06 The PowerShell in the shell, remoting

>> We’re back. And I have to tell you, now we’re going to talk about one of my most favorite things and you get to talk about… And we’re going to do this twice, guys. We’re going to do kind of a short section of this to get you started and then, we’re going to get into scripting, teaching about variables and stuff, and then hit remoting, this topic, again with something called sessions that will be outstanding. But, remoting: this changed how I manage in scale when it comes to the entire Windows, the products, the platform, everything. This, when it released with Version 2, literally made me a hero overnight. So you have to tell us about what were you trying to solve with this. >> Sure. >> What does this thing do? This is unbelievable stuff. >> Yeah, so in PowerShell we have this idea… We talked a lot about it in the past; we don’t talk so much about it now, I guess because we already delivered it: this notion of universal code execution, which is to say that you have code and sometimes you want to run the code here. Yeah, that’s what we do. Everything we’ve been showing you today, we bring up a console window and we type the code and the code runs here. 
But actually it’s a generalization; here is a generalization or a specialization of anywhere. Like, sometimes I want to run the code there and sometimes I want to run the code there and sometimes I want to run the code on those machines. And sometimes I want to run the code on those machines on myself and sometimes I want to give a different set of credentials. And sometimes I want to run it and get the results back immediately and sometimes I want to run it and then get the results back later. And sometimes I want to run it in a way that I can do anything and sometimes I want to run it in an environment where, “No, no, no, these and only these commands you can run,” in secure environments. And so there’s this notion of this universal code execution model. And, oh, by the way, sorry, the last one was sometimes I want to run it and I’m going to run it for such a long time that I might want to like shut down the machine and bring it back up and have it continue to run. >> Right, go somewhere else and maybe check on it or something. >> Exactly. So this is the notion of the universal code execution model. And remoting, of course, is intrinsic to that. Coupled with that are notions of jobs. Jobs are things that run in the background… and then workflow, which we added in PowerShell Version 3, which is the idea that says, hey, I’m going to run this and at any stage after any command I can suspend things, shut down the machine, bring it back up and continue from where I started. >> See, this sounds awesome. Now what we had before is like with the remote server administration tools, I have a graphical like I can direct users in computers. It will connect to a domain controller over DCOM using RPC, right? >> Yes. >> And there are a lot of challenges and problems with that: firewall challenges, right? >> Yes. >> …and all kinds of a mess. But what you guys created, though, solves all those problems. >> Exactly. So here’s what we did: first, we wanted to solve all of those problems. So http? 
Super important. Next was, we already had a protocol that went over http, our standards-based management. So you probably heard we talk a lot these days about standards-based management. In fact, at TechEd’s I’ll show up and bring up a Linux box and I’ll show on a Linux box I can enumerate all the roles on a remote Windows Server and then install roles on a remote Windows Server from a Linux box. Just crazy stuff. >> I saw you do that demonstration for the first time I think it was like a year and a half ago and I just went, “Ahh!” >> Your head just explodes. >> I know. >> So this is because of this standards and WinRM or WS Management Protocols; WinRM’s are an implementation of that. And so for PowerShell remoting we leverage WinRM and we added streaming extensions to it. And that’s how it works. >> And WinRM is the service that you’re going to see that’s running underneath all of that. As a matter of fact I’ve got a couple of slides here and then, we’ll talk some more about this. If you take a look at the slide here as an overview of remoting, basically what this comes down to is you can go and touch… Just as Jeffrey went through the scenarios, using what you’ve already been typing in at the console locally, you can pick that up and now fire that at whatever it is you want to fire it at. And it’s over remoting which is going to give us a lot of cool characteristics. It’s going to be fast. It’s going to be easy to cross firewalls because we only have one port to deal with and we’re dealing with a secured port. So here’s the idea: if your machines are in a domain, this isn’t going over just http plain text. >> No. >> It’s getting all encrypted. >> All encrypted. >> …with Kerberos. >> Yeah. >> And then, of course, if you’re going across the Internet or across firewalls and you want to put on SSL or if you even want to do SSL internally, you can put on SSL if you want that full encrypted tunnel. >> Well let’s be clear: we’ll encrypt it twice. >> We’ll encrypt it twice at that point. [Laughter] If you really need it twice encrypted, we’ll do it twice. But here’s the idea is that you’re hitting whatever machines you want securely and with what credentials you want and nobody can read it. Nobody can use a protocol sniffer and sniff out what’s going on. So this is actually really cool stuff. You know, enabling remoting is definitely one of these things that comes up. First of all we just need to tell everybody that you have to turn remoting on kinda, sorta, maybe. Kinda, sorta, maybe because in prior versions, not Server 2012 but in prior versions, remoting had to be turned on. And this can actually be kind of a hard conversation for some security people to have or some admins to have with their security people in that, “I’m going to turn on this really cool thing that lets me do whatever I want to whenever I want.” And the security guy goes, “No.” >> Yeah. >> Which is exactly what they should say. But as soon as they understand remoting and how it works all of a sudden it’s like, “Oh, well yeah, this is perfectly fine.” >> Yes. >> So there’s this conversation that has to happen to get it turned on. And if you guys take a look at the slide here, what I’ve done is I’ve shown you a basic way to turn it on. I’m actually going to demonstrate this on one of my machines here. But there’s a cmdlet that you can use called enable dash PS remoting. Now if you want to walk around to all of your servers and type enable PS remoting, knock yourself out. But there’s a group policy and I have it written down here for you; it’s much easier if you use the group policy to enable remoting. But here’s the deal: you have to turn this on. 
