Run a Powershell script from PHP

Running a Powershell script from PHP is easier than I expected. I was pretty new to this as well, but after a while I manage to build some pretty nice automatized tasks that help a lot with small processes.

Of course, if you’re using Windows Powershell, you’ll need to run these script from a Windows Server/Client.

If you’re in a Windows environment, the best way to go is installing PHP in IIS. I recommend using the latest PHP version (at the time of writing, we’re at 7.2), you can grab it from https://php.iis.net, or you can launch the Web Platform Installer if you’ve already got it in IIS.

Possibilities

Many! You really have a huge playground here to develop whatever you need. Here’s a few examples:

  • Automate the creation of an AD account and allow access to the web end to just the Help Desk team.
    • What does this mean? You’ll no longer need to delegate permissions to the entire Help Desk team, you’ll just need to delegate permissions to the service account running the Application Pool in IIS. Also, because nobody else has permissions, you can choose the way you want this AD Account to be created (base OU, syntax, password length, settings etc).
  • Allow users to change a specific setting in their AD Account.
    • Imagine a large organization, you may want to delegate as many tasks as possible. For example, say we’re ok to trust the users to change their own Phone Numbers in AD. You can build a script that will allow to do that, at your own conditions and expose a small web interface to allow the user to see the current phone number and change it.
  • Allow the Help Desk and Desktop Teams to view a share’s NTFS permissions.
    • Once again, no need to provide access to the share, just the service account will need access. You’ll build a script that will grab the ACL from a share and return just that, based on the User’s input.

These are very basic examples of course. For instance, I’ve also built a tool that will allow Group’s managers to add/remove users to these groups. Super handy. (more…)

Read More

Powershell Replace all child object permission entries with inheritable permission entries from this object

How could would it be if in Powershell there’d be an option to Replace all child object permission entries with inheritable permission entries from this object, like we have in the GUI when applying permissions?

Well, there isn’t :), at least not for now (20181003), but I found a workaround that seems to be working pretty good.

When would we need this?

This is really handy to reset NTFS permissions from a certain level. Imagine this folder structure:

-Folder1 (inheritance disabled, John in Read Only and Albert in Read/Write)
–SubFolder1 (inherited from Folder1)
—-File1.txt (inherited from SubFolder1 plus Mark in Read Only)
—-File2.txt (inherited from SubFolder1)
–SubFolder2 (inherited from Folder1 plus Simon in Read/Write)
—-Sub-SubFolder1 (inherited from SubFolder2 plus Michael in Read Only)
—-Sub-SubFolder2 (inheritnace disabled, John in Read and Write)
–File1.txt (inherited from Folder1 – This is located under Folder1)

I hope you don’t actually have such a permission mess, as this would be bad, however this is just to generalize the example. Let’s also say that Folder1’s permissions are ok and we want to make sure they get replicated under every item recursively. So we want to remove Mark from accessing File1.txt, Simon from SubFolder2, Michael from Sub-SubFolder1 and also, we want to re-enable the inheritance from Sub-SubFolder2 (removing John as well). This is something you can force through with the GUI by flagging Replace all child object permission entries with inheritable permission entries from this object in the Advanced Security Settings.

So, this is fairly simple, but it’s really not cool when you’re trying to automate a permission setup process.

The logic behind the workaround

Let’s first talk about the example we have above, so we’re happy with Folder 1, how do I go and make sure every sub-folder/file will inherit the same permissions and will also remove any addition and reset the inheritance from the parent? (more…)

Read More

Run a command as a different user in Powershell

There are three main ways to run a command as a different user in Powershell, besides the classing Right click shift. This article will show you how to do that, within the same Powershell session.
By the same Powershell session, I mean something like this:

  • You’re logged on as ITDroplets\UserA.
  • You have a powershell script/console running as UserA.
  • Within that powershell script/console, you want to run a command as ITDroplets\UserB.

In the Options below, I will consider the above example and I will run “Get-Process Explorer” as UserB. This is very handy when running elevated commands, for instance when UserA is a standard user account and UserB has local admin rights. Of course, Get-Process Explorer doesn’t really need elevation 🙂
Remember that the examples are super concentrated, which means I didn’t add any check to see if the command ran successfully etc. They’re there as pure examples, you can then shape them to fit your needs.

Option 1 – System.Diagnostics.ProcessStartInfo

(more…)

Read More

Add output to PVOutput with Powershell

In this article, we will see how to setup your PVOutput account in order to add output to PVOutput with Powershell.

I found a ton of info on how to add Ouput to PVOutput with curl, but nearly nothing (as I needed it) for Powershell. No wonder why I received a couple of questions on this.

If you’re the owner of a GoodWe inverter, take a look at Get GoodWe data with Powershell.

I don’t want to go too deep, so in this article I will just explain how to send data to your own system on PVOutput and how to set up the account to be able to do so.

Set your PVOutput account

In order to make API calls to PVOutput, against your system, you’ll need to enable API Access and generate a new API Key. You will also need the System Id you want to manage.

This is super easy as it’s all located in the same area of the account settings.

  • Login to PVOutput
  • Click Settings
  • Scroll at the bottom and:
    • Enable API Access
    • Click New Key to generate a new Key
    • Write down your system ID
    • Save

That’s it! We’re ready to send data to our system.

Note: Before proceeding, make sure your system is correctly set up. You need to ensure you’ve added the right amount of solar panels as well as the correct Watt hour or else you may end up receiving errors.

A very simple script

So, this script is very simple and will just show you how to send your system’s outputs to PVOutput. I strongly recommend adding a Try/Catch to make sure you Catch any error (so that you can also set up an alert, perhaps with Telegram: Automating Telegram Messages with Powershell) and, most importantly, you want to automatically get the date, time etc automatically (look at Get GoodWe data with Powershell to see how I grabbed these info from my inverter).

Super easy! You can add more functionalities, like I said above. One of them could also be checking for the Content (or Status/Description) that will be held in $PVOutputInvokeResult:

Have fun 🙂

Read More

Get a list of users logged on a list of servers – Powershell

This post will show you how to get a list of users logged on a list of servers (or a specific server) and how to format the output in order to work with it, in Powershell.

Specifically, we will leverage quser, let’s see a quick example on how to query the current user sessions on a remote server.

The above command, will look like this.

quser_simple-example

This is just text however. If we were to assign that result into a variable (with Invoke-Command for instance), it’ll still be unmanageable. We can work with -Replace and with ConvertFrom-Csv in order to get this output to look decent.

Just for the sake of showing every step, the code below will first grab the list of sessions on a remote server and then use the -Replace and the ConvertFrom-Csv.

We’re not out of the woods yet, but here’s how the output looks like now.quser_output-converted-from-csv-after-replace

I’ve added some color to show you what the problem is at the minute. The output in green is good and it’ll always be good as long as the session is Active. The ones in yellow though have their values shifted up. That’s because SESSIONNAME doesn’t exist and so converting it to CSV shifted all values up.

To fix this, we just need the script to identify all sessions where SESSIONNAME isn’t like “console” and not like “rdp-tcp*“. When this is the case (like in the yellow sessions in the screenshot above), then we need to shift the values and we’re done! So, SESSIONNAME will have to be empty, the ID will match SESSIONNAME, the STATE will match the ID and so on. (more…)

Read More