Tips on Windows Automation

On one of the discussions on regarding Windows Automation there was some quite useful comments that I had to collect  for my own selfish purposes:

By: thalakan (14668)  on Friday May 06, @07:42PM

PowerShell. The only tool that knows how to talk to all the different frameworks in Windows is PowerShell. No other tool can talk to .NET, COM, WMI, native APIs (via P/Invoke), and external studio based tools. If you can't do the automation you want using something in one of the above frameworks, you've got bigger problems than finding a good automation tool.

Other tools:

System update readiness tool: []
WMI diagnostic utility: []
gplogview: []
Windows SDK (including debugging tools for windows): []
ollydbg: []
sysinternals suite: []
Windows Management Framework: []
WDK: []
WAIK: []
Windows 7 SP1 WAIK supplement: []

Other comments:

By bertok (226922) writes: on Friday May 06, @08:11PM

Essentially, for newer versions of Exchange and SharePoint, PowerShell is the only scripting option, and is excellent. For older versions, you don't have a lot of options, but you can probably call COM APIs using PowerShell as well, but the effort is a lot higher. The APIs exposed by Exchange (e.g.: MAPI) are hideous. SharePoint can be managed via direct SQL database queries from anything, with some care.

For Windows servers in general, stick to PowerShell. It's by far the best shell/scripting language by a wide margin. There's a learning curve, but it's absolutely worth it. To get set up to an equivalent level to Bash+SSH:

- Install PS2 + WinRM2 on pre-2008 R2 servers. It's not installed by default, and 2008 comes with PS1. There's a hotfix that updates PowerShell and all associated components to v2 on XP, 2003, Vista, and 2008.
- Enable unsigned scripts to run. Preventing .ps1 script files from running by default is a *** workaround for not having an execute bit, and is totally useless. Just turn it off.
- Enable WinRM. This is the equivalent of SSH, but has to be enabled on both servers (which is obvious), and the clients (for no discernible reason).
- Enable CredSSP. This improves WinRM by allowing delegated credentials to be used remotely. Unlike SSH, WinRM is an RPC protocol, and due to limitations of Windows authentication, the remote server cannot use network resources with the client's credentials (one hop security). The workaround is credentials delegation. This requires a server-side setting, and two client-side settings.
- Install plugins. There are about a dozen that ship with Windows 2008 R2, a plugin for Exchange 2007 and 2010, and a plugin for SharePoint. To set up the AD plugin on pre-2008 R2 domains, there's a module that has to be deployed, it's basically a web service that the PS plugin uses. The SQL plugin is an optional download that is particularly handy for SharePoint.

That seems like a lot, but can be done in seconds from the command-line, and even better, can be done completely automatically using Group Policy. For new server deployments, I ask for my servers to be created under an AD container, and I just set those options up in a common policy configured on that container, and then everything just works.

The equivalent of a remote SSH session in: Enter-PSSession 'computername'

However, it gets better: You can create and store sessions in variables by creating them using New-PSSession. You can pipe objects into remote sessions and invoke commands on them, or arrays of them. In other words, a single line of code lets you invoke commands in bulk across farms of servers.

For example, as a Citrix XenApp admin, I often have to update machine policy across a farm. This is just two lines with PowerShell:

$xaservers = Get-XAServer | Select -ExpandProperty ServerName
Invoke-Command -CN $xaservers { gpupdate }

That will query the list of XenApp servers, extract the server names into an array, and invoke "gpupdate" in parallel across all of them using a temporary secure shell session.

There might be equivalent capabilities on Linux, but nothing on the Windows platform comes close to what you can do with PowerShell.

Comments (0)

Skip to main content