Let me say it again. You have to turn this on. We’re going to show you all of these great features, but none of it is going to work until you turn on remoting. It’s not necessarily an easy conversation. There’s a free e-book on PowerShell.org, secrets about remoting. >> Yeah, great book. >> Which will not only take you through every possible scenario but is the information that your security guys need to know so that they understand that it’s secured and what ports it uses. This has to be turned on. It’s not because I’m just saying it, it’s because you’re running out of options now. A lot of the new administrative graphical tools are made to use PowerShell and PowerShell remoting. Server 2012 is a great example with the new server manager, right? It’s using all of these capabilities that are built in and if you don’t have it turned on, you can’t manage anything with anything. So you’ve got to get it turned on. And as a side note, Server 2012: it’s turned on by default. So it’s going to get turned on. >> Just to be clear on that one: so as you know, we are secure by default and release by release we continue to shut things off by default and you have to turn them on. In the course… This has been going on for quite a number of years. It’s been exactly, to my knowledge, one time where we went the other direction, where we turned something on by default instead of off by default. And that was? >> It’s got to be PowerShell remoting. >> PowerShell remoting. That’s right. So for Windows Server 2012 we turned on PowerShell remoting. It was a big issue. The security guys are like, “What are you talking about? Maybe you didn’t get the memo, we’re going the other direction.” And it’s like, “Okay, well let’s talk about that. Why is that?” And the answer is of course, Windows Server 2012, right, it is a cloud operating system. A cloud operating system says, “Hey, it’s not about this server, it’s about these servers. 
I need to be able to manage things.” And, therefore, remoting of large numbers of systems is a critical function; it is the core of a cloud OS. And so they said, “Okay. Well, I’m willing to entertain that. That makes sense. But we’ve got to be sure.” And we said, “Okay, well let’s walk through it.” And we showed them all of the things we had done. And actually they’ve been involved all along. And step by step by step we went and did the threat analysis, and they were convinced, “Yeah, this is safe to do.” And so when you have that conversation with your security guys, you just point to that, “In the history of this server, one time we switch and turn things on by default, it is PowerShell remoting.” So go for it. >> Yeah and I think that’s a really great concept because Microsoft is not going to turn on something that is an easy to use attack surface. It’s just not going to happen. >> Yeah, we put an extraordinary amount into the security of making sure that this is going to be a secure environment. We’ve got pen testers who have been evaluating the design, the code, etcetera. Yeah, we spent a lot… Look, we started PowerShell after Bill Gates’ famous security >> Memo, yeah. >> Right? And what started that security memo, what started that whole boof-o-rama? “I love you.” >> I love you, man. >> .VBS >> Oh, you’re talking about that. I was just saying I love you, man. Sorry. >> Oh, that’s special. Okay. >> Okay. >> I don’t think there’s anything wrong with that. No, it was scripting had caused that big “I love you” mess, and so we knew that scripting was going to be a key vector. So we just spent a ton of time making sure we were secure, secure, secure. >> So now that we’ve jumped up and down enough that you not only have to turn this on but it’s secured to have it turned on. Get it turned on. Let’s start to show you some of the cool things that you can do. Now like I said, we’re going to hit this topic twice as we learn more and more about it. So this is all in the slides but let me take you through here and as soon as I can… There we go. Well, maybe not quite. >> I can do something. >> I think you have control of my machine. >> No. >> No? >> I gave it up. >> Okay, my machine is just moving slow for a second. Oh, here we go. Okay, so let me do something real quick and, Jeffrey, please jump in. First of all I’m going to do a one-to-one connection. And you’ll see exactly… Watch, I’m just going to type enter… It’s a cmdlet, PS session… PowerShell session and I’m going to put in a computer name that I want to go to. I’m just going to say DC; it’s one of the VM’s that I have running. Watch what happens to my prompt here. Did you see what happened? Guess where I’m sitting right now? Guess where I am right now? I’m on the DC. I’m on the DC. You don’t believe me? Watch, I’m going to clean up this path a little bit. Watch. Host name and I’ll do IP config. That information is coming from the DC. So I can actually do a one-to-one connection and I can troubleshoot and I can manage a single system this way as if I was sitting on there. As a matter of fact let me >> Think of this as a secured telnet. >> A secured telnet. 
I love that. And let me show you why I think that this is also so important that you just get used to managing servers. When you just need to do one thing to one server, this is a great way to do it. Get used to this. Have you guys seen Server 2012? Let me exit out of this and let me just show you. I’m going to go out to my domain controller and I’m going to show you Server 2012. This is, to me, fascinating. Welcome aboard. >> Oh man, that is >> And by the way, what you guys did with the color scheme on here is just awesome. >> It is. >> Yeah, the background, the color scheme. This is totally awesome. >> It’s Zen-like in its simplicity. >> It’s very Zen-like in its simplicity. Yep, you guys probably figured out that this definitely… We used to refer to this as the core installation; and, yeah, it was Server 2012. This is now the default installation. >> Yes. >> And for a good reason: performance, security, all that kind of stuff. So let me show you, you would be managing the server that way anyways. And I don’t want to screw this up so let me get rid of him. So doing that single session, that Enter-PSSession to a machine that you want to do work on, it gives you that one-to-one connection and you can now do whatever you want on that machine. But here’s the big one so let me exit this. You guys have been watching all day long and you know you’re going to be doing a lot of good, hard work on stuff like this. I want to do get-eventlog log name system, and I’m just going to do newest 3. Now I could do entry type and all this other stuff but I just want to keep it short and simple because let me just show you. 
