Hi Vinod,

I think you'll find that the scriptblock does not have visibility of the variables concerned. You can reference the variables by either using $using:variablename (e.g. $using:quiesc) . Note thats from PowerShell 3.0 and above.

Alternatively, you are able to also reference the variables via $args[0] to reference the first value passed into the scriptblock from the argument list, $args[1] the second and so on. Both of these will not require the param…. part.

Here's an example of your same code

$remotesession = New-PSSession -ComputerName $env:COMPUTERNAME
$filepath = 'c:\ps\DCS\dispatch.vbs'
$quiesc = 'task'


$scriptBlock = {
    Write-Output -InputObject "Command to be executed : Start-Process -FilePath $using:filepath -ArgumentList $using:quiesc"
    Start-Process -FilePath $using:filepath -ArgumentList $using:quiesc
}

Invoke-Command -Session $remotesession -ScriptBlock $scriptBlock
Remove-PSSession -Session $remotesession

And output :

Command to be executed : Start-Process -FilePath c:\ps\DCS\dispatch.vbs -ArgumentList task

Is there a way of using Powershell to get smartcard credentials?

Use Case.
I need to remote to a bunch of servers and disable specific task. The servers need my smartcard credentials.

thanks

thickgit wrote:

OK, just to follow on from that, I've exported a list of users whose 'Pager' field is empty. I've done a vlookup against a master spreadsheet to get the correct pager numbers for each user and ended up with a 2-column CSV file (Headers are 'SamAccountName' and 'Pager')

You're right – 'Set-ADUser' doesn't have a 'Pager' parameter, and this time it doesn't have an '-OtherAttributes' parameter either.

Meh.

Thought I'd play with it before coming here asking for more hand-outs! Read the help for Set-ADUser and found the answer!

Import-CSV C:\user_pagers.csv | ForEach-Object {Set-ADUser $_.SamAccountName -Replace @{Pager=$_.Pager}}

Re-sult!

For those who haven't tried this yet. I confirm it works.
Thanks for your answer!

how about running the code without the extra braces:


$filepath = 'c:\ps\DCS\dispatch.vbs'
$quiesc = 'task'

$scriptBlock = {
param ($filepath, $quiesc)
Start-Process -FilePath $filepath -ArgumentList $quiesc
}

invoke-Command -Session $remotesession -ScriptBlock $scriptBlock -ArgumentList $filepath,$quiesc

Hi,
I actually saw the command piped to Update-AzureVM in this article: {http://www.powershellmagazine.com/2014/08/05/understanding-azure-vm-dsc-extension/}
When I run

{Remove-AzureVMDscExtension -VM $vm -Verbose}

it prints the following

DeploymentName : my-first-vm
Name : my-first-vm
Label :
VM : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.PersistentVM
InstanceStatus : ReadyRole
IpAddress : 100.91.86.111
InstanceStateDetails :
PowerState : Started
InstanceErrorCode :
InstanceFaultDomain : 0
InstanceName : my-first-vm
InstanceUpgradeDomain : 0
InstanceSize : Small
HostName : my-first-vm
AvailabilitySetName :
DNSName : http://first-ale-vm.cloudapp.net/
Status : ReadyRole
GuestAgentStatus : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.GuestAgentStatus
ResourceExtensionStatusList : {Microsoft.Compute.BGInfo, Microsoft.Powershell.DSC}
PublicIPAddress :
PublicIPName :
NetworkInterfaces : {}
ServiceName : first-ale-vm
OperationDescription : Get-AzureVM
OperationId : b46f15a8a0cc7a9fb7578e7a1a8aec72
OperationStatus : OK

and nothing seems to happen as I checked by looking both at the graphical interface through portal.azure.com and by printing $vm.ResourceExtensionStatusList, obtaining:
…
HandlerName : Microsoft.Powershell.DSC
Version : 1.5.0.0
Status : Ready
Code :
Message :
FormattedMessage :
ExtensionSettingStatus : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.ResourceExtensionConfigurationStatus
ExtensionData :

Thanks a lot for your help!

We are trying to make managers aware of who has users with email on their mobile devices whether company supplied or personal.

