Function to Create Certificate Template in Active Directory Certificate Services for PowerShell DSC and CMS Encryption

Today I’m cleaning out my code closet. I found this script that I have wanted to share for a while now. Problem Active Directory Certificate Services does not include a template for Document Encryption. This is required for DSC credential encryption and the CMS encryption cmdlets. Current processes require manual effort to create the template….


Top 10 PowerShell DSC Node Events to Monitor

In a previous blog post I demonstrated how to get a list of all possible PowerShell Desired State Configuration (DSC) events for monitoring. Admittedly, that was an overwhelming list. Today I want to narrow that down to the essentials of DSC monitoring events. These are the events you’re looking for. Recently I was working with…


Practical PowerShell Security: Enable Auditing and Logging with DSC

PowerShell Security Almost two years ago Lee Holmes released his famous PowerShell ♥ the Blue Team whitepaper. This is required reading for anyone who works with PowerShell at all in their job or who is concerned about the security of PowerShell in their environment. I outlined a number of PowerShell security-related resources in this previous…


Compare Group Policy (GPO) and PowerShell Desired State Configuration (DSC)

What is the difference between Group Policy (GPO) and PowerShell Desired State Configuration (DSC)? Why would I use one over the other? I hear these questions frequently. Today we are going to fully explore the pros and cons of each. Is GPO going the way of the floppy disk? Let’s find out. The Contenders Group…


Pro Tip: PowerShell DSC Events to Monitor

The Problem I need to monitor PowerShell DSC health on all of my nodes. But I do not want to wait for every possible event to happen in production to catch it and add it to my monitoring event list. The Options There are many options for monitoring PowerShell Desired State Configuration (DSC) status on…


Gnarly Innards: How to live debug PowerShell DSC configurations without using Enable-DSCDebug

The Problem Have you ever needed to debug a PowerShell Desired State Configuration that appeared to be hanging when it was applying? At that point it’s a little too late to run Enable-DscDebug. Here’s how to debug it anyway… The Solution On the box applying the active configuration you can see the LCM is busy….


Using Credentials with PsDscAllowPlainTextPassword and PsDscAllowDomainUser in PowerShell DSC Configuration Data

Warnings and errors, oh my! If you have written a DSC configuration containing a credential, then you have likely seen error messages about plain text passwords. And recently a warning was added when using domain credentials. In today's post we explain how to handle these appropriately using DSC configuration data. Where is the documentation for…


DevOps for n00bs (ie. Windows people like me)

Tidal Wave: DevOps There is a tidal wave coming to Windows IT Pros, especially those supporting infrastructure. That tidal wave is called DevOps. I’ve spent the last year wiping out in the surf of the tidal wave, trying to learn the lingo. As a Windows ops guy I’ve been attending non-Microsoft events where I feel…


PowerShell DSC FAQ: Sorting Out Certificates

Hello, everyone. This week I posted over on the PowerShell Team Blog. One of the most common questions I get regarding PowerShell Desired State Configuration is about certificates. What kind do I need? How many? Where do they go? In this blog post we will sort out certificate requirements for PowerShell DSC. You can read…


Configuring Active Directory with PowerShell DSC and the New xADRecycleBin Resource

Active Directory and PowerShell DSC Today’s post is the second in a series on using PowerShell DSC with Active Directory. We will demonstrate configuring the AD Recycle Bin and domain trusts with PowerShell Desired State Configuration. As a bonus we will throw in a registry key for some special logging on the domain controller. Continuing…