I’m going to take this and I’m going to copy this. What I can get to work here and what Jeffrey was saying is the whole point is it’ll work anywhere. So here’s what I’m going to do: I’m going to invoke-command. This is a remoting command. When you use this dash computer name, it’s using PowerShell remoting not the old DCOM RPC stuff which is what a lot of the older cmdlets use. So this one is using the good stuff. And then, whatever you put in the squigglies is exactly what we’re going to do. Whoops, sorry. Wait a minute. Put in some computer names and I’m going to be brave and risky. Whatever you put in the squigglies is exactly what we’re going to do. And in this case, watch. So over remoting… Was that approval back there that we heard? >> Woo-woo. >> A knock or something? I want you to get that what just happened is, is by using PowerShell remoting I just hit three different systems all at the same time and said, “Give me this information.” I can now convert this. I can put it to a file. I can put it to a web page, whatever it is I want to do with it but I just used PowerShell remoting. And, Jeffrey, this is actually so powerful that admins need to be a little careful, right, because things like… I don’t know >> Restart computer. >> Yeah, that’s a good one. Restart computer, all of a sudden takes on a whole new dimension because whatever you fill that with, that’s what it’s going to do. Dash computer name, I could be grabbing the computers from Active Directory, a CSV file, a text file >> You’re making me nervous, man. >> I know, at the moment I’m actually very nervous too. I need to get rid of that so it doesn’t actually >> Why don’t you type minus what if? [Laughter] >> And so it’s going to restart those machines. So this is a one-to-many connection. Now, Jeffrey, one of the things that comes up all the time is if I do get-service and I’ll do name Bits… How’s this working? It’s actually sending the commands to the machine and then, how am I getting this data back? >> Yeah, so literally what happens is we go and we create a connection to that remote machine. So there’s a TCP connection. We then fire up a PowerShell connection. We load .NET. We load PowerShell. We take that code and we squirt it across the wire. We then execute it. We logged you in, use your credentials to log you in. We then execute the code there. Then, we get those objects and we serialize those objects. We move them across the wire and then, we reconstitute them; we deserialize them and emit them as though they happened here. >> Okay. Okay, so let me see if I can get this straight because you’re going to have to explain the serialization stuff. >> Yes. >> But let me see if I can get this straight. So we’re connecting to these remote machines and we’re actually starting a PowerShell session on those machines and having the command run on those machines. So it’s not my computer working harder, it’s those machines that are doing the work. >> Yep. >> Now the serialization, you’re squirting this stuff back. Serialize, deserialize? [Sound] What does this mean? >> Exactly. 
So what we do is we take the object and we transform it into something that can be moved around and reconstructed anywhere. >> Okay. >> So concretely anywhere. Like, I’m over here… I go talk to your machine and it’s Windows talking .NET. And then, I can bring it over here and it can be Linux. Now there is no .NET on Linux so how is that going to work? >> Right? >> And so I’ve got to serialize it into something that can work anywhere. Now imagine I go and I say, “Well, hey, I talked to Exchange version whatever and I get the objects here, but I don’t have Exchange here.” So how do I recreate Exchange objects? >> Right? >> Again, that’s the problem. So what we do is we take these objects and we turn them into essentially a property bag. Now it’s just a bag of properties. And then we take them… You know, the properties have names and values and the values have types. Now here’s the trick: the types are not the infinite set of types there. If you tried to do that it would never work. So what we do is we render it down to a set of, I think, 26 or so types. Which, you know, I put my badge on the table and I say, “I guarantee that these will always work. If these don’t work, fire me.” >> Well, there you go. >> Forever. Forever. Because you know what? An Exchange mailbox, 30 years from now, probably going to change. But I guarantee you this, a 64-bit integer isn’t going to change >> Isn’t going to change >> …30 years from now. >> Yeah. >> So it’s those types of things: integers, strings, int’s, GUID’s, things like that. >> Oh, okay, yeah. GUID’s. Things that are >> Secure strings >> …going to be the same. >> Exactly. So then I take that property bag and I just turn it into XML. I then bring it over here and then I reconstruct the property bag. By the way, let me correct something. >> Sure. >> Show your screen. >> Okay. >> Okay. So you said that this was remoting. In fact, invoke command is not remoting. >> Oh, what is it? >> Remote command is the way we do everything. 
Remember we have this kind of underlying system >> Oh, yeah. Yeah, yeah. >> And then, we’ve got >> Great definition. >> …syntactic sugar on top of it. So go remove the minus computer name. >> So let’s do this. >> Well that whole DC 123 DC, yeah. Get rid of that. Okay, and hit carriage return. Okay, so that worked locally and that’s the same as if you hadn’t typed invoke command and squiggle brackets. Or rather, say when you just type get-service minus name Bits, we transform it into this and then we run it. >> And then we run it. >> This is the universal code >> Universal code >> …execution. >> And this is what makes it so easy, especially if you’re an administrator: you work out what you want first, then you can just put it in the squigglies and it’s going to work at the other side. >> So from here, pipe that to get-member. Okay, scroll up. And what do we have? >> Service controller. >> No, look at the beginning. System. >> System. >> That’s service process; that’s service controller. Now add a computer name to that line. >> Oh, yeah. So let’s do this. Let’s have it go to dash… and S1. >> DC1. Okay, S1. Yeah, whatever. Now go up. Look at the beginning. >> Deserialized. >> It’s deserialized. Ding, ding, ding, ding, ding. Now a deserialized object is incredibly powerful but it’s different. So if you scroll up a bit >> Oh, I’m scrolled up all the way. >> Did you do a clear? You didn’t clear. >> No, I did a clear. >> Don’t do clear and do it again. Do the local command. Notice… See these methods? >> Right. >> See the start and the stop method? >> See the stop, yeah. >> Okay, that’s because it’s a live object and you can do methods on it. Go up to the deserialized one. >> Yeah, it’s >> Yeah, there’s just one method. ToString. >> There’s one method, ToString. >> Exactly. Because the object itself is gone and what you have is a representation of the object. Now it turns out that that is extraordinarily powerful. Now some people say, “Oh, well it should be the same everywhere.” No, no, no, no, my friends, it should be. The point is that because we have this live deserialized concept, what it means is that when I’m over there I’m able to take advantage of the remote… I’m able to take advantage of the full richness of the object system. Be able to do everything in a very light-weight way, very high performance, low latency way and then, when I bring it over here I can still do a ton of stuff but I can’t do that. So the way we refer to this is islands of optimization in a sea of interoperability. >> Okay, islands of optimization in a sea >> Of interoperability. >> Of interoperability. Which is to say it’s poetic. [Laughter] >> It’s poetic. >> So that means I can go to any of the machines and I can interoperate. I’m guaranteed to do that. And then there are times, however, when I’m doing all of the code on one machine that I can optimize. I have the live objects, I can do things, etcetera. 