I have a task assigned to me. I am trying to learn PowerShell, but my skills are not up to this task yet.

I have been asked to get a list of all mobile devices and their owners/users connected to Exchange 2010 through ActiveSync.

Next step is to find the managers of the Mobile Device owners/users.

Then display/write a report showing Managers and their subordinates with devices connected to ActiveSync

I would like to be able to run the script and have it email the report to the managers.

I do have script that gives me User (FirstName LastName), PrimarySMTPAddress, DeviceType,Device Model, Device OS, lastSyncAttemptTime and LastSuccessSync

I can pull the User field but cannot seem to match it to Get-ADUser data

All help would be greatly appreciated.

Thanks

I have an arraylist that is dynamic. It is created from the results of a get-mailboxexport command. Each entry has 3 values. 2 will definitely contain duplicate values and the other will potentially contain duplicates.

I only need to use 2 of the values however. So I have an Identity value and a status value. I need to be able to find all duplicate identity's where at least one status is 'Failed'.

I found this example $arrPies | Group-Object | Where-Object {$_.Count -gt 1} but it doesn't quite seem to fit this situation. So I have tried this:

foreach ($i in $test)

{select-object -identity | group-object | where-object {$i.count -gt 1}

$i.identity

}

This still does not return any value. At this time I am not comparing the Status value, just wanting it to select any items where there are duplicate identities.

This should be the finished product. Copy and make changes as needed.

#======================================================
# Get Server Information
# Modify the path to get list of servers
#======================================================
param (
[string[]]$ServerArray = (Get-Content -Path ListServers.txt)
)
#======================================================
# Create new Excel workbook
#======================================================
Write-Verbose "$(Get-Date): Script begins!"
Write-Verbose "$(Get-Date): Opening Excel…"
$Excel = New-Object -ComObject Excel.Application
$Excel.Visible = $True
$Excel = $Excel.Workbooks.Add()
$Sheet = $Excel.Worksheets.Item(1)
$Sheet.Name = "Server Services"
#=======================================================
# Place Column Header Names in Excel file
#=======================================================
$Sheet.Cells.Item(1,1) = "Server"
$Sheet.Cells.Item(1,2) = "Service Name"
$Sheet.Cells.Item(1,3) = "Status"
$Sheet.Cells.Item(1,4) = "Startup Type"
$Sheet.Cells.Item(1,5) = "Service Account"
#=======================================================
# Format the Top Header Rows
#=======================================================
$intRow = 2
$WorkBook = $Sheet.UsedRange
$WorkBook.Interior.ColorIndex = 40
$WorkBook.Font.ColorIndex = 11
$WorkBook.Font.Bold = $True
#=======================================================
# Main Loop
# Gets the computer name from the txt file, searches and removes any notlike
# Places results in the Excel file
#=======================================================
ForEach ($Server in $ServerArray)
{
$Sheet.Cells.Item($intRow, 1) = $Server
$Sheet.Cells.Item($intRow, 2) = ""
$Sheet.Cells.Item($intRow, 3) = ""
$Sheet.Cells.Item($intRow, 4) = ""
$Sheet.Cells.Item($intRow, 5) = ""
$a=Get-WmiObject win32_service -ComputerName $Server | where {$_.startname -notlike "*Local*Service*" -and $_.startname -notlike "*local*system*" -and $_.startname -notlike "*Network*Service*"}
$a | % {
If ($Server -notlike "SERVERTEST")
{

If ($Server -ne $_.systemname)
{
$intRow ++
}
else
{
$Sheet.Cells.Item($intRow, 1) = $_.systemname
$Sheet.Cells.Item($intRow, 2) = $_.Name
$Sheet.Cells.Item($intRow, 3) = $_.State
$Sheet.Cells.Item($intRow, 4) = $_.StartMode
$Sheet.Cells.Item($intRow, 5) = $_.StartName
$intRow ++
}
}
$WorkBook.EntireColumn.AutoFit() | Out-Null
}
}
#=======================================================
# Format the Ending Row
#=======================================================
$intRow ++
$Sheet.Cells.Item($intRow,1) = "Server Inventory Completed"
$Sheet.Cells.Item($intRow,1).Font.Bold = $True
$Sheet.Cells.Item($intRow,1).Interior.ColorIndex = 40
$Sheet.Cells.Item($intRow,2).Interior.ColorIndex = 40
$Sheet.Cells.Item($intRow,3).Interior.ColorIndex = 40
Write-Verbose "$(Get-Date): Completed!"

