The Identity Management Wizard

If you haven’t checked it out yet, see the PowerGUI site at http://www.powergui.org/ .  What lead me to posting the subject of this post, though?  Here’s an excerpt of an edited email I sent internally:

————————————–

It dawned on me how cool it is just now.  Here’s my current scenario – I volunteered to help with some PS scripting for Group Policy Manager thinking, “How hard can it be?  Its just another scripting language, so having worked with bash, perl, python, ASP and lots of other junk, it can’t be much different than any of those.” I installed GPM 4.1, and then googled for:

“group policy manager” powershell

And got led to this:

http://gpm.inside.quest.com/entry.jspa?categoryID=153&externalID=1870

After downloading the zip, and following the instructions, . . .  I get nothing.  I can now open a PS window, initialise the script, but there’s no other documentation so I don’t know what to do next.  Get-help doesn’t have anything useful since I have nothing but 1 string ($VCManager) to work with.  After thinking about things, I realise all I need is PowerGUI, and its code editor, so after installing it, I am now getting this:

click for full view

THAT IS AWESOME!!!!!

So the funny thing is that this is nothing new.  The whole IntelliSense thing has been around for years, and I remember using back in the early 2000s when I did development, but I don’t think most people (admins, SCs, etc) realise what a benefit this is.  I don’t really need documentation with this if I know what I’m doing, code-wise.  Just look – if I want to know how to check in a GPO, the code it right there!

{ Comments on this entry are closed }

Following up on one of my ‘to do’ list items, here’s what I came up with.  First off, the requirement was to provide a sample of how to use PowerShell to roll back a GPO within Quest’s GPM to a previous version.  Now, GPM doesn’t have a set of cmdlets (that’s coming in another post) but it does have an API, so coding this is definitely possible.

The interesting thing about a ‘rollback’ as that you don’t actually want to roll anything back.  You want to restore old settings/code but you want to ‘roll foward’ since want to preserve the history of what has been deployed before.  That’s what this script shows – enjoy.  Oh, and the first line references a script that is available here: http://gpm.inside.quest.com/entry.jspa?categoryID=153&externalID=1870

———————————-

& 'C:Program FilesQuest SoftwareQuest Group Policy ManagerQGPMInit.ps1' -computerName questdc1

# define the GPO name, which is what people will probably know it as – this

# can be an argument to a script later

$gpoName = "VAS Policy";

$foundGPO = $false ;

# loop through all the objects in the data set and find the policy we want

foreach($currentGPO in $VCManager.GetControlledObjects("GPO") |

      Where-Object {$_.Name -eq $gpoName})

{

      $foundGPO = $true;

      # count the number of deployed versions

      $counter1 = 0;

        $rollbackSuccess = $false;

      # check out the GPO so we can edit it

      # you can discard the contents returned since we want a previous version

      $VCManager.CheckOut($currentGPO.VCId, "Rollback to previous version");

      # now start rolling through history - note: the array brought back by getHistory is unsorted

      # so we need to sort it, and find the 'Deploy' version that is 1 back

      foreach ($action in $VCManager.GetHistory($currentGPO.VCId) | Sort-Object -Descending Version)

      {

            # pull back only deployed objects, since we need to go 1 back

            # this should probably be deployed or registered GPOs -

            # someone else can put in the additional check

            if ($action.Type -eq "Deploy")

            {

                  $counter1 += 1;

                  # 2 is really 2 deployed versions ago - change the 2 to

                  # deploy older version - make it an argument if you want flexibility

                  if ($counter1 -eq 2)

                  {

                                                               
                # Retrieve a backup from version control.  We need this to pass

                    # to the GPO-specific version of the Save() method.

                    $rollbackVersionBackup = $VCManager.GetBackup( $currentGPO.VCId, $action.BackupId);

                    # This version of the Save() method is for GPOs only, and takes

                    # the version control ID of the GPO, a backup object, and a

                    # migration table.  Since we're just rolling back a GPO, the

                    # backup is obviously from the same domain as the GPO, and we

                    # can just pass $null.

                    $VCManager.Save( $currentGPO.VCId, $rollbackVersionBackup, $null );

                    $VCManager.CheckIn($currentGPO.VCId, "Rolling back");

                    $VCManager.RequestApproval($currentGPO.VCId, "Requesting Roll back");

                                                                               
                    $VCManager.Approve($currentGPO.VCId, "Approving Roll back");

                    $VCManager.Deploy($currentGPO.VCId, "Deploying Roll back");

                    # I should probably break out of the loop here since I’m done with everything

                    # and there may be more versions that I will just cycle through

                    $rollbackSuccess = $true;

                  }

            }

      }

   if( $rollbackSuccess -eq $false )

   {

       $VCManager.UndoCheckOut($currentGPO.VCId, "Rollback to previous version")

    }

}

{ Comments on this entry are closed }

Trying to get posting via email to work with little success.  Need to keep working on it.

In the mean time, I just finished off an internal session on integrating two of our products (QAS and QPM4U) and it went well . . . at least I think it did.  Its hard to tell anything on muted live meetings where you’re talking to everyone and no one . . .

I plan on publishing in a public version of that walk through shortly.

Also on my plate, I owe the following to various people:

– Managing VSJ service account settings via ActiveRoles Server and PowerShell

– Duplicating accounts in AD, but using Quick Connect to avoid the mess caused by your normal AD copy.  Controlling and suppressing attributes is key.

– QPM integration with Defender and some unique use cases for a large retailer

– A sample PowerShell script (or two) for GPM

Any takers on any of these?

{ Comments on this entry are closed }

Let’s see if this helps any.  In general, I have a lot of random thoughts around Identity Management but don’t have the time to keep a blog going.  At the same time, Twitter and other ’social media’ channels are too restrictive, so I definitely need a site of my own.  I’m hoping the Word Press approach, along with a little automation to my email/mobile will help get posts out.

{ Comments on this entry are closed }