And that, by the way, is what allows us to do the layering GUI’s on top of PowerShell because we have these nice high speed, low latency activities. If you tried to layer everything on top of a deserialized object, you know, you’ve got a lot of recreating objects, a lot of inefficiency. >> Right, right. >> Yeah. >> Well, guys, this is our first hit into remoting. So we did one-to-one. We did one-to-many. Now we’ve got more remoting to do because we’re just getting started with the remoting, but now it’s getting to that time for us to… Oh, you know, before we get into scripting, I just >> Oh no, we’ve got to show more here. >> Yeah, I know. There’s a problem I have. This is cool but… You know one of the problems I have? >> I know a few of the problems you have. [Laughter] >> One of the things I run into is wouldn’t it be cool if… You know, when I go on vacation, I don’t know about you but I like to go to places with beaches. >> Oh yeah. Oh yeah. >> That have the little drinks with the little umbrellas in them. When I’m sitting on the beach, the last thing that I’m going to have is a laptop. >> Yeah, right. Not so much. >> I mean not cool. Not cool at all. But things still go wrong back at the office. And so, I am going to have a phone. >> Ah, I see where you’re going. >> You know, it’d be so cool if I could maybe have PowerShell here and I could launch a script, which we’re going to be doing this afternoon, or I could type in these commands and I could do all of this kind of cool stuff. It’d be so cool if I had PowerShell here or on a tablet. >> If only you had PowerShell Version 3. >> If only you had PowerShell Version 3 and at least one Server 2012 box. It could be a VM, but I want to show you something kind of cool. >> Have you picked up on the fact that we’re big fans of PowerShell Version 3? >> Yeah, we’re huge fans of PowerShell V3. So, guys, I want you to watch something. I’m actually going to take you through… This is kind of a cute review… not a cute review. 
I can’t believe I said the word cute. This is a review. Over what? We started off with today discovering and utilizing cmdlets and in this case using a feature that I just think is wickedly awesome. So here’s what I’m going to do. I’m going to enter a PS session to a server I have out there called PWA. Now this server doesn’t really have anything on it. It’s just a generic Server 2012 box. Key is, 2012. It can be a VM somewhere but it’s got to be 2012. What I’m going to do is there’s a cmdlet out there called get-WindowsFeature. Get-WindowsFeature is part of the server manager module. What it does is it lists for you all of your roles and features for your server. And if there are X’s in it >> Oooh. >> Yeah, I know. Oooh, I love it. If there’s an X, that means it is installed. If there’s not an X, it’s not installed. Well, I’m going to use this cmdlet to see what features are available for PowerShell. And in Server 2012 we have something down here at the bottom called PowerShell Web Access. I’m about to change the way >> The world as we know it. >> And it’s not me. The only thing that I’m changing is I’m showing you how to set it up. You’re the one that changed the world. >> Well, the team. The team. The team. >> So, yeah, the team. The team. So it’s called Windows PowerShell Web Access, and this is pretty cool. So I want to install this. So we have this install Windows feature cmdlet that’ll let me install Windows PowerShell Web Access. I’ve used get-help. The install Windows feature will let me choose whatever thing I want to install and away it goes. Now here’s what it’s going to do. >> Oooh. >> Oooh. It’s going to install IIS because this is going to be a web thing. So it’s going to install IIS. We have .NET 4.5 on here and it’s Server 2012. When it gets this installed, we’ll also get a new module with some additional cmdlets, six additional cmdlets. So what we’re going to do is use get-help to find them and then use them. Because in like three steps, I’m going to have one of the coolest features in the world turned on. So watch. I’m going to clear my screen. This is just to let me know that I have my updates turned off which it’s a VM; right now it does. But it exited with success. No restart needed. Awesome. So clear my screen. And, guys, notice, I’m doing this all on a different server, right? >> How cool is that? >> Yeah, I know. That’s totally, wickedly cool. So I’m going to do get-help >> This is not your dad’s server. >> This is not your daddy’s server. I love that. So it’s called PowerShell Web Access so PSWA. A lot of us just refer to it as PWA, PowerShell Web Access. But PSWA. 