If you have no legacy configuration management, why not use DSC in the enterprise from the get-go.

Hello,

I have been successful at getting PS Remoting to work between untrusted domains, Yaay!! However, I can't figure out how to enable CredSSP.
CredSSP is working great for me within the same domain.
I've created an SSL endpoint on the target server, but still cannot connect, as per below:
I have every WinRM trust setting imaginable set to WSMAN/*.lab.testing.com, on the client machine.

Works:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication Default -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

Fails:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication credssp -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

Error:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.

Fails:
New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL

Error:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.

Fails:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL -SessionOption $sessOption

Any help is appreciated, thanks!

Well, the error message seems pretty clear. I know I'm going to sound like a jerk. But, what it wants is a trusted certificate on the server that you were trying to connect to. Because it doesn't have Kerberos to verify the identity. or am I not getting your question in my head? If not, sorry – try again, it's been a day!

Doh!

I had tried that command before, but this was my usage:
winrm set winrm/config/service @{CertificateThumbprint=""}

Looks like after re-reading the error message I was missing the single quotest around the @
winrm set winrm/config/service '@{CertificateThumbprint=""}'

Now I have set this on the target server and my client

When connection I got:

New-PSSession : [] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client received an HTTP server error
status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.

I just gave Everyone read access to the cert, and here is the winrm configuration.

Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = * [Source="GPO"]
IPv6Filter = * [Source="GPO"]
EnableCompatibilityHttpListener = true [Source="GPO"]
EnableCompatibilityHttpsListener = false
CertificateThumbprint = 9267198CA389DCC3C96582742D406A96792E8CEA
AllowRemoteAccess = true [Source="GPO"]

However, now I'm back to:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:13

Creds are creds, there's no difference except when the UAC prompts you type a pin instead of user/pw. By default, any command you run inside a PoSH will use the credentials you used to launch the shell. Some cmdlets like "Invoke-Command" have a -Credential parameter that allow you to provide different credentials.

All you need to do is match one of the attributes from the first script to a user attribute in AD. You could modify the first script to spit out a field like "SAMAccountName" or you could use some string parsing tricks with one of the attributes you have to query the AD user. If you're still stuck it might help us to post your original script.

Your first example was close but you should specify the property that Group-Object should focus on like:

$arr | Group-Object -Property Identity | Where-Object {$_.Count -gt 1}

Hi Team,

I am trying to install reportviewer from a network path in a system using package resource. Below is the code snippet.

Package ReportViewer
{
Ensure = "Present"
Path = "\\arwdfsp01.mw.na.cat.com\shares\wam942-60\Software\Microsoft\Microsoft Report Viewer 2012 Runtime\ReportViewer.msi"
Name = "Report Viewer"
Arguments = "/S /V/qn"
ProductID = "
LogPath = "$env:ProgramData\report_install.log"
DependsOn = "[Package]SQLScript"
}

But while running the code …it gets stuck..
So, any idea what could be the issue here?

Thanks,
Aravinda

You've showed us the code for [Package]ReportViewer, but it's [Package]SQLScript that's shown in your screenshot.

Couple of questions: How large is the MSI / exe used in this installation? What permissions are set on the share where the file is being downloaded from? Have you tried setting the Credential parameter in the Package resource? (This is used to access the source path.)

One workaround might be to use the File or xRemoteFile resources to copy the MSI to a temporary location on the local computer, then point the Package resource at that path.

Have you checked that Group Policy setting that you bolded in the original post? (I assume so; just checking.)

Dave, When is it best to copy locally vs install remotely? what is going to use less network, the extraction of the ID and name from the MSI for comparison or the file comparison that the File Resorce uses? Doe they both have to transfer the full file?

I'd have to double check the code, will look into that when I have time.