Archive for June, 2009

So in the never-ending GPM project, a new requirement came about recently.  It was a report to show the current state of the GPOs within Quest Group Policy Manager before any of the other work is done.  I wound up dubbing the report a ‘pre-flight’ report since we have one already for VAS and it’s a name that Ross J came up with a few years ago at another company he and I worked at.

The first pre-flight report, which just listed every GPO and some info, was done in about 10-15 minutes during the meeting with the client.  However, they also pointed out that there may be many, many GPOs, and they would like to pare the list down to a specific subset of GPOs.  Of course, that proved a little more challenging, but I managed to do it in short order.  So now the script takes in the file path of a CSV and assumes GPOName is the column name with all the GPOs listed.

So, without further ado, here is the preliminary script:

########################################################################################################################################
#
# In an ideal world, this would be a cmdlet called:
#    Preflight-QGPO GPOName [-GPMServer] [-GPMPort] [-GPOListCSV]
#
########################################################################################################################################

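# Relax the execution policy for this PowerShell process only. Without -Scope Process the
# change is machine-wide, needs administrative rights and persists after the script exits.
Set-ExecutionPolicy Unrestricted -Scope Process -Force;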

########################################################################################################################################
# the next section is all hard coded variables which need to be set to script parameters
########################################################################################################################################
# set this param to $true to start taking in command line arguments
$useParams = $true;

if ($useParams)
{
 # Which GPM Server to export from
 $GPMHostname = $args[0];
 
 # Which GPM Server port to use
 $GPMPort = $args[1];
 
 # the location of a CSV file with a list of specified GPOs
 $GPOListCSV = $args[2];
}
else
{
 # Which GPM Server to export from
 $GPMHostname = "localhost";
 
 # Which GPM Server port to use
 $GPMPort = 40200;
 
 # the location of a CSV file with a list of specified GPOs
 $GPOListCSV = "";
# $GPOListCSV = "C:\GPMScripts\GPMPreflight\PreflightGPOs.csv";
}

function OutputGPOSettings ($p_currentGPO)
{
  # read every property from the parameter, not from the caller's loop variable
  $gpoName = $p_currentGPO.Name;
  $gpoVersion = $p_currentGPO.Version;
  $gpoStatus = $p_currentGPO.Status;
  $gpoLive = $p_currentGPO.HasLive;
  $gpoTrustee = $p_currentGPO.Trustee;
  $gpoApprovalRequired = $p_currentGPO.ApprovalsRequired;
  $gpoApprovalReceived = $p_currentGPO.ApprovalsReceived;

  # $iCounter is maintained by the calling loop
  Write-Output "GPO $iCounter : '$gpoName' - the most current version is $gpoVersion ";
  Write-Output "   The current status is $gpoStatus ";
  # not quite sure how useful this is - it is basically live/not live indicator - but is not for the most current version
  # Write-Output "   Is a version of this GPO live ? $gpoLive ";

  # trustee and approval counts are only reported for checked-out or pending GPOs
  if (($gpoStatus -eq $statusCheckedOut) -or ($gpoStatus -eq $statusPending) -or ($gpoStatus -eq $statusPendingDeployment ))
  {
   Write-Output "   The current user is: $gpoTrustee ";
   Write-Output "   The approval count required? $gpoApprovalRequired ";
   Write-Output "   The approval count received? $gpoApprovalReceived ";
  }

  Write-Output "";
}
#############################################################################################################
# include the GPM stuff - redirected to $null to avoid output to logfile
& 'C:\Program Files\Quest Software\Quest Group Policy Manager\QGPMInit.ps1' -computerName $GPMHostname -portNumber $GPMPort > $null

#valid GPO status for import operation are Available or Check-out
$statusAvailable = [Quest.Avalanche.Enums.StatusType]::Available;
$statusCheckedOut = [Quest.Avalanche.Enums.StatusType]::CheckedOut;
$statusDeleted = [Quest.Avalanche.Enums.StatusType]::Deleted;
$statusError = [Quest.Avalanche.Enums.StatusType]::Error ;
$statusErrorNoWorkingCopy = [Quest.Avalanche.Enums.StatusType]::ErrorNoWorkingCopy ;
$statusPending = [Quest.Avalanche.Enums.StatusType]::Pending ;
$statusPendingDeployment = [Quest.Avalanche.Enums.StatusType]::PendingDeployment ;
$statusUnregistered = [Quest.Avalanche.Enums.StatusType]::Unregistered ;

Write-Output "----------------------------";
Write-Output "Beginning Preflight Check of GPM Server '$GPMHostname' on port $GPMPort ";

$iCounter = 0;

if (($GPOListCSV -eq "") -or ($GPOListCSV -eq $null))
{
 # loop through all the objects in the data set and find the policy we want
 foreach($currentGPO in $VCManager.GetControlledObjects("GPO"))
 {
  $iCounter = $iCounter + 1;
  OutputGPOSettings $currentGPO;
 }
}
else
{
 # bring in the file
 $GPOList = Import-Csv $GPOListCSV;

 # loop through all the objects in the data set and find the policy we want
 :GPOLoopCSV foreach($currentGPO in $VCManager.GetControlledObjects("GPO"))
 {
  foreach ($GPOName in $GPOList)
  {
   if ($currentGPO.Name -eq $GPOName.GPOName )
   {
    $iCounter = $iCounter + 1;
    OutputGPOSettings $currentGPO;
    # move on to the next GPO so a name listed twice in the CSV is only reported once
    continue GPOLoopCSV;
   }
  }
 }
}

# $iCounter is still 0 when nothing was reported (empty server or no CSV entry matched)
if ($iCounter -eq 0)
{
 Write-Output "No matching GPOs were found.";
}
Write-Output "Preflight Completed";
Write-Output "----------------------------"; 
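
The CSV filter in the script reports nothing for a list entry that matches no GPO, and nothing at all if the file lacks a GPOName column, so a pre-flight report can look complete while omitting GPOs. The following is an added example, not part of the original script: the function name Select-PreflightGPO, its parameters and the sample data are hypothetical, and it relies only on the GPOName column and the .Name property used above.

```powershell
# Added example: validate the GPO list CSV and return the names that matched nothing.
# Select-PreflightGPO, its parameters and the sample data below are hypothetical.
function Select-PreflightGPO
{
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $ControlledGPOs,
        [Parameter(Mandatory = $true)] [string] $GPOListCSV
    )
    if (-not (Test-Path -LiteralPath $GPOListCSV -PathType Leaf))
    {
        throw "GPO list '$GPOListCSV' was not found.";
    }
    $rows = @(Import-Csv -LiteralPath $GPOListCSV);
    # an empty file or a wrong header would otherwise match nothing, silently
    if (($rows.Count -eq 0) -or ($null -eq $rows[0].PSObject.Properties['GPOName']))
    {
        throw "GPO list '$GPOListCSV' has no rows or no GPOName column.";
    }
    # hashtable keys are case-insensitive, like -eq in the script above
    $wanted = @{};
    foreach ($row in $rows)
    {
        $name = ([string]$row.GPOName).Trim();
        if ($name -ne '') { $wanted[$name] = $false; }   # $false = not seen yet
    }
    $matched = @();
    foreach ($gpo in $ControlledGPOs)
    {
        $name = [string]$gpo.Name;
        if ($wanted.ContainsKey($name))
        {
            $wanted[$name] = $true;
            $matched += $gpo;
        }
    }
    $missing = @($wanted.Keys | Where-Object { -not $wanted[$_] } | Sort-Object);
    New-Object PSObject -Property @{ Matched = $matched; Missing = $missing };
}

# Constructed sample data: three stand-in GPO objects and a two-entry CSV.
$sampleGPOs = 'Default Domain Policy', 'Workstation Lockdown', 'Server Baseline' |
    ForEach-Object { New-Object PSObject -Property @{ Name = $_; Status = 'Available' } };
$csv = Join-Path $env:TEMP 'PreflightGPOs-sample.csv';
Set-Content -LiteralPath $csv -Value 'GPOName', 'workstation lockdown', 'Retired Kiosk Policy';
$result = Select-PreflightGPO -ControlledGPOs $sampleGPOs -GPOListCSV $csv;
$result.Matched | ForEach-Object { Write-Output "Matched: $($_.Name)" };
$result.Missing | ForEach-Object { Write-Output "No GPO named '$_' was found." };
Remove-Item -LiteralPath $csv;
```

In the real script, the objects returned by $VCManager.GetControlledObjects("GPO") would take the place of the sample objects.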

I just got an Amazon Kindle, and think it’s fantastic. However, I’m now torn on what to do with 1 particular book: Infinite Jest by David Foster Wallace.  The reason is that it’s a massive book (1100 pages) and I am on page 20.  Should I re-purchase it on the Kindle? The Kindle seems ideal for it, yet I don’t want to spend another $10 on a book I already own.  If I don’t, I doubt I’ll actually get to finish it as I have very little time to read outside riding the train, and the book is just too big to carry around.  Plus, I have 12+ hours of train time coming up this week . . .

(This post was written a while back and has been held up in drafts)

Yesterday (29-5-2009), I was at a customer that had 400 users, yet 1,300 active accounts in AD.  And these were not stray/orphaned accounts, but those used for actual services.  One thing they’re not aware of is a new type of object in AD called Managed Service Accounts.  Regardless, even having that many accounts for so few users is alarming.

They definitely need a better management strategy for managing all those accounts because there’s simply no way to properly keep up with these accounts.  We’ll be working with them in the coming months to help them deploy Quest ActiveRoles Server to start getting some of this under control and I’m sure it will be a sea change for them once they get a handle on that tool.  I’ll try and keep this site posted on what they do.