And you’re going to see that there are six cmdlets. By looking at the verbs you could probably figure out the first place I’m going to go is to install a PowerShell Web Access application. Technically what’s going to happen is we’re going to create a web application by default off of the default web site when we installed IIS. Now we didn’t need to install it; that happened for us automatically. You can alter these defaults but I’m just going to take the defaults for right now. Now install PSWA. And I’m going to… You’ve got to use HTTPS for this because this is going to be something that you hit from anywhere in the world back to your home. So we’re going to need HTTPS. You can’t do this with HTTP. Now and if you don’t have a good certificate to put on your web box right now, for testing purposes they have this option of use a test certificate. Now my screen freaked out a little bit, but use a test certificate. It’s going to put on a temporary cert. Just remember this is not the cert that you want when you go to production. So what’s going to happen is, is that it creates in IIS terms an application pool for the web app, creates the web app, points the web app to where the files are and we’re almost ready to go. We just now have to tell it who’s allowed to use this. Now this is going to be one of those rare do as I say not as I do. And let me tell you why because I’m going to do get-help again on PSWA. We need to create who’s allowed to use this and what they’re allowed to go to when they use this. So we need to add rules, and you’re going to want to add granular rules that make sense. In other words, is there a group of administrators that you want to be able to have PowerShell Web Access and what machines should they be allowed to get to or remote to when they use this. You’re going to want to keep control on this. You’re not going to want to do what I’m going to do just for easy sake. So let me show you what you’re looking for here. So add PSWA authorization rule. 
And let me just show you, what computers do you want to be able to remote to? So you can make this list. You can create it as a computer group. You also have another parameter you’re going to need is either by user group or user name, who’s allowed to use this. So you’re going to want to fill out the user name, what computer and we’re not going to get a chance to do different kinds of configurations but you can control through different configurations what cmdlets a person is allowed to use when they get there which is actually totally cool. These three things, you need to specify. >> Just to be clear, that’s for things like, “Hey, I’m going to let these people come into these machines and all they can do is read-only operations.” Like they can do gets but they can’t do sets. And then, this guy on these machines he can reboot the machine, okay, but he can’t read data, things like that. >> And that’s a really important point: these users, I’ve got administrators that have full capabilities but I’ve got a guy who is allowed to reset passwords when he gets there, that kind of stuff that you can control. Don’t do what I’m about to do in real life. If you’re just testing out a VM, that’s fine. But what I’m going to do is for those three parameters, I’m going to do star, star, star. [Laughter] Yeah, I know that means everybody can do everything to everybody and it’s just, yeah, not cool. But for demonstration purposes >> Summer of love. >> The summer of love. At this point I installed the feature, I installed the web app and I have not created a rule. >> Anarchy. >> Anarchy. This is so freaky cool, guys. >> Yeah. >> Let me exit out of that machine. This is so freaky cool that I’m going to… This is start process. I’m going to use start and I’m going to start iexplore with HTTPS and I’m going to go to that PowerShell Web Access box, the box I just set up, PWA, and it’s going to do the default web site. And there’s a web application underneath the default called PSWA. You can of course alter all of this to make it cleaner, but watch what happens. Secured site. As a matter of fact, let me make this just a little bit zoomier. >> Zoomier. >> Zoomier. So this is the temporary certificate. Remember in real life when you go to production, you’re going to replace this. Continue to web site. It’s going to come up; it’s going to ask me. Oh, lookie. It’s going to ask for some credentials. So let’s do this. >> Doesn’t it look like Outlook web access? >> Yeah, we need to talk about that. So here I’m going to put in my credentials. And what computer do I want to remote to and work with? Well, let’s go mess with the domain controller; I feel kind of froggy today. Get it. >> Oh, do a host name. Do a host name. 
Show them where we are. >> Oh, this is so cool. It’s PowerShell through a browser. It’s PowerShell through… You made PowerShell work through… But, guys, gals >> On the beach. >> On the beach through any browser. >> Any. >> It’s funny that it can be Safari. It can be IE. It can be Chrome. It can be on any device, a Microsoft device, a non-Microsoft device, your phone, your tablet, your laptop, anywhere in the world, you’ve got PowerShell. And I want to point out that not all of these things have tab buttons when you use them. But, look, I’ll just even type a get-serve… Lookie, they gave you a tab completion button. I mean, come on. They thought this through. This is so totally awesome. Now a lot of you right now are going, “Wait a minute. Wait a minute. Wait a minute. Wait a minute. Wait a minute. What about security?” Stop it. It’s just like getting your e-mail. It’s the same thing as getting your e-mail. If you have Exchange, you’ve got a CAS-Role out there probably in your middle tier or protected by Threat Management Gateway, whatever you have, it’s the same thing. You can put the box right next to it. It’s the same thing. So everybody says, “Well, this is going to be dangerous.” No more dangerous than you checking your e-mail. It’s over HTTPS. You control who has access to this. You can even control what cmdlets they can run. This is one of the best tools. And for a guy like me that’s traveling all over the place, I don’t have a laptop necessarily with VPN to my network all the time. Sometimes the only thing I have is the tablet in my hand and I can run scripts… Which we need to do scripts and I can have access to PowerShell and remote to any box that I want to remote to. >> Dude, you’ve undersold it. [Laughter] >> I’ve sold it. >> Undersold it. >> I’ve undersold it? >> The security. Yeah, absolutely. No, this is more secure than that. Okay, why? 
