Skip to main content

FIM 2010 - PowerShell Extension

Update 2011-07-01: I have moved the code, docs, scripts to http://fim.codeplex.com

I have been busy, thus why I haven't posted here in a while, learning FIM 2010. One of the features that are nice about FIM 2010 is the codeless provisioning you can do. However, you will reach a point where you need more than what is available out of the box. I don't want to have to write .NET code everytime I need to customize an attribute flow. So, I built a simple extension class that loads PowerShell scripts for the MA's data directory and runs the commands via that. FIM 2010 has a long way to go to being perfect, but with this simple extension code, customization is slightly less painful than banging your head against the wall trying to figure out how to use as much out of the box as possible...

Example scripts are below:

[Deprovision.ps1]
  1. param($csentry)  
  2.   
  3. $ADS_UF_ACCOUNTDISABLE = 0x002  
  4. $ADS_UF_NORMAL_ACCOUNT = 0x200  
  5.   
  6. switch ($csentry.ObjectType)  
  7. {  
  8.     'user'  
  9.     {  
  10.         if ($csentry.DN.ToString() -match ',OU=Contractors,DC=contoso,DC=com$') {  
  11.             'Delete'  
  12.         } else {  
  13.             $uac = $csentry['userAccountControl']  
  14.   
  15.             if ($uac.IsPresent) {  
  16.                 $uac.IntegerValue = $uac.IntegerValue -bor $ADS_UF_ACCOUNTDISABLE   
  17.             } else {  
  18.                 $uac.IntegerValue = $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE   
  19.             }  
  20.   
  21.             'Disconnect'  
  22.         }  
  23.     }  
  24. }  
[FilterForDisconnection.ps1]
  1. param ($csentry)  
  2.   
  3. $ErrorActionPreference = 'Stop'  
  4.   
  5. switch ($csentry.ObjectType)  
  6. {  
  7.     'user'   
  8.     {   
  9.         $employeeStatus = $csentry['employeeStatus']  
  10.   
  11.         if ($employeeStatus.IsPresent) {  
  12.             $employeeStatus.Value -notmatch '^(Full-Time|Part-Time)$'  
  13.         }  
  14.     }  
  15. }  
  16.   
  17. $false  
[MapAttributesForImport.ps1]
  1. param ($FlowRuleName$csentry$mventry)  
  2.   
  3. $ErrorActionPreference = 'Stop'  
  4.   
  5. switch ($FlowRuleName)  
  6. {  
  7.     'displayName'  { $mventry['displayName'].Value      = "$($csentry['NICK_NAME'].Value) $($csentry['LAST_NAME'].Value)" }  
  8. }  

Comments

Popular posts from this blog

PowerShell SupportsShouldProcess Worst & Best Practices

This has been a very big discussion within the Scripting Games 2013 community and I want to add my two cents in an official blog post.

I've left several people comments on how they might be misunderstanding how SupportsShouldProcess works, but I also realize, everyone of these individuals has given me more insight into its use and perhaps, how it should best be utilized.

For those of you that don't know, SupportsShouldProcess is a parameter on the CmdletBinding attribute you can place on your cmdlets that automatically adds the -WhatIf and -Confirm parameters. These will naturally flow into other cmdlets you use that also SupportsShouldProcess, e.g. New-Item, Move-Item.

The major discussion has been around, should you just let the other cmdlets handle the $PSCmdlet.ShouldProcess feature, and if not how should you implement it. ShouldProcess has the following definitions.
OverloadDefinitions�����������������������������������������������������������������������������������������…

Generate Random SecureString Key

Ever need to encrypt a SecureString that can be used across multiple servers? I suggest storing this BASE64 value in a secure location only accessible by the account(s) that need to decrypt the SecureString.
$secret = 'secret1234'$key    = [Convert]::ToBase64String((1..32 |% { [byte](Get-Random -Minimum 0 -Maximum 255) }))  $encryptedSecret = ConvertTo-SecureString -AsPlainText -Force -String $secret | ConvertFrom-SecureString -Key ([Convert]::FromBase64String($key))  $encryptedSecret | Select-Object @{Name='Key';Expression={$key}},@{Name='EncryptedSecret';Expression={$encryptedSecret}} | fl  $ss = ConvertTo-SecureString -Key ([Convert]::FromBase64String($key)) -String $encryptedSecret(New-Object System.Management.Automation.PSCredential 'SECURESTRING',$ss).GetNetworkCredential().Password

PowerShell Error Handling Behavior Debunked

Note: I am using simple error messages as an example, please reference the best practices and guidelines I outlined on when to use custom error messages.

I have been churning in my mind for the last few days all the entries in the 2013 Scripting Games and how they handle errors, or lack thereof.

I am coming to the conclusion through some testing that the simple fact of seeing a try..catch or throw statements does not mean there is proper error handling.

I've been testing several variations and forms of error handling, so lets start with the basics.
function Test-WriteError {      [CmdletBinding()] param()  "Test-WriteError::ErrorActionPreference = $ErrorActionPreference"Move-Item -Path 'C:\Does\Not\Exists.log' -Destination 'C:\No\Where'"Test-WriteError::End"}   Test-WriteError::ErrorActionPreference = Continue
Move-Item : Cannot find path 'C:\Does\Not\Exists.log' because it does not exist.
At line:6 char:5
+     Move-Item -Path 'C:\Does\N…