Everybody loves Powershell.
If you don’t, you’re wrong, really. It provides a way around everything!
I’ve been lucky enough to be stuck in high-security environment with multiple domains and no communication allowed between them. No trust, no nothing.
Which of course can be fine security-wise, but horrible from an admin standpoint.
Being the solution-oriented guy that I am, I didn’t really feel like settling into doing one operation in three different domains (this was a test/dev setup with identical users in all domains).
How do we fix that? Powershell with PowerCLI-
PowerCLI is VMware’s PS-module, which is very powerful, though a bit awkward at times.
It does have one nice, often overlooked function:
invoke-VMScript
Invoke-VMscript really does what you think it does. It runs a scriptblock using vmware tools on a remote computer.
What does that mean? It means you have full access to everything if you have access to vCenter.
And how do you use it? Simple! This is just a basic command to copy AD users group from one user to another.
$addtogroup = @"(Get-ADUser -Identity $fromuser -Properties memberof).memberof | Add-ADGroupMember -Members $touser"@
invoke-VMScript -vm $mgmt -ScriptText "$addtogroup" -ScriptType Powershell -guestuser "$domain\$username" -GuestPassword $pass}This is a part of a larger context/ecosystem (which I’ll blog about later) involving Keepass to manage passwords and all sorts of bruaha.
But the setup as far as commands go is pretty damn simple. Using @” you can pretty much just do the entire script block to execute remotely, calling it with -ScriptText and -vm is simply the VM you invoke through.
And if you’re thinking ‘well what about security’: I’m not really doing anything here that I wouldn’t have done anyway, I’m merely invoking the command instead of logging on the box and running it manually.
Cool, huh? I think so.