So let’s see what we’re comparing ourselves against. So there you are and you’ve got your laptop and you connect to your domain controller versus you’re on your phone or this device or that device. And you go HTTPS to a browser or to a web site that then goes and talks to the domain controller, okay? Now on that machine, that web server, you’re not setting that up so that people are surfing the net, that web server that you go to. On your laptop you’re off there surfing your net. You’re at this new site, that new site, maybe some dodgy sites >> Dodgy sites? >> Yeah. You’re reading your e-mail and people are saying, “Oh, click here for something wonderful.” >> Yeah >> And so the risk of using that same box to manage your domain controller is >> Oh, yeah >> …is pretty dodgy >> And so that’s why the professional sites, they set these things up called Jump Boxes. What they said is, “Okay, look, take your dodgy device, whatever, and then you go to this machine.” Now this environment is safe, safe, safe. You get to do one thing on this environment and that is go to these other environments >> And, you know, I think that that is such a great description because a lot of you guys probably have… you might refer to them as Bastion boxes >> Bastion servers, yeah >> Bastion servers where that’s the whole point is that my laptop might be the wrong tool to be managing Active Directory with because of all of the weird things on it. But this is a controlled server, a controlled point that I’m going to that isn’t going to have all the garbage and viruses and worms and crap on it. And this becomes your Bastion point or your Bastion server. This is awesome. This is a huge time saver, anywhere in the world. And this is why… I heard this from Microsoft, I think it was in the year 2001, “We want to get to a place to where we can be anywhere, anytime on any device,” I think was the phrase. And when this feature came out it was, “I can do PowerShell anywhere, anytime, any device. You win.” So awesome feature. Before we wrap up remoting… Now we’re going to do sessions in a little bit >> Okay. I think there was a key point we didn’t nail. You got the remoting, man >> What would you like to do? Let’s leave this page >> Yeah. Okay, so go back to where you did the get-event log >> Okay. So you just want the get-event log? >> Invoke command >> Invoke command >> Yeah, on the three >> Okay, invoke command >> …machines. Oh, you’re going to do it all over. Computer name. Oh, wait. If you want, you can just type CN. But anyway, that’s fine. Get-event log >> So, yeah. 
Get-event log. Log name, let’s do system. Notice tab completion is working in the squigglies, guys. Let’s do newest three >> Yeah, good. Carriage return. Okay, so here’s the question: why did we return objects? Like that looks like text to me and that looks like what I wanted. Why don’t you just do that? And the answer is because it’s objects and objects are awesome. So now what you can do is you can take that and do… Oh. Go back. Just run it >> All right >> I need that >> Just run it. Okay >> Because I can’t run this. Okay, so now what you can do is you can say pipe to sort time. See, these aren’t sorted by time. So you get three >> So sort it by time >> …from this guy and then three from this guy and three from those guys. Then say select… oh, sorry, format table >> Format table >> Let’s just say time and message >> Property time and message. Oh, we need to do time >> Time written? >> Yeah, time written, so let’s do time written. Oops, and I need to actually write it in here. You guys get the idea but let me just get the >> And then, maybe it’s auto >> Oh, this is getting better. And then, with the format commands, guys, the format commands are wonderful. You should take a look at them. Format table is one of my favorite ones because it has auto size >> Is that crazy? >> That is totally crazy. So looking at that one-liner, what we’re bringing back… And this is a great thing… is that we can then continue the pipeline and sort and select and still work with this >> Exactly. That’s why the power of objects is so important because when you and do this stuff, it’s not about text. It’s about give me the objects. And now all of a sudden when I’m over there and I’m doing stuff, I can manipulate the objects there. And that’s great. But when I do remoting what I can do is I can the objects from a very large set of machines, bring them here and operate against the objects. So imagine… You say, oh, I got somebody and I need to give them a share. 
You can go out to all of your file servers, get the disk space from all of your file servers as a collection of objects, sort it by free space and then, you can say, “Give me the top three.” And then, you can look at those and say, “Yeah, that’s the one I want.” Imagine how else you’d do it. You go to this one, find it, write it down. You go to that one and write it down. You go to that one and >> How many of you guys are just still sending people out to do that? >> Go check that file server and see how much disk space it is. Put it into the spreadsheet so we can keep track of this, as opposed to… And there’s several ways to do it, what he’s talking about, but as opposed to… Let’s just use, what is it, get-volume, right? Is one of the new commands? >> Get-disks >> I think get-volume will give you free space and size >> Okay. Look. We’re going to find out in a minute. Oh, size remaining and size >> Ooh, ooh. Yeah, yeah. Do it. Do it. Do it. Do it. Do it. Do it. Do it >> Do it. Do it. Do it. So let’s do… What do you want to do? >> Invoke command >> And we’ll do it to the >> By the way, can we show them the short way? >> Yeah, and then >> This is time. Here’s the short way >> Yeah >> Yeah, ICM >> ICM >> And then the names. Comp >> No, just CN >> Or just do the names, yeah, because it’s positional. So DC, S1, S2 >> That’s the short way >> And we want to do >> Get-volume >> …let’s see, get-volume >> And pipe it to sort size remaining >> Get-volume sort size… I can’t spell anymore. It’s been a long day… sort size remaining. Let’s just try that and see what we get. Oh god, look. Look, look, look. Size remaining >> No, wait. Wait, wait. Now here’s the thing. Go back up. Scroll up >> Scroll up. Scroll up. Okay, notice how the formatting… No, I want to show the previous text >> Oh, the previous one. Okay >> So notice here, it just shows you drive letter, da, da, da, to size. But now you go scroll down, notice we have PS computer name >> Yay >> When the objects come back we add properties to it. And we add, “Where did this thing come from?” So when I do this sort and then we go down to the bottom, I can see, okay, there’s my volume. But where did that volume come from? And the answer is S2 >> That’s right. So, guys >> Party on my friends >> Here’s the thing: that cmdlet you can just say just show me the C drive. You can sort and filter this out more where I just want to see the computer name and size remaining and just get a nice, short, terse list then export to CSV. You got your report done and you did it on as many computers as you wanted to in seconds >> Oh, should we show them select last? Yeah, show that >> Oh, yeah. Yeah, yeah, yeah, yeah >> So like if I had done this to like lots of machines and they were file servicing lots of stuff on it, this would be pretty big. And you don’t want to mess with that. So what you do is you say select minus last. Let’s pick the last three >> And what it’ll do is give you the last three, just exactly what you think it would do >> Boom >> Boom. 
