Who’s Your User? – Four flavors of the EMS Get-User cmdlet

While I’ve written some lovely Get-User functions for Windows PowerShell to work with Active Directory environments in general, and the good people at Quest have provided a Get-QADUser cmdlet as well, many people seem to have missed that Exchange Server 2007 happens to have a Get-User cmdlet available right in your friendly neighborhood Exchange Management Shell (EMS).

Get-User in EMS has three syntactic forms (parameter sets), depending on what you want; the first form, used without any specific identity, yields the most results. Counting that case on its own gives four flavors (scenarios):

• Get-User

[Vanilla] With no exciting parameters, Get-User returns all users. Actually, there are several variations on this theme. Kind of like getting French Vanilla versus ordinary vanilla, or maybe even the kind with vanilla bean flecks in it. We’ll come back to this.

• Get-User -Identity <UserIdParameter>

[Chocolate] If you know the identity of the user you want, just specify it and Get-User will just give you the proper user object. Yes, there’s fudge ripple and chocolate chunk variations, but that’s another story.

• Get-User -Filter <String>

[Strawberry] For something a bit more wild than the run of the mill chocolate or vanilla, we have the strawberry flavor of Get-User – this allows an expression such as {((Title -eq 'Director') -or (Title -eq 'Manager')) -and (Department -eq 'Marketing')} to be used. Only those users matching the search filter’s criteria will be delivered – kind of like those chunks of real strawberry.

• Get-User -Anr <String>

[Mint] Although not as common, once you get used to the acquired taste of mint, it can be a bit addictive; such is the rapport of ambiguous name resolution (ANR). Mixing in a bit of chocolate to the mint? Well, naturally – although we may use wildcards with the -Identity – the ANR functionality of Active Directory and Exchange is an awesomely minty way to choose users by approximate match of several attributes without crazy (strawberry) filters.

Yes, we have no mint-neapolitan. You must choose between those different flavors: all, identity, filter, or ANR. However, wildcards may be used with -Identity, several matching options may be used with -Filter, and -Anr magically matches based on the specific ANR criteria.

But wait, there’s more! Remember when we said there were variations, like bean-flecked vanilla? Here are some additional parameters which we can give to Get-User to be more selective in what we get. For the most part, all of these work with all the flavors mentioned earlier.

[-Credential <PSCredential>]
[-DomainController <Fqdn>]
[-IgnoreDefaultScope <SwitchParameter>]
[-OrganizationalUnit <OrganizationalUnitIdParameter>]
[-ReadFromDomainController <SwitchParameter>]
[-RecipientTypeDetails <RecipientTypeDetails[]>]
[-ResultSize <Unlimited>]
[-SortBy <String>]
[<CommonParameters>]
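The four flavors side by side, plus a few of the extra parameters, as an added example that is not part of the original post. It assumes an Exchange Management Shell session with rights to read recipients; the identities, titles, departments and the domain controller name are constructed values.

```powershell
# Added example (not from the original post): the four Get-User flavors side
# by side in the Exchange Management Shell, plus a few of the extra parameters.
# Assumes an EMS session with rights to read recipients; the identities,
# titles, departments and DC name below are constructed values.

# Vanilla: every user. Exchange cmdlets return at most 1000 objects unless
# told otherwise, so say so explicitly when you really mean "all".
$all = Get-User -ResultSize Unlimited -SortBy DisplayName

# Chocolate: one known identity, or a wildcard pattern against it
$one  = Get-User -Identity 'contoso\jsmith'
$jays = Get-User -Identity 'j*'

# Strawberry: an OPATH filter evaluated by the server before anything is returned
$mgmt = Get-User -ResultSize Unlimited -Filter {
    ((Title -eq 'Director') -or (Title -eq 'Manager')) -and (Department -eq 'Marketing')
}

# Mint: ambiguous name resolution matches the ANR attribute set (displayName,
# givenName, sn, sAMAccountName, proxyAddresses and a few others) in one go
$anr = Get-User -Anr 'smith' -ResultSize Unlimited

# Bean flecks: only mailbox-enabled users, read from one named DC so repeated
# runs during a change give a consistent answer (replication lag aside)
$mbx = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
                -DomainController dc1.contoso.example

# What did ANR pick up that a plain display-name filter would have missed?
$byName = Get-User -Filter {DisplayName -like 'smith*'} -ResultSize Unlimited
Compare-Object ($anr | Select-Object -ExpandProperty DistinguishedName) `
               ($byName | Select-Object -ExpandProperty DistinguishedName)
```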

Anyway, many students in Exchange Server 2007 courses ask questions which are answered by delving into the tasty details of the EMS Get-User cmdlet. I hope that you found this brief introduction satisfying.

Are you hungry for ice cream at this point? Just so you know, I haven’t had ice cream in probably the past half a gigasecond or so.

Virtually Yours – Part 2 – Collaboration Tools

In another post, I wrote a brief overview of the virtual classroom. Now, I’d like to focus on some annotation tools I use to enhance the virtual classroom experience.

As I’ve taught in excess of 7,000 hours in the virtual classroom, I’ve developed a number of techniques for (I hope) delivering training as good or better than what we teach in the physical classroom.

When I’m teaching virtual instructor-led training for Global Knowledge, we use the iLinc platform. Like Interwise (AT&T Connect), Centra (Saba), WebEx (Cisco), Live Meeting (Microsoft) and others, iLinc is a network-based collaboration platform which allows students and instructors to come together from around the world. I’ve had students who are in New Zealand, Australia, and many other countries in Asia, Europe, South America, and North America. If you have attended a class with me and you were in Africa, Antarctica, or somewhere else I didn’t list above, please drop me a line! No, I haven’t had any students from the International Space Station – yet.

iLinc, like its competitors, has a wealth of annotation tools. Why do I think this is important? If you attend dozens of hours of training in a 3, 4, or 5 day class in the virtual classroom, I certainly want to make sure you’re doing well on the labs and asking questions, following other people’s questions, and hopefully even paying attention when I’m talking. I strive to use the technology as much as possible to assist with keeping you tuned in. Other instructors may have different techniques, but here are a few I use.

• Text chat – this may seem obvious, but when I mention URLs, file system paths, and even (the first use of) certain acronyms, I’ve had people scramble to write them down: “Brad, could you repeat that?” So often, I’ll be typing that URL or other text in the public text chat of iLinc. Any student can save the text chat transcript in iLinc before they exit. I’ve had numerous students tell me that’s handy because some of the paths aren’t spelled out in the student handbook or lab guide.

• Demonstrations – application sharing can be done with iLinc so that I share out my Remote Desktop Connection session to my lab pod. I can move between the virtual machines and demonstrate the answer to a question, or a lecture/discussion point that I think is best seen. I love demonstrations to the point that I sometimes ask students if it’s OK if we demo through a certain lesson and then review the slides quickly as an after-the-demo reinforcement. But I use them extensively in the physical classroom too, so that’s not really a virtual classroom difference – just something I felt compelled to mention.

• Slide annotation – text, drawing, highlighting, dropping graphics. While there are applications which make this possible in the physical classroom, the virtual classroom is where I find annotating slides essential. I don’t have to maintain eye contact with everyone and stand on one toe on a chair to reach the top of the whiteboard or duck-walk across a stage. Certainly, physical comedy, and tossing whiteboard markers to people (physically) doesn’t exactly translate very well into the virtual classroom.

Instead, the habit I’ve developed is based on a pet peeve of mine. If I’m attending an online meeting – even 15 minutes, or one hour – let alone dozens of hours a week – just listening to someone talk about a static slide drives me batty. I’ve already mentioned that I use text chat and demonstrations more than in the physical classroom to “compensate” a bit; but it’s not enough.

Therefore, I draw. Well, as some of my students might tell you (maybe some will respond here?), I tend to scribble. In my office, more than half a dozen of the computers have Wacom external tablets with pen and mouse. Whatever I’m talking about on the slide – shown in iLinc like it would be in PowerPoint – I’m highlighting, pointing to, or drawing on. Sometimes I’ll even type text on the whiteboard, but for better interactive audio-visual I usually write or draw with the pen. I always tell my students at the beginning of class that if a slide or originally blank whiteboard becomes too cluttered, just let me know and I’ll wipe off my annotations and we’ll start clean. Although I’m sure my art skills can still use much improvement, I feel that this technique is superior to using the currently available whiteboard and projector-based markup options available in a typical training center. I’ll avoid elaboration on that topic at the moment.

Some students have told me that they do screen captures of the whiteboard. I guess I’d better hone my artistic and penmanship skills. But one of my main goals of this technique is to keep students awake with visual motion, not 100% legibility.

• Questions – I like to encourage questions even more in the virtual classroom than in the physical classroom because I can’t see people’s eyes (or confused/querulous looks) in the virtual classroom. Some students feel more comfortable asking questions via audio (Global Knowledge sends an audio headset with microphone along with the virtual classroom kit – it may be in a separate box). Others seem to prefer text chat. For the truly anonymous approach, we have a private text chat option, so that other people don’t know who has asked the question; or, if I don’t mention “someone just asked…” but just segue into the topic with my attempted answer, others might not even know there was a question. I believe that once students realize these different options for asking questions, and the option to draw on the whiteboard themselves, more questions get asked in the virtual classroom than in the physical classroom.

I hope that you’ve enjoyed reading a few of the techniques I’ve adopted for enhancing the virtual classroom experience. Other instructors might not use these techniques (but they may have better ones). But no matter who you have as an instructor, I think the virtual classroom is a great way to not just attend training, but to immerse yourself into training.

Perhaps I’ll “see” you in the virtual classroom some day?

Virtually Yours – An Introduction to the Virtual Classroom

Since 2001 I’ve taught quite a few classes in the virtual classroom. Global Knowledge’s virtual classroom e-learning (VCeL) provides instructor-led training via the Internet. GK currently has 157 courses available via this modality, 42 of which are about Microsoft technologies.

As I’ve taught in excess of 7,000 hours in the virtual classroom, I’ve developed a number of techniques for (I hope) delivering training as good or better than what we teach in the physical classroom. The goal of this post is certainly not to get into the tradeoffs and differences between physical classroom and virtual classroom deliveries of instructor-led training. Instead, my focus here is just an overview. In a future post, I’ll focus on annotation tools I use.

Global Knowledge currently uses iLinc to facilitate the lecture/discussion/collaboration parts of the virtual classroom. Many classes, such as the training on Microsoft technologies I teach, use what we affectionately call Remote Labs. With the remote labs access, each student uses Remote Desktop Connection (or similar technologies such as Sun Secure Global Desktop (Tarantella)) to connect to a pod of virtual machines used in performing the lab exercises at the end of each training module. In some courses, students can use the remote labs environment for practice exercises in the midst of the module, perhaps during each lesson – it depends on the course.

This fusion of Remote Desktop and virtual machines with the iLinc communications platform provides a wonderful delivery vehicle for all sorts of training. For courseware on Microsoft technologies, we may have a lecture/discussion of the lessons in a module on Exchange Server 2007 or Windows Server 2008 and then, using the remote labs access, the students work through the lab exercises on virtual machines running operating systems such as Windows XP, Vista, Server 2003, and Server 2008. Because these virtual machines are hosted at Global Knowledge facilities, the student doesn’t need to have local capacity to host the virtual machines, or maintain the right images for the operating systems, SQL Server, System Center, Exchange Server, and so on. Some courses, like Group Policy and Defending Windows Networks, have custom Global Knowledge courseware which makes use of third-party tools. Again, this software doesn’t need to be licensed or installed on the student’s premises, because it’s only used on the virtual machines. Each student accesses all of the software needed for the course labs by way of the remote labs environment (e.g. Remote Desktop Connection).

Just writing about the virtual classroom gets me excited, so before I go overboard I’d better stop there. If you haven’t had the opportunity to attend a class in the virtual classroom, I’d like to personally invite you to give it a try. Click here for a list of courses Global Knowledge offers in VCeL.

Wrapping Functions

It was a dark and starlit morning a couple of weeks ago. My students arrived one by one with the usual greetings for the second day of class. The course I was teaching in the Global Knowledge virtual classroom was Automating Windows Server 2008 Administration with Windows PowerShell – more on that later.

One of the questions that day was a question I’ve heard many times before – a question I often also get in Exchange Server 2007 classes, in consulting, and occasionally from people I meet on the street.

“I’ve typed a lot of great commands in PowerShell just now. How do I save those to a file to run again as a script? Actually, if I could save all or part of my recent commands as a function in my profile, that would be great! Is that even possible?”

Possible, indeed. If you’ve ever had the experience that something you just typed in Windows PowerShell was so much fun (or useful too) that you want to do it again, consider the following utility script [See Figure 1].

filter global:Wrap-Function {
    param($fun="Wrapped")                      # pass "global:Name" or another scope prefix to control where the function lands
    BEGIN  { Write-Output "function $fun {" }  # runs once: the function header
    PROCESS{ "`t" + $_ }                       # runs per pipeline item: one tab-indented body line
    END    { Write-Output "}" }                # runs once: the closing brace
}

Figure 1: Wrap-Function

All this innocent looking filter does is write a function definition, with a <TAB> at the beginning of each body line. Two questions usually arise: (a) So just how does this work? (b) Great, but how would I use this? Let’s focus on how we’d use this and save how it works for another day – if you’re like many people, you want something done first; then maybe you’ll have the time and curiosity to wonder how it works.

Figure 2 shows an example where literal string values are put into a function.

"Get-ExchangeServer","Get-MailboxStatistics" | Wrap-Function

function Wrapped {
	Get-ExchangeServer
	Get-MailboxStatistics
}

Figure 2: Using Wrap-Function

For a tad more practical value, consider getting the contents of a file, wrapping them as a function, then saving the output to file [Figure 3].

gc myscript.ps1 | Wrap-Function myfunction >myfunscript.ps1

Figure 3: Using Wrap-Function to Convert a Script

Converting a script file into a function definition which could be saved in another script file can prove to be quite useful during administration or during script development. But it doesn’t exactly answer the original question: “How can I save my recent commands?”

And that we’ll take a look at in a later entry.
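One way to get from "my recent commands" to a function in the profile, built on the Wrap-Function filter from figure 1 (assumed already defined). This is an added example, not the post's own answer; Save-RecentCommand is a hypothetical name, and the history-Id range parameters are my choice.

```powershell
# Added example, not from the original post: wrap a range of recently typed
# commands (by Get-History Id) into a function and append it to the profile.
# Assumes the Wrap-Function filter from figure 1 is already defined.
# Save-RecentCommand is a hypothetical name.

function global:Save-RecentCommand {
    param(
        [int]$First,                 # history Id of the first command to keep
        [int]$Last,                  # history Id of the last command to keep
        [string]$Name = "Wrapped",   # name for the generated function
        [string]$Path = $profile     # where the definition is appended
    )
    # Add-Content does not create a missing profile directory; New-Item -Force does
    if (-not (Test-Path $Path)) { New-Item -ItemType File -Path $Path -Force | Out-Null }

    # Get-History returns HistoryInfo objects; CommandLine is the text you typed.
    # Ask for the whole buffer, keep the Id range, and skip any call to this
    # function itself that happens to fall inside it.
    Get-History -Count $MaximumHistoryCount |
        Where-Object { $_.Id -ge $First -and $_.Id -le $Last -and
                       $_.CommandLine -notmatch '^\s*Save-RecentCommand' } |
        ForEach-Object { $_.CommandLine } |
        Wrap-Function $Name |
        Add-Content -Path $Path

    "Appended function $Name (history $First..$Last) to $Path"
}

# Example session (constructed): commands 5 through 8 were the interesting ones
# Save-RecentCommand -First 5 -Last 8 -Name global:Get-MyMailboxReport
# . $profile    # dot-source the profile so the new function is available now
```

Review the appended text before dot-sourcing it again: anything typed in that range, including a mistyped command, becomes part of the function body.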

Global Knowledge on Microsoft Blog

Tim Hazel over at Global Knowledge asked if I’d submit some blog entries that relate to training, Global Knowledge, Microsoft technologies and such.

I gladly accepted!

Richard Luckett and Mark Menges are also blogging over at <http://microsoftblog.globalknowledge.com/>. Take a look and let me know what you think.

Enjoy!

FYI: Werner Training and Consulting, Inc. has been working with the good people at Global Knowledge for many years.

Who Do You Trust? Concepts of using private PKI for OWA

I’d be slightly exaggerating if I said that I get questions about public key infrastructure every day, because yesterday no one asked me anything about PKI. Today, I received several questions. I’m sure there are plenty of great references on the web. But here’s my response to a recent student with questions about IIS, SharePoint, and E2K7 (OWA) web security. I thought I’d share it with you in case it helps you too.

When using a public key infrastructure (PKI) for security, a device such as a phone, workstation, or server needs to be configured to trust the other machines or users it’s communicating with. The trust could be direct or indirect. PKI-based trusts are based upon public key certificates. I’ve written quite a bit about public key cryptosystems, and certainly there are many chapters or whole courses of material which get into the details, but I’ll try to distill down a few basic facets for you.

But first, an analogy. Imagine that you’re driving 100 km/h (62.5 mph) through a school zone in some other province or state. In most jurisdictions, going that fast in a school zone is highly illegal and a really bad idea too. Let’s assume that you have a license issued by the government of Québec and you’re driving in Ontario. The citizen or law enforcement officer who stops/questions you about your driving might ask for your license – how do they know it’s a legitimate license? The government of Ontario trusts the government of Québec, right? So you’re known as an authentic licensed driver, or at least you were before driving so fast in a school zone. So you’re authentic but not necessarily legal (authorized). Enough of that for now, but where, you ask, is the analogy?

Ah yes, the analogy. A certification authority (CA) is a type of server on a network which can issue certificates to users, computers, or other devices just as a motor vehicle department of a government can issue identity cards and driver’s licenses to citizens and residents. With a real-world ID card, the agency certifies that your name and likeness (photo) go together, and that they’ve checked other credentials such as your date of birth, eye color, hair color, and height. There’s typically a validity period with a start date and end date (expiration). Driver’s licenses also add information vouching for your credentials as someone who passed a driver’s test for a certain class of vehicle (e.g. motorcycle, car, truck, bus, etc.) and vision test. Other information may be included. Similarly, a certificate server providing the certification authority (CA) service certifies your identity along with a public key which can be used to encrypt or decrypt information with a corresponding private key. Let’s not get into the details of public/private key relationships. The point is that the certificate associates your name with your digital identity instead of with your ability to drive a vehicle. The strange part is that people can get certificates from a CA without proving that they can “drive” a computer, but that’s another story.

There are publicly operated CAs that are hosted by government agencies and by corporations. Just as a public driver’s license would usually be trusted between states or provinces, and perhaps across national boundaries, a public key certificate issued by a public CA is usually trusted across corporate, government agency, and residential boundaries. Most operating systems, including Windows XP and Vista, come with a number of PKI “trusts” built in, and a systems administrator can change those PKI trusts. Normally, just as licenses from New York, California, Sonora, Chihuahua, British Columbia, and Saskatchewan are trusted world-wide, public key certificates from Verisign, Entrust, many national post, telephone and telegraph (PTT) organizations, and lots of other corporations are already trusted in the default installation of Windows.

Why would you want to use a private CA within your organization (corporation, agency, partnership, etc.)? And what would the limitations be? Imagine that you drive a tractor in a farming community, or a forklift in your corporate warehouse. You might be known in your community or corporation to be a legitimate driver of such vehicles. Does that imply that you can drive those vehicles or other kinds of vehicles in other environments? Certainly, Mac OS X, Linux, Solaris, other UNIXes, and certain editions of Windows Server can be set up to host a certification authority which can issue certificates to users, smartcards, workstations, servers, and other devices. For example, your own internal servers running Windows 2000 Advanced Server, Windows Server 2003 Enterprise Edition, Windows Server 2008 Enterprise Edition (and in some cases Standard Edition), could be set up and configured to run certificate services (called Active Directory Certificate Services in Windows Server 2008) and issue certificates. But just doing that much doesn’t extend trust of these certificates even within the organization, let alone outside.

For example, if you set up your own internal CA, a certificate could be issued to a server running Microsoft Exchange Server 2007 with the Client Access Role installed for the purposes of securing access to Outlook Web Access (OWA), Exchange ActiveSync (EAS), or other services. Normally a web browser or other application would generate a warning message when that client attempts to utilize secure communications using SSL/TLS (e.g. https://myca2.example.com/owa) when the certificate issued to that web server running Exchange OWA is not trusted. How would we get client machines to trust that OWA server’s certificate? Conceptually, we could either install the OWA server’s certificate in the client machine’s trust list, or better yet, we could configure trust of the certificate of the PKI CA which issued the OWA server’s certificate. Be careful: an Exchange Server 2007 Client Access server is often referred to as a CA server or CAS, but a PKI certification authority is also called a CA or CA server, or the plural would be CAs – don’t let those abbreviations confuse you – that’s why we referred to an OWA server (the E2K7 CA server hosting Outlook Web Access).

Why set up an internal private CA? Hosting such a server to issue many certificates to servers or even clients could potentially be less expensive than paying a public CA for each certificate you’d like them to issue on your behalf for your servers, let alone your clients. What are some of the limitations of using an internal CA? First of all, all client machines, either those of employees or external customers who need secure access to your content servers (e.g. Exchange Client Access, SharePoint, or other web servers) would need to be configured to trust your internal CA(s) and the certificates they’ve issued. There are lots of techniques to accomplish this, which are beyond the scope of this article, but for now let’s just note that this does indeed need to be done. Briefly: for Windows clients in workgroup mode, scripts or preconfiguration would be useful approaches, and for Active Directory domain services clients, Group Policy could be utilized to establish the necessary PKI trusts of your internal CA(s).

Users don’t necessarily need user certificates to access OWA when the users are authenticating with OWA’s forms based authentication – the username/password dialog web page. The client machines just need to trust the private PKI (its certificate servers). User certificates are another option, for mutual authentication, which could be explored as an advanced option. There are a number of methods for obtaining user certificates from a private CA, notably Group Policy and scripting, depending on the relationship between the clients and the domains/realms of the CA servers and Exchange servers.
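A client-side check for the situation described above, as an added example rather than anything from the original post: see what the OWA server presents, find out whether this machine's trust stores accept it, and, if the answer is an internal CA, import that CA's own certificate (never the OWA server's) into the machine Trusted Root store. The host name, the .cer path and the function names are placeholders; the import step needs an elevated shell, and the scriptblock-as-callback trick needs Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Diagnoses whether this client
# trusts an OWA server's certificate chain and imports an internal CA's
# certificate into the LocalMachine Root store when that is the missing link.
# Host name, .cer path and function names are placeholders; import needs admin.

function Test-OwaCertificateTrust {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything for the handshake only so we can fetch the certificate;
        # the real trust decision is made by X509Chain below, not by this callback.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Build the chain against this machine's own trust stores
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # diagnostic: trust only, not revocation
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Trusted        = $trusted
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
    }
}

function Add-TrustedRootCa {
    param([string]$CerPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Only a CA's self-signed certificate belongs in Root; an issued server
    # certificate such as the OWA server's must not be added here.
    if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed CA certificate: $($ca.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }
    # Compare this thumbprint out of band with the one the CA operator published
    $ca.Thumbprint
}

# Usage (placeholder names):
# Test-OwaCertificateTrust -HostName 'myca2.example.com'      # Trusted: False, ChainStatus: UntrustedRoot
# Add-TrustedRootCa -CerPath 'C:\certs\internal-root.cer'
# Test-OwaCertificateTrust -HostName 'myca2.example.com'      # Trusted: True
```

On domain-joined clients the same certificate is better pushed through Group Policy (Trusted Root Certification Authorities) than run as a script on each machine, which is what the paragraph above describes for the Active Directory case.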

Yes, SharePoint and other web-based services can certainly use the same configuration method of setting up SSL/TLS for OWA.

In summary, if your OWA users are all internal employees, it’s quite reasonable to establish an internal CA to support the PKI needed for OWA security.

Getting a List of Installed Roles and Features

Over at Andy Schneider’s Get-PowerShell blog, there’s an article/rant titled “Roles and Features Part 2” <http://get-powershell.com/2008/09/18/roles-and-features-part-2/>. After discussing the issues with different commands such as oclist, ocsetup, and servermanagercmd on Windows Server 2008 with Server Core versus Full (non-server core) installs, he mentions that there are differences in the query versus install XML formats which throw a monkey wrench into the ease of import/export possibilities of server cloning – or at least setting up for dial-tone recovery another server with the same roles, role services, and features. Also mentioned are different server and server core role names.

And at the very bottom of the rant he asks a question: “Perhaps what would be cool is a PowerShell function that could at least convert the output of servermanagercmd -query query.xml and turn it into an xml file that could be used by servermanagercmd -input input.xml. Any PowerShell XML Ninjas up for the challenge ?”

Well, seeing as one of my students wanted to convert from one (query) to the other (install) to avoid using pkgmgr in semi-automatic mode, let’s take a look at what degree of ninja arts would be required.

Let’s take a look at what ServerManagerCmd -query gives us when we specify an XML file. Figure 1 has an example in which we perform such a query, read the XML file into a variable in the shell, and then examine the ServerManagerConfigurationQuery property of that object. Those three commands are the first part of figure 1.

ServerManagerCmd -query feat.xml
$smq = [XML](gc feat.xml)
$smq.ServerManagerConfigurationQuery

Time : 2009-03-04T12:29:55
Language : en-US
xmlns : http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1
Role : {AD-Certificate, Active Directory Domain Services...}
Feature : {NET-Framework, BitLocker, BITS, CMAK...}

Figure 1: ServerManagerCmd -query (example)

The example results are shown in the second part of figure 1. The important thing is that we get back Role and Feature sub-properties (members of the ServerManagerConfigurationQuery). Therefore, we look at those.

Here’s a helper script for looking at those Role and Feature components (figure 2).

function global:Get-RoleFeature(
    [Switch]$role,
    [Switch]$feature
){
    # Run the query into a uniquely named temporary file, load it as XML, then remove it
    $q = "query{0}.xml" -f (Get-Date).Ticks
    ServerManagerCmd -query $q | Out-Null
    $smq = [XML](gc $q)
    rm $q
    # Collect the sub-property names selected by the switches (neither switch = nothing returned)
    $what = @()
    if( $role ){ $what += "Role" }
    if( $feature ){ $what += "Feature" }
    $what | %{
        $smq.ServerManagerConfigurationQuery.$_ |
        FT -auto
    }
}

Figure 2: Get-RoleFeature Function

Once defined, this function may be invoked without arguments (which doesn’t do anything), with the -Role switch, with the -Feature switch, or with both. The “|FT -auto” portion could be removed from the last body line of the function to return objects and let the caller decide whether to do the formatting.

Get-RoleFeature -Role will show the DisplayName, Installed, Id, and RoleService properties of each role.

Get-RoleFeature -Feature will show the DisplayName, Installed, Id, and Feature properties of each feature.

Without the “|FT -auto” part of the last body line, the resultant objects could be used in further scripting to search for a particular role or feature, such as:

Get-RoleFeature -Role | ?{ $_.displayname -match "Active Directory" }

Figure 3: Filtering Get-RoleFeature Results

Either way, this little function can provide a quick glimpse of what roles and features are installed on Windows Server 2008. As shown in figure 2, with “|FT -auto” included, quick interactive queries are possible. Without that formatter included in the function, post-processing (e.g. group, sort, select, where, etc.) such as the filter illustrated in figure 3 is easily accessible.

So obviously, I’m not a ninja. All this post shows is how to work with the ServerManagerCmd -query XML output in PowerShell and doesn’t solve the issue of giving a presentable format to the -install option, nor what to do with Server Core. We’ll save that for a later post.
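One step further than the post goes, as an added example that is not the author's own: a converter from the -query XML to an answer file for ServerManagerCmd -inputPath that keeps only the installed roles, role services and features. The answer-file layout used here (a ServerManagerConfiguration root with an Action attribute and Id-only Role/RoleService/Feature children) is my reading of the ServerManagerCmd documentation and should be checked against your own system; the sample query XML is constructed to match the shape seen in figure 1, and ConvertTo-ServerManagerAnswerFile is a hypothetical name.

```powershell
# Added example, not from the original post: turn ServerManagerCmd -query XML
# into an answer file for ServerManagerCmd -inputPath, keeping only what is
# installed. The answer-file layout (ServerManagerConfiguration root, Action
# attribute, Id-only children) is my reading of the documentation; verify it.
# The sample query XML below is constructed, not captured from a server.

$ns = 'http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1'

function ConvertTo-ServerManagerAnswerFile {
    param(
        [xml]$Query,                 # what ServerManagerCmd -query wrote
        [string]$Action = 'Install'  # or 'Remove'
    )
    $out = New-Object xml
    $out.AppendChild($out.CreateXmlDeclaration('1.0', 'utf-8', $null)) | Out-Null
    $cfg = $out.CreateElement('ServerManagerConfiguration', $ns)
    $cfg.SetAttribute('Action', $Action)
    $out.AppendChild($cfg) | Out-Null

    # Walk Role / RoleService / Feature recursively. An item is written only when
    # Installed="true", and only then are its nested children examined, so an
    # installed role service never appears without its parent role.
    function Add-Installed($node) {
        foreach ($child in $node.ChildNodes) {
            if ($child.NodeType -ne 'Element') { continue }
            if ($child.GetAttribute('Installed') -eq 'true') {
                $e = $out.CreateElement($child.LocalName, $ns)
                $e.SetAttribute('Id', $child.GetAttribute('Id'))
                $cfg.AppendChild($e) | Out-Null
                Add-Installed $child
            }
        }
    }
    Add-Installed $Query.DocumentElement
    $out
}

# Constructed sample in the -query shape seen in figure 1 (the Ids are real
# ServerManagerCmd identifiers; the Installed values are made up)
$sample = [xml]@"
<ServerManagerConfigurationQuery Time="2009-03-04T12:29:55" Language="en-US" xmlns="$ns">
  <Role DisplayName="Web Server (IIS)" Installed="true" Id="Web-Server">
    <RoleService DisplayName="Web Server" Installed="true" Id="Web-WebServer" />
    <RoleService DisplayName="FTP Publishing Service" Installed="false" Id="Web-Ftp-Publishing" />
  </Role>
  <Role DisplayName="Active Directory Certificate Services" Installed="false" Id="AD-Certificate" />
  <Feature DisplayName=".NET Framework 3.0 Features" Installed="true" Id="NET-Framework">
    <Feature DisplayName=".NET Framework 3.0" Installed="true" Id="NET-Framework-Core" />
  </Feature>
  <Feature DisplayName="BitLocker Drive Encryption" Installed="false" Id="BitLocker" />
</ServerManagerConfigurationQuery>
"@

$answer = ConvertTo-ServerManagerAnswerFile -Query $sample
$answer.Save("$pwd\install.xml")
# Read install.xml before it goes anywhere near a server, then on the target:
#   ServerManagerCmd -inputPath install.xml -whatIf
```

For a real run, replace $sample with [xml](gc query.xml) from the source server; the Server Core naming differences the post mentions are not handled here.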