Wednesday, September 30, 2009

Using PowerShell to Clear ILM Run and Password History

With our latest implementation running completely on Windows Server 2008 and SQL Server 2008 in a Windows 2008 Active Directory, I've noticed that my old standby of calling the MIIS Resource Kit utility ClearRunHistory no longer works. Despite having the following in place:

  • Domain service account
  • Member of the ILM Administrators domain group (our renamed MIISAdmins)
  • Granted the "Logon as batch" right via policy
  • Runs fine logged in as the service account interactively

My scheduled task runs fine, but when it executes the utility it fails with a generic "Access Denied" error. So, I've said goodbye to the last of my Resource Kit buddies and hello to PowerShell! I'm now using the following script to clear both the run history and the password history (in the event you are using PCNS).

The script below is parameterized and I borrowed heavily from earlier work by Craig Martin and Markus Vilcinskas. If you pass no parameters, it should default to 14 days of history to maintain; otherwise, you can pass the value, in days, to the script for each. To call this from your own scheduled task, set up the task to call a CMD file of your creation and add the following:

    REM Call ClearHistory.ps1 from a CMD file
    powershell -nologo -command "& D:\ILMTasks\ClearHistory.ps1 5 10"

Remember that you must always refer to your script with the full path.

ClearHistory.ps1

    # Set up the argument parameters and declare defaults
    # Default is two weeks of history to retain
    # Typed as [int] so a non-numeric argument is rejected when the script is called
    param([int]$NumDaysToKeepRunHistory = 14,[int]$NumDaysToKeepPwdHistory = 14)

    # Calculate the date to clear runs against
    [string]$ClearRunsDate = [DateTime]::Now.AddDays(-$NumDaysToKeepRunHistory).ToUniversalTime()
    # Calculate the date to clear password history against
    [string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()

    # Get the WMI Object for MIIS_Server
    $miiserver = @(get-wmiobject -class "MIIS_SERVER" -namespace "root\MicrosoftIdentityIntegrationServer" -computer ".")

    # Clear the Run History
    Write-Host "Clearing the Run History prior to (UTC)" $ClearRunsDate
    Write-Host "Result: " $miiserver[0].ClearRuns($ClearRunsDate).ReturnValue
    #--------------------------------------------------------------------------------------------------------------------
    # Report any error raised by the WMI call
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    }
    #--------------------------------------------------------------------------------------------------------------------

    # Clear the Password History
    Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate
    Write-Host "Result: " $miiserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue
    #--------------------------------------------------------------------------------------------------------------------
    # Report any error raised by the WMI call
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    }
    #--------------------------------------------------------------------------------------------------------------------

This script calls the WMI provider and invokes its ClearRuns and ClearPasswordHistory methods. The API expects the dates to be passed formatted as UTC. I have these scripts posted separately in the ILM ScriptBox in the ILM Forum.
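
Because run history and password history are the audit trail for synchronization and PCNS activity, a scheduled purge should refuse a retention value that would wipe everything and should fail visibly when the provider refuses the call. The variant below is an added example, not the original script or Microsoft's code; it assumes PowerShell 2.0 or later, uses illustrative parameter and function names, and assumes the provider reports the string "success" on completion.

```powershell
# Added example: retention-guarded purge that reports failure to the scheduler.
# Assumes PowerShell 2.0+ (ValidateRange, try/catch); names below are illustrative.
param(
    # Reject 0 or negative values: they would move the cutoff to "now" or later
    # and erase the entire history instead of trimming it.
    [ValidateRange(1, 3650)][int]$RunHistoryDays = 14,
    [ValidateRange(1, 3650)][int]$PwdHistoryDays = 14
)

function Get-CutoffUtc([int]$Days) {
    # Same calculation as ClearHistory.ps1: N days back, converted to UTC
    return [string]([DateTime]::Now.AddDays(-$Days).ToUniversalTime())
}

function Test-PurgeResult([string]$Step, [string]$Cutoff, [string]$Result) {
    Write-Host "$Step prior to (UTC) $Cutoff -> $Result"
    # Assumption: the provider returns the string "success" when the purge completes
    return ($Result -eq 'success')
}

$ok = $true
try {
    $miiserver = @(Get-WmiObject -Class 'MIIS_SERVER' `
        -Namespace 'root\MicrosoftIdentityIntegrationServer' `
        -ComputerName '.' -ErrorAction Stop)
    if ($miiserver.Count -eq 0) { throw 'No MIIS_SERVER instance returned by WMI' }

    # Run history
    $cutoff = Get-CutoffUtc $RunHistoryDays
    $result = $miiserver[0].ClearRuns($cutoff).ReturnValue
    if (-not (Test-PurgeResult 'ClearRuns' $cutoff $result)) { $ok = $false }

    # Password history (only meaningful when PCNS is in use)
    $cutoff = Get-CutoffUtc $PwdHistoryDays
    $result = $miiserver[0].ClearPasswordHistory($cutoff).ReturnValue
    if (-not (Test-PurgeResult 'ClearPasswordHistory' $cutoff $result)) { $ok = $false }
}
catch {
    Write-Host "Error: $($_.Exception.Message)"
    $ok = $false
}

# A non-zero exit code surfaces in the scheduled task's last run result
if (-not $ok) { exit 1 }
exit 0
```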