And there’s the last three >> PowerShell rocks >> PowerShell so rocks. We have first; we have last. There are all kinds of ways. This is the importance of taking a look at >> Skip >> …those help files. Skip, exactly. So make sure you look inside these help files because you can do it. It’s not something, “Well I can’t figure out how to do it.” You don’t need bizarre long links of code; you need to look at the help files. They really thought this stuff through >> And if you get stuck, PowerShell.org >> .org >> …forums >> And ask on the forum >> Yeah, lots of really helpful people out there. And just as a side note, it’s fascinating how strong the PowerShell community is >> It is, yeah >> You guys have noticed that this is not necessarily the easiest tool in the world for you to learn. It’s the most powerful one in your toolbox but it’s not an easy tool to learn because you’re just staring at a prompt, “And now what do I do?” We’ve all gone through this, and so the PowerShell community is so strong; they want to help you so avail yourself of those resources. And I’ll give you some more here a little bit >> Yeah, can I riff on that a second? >> Yeah >> So here’s the thing: we found as we were rolling out PowerShell that the community just flourished and it’s like wow. And people are having a blast. Now here’s the interesting thing, it turns out that this, this like hurts the community. No, seriously. It hurts the community. Why? And we noticed this because at some point we were putting things together and then, we were like, “Hey, did you see what Bruce did?” No, what did Bruce do? We all run into Bruce’s office and he shows what he does. And it’s like, “Oh man, that’s awesome. Can you send that to me?” He sends it to me and I’m doing it. And then, I change it. And they’re like, “Oh, Joe, check out what Jeffrey did.” And everybody comes running. 
And we were having a blast with this. And we talked about this a little last night, we said, “Boy, we’re really having fun here.” And computers always used to be fun. And then for some point they stopped being fun and it just seemed like it was a job >> It became mundane >> And I think it was because of this damn thing, the mouse. And so here’s the idea: I never, never, never say, “Hey, come on, guys, did you check to see the way Jason was clicking that mouse? My god, you are such a clever guy. Did you see the snap on that thing?” >> See, I love you, man, because I work on my mouse moves >> Well, no that’s the point. So when I see program, when you script and you write together this command line, I see how you think and I’m able to say, “Wow, that’s really clever. That’s really neat.” Then I say, “Oh, can I have that?” >> Right >> And you give it to me and all of a sudden you’ve helped me. Like say you’re a god at clicking that mouse, right? How can you help me? Like, step back and be impressed, I guess >> Nice clicking >> You can’t help me. But with a script you can help me. And I can take it and I modify it and it meets my needs. And I look great to my boss. And now all of a sudden, you know what, two things: one is you feel good because you helped me. Two, I have a debt of gratitude to you. I mean, thank you very much. That’s very awesome. And I’ll buy you a beer or something like that, and also I say, “Hey, you know what, I should help other people too.” So really you should help other people. First, be aware there are lots of people in the community out there more than willing to help. You should not be suffering in silence. No, no, no, if you’re confused or anything, I guarantee you nobody is going to be… you should not be embarrassed by any of your questions. People aren’t going to make fun of you. That’s not going to happen. The barrier for you asking a question should be extraordinarily low. Just ask the question in a forum, in Twitter. Twitter is a very useful place as well. Just ask that question. People will help you. And it turns out and then you should participate. You should say, “Hey, I found this clever way to do things.” You should blog things. And here’s the great thing, right, so you might know I’ve been doing this PowerShell thing for a little while. I blog things. I blog things and say, “Oh, here’s what I do.” And people will say, “Geez, why do you do it that way? Why didn’t you do it this way?” And it’s like, “I didn’t know you could do it that way.” And so the community is teaching me how to do things. Honestly, it’s just a wonderful thing >> And I have to say it’s truly amazing. And remember when computers were fun when it wasn’t, “I need to reset a bunch of passwords,” and you just sat there and went like this >> Click, click, click, click >> Where now you’re actually going, “Oh, I’m going to figure out how to reset these passwords. Or I’m going to figure out how to do X, Y, Z.” Awesome. And now I’m going to automate it so I never have to do it again. But it was fun figuring out the problem. It used to be fun solving the problem. And PowerShell has brought that back, and the community is really strong with that. Folks, so here’s what we’re going to do. Is let me show the… Just to let you know that all of this stuff we did in remoting is in the slides. And I’m just going to go through these real quick. But it’s not the end yet of remoting; we’ve got some more stuff to do but we want to start some automation and some scripting to come up. 
And so we’re going to kind of get started on this before we take a break. So if you have questions or comments, please make sure you’re jumping out there. And we’re going to come back to remoting in just a second. But before we take a break, let’s get started on this concept of automation. And to do that, we need to start to talk about things like security because we’re going to start about scripting now. And so we’re going to take the commands that you’re building as one-liners and so forth, and we’re going to take those commands and now automate them by putting them into a script and just telling the script to run them for us. No major deal yet. It’s pretty straightforward. But to run a script requires some special security. So we’re going to talk about security. We’re going to talk about variables, a place to store your stuff. Maybe a little bit with quotes and then, we’ll start getting into the automation. So the first thing off… And by the way, that’s a picture of me right there, the big guy >> Ooh >> On the next screen, usually people say that’s the picture of me but >> I see >> Oh no. The guys in the back are going, “Yep, that’s it.” So PowerShell is secured by default several different ways. Now we had some problems in the past with… Like VB script, you double-click on it and it runs >> Oh god, yeah >> Talk a little bit about what PowerShell does for us >> Yeah, so okay again remember it is secure by default. We did this: secure, secure, secure. So what happened if you weren’t around then, people came in one morning >> Oh god, yeah >> …and they got their mail, “I love you.” And they’re like, “Oh, I feel special. I’ve got a secret admirer.” And even the people like, “I bet that’s not true, but it might be.” >> That’s right. So, “I want to find out.” >> “I want to find out who loves me.” Click, click. And then it would run. You click and this thing would run. And guess what? 
