach out to me in the comments and I’ll see if I can help you get it going.

Code: https://github.com/signalwarrant/Powershell/blob/master/Format-MerchReports.ps1

How to get the local Administrators of one or many computers remotely with PowerShell.

This is a request that was made by someone a few months ago. It’s been a while so I apologize for not remembering who requested it. We’re using the Win32_GroupUser class to get the local administrators of a computer or many computers remotely. The function is modular enough to give you the ability to view the results in the console, export to a CSV, or a text file if you really wanted to I guess.

If you know of an easier method of doing this please let me know.

Code Download: https://github.com/signalwarrant/Powershell/blob/master/Get-LocalAdmins.ps1

Visual Studio Code and Azure DevOps (formerly VisualStudio.com) Integration Step-by-Step

My previous video walked through the process of using the old Visual Studio Team Services VS Code extension. That extension has now been deprecated. With the latest version of VS Code (I installed v 1.28.1) you should see the Azure Repos extension baked into VS Code. The only other requirement is a local Git repo (I installed 2.19.1). Once you have all the software installed it’s much easier to get this going; all the steps are below as well as in the video.

Step 1: Download and install VS Code (Download Link: https://code.visualstudio.com/download). The default install should work fine.

Step 2: Download and install Git (Download Link: https://git-scm.com/download). Choose all the defaults except change VS Code to the default editor. That’s actually optional but I did it.

Step 3: Access your VisualStudio.com / Azure Repos repo and click the “Clone to VS Code” link… see the video for details. You’ll be asked where in the file structure to clone the repo and prompted for your VisualStudio.com / Azure Repos credentials.

At this point you should be all set. Make sure you test changing a file and committing it to the cloud just to make sure. It’s a much easier process than before, but I wasn’t able to find instructions on the interweb; thus, this video and writeup.

Thanks for watching / reading.

Enterprise Security: How to configure and use Group Managed Service Accounts

I routinely see organizations big and small still using “regular” Active Directory user accounts as service accounts. Typically, they have the password for those service accounts set to never expire, or an alternate password policy that only requires that the password be changed yearly. If your organization is managing service accounts like this you are only increasing the potential for exploitation when a nefarious actor gets inside your enterprise. It’s a matter of WHEN, not if.

With Windows Server 2012, Microsoft introduced Group Managed Service Accounts to address this specific situation. Group Managed Service Accounts (gMSA) are an upgrade from the Managed Service Accounts that were available in Windows Server 2008 in that a gMSA can be used on multiple servers. There is no need to create a specific service account for each server, although your internal policies may dictate otherwise.

Why use gMSA?

  • The password is managed in Active Directory (AD) and is changed every 30 days by default.
  • Because the password is managed by AD, no human will ever know the password.
  • gMSA passwords are 240 bytes long, so they are complex.
  • gMSAs are not permitted to log on interactively.

How do I configure and use a gMSA?

The code below is everything you need to get started with gMSAs. Also, take a look at the video below for a more in-depth walk-through of the process.
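A minimal gMSA setup sequence, added here as an example and not the author's own script. The account name `gmsaSQL`, the group `gMSA-SQL-Hosts`, the hosts `SQL01`/`SQL02` and the domain `corp.example.test` are assumed placeholders.

```powershell
# Added example; all account, group, host and domain names are constructed placeholders.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key that domain controllers use to derive
#    gMSA passwords. DCs wait up to 10 hours for replication before using a new key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Isolated single-DC lab only, to skip the wait:
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A security group that holds the computer accounts allowed to retrieve the
#    password. Scoping retrieval to a group keeps the set of hosts auditable.
New-ADGroup -Name 'gMSA-SQL-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-SQL-Hosts' -Members 'SQL01$', 'SQL02$'

# 3. Create the gMSA (splatted, since it takes more than three parameters).
$gmsaParams = @{
    Name                                       = 'gmsaSQL'
    DNSHostName                                = 'gmsaSQL.corp.example.test'
    PrincipalsAllowedToRetrieveManagedPassword = 'gMSA-SQL-Hosts'
    ManagedPasswordIntervalInDays              = 30   # the default stated above
}
New-ADServiceAccount @gmsaParams

# 4. On each member host (reboot first so the computer picks up its new group
#    membership): install the account and confirm the host can use it.
Install-ADServiceAccount -Identity 'gmsaSQL'
Test-ADServiceAccount -Identity 'gmsaSQL'

# 5. Audit: list which principals may retrieve the managed password.
Get-ADServiceAccount -Identity 'gmsaSQL' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

When assigning the account to a service, enter the logon name with a trailing `$` (for example `CORP\gmsaSQL$`) and leave the password blank; the host retrieves it from AD.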

Do yourself a favor… get rid of legacy service accounts. It’s one of those things you can do to incrementally harden your enterprise.

Quickly deploy LAB Virtual Machines with the AutomatedLab PowerShell Framework

My Requirements:

  • Use PowerShell to minimize the time spent on creating VMs.
  • Install ADDS along with the VM creation.
  • Use a differencing disk for all the VMs to save disk space.

In the spirit of kickstarting this channel again, I needed to spin up a few Virtual Machines to facilitate PowerShelling. I was going to go through the process of using the Hyper-V management Cmdlets when I stumbled upon the AutomatedLab framework on GitHub (https://github.com/AutomatedLab/AutomatedLab). I had never used this framework before, so a little trial and error was in order.

Kudos to the developers, they have included an assortment of sample Lab scripts that you can easily modify to suit your needs and get going fairly quickly without a lot of hassle. The framework also includes the ability to install some applications like Exchange, SQL and a few others. There are many more features included that I haven’t started playing with yet. It’s worth having a look, particularly if you find yourself doing things like demoing applications or testing GPO settings on a regular basis.

The code I used to spin out my lab is below.