Tuesday, 25 November 2014

Listing Configuration Manager Security Scopes Assigned to a Task Sequence

Today I had a problem. I wanted to create a spreadsheet that included the following information about task sequences in a customer's System Center 2012 SP1 Configuration Manager environment:

- Task sequence name
- Task sequence description
- Task sequence security scope

When listing this information to the screen it was OK, but when sending it to a .csv file, the 'SecuredScopeNames' was being recorded as 'SystemString' and not the actual value I wanted.

A colleague spent 20 minutes looking at this for me as I was lost and he figured it out. This is what he did. Pretty cool:


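# Get all task sequences in the site
$ts = Get-CMTaskSequence

# SecuredScopeNames is an array of strings, so Export-CSV writes the type name
# instead of the values. Join the scope names into one string before exporting.
$ts | `
Select-Object Name, @{Name="SecuredScopeNames";Expression={($_.SecuredScopeNames -Join ",")}}, Description | `
Export-CSV `
  -Path "C:\Temp\Scopes-Task-Sequences.csv" `
  -Delimiter ";"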

Friday, 31 October 2014

PowerShell and Remote Services

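Some quick notes on how to work with services on remote machines with PowerShell. These rely on the -ComputerName parameter of Get-Service, which is available in Windows PowerShell but was removed in PowerShell 6 and later ...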

Get all remote services on a target machine ...

Get-Service -ComputerName DB01


Get a specific service on a target machine ...

Get-Service -ComputerName DB01 -Name MSSQLSERVER


Get services based on part of the name on a target machine ...

Get-Service -ComputerName DB01 | Where-Object Name -match "sql"


Start a service on a target machine ...

Start-Service -InputObject `
               $(Get-Service -ComputerName DB01 -Name MSSQLSERVER)


Restart a service on a target machine ...

Restart-Service -InputObject `
               $(Get-Service -ComputerName DB01 -Name MSSQLSERVER)


Stop a service on a target machine ...

Stop-Service -InputObject `
               $(Get-Service -ComputerName DB01 -Name MSSQLSERVER)

Friday, 17 October 2014

Create the System Management Container with PowerShell

If you want System Center Configuration Manager to publish to Active Directory, you have to extend the directory schema and create the System Management container in the System container. You then have to give site servers full control of the new object. Here's some Windows PowerShell to create the System Management container and set the required permissions on it: the script grants GenericAll to the computer account of the server it runs on, applied to the container and all of its descendant objects. If the container already exists, the script will still assign permissions for a new site server. The script has been designed to run from the site server, not from another server.


# ========================================================
# SystemManagementContainer.ps1
#
# Purpose: Creates and/or configures the Active Directory System 
# Management container
#
# Author: JustAnotherTechnicalBlog 
# (http://justanothertechnicalblog.blogspot.com.au)
# 
# Version: 1.0
# 
# NOTES:
#
# 1. Creates the 'System Management' container required by 
#    Configuration Manager if it does not already exist
#
# 2. Sets permissions on the 'System Management' container 
#    required by site servers
#
# 3. Is designed to be run from the site server.  It configures
#    permissions for the host from where it is run.
#
# 4. No variables required
#
# 5. Does assume the Active Directory PowerShell module is 
#    available on the target machine
#
# ========================================================

# Get the distinguished name of the Active Directory domain
$DomainDN = (Get-ADDomain).DistinguishedName

# Get the AD computer object for this system
$ThisSiteSystem = Get-ADComputer $env:ComputerName 

# Build distinguished name path of the System container
$SystemDN = "CN=System," + $DomainDN

# Get or create the System Management container
$Container = $null 
Try 
 { 
    $Container = Get-ADObject "CN=System Management,$SystemDN" 
 } 
Catch 
 { 
    Write-Verbose "System Management container does not exist." 
 }

If ($Container -eq $null) 
 { 
    $Container = New-ADObject -Type Container -name "System Management" `
                                             -Path "$SystemDN" -Passthru 
 }

# Get current ACL for the System Management container
$ACL = Get-ACL -Path AD:\$Container

# Get the SID for the computer object
$SID = [System.Security.Principal.SecurityIdentifier] $ThisSiteSystem.SID

# Create a new access control entry for the System Management container
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                                     $SID,$adRights,$type,$inheritanceType

# Add the new access control entry to the ACL object we grabbed earlier
$ACL.AddAccessRule($ACE)

# Commit the updated ACL, including the new access rule, to the container
Set-ACL -AclObject $ACL -Path "AD:$Container"
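
A follow-up check for the permissions set above, added here as an example and not part of the original script: it lists every Allow entry that carries GenericAll on an ACL and flags the ones that do not belong to a known site server. The function name Get-FullControlAce and the SIDs in the sample are made up for illustration; the sample ACL is built in memory so the function can be tried without a domain.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-FullControlAce {
    param(
        [Parameter(Mandatory = $true)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        # SIDs that are expected to hold full control (the site servers)
        [string[]] $ExpectedSid = @()
    )
    $full    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited entries, with identities returned as SIDs
    foreach ($rule in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # GenericAll is a composite mask: every bit must be present
        if (($rule.ActiveDirectoryRights -band $full) -ne $full) { continue }
        [pscustomobject]@{
            Sid         = $rule.IdentityReference.Value
            Inheritance = $rule.InheritanceType
            IsInherited = $rule.IsInherited
            Expected    = $ExpectedSid -contains $rule.IdentityReference.Value
        }
    }
}

# Constructed sample: two made-up SIDs, both granted GenericAll with inheritance
$siteServer = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$other      = 'S-1-5-21-1111111111-2222222222-3333333333-1190'
$rights  = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll'
$allow   = [System.Security.AccessControl.AccessControlType] 'Allow'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'All'
$sample  = New-Object System.DirectoryServices.ActiveDirectorySecurity
foreach ($s in $siteServer, $other) {
    $id = [System.Security.Principal.SecurityIdentifier] $s
    $sample.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $id, $rights, $allow, $inherit))
}

# Show only the full-control entries that are not on the expected list
Get-FullControlAce -Acl $sample -ExpectedSid $siteServer |
    Where-Object { -not $_.Expected }

# Against a live domain, with the ActiveDirectory module loaded, pass the real ACL:
#   $dn = "CN=System Management,CN=System," + (Get-ADDomain).DistinguishedName
#   Get-FullControlAce -Acl (Get-Acl "AD:$dn") `
#       -ExpectedSid (Get-ADComputer $env:ComputerName).SID.Value
```

On a real container the output will also include any inherited full-control entries, so review the IsInherited column before treating an entry as unexpected.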