Bad things happened >> Bad things happened >> Anybody who’s like giving you something free or promising to grow or shrink your body parts just with money, it just doesn’t work. And so too if somebody sends you love, don’t click on that stuff. Anyway, so with PowerShell somebody sends you that and you double-click on it, it brings up in the editor. It doesn’t run it >> It doesn’t run it >> That is the key >> So let me do a quick demonstration of that. Let’s just make a really quick script. And, guys, it’ll get cooler than this but I’m going to make a really quick script. And I’ve been doing this get-service Bits all morning; I’m getting sick and tired of typing this in. And I’m going to make sure that it works. It works. I’m going to take this right now and I’m going to copy it. And I’m going to start up Notepad and I’m going… Yeah, we’re using Notepad right now. Don’t worry, we’re going to get to the ISE. I’m going to paste it in there. File, save as. And here’s the magic to making a script… Well, let me put it on my desktop so we can see it… is what do you want to call this script? Let’s call it >> I love you >> …I love you. I love you. And let’s .PS1. PS1. And I don’t actually want to put it on my desktop >> No >> I’m going to put it under my scripts folder here so I can get to it. And wait a minute, there’s a scripts folder right there. Iloveyou.PS1 >> You’ve got to get rid of the text >> I got to… Oh >> Yeah. All files, right there >> All files. And save >> Stick with me, guy, I’ll help you out >> You’re the man. So I’ve got a script. What I want you to see is, yes, I’m going to show you this graphically first because I want you to see what Jeffrey just said. I’m going to go out here. And if somebody were to send this to me, Iloveyou.PS1, and I’m going to double-click it. See? Brings it up in Notepad or whatever editor you have set for it >> They didn’t love you >> They what? >> They didn’t love you >> They didn’t actually love me. It didn’t execute my script. Now this is a good thing for so many reasons as you guys already know. You don’t want scripts to automatically execute. But I want to bring something up: a lot of the security that we’re going to be talking about in the next thing which is execution policy which we’re going to do before we go on break, I need to tell you that this security is designed to take an unintentional user to stop them from doing unintentionally malicious things. In other words, I want you to think about I downloaded a script, I double-click on it; I didn’t want it to run. I wanted to look at it. This helps you. Now if you are a power-user that wants to be malicious, can we change this? Well, yeah >> Power >> I mean, yeah. I know how to change the association of PS1 to make it actually execute. That’s not just a good idea >> Yeah, don’t do that. Don’t do that >> The point is, is we’re not going to stop you from doing that. But this helps you from making foolish mistakes like this. So let’s try to execute this script and watch what happens. There’s another security feature. The whole path thing, you make us type in the path >> Yeah, well, first just try and type it >> So C colon scripts and it was Iloveyou.PS1 >> Well, no just CD to there. CD to that directory >> Oh, okay. You want me to CD to it, okay >> And then just type I love you >> Oh, I love you >> Ipe love you? >> No, that’s not going to work. IP… Well, I love IP but >> I love IP >> I love IP. IP therefore I am. There we go. I love you. What? What? What? What? >> See. It says, “No. 
No, no, no, my friend.” >> No, not recognized as the name of a cmdlet, a function or a script file. Check the spelling. Well >> Look at the suggestion. Have you ever noticed that? >> Oh, oh, dude >> You haven’t noticed that? >> That command I love you was not found but does exist in the current location >> You never noticed that? >> I never noticed that. Tricky, tricky >> Yeah >> So now that’s just going to confuse me more because it’s going to say… Oh, but then it actually tells me how to solve it >> Yeah, type dot slash. Now here’s the reason why. This is what’s called kind of a trolling attack. So what happened is… And this is only time UNIX problem. You’re admin and you CD to somewhere and you say, “Current working directory.” And a bad guy would go in that directory, and they’d put something called print working directory. They would rename Iloveyou.vbs to print working directory. So you CD there. You do print working directory; you run that code. And bad things would happen. And so what we said was, “No, no, no. If you want to run something in the current directory, you have to be clear that that’s what you want to do.” We’re very big on intentionality. You have to tell me that that’s what you want; otherwise, no >> I remember root kits used to come in >> Root kits >> …and there was a DIR root kit. And you would go DIR and you were running the root kit >> Yeah, bad >> Yeah, bad, bad. So what this prevents from is… Let me show you this two ways. One is I could try to run the script by typing in the full path to the script, I love you, or I can be in the current directory and let me show you that one. If I’m in the current directory with the script and try to run it, it’s dot slash Iloveyou.PS1 and that’s what that general message at the bottom told you to do because it saw it there. This will run my script. Oh, no. I’m a failure. I’m a failure in life because it found it, but it says it can’t be loaded because the running of scripts is disabled on this system. 
For more information… In other words, you’re not allowed to run scripts. And when we come back from break, we’re going to show you why you’re not allowed scripts and then how to change that. So we’ll see you guys in ten minutes. Yeah? Ten minutes >> Cheers