Privileged Identity 5.5.4 PowerShell API Guide

©2003-2019 BeyondTrust Corporation. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust Corporation. Other trademarks are the property of their respective owners.

TC: 3/12/2019

Table of Contents

Introduction to the BeyondTrust Privileged Identity API 5
PowerShell Cmdlets 7
Install the PowerShell Cmdlets 8
PowerShell Cmdlet Reference 12
PowerShell: Login 13
Get-LSLoginToken 13
PowerShell: Get-LSLoginSAMLToken 15
PowerShell: Auditing 17
Get-LSListWebAuditLogs 17
PowerShell: Jobs & Job Settings 20
Get-LSListJobs 20
PowerShell: Get-LSJobSchedule 25
PowerShell: Get-LSJobStatus 27
PowerShell: Get-LSJobAccountElevationSettings 29
PowerShell: Get-LSJobPasswordChangeSettings 31
PowerShell: Get-LSJobPreAndPostRunSettings 34
PowerShell: Get-LSJobSSHKeyChangeSettings 36
PowerShell: Get-LSListJobMessagesForJob 38
PowerShell: Get-LSListSystemStatusForJob 41
PowerShell: New-LSJobAccountElevation 43
PowerShell: New-LSJobAddSystem 45
PowerShell: New-LSJobClone 46
PowerShell: New-LSJobRefreshAndDiscoveryIPMI 47
PowerShell: New-LSJobSSHKeyChange 48
PowerShell: New-LSJobWindowsChangeAdministratorPassword 50
PowerShell: New-LSJobWindowsChangePassword 51
PowerShell: New-LSJobWindowsRefreshAndDiscovery 52
PowerShell: Remove-LSJob 53
PowerShell: Remove-LSJobSystem 54
PowerShell: Set-LSJobAccountElevationSettings 55
PowerShell: Set-LSJobAccountElevationExtension 57

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs
PowerShell: Set-LSJobComment 59
PowerShell: Set-LSJobPasswordChangeSettings 60
PowerShell: Propagation Targets Configurations Data 68
PowerShell: Set-LSJobPasswordSpin 73
PowerShell: Set-LSJobPreAndPostRunSettings 75
PowerShell: Set-LSJobRun 77
PowerShell: Set-LSJobSchedule 78
PowerShell: Set-LSJobSSHKeyChangeSettings 81
PowerShell: Set-LSSharedCredentialList 83
PowerShell: Delegations 85
Get-LSListDelegationAccountMasks 85
PowerShell: Get-LSListDelegationIdentities 87
PowerShell: Get-LSListDelegationManagementSetsForIdentity 89
PowerShell: Get-LSListDelegationPermissions 91
PowerShell: Get-LSListDelegationPermissionsForSelfRecovery 93
PowerShell: Get-LSListDelegationPermissionsOnAccounts 94
PowerShell: Get-LSListDelegationPermissionsOnFile 96
PowerShell: Get-LSListDelegationPermissionsOnJobs 98
PowerShell: Get-LSListDelegationPermissionsOnManagementSets 101
PowerShell: Get-LSListDelegationPermissionsOnSharedCredentialList 103
PowerShell: Get-LSListDelegationPermissionsOnSystems 105
PowerShell: Get-LSListDelegationRoleMapping 107
PowerShell: New-LSDelegationIdentity 108
PowerShell: New-LSDelegationManagementSetForIdentity 110
PowerShell: New-LSDelegationPermissionForSelfRecovery 111
PowerShell: Remove-LSDelegationIdentity 112
PowerShell: Remove-LSDelegationManagementSetFromIdentity 113
PowerShell: Remove-LSDelegationPermissionAccountMask 115
PowerShell: Remove-LSDelegationPermissionForSelfRecovery 116
PowerShell: Remove-LSDelegationPermissionOnAccount 117
PowerShell: Remove-LSDelegationPermissionOnJob 118
PowerShell: Remove-LSDelegationPermissionOnManagementSet 119
PowerShell: Remove-LSDelegationPermissionOnSharedCredentialList 120
PowerShell: Remove-LSDelegationPermissionOnSystem 122
PowerShell: Remove-LSDelegationPermissionRoleMapping 123
PowerShell: Set-LSDelegationIdentitySettings 124
PowerShell: Set-LSDelegationPermissionAccountMask 127
PowerShell: Set-LSDelegationPermissionForIdentityOnFile 128
PowerShell: Set-LSDelegationPermissionOnAccount 130
PowerShell: Set-LSDelegationPermissionOnJob 132
PowerShell: Set-LSDelegationPermissionOnManagementSet 133
PowerShell: Set-LSDelegationPermissionOnSharedCredentialList 135
PowerShell: Set-LSDelegationPermissionOnSystem 137
PowerShell: Set-LSDelegationPermissionRoleMapping 139

Introduction to the BeyondTrust Privileged Identity API

Privileged Identity is a solution designed to:

- Discover systems, devices, and accounts in your network
- Manage the passwords or SSH keys for those discovered accounts

With BeyondTrust PI's API support, it is possible to perform day-to-day operations without ever using the web application or management console. Common uses for API access include programmatic retrieval of passwords, integration into third-party applications, workflow establishment, system and identity orchestration, etc.

Programmatic access to Privileged Identity can occur through multiple web service endpoints.

The web service supports a REST/JSON format and is required for the Privileged Identity web application to function. Use of the API does not bypass the standard delegation system. Any identity making a programmatic call must still be delegated the proper permissions, like website users, in order to perform any actions.

For discovery and management, the target systems need to be online and have network connectivity with Privileged Identity.
Regular Authentication

When the service is installed, certain parameters are configured and affect configurations in IIS and the web service. For example, if you installed the web service during installation and configured it to use Anonymous Authentication and SSL, any attempt to access the web service using an alternate authentication method results in an error.

If the web service is configured to use Anonymous Authentication, you must pass username, password, and authenticator information at login. If the web service is configured to use Integrated Windows Authentication (IWA), you can log in without providing further information, or you may pass username, password, and authenticator information.

In any scenario, an authentication token is required to log in and to perform additional commands.

Multiple Authentication Scenarios

If you have a scenario where users connect to trusted Windows machines and wish for them to be able to log in without supplying a username and password, you must install the web service with Integrated Windows Authentication support. However, if you have clients or processes that must programmatically access Privileged Identity without integrated authentication, follow the steps below:

1. Go to the host system supporting the web service, %inetpub%\wwwroot\erpmwebservice.
2. Copy the ErpmWebService folder.
3. Place the copy in %inetpub%\wwwroot.
4. Delete the current web.config file in this new directory.
5. Copy the required web.config example file.
6. Rename it to web.config.
7. In IIS, right-click Convert to application, and convert the ERPMWebServiceAnon directory to an application.

Delegations & Access

Regardless of which method is used to programmatically access Privileged Identity, the calling user must be authenticated and must have proper delegations to perform the requested action. Before any actions can occur, a user must be granted the global Logon permission. The permission can be directly assigned or inherited.
A successful login provides the calling user an authentication token. This token is passed to all subsequent calls as AuthenticationToken.

Authentication tokens have the same idle lifetime expiration, which defaults to 20 minutes in both IIS and Privileged Identity settings. If a token sits idle for 20 minutes or the user logs out, the token expires, and the user must log in to obtain a new authentication token.

Permissions Required for Management Set Manipulation in PowerShell Cmdlets

With Global management set permissions on the management set, the management set is assigned to the delegation identity in the global delegation dialog.

Alternatively, use Change Group Membership Permission on the specific management set. This can be assigned on a per-management-set basis by configuring per-management-set permissions in the console or through the API.

Web Service vs Web Application Dependency

While the web service communicates with the database directly and is responsible for its own client communications, the web service is dependent on the web application's configuration options. A web service installed on a system also hosting a web application inherits that particular web application's settings. A web service installed on a system not hosting a web application must have a web server's registry configuration exported and manually imported to the web service host. Changes can be made to the configuration by directly editing the registry or the registry import file.

Database connectivity is key. If the database is unavailable, the web application is unable to provide any services to calling users.

URI Information

The REST API is accessed at serverName/ErpmWebService/AuthService.svc/REST. REST help pages are available at serverName/ErpmWebService/AuthService.svc/REST/help.
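The following script is an added example and is not part of the BeyondTrust guide or product. It builds the REST and help URIs from a server name using the paths given above and confirms that the web service answers, distinguishing an authentication-method mismatch (the "alternate authentication method results in an error" case from Regular Authentication) from a missing application or a transport failure. The server name and port are placeholders; the function names are the example's own.

```powershell
# Added example, not BeyondTrust code. Host name and port below are placeholders.
function Get-PiRestUri {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [bool]$UseSsl = $true,
        [int]$Port = 0          # 0 means the scheme's default port (80 or 443)
    )
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $authority = if ($Port -gt 0) { '{0}:{1}' -f $ServerName, $Port } else { $ServerName }
    # Paths from the guide: .../AuthService.svc/REST and .../AuthService.svc/REST/help
    $base = "${scheme}://${authority}/ErpmWebService/AuthService.svc"
    [pscustomobject]@{
        Rest = "$base/REST"
        Help = "$base/REST/help"
    }
}

function Test-PiWebService {
    param(
        [Parameter(Mandatory)][string]$HelpUri,
        [switch]$IntegratedAuth    # send the caller's Windows identity (IWA-configured service)
    )
    $request = @{ Uri = $HelpUri; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($IntegratedAuth) { $request['UseDefaultCredentials'] = $true }
    try {
        $response = Invoke-WebRequest @request
        return [pscustomobject]@{
            Reachable  = $true
            StatusCode = [int]$response.StatusCode
            Detail     = 'REST help page served'
        }
    }
    catch {
        $err = $_
        $status = $null
        if ($err.Exception.Response) { $status = [int]$err.Exception.Response.StatusCode }
        $detail = switch ($status) {
            401     { 'HTTP 401: the service rejected this authentication method (anonymous vs. IWA mismatch)' }
            404     { 'HTTP 404: path not found; check the ErpmWebService application name in IIS' }
            default { $err.Exception.Message }   # DNS, TLS ("Could not establish a secure channel"), timeout
        }
        return [pscustomobject]@{ Reachable = $false; StatusCode = $status; Detail = $detail }
    }
}

# Usage: 'pi-web.example.internal' is a placeholder server name.
$uris = Get-PiRestUri -ServerName 'pi-web.example.internal'
Test-PiWebService -HelpUri $uris.Help -IntegratedAuth
```

Run it once with -IntegratedAuth and once without: a 401 in exactly one of the two runs tells you which authentication mode the IIS application was installed with, before any login cmdlet is attempted.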
PowerShell Cmdlets

This guide documents PowerShell cmdlets you can use to extend the management of Privileged Identity to a shell/scripting environment.

The PowerShell cmdlets can run from any system that supports PowerShell 3.0+. The PowerShell commands require the Privileged Identity web service to be installed, functional, and accessible to you. Before you install the PowerShell cmdlets, consider the following:

- How will authentication occur? Windows integrated? Anonymous?

  Note: We strongly recommend against using certificate-based authentication because PowerShell is known to refuse client certificates, resulting in a "Could not establish a secure channel" error message. For password-less PowerShell authentication, we recommend using Integrated Windows Authentication.

- Is SSL enabled?
- What port is the web service listening on?
- What is the full URL to the web service?

There are three sets of PowerShell cmdlets distributed with Privileged Identity:

- LSClientAgentCommandlets: Provides web application and management console-equivalent functionality.
- LSClientUpdateConfiguration: Provides functionality for web application, web service, and zone processor deployment and management.
- LSClientUpdatePassword: Provides functionality for working with the Offline Account Update feature.

If using the PowerShell profile files, LSClientAgentCommandlets is automatically imported when you start PowerShell. The other two modules can be imported using the import-module command. If needed, modify the profile to include these extra cmdlets.

Note: Program configuration such as data store or solution email configuration cannot be performed programmatically and must be done by the management console.
Install the PowerShell Cmdlets

PowerShell Cmdlets

Cmdlets can be distributed to any Windows computer as long as network connectivity to the target web service has been established. Before using PowerShell cmdlets, make sure the following is in place:

1. Ensure Prerequisites Are Met
2. Check and Set the Execution Policy
3. Create Folders and Distribute the Cmdlets
4. Configure the Client

Ensure Prerequisites Are Met

Windows PowerShell 3.0+ is required. Previous versions of Windows need to download and install Windows Management Framework (WMF). WMF version 4+ is recommended. WMF 4.0 requires Microsoft .NET Framework 4.5+.

1. Open PowerShell or PowerShell ISE.
2. Run the following command:

    Get-Host

Check and Set the Execution Policy

Note: To set the execution policy, administrator privileges are required.

Set the execution policy to AllSigned, RemoteSigned, or Unrestricted to use the PowerShell cmdlets. If you use these cmdlets from both PowerShell x64 and x86, take the following steps in both:

1. Open PowerShell or PowerShell ISE.
2. Run the following command:

    Get-ExecutionPolicy

   If the execution policy is set to Restricted, the execution policy must be changed. Otherwise, your system is ready to use the cmdlets.
3. If the execution policy must be changed, open an administrative PowerShell or PowerShell ISE.
4. Run the following command:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

5. Click Yes on the security warning.
6. Run the following command to verify the execution policy is properly set:

    Get-ExecutionPolicy

7. Close PowerShell.
Create Folders and Distribute the Cmdlets

This process describes one possible way to deploy and configure a PowerShell environment. There are three sets of PowerShell cmdlets distributed with Privileged Identity:

- LSClientAgentCommandlets: Provides web application and management console-equivalent functionality.
- LSClientUpdateConfiguration: Provides some management functionality for the web application, web service, and zone processor.
- LSClientUpdatePassword: Provides functionality for working with the Offline Account Update feature.

The required PowerShell files are located in the Privileged Identity installation path at \SupplementalInstallers\LSCPowerShellCmdlets.

1. In the target user's profile, create the following folder structure: %userprofile%\Documents\WindowsPowerShell\Modules.
2. Copy the desired cmdlets to the Modules subdirectory in the user's profile. LSClientAgentCommandlets is most common.
3. Copy the two profile.ps1 files to the WindowsPowerShell subdirectory in the user's profile. Microsoft.PowerShell_profile.ps1 is for the standard PowerShell environment, while Microsoft.PowerShellISE_profile.ps1 is for PowerShell ISE. These affect both x64 and x86 environments.
4. Launch PowerShell.
5. Run the following command to validate the desired modules loaded:

    Get-Module -Name LSClient*

By default, the profile automatically loads LSClientAgentCommandlets only. If it should automatically load any of the other cmdlets, edit the appropriate profile file, and modify the existing import-module command or add a new import-module command. You can also run the import-module command at any time to load the modules by hand.

Future PowerShell upgrades require re-copying the three folders and their modules to the target systems and overwriting the previous versions.
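The script below is an added example, not BeyondTrust's installer or a file shipped with the product. It carries out the three install steps above (prerequisites, execution policy, folders and module copy) in one run and verifies the result the way step 5 does. It assumes the profile .ps1 files sit in the same \SupplementalInstallers\LSCPowerShellCmdlets folder as the module folders; $InstallRoot is a placeholder for the Privileged Identity installation path.

```powershell
# Added example, not BeyondTrust code. $InstallRoot is a placeholder path.
param(
    [string]$InstallRoot = 'C:\PLACEHOLDER\PrivilegedIdentity',
    [string[]]$Modules = @('LSClientAgentCommandlets', 'LSClientUpdateConfiguration', 'LSClientUpdatePassword')
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Step 1: the guide requires PowerShell 3.0 or later (the same version Get-Host reports).
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell $($PSVersionTable.PSVersion) found; 3.0+ is required (install WMF 4+)."
}

# Step 2: Restricted blocks the module scripts. Only an elevated session may change the
# machine policy, and x64 and x86 PowerShell keep separate policies, so run this in both.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    if (Test-IsElevated) {
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    } else {
        throw 'Execution policy is Restricted; rerun from an administrative PowerShell to set RemoteSigned.'
    }
}

# Step 3: create %userprofile%\Documents\WindowsPowerShell\Modules and copy the module folders.
$source = Join-Path $InstallRoot 'SupplementalInstallers\LSCPowerShellCmdlets'
if (-not (Test-Path $source)) { throw "Cmdlet source folder not found: $source" }
$psDir     = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell'
$moduleDir = Join-Path $psDir 'Modules'
New-Item -ItemType Directory -Path $moduleDir -Force | Out-Null

foreach ($name in $Modules) {
    $from = Join-Path $source $name
    if (Test-Path $from) {
        Copy-Item -Path $from -Destination $moduleDir -Recurse -Force
    } else {
        Write-Warning "Module folder $name not found under $source; skipped."
    }
}

# Profile scripts run at every shell start, so keep a backup of any existing profile and
# record the Authenticode status of what was installed (RemoteSigned runs local files unsigned).
foreach ($profileName in 'Microsoft.PowerShell_profile.ps1', 'Microsoft.PowerShellISE_profile.ps1') {
    $from = Join-Path $source $profileName     # assumption: profiles ship beside the modules
    $to   = Join-Path $psDir $profileName
    if (-not (Test-Path $from)) { Write-Warning "$profileName not found under $source; skipped."; continue }
    if (Test-Path $to) { Copy-Item -Path $to -Destination "$to.bak" -Force }
    Copy-Item -Path $from -Destination $to -Force
    $sig = Get-AuthenticodeSignature -FilePath $to
    Write-Host ('{0}: signature status {1}' -f $profileName, $sig.Status)
}

# Verify: load the most common module by hand and list what is present, as step 5 does.
Import-Module -Name LSClientAgentCommandlets -ErrorAction Stop
Get-Module -Name LSClient* | Select-Object Name, Version, ModuleType
```

Because the user-profile Modules folder is on PSModulePath, Import-Module by name resolves the copied folder without a path; a new shell started afterwards picks LSClientAgentCommandlets up through the copied profile exactly as step 5 expects.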
Configure the Client

The client must know information about the web service endpoint it is communicating with, specifically the endpoint URL and how to authenticate.

There are three ways to set the client's configuration:

- Use PowerShell
- Push the configuration from the management console
- Edit the registry

To use PowerShell, configure the client settings and define where the web service is hosted. Use the Set-LSClientWebServiceSettings cmdlet to run the configuration. The syntax is as follows:

    Set-LSClientWebServiceSettings [-EnableWebService] <bool> [-WebServiceAddress <string>] [-IntegratedAuth <bool>] [-ClientCert <string>] [-SSLEnabled <bool>] [-PassException] [-Trace] [-RunAs <pscredential>] [<CommonParameters>]

The variables can be entered in any order. The variables are as follows:

- EnableWebService: If configuring the host to use the web service, this value should be set to $true.
- ClientCert: If using user certificates to perform login, specify the friendly name of the user certificate as shown in the user's certificate store. Omit this variable if using Integrated Windows Authentication or if passing a username and password. To use certificate-based authentication, the web service must be configured with SSL and accept client certificates.

  Note: We strongly recommend against using certificate-based authentication because PowerShell is known to refuse client certificates, resulting in a "Could not establish a secure channel" error message. This is a known issue with Windows PowerShell. For password-less PowerShell authentication, we recommend using Integrated Windows Authentication.
- IntegratedAuth: If using Integrated Windows Authentication, this value should be set to $true. If you are passing a username and password or using client certificates, set this value to $false. Integrated Windows Authentication also requires the following:
  o Set the web service and website to enable Integrated Windows Authentication
  o Set Anonymous Authentication to disabled
  o Set the web application global option to permit Integrated Windows Authentication
- SSLEnabled: If the website uses SSL, set this value to $true. Be aware that enabling SSL also changes the default listening port from 80 to 443.
- WebServiceAddress: Enter the full URL, including the protocol and port, to the web service page and authservice.svc, such as https://webserver.domain.int:65535/erpmwebservice/AuthService.Svc.

Any item entered can be changed at any time by re-running the above command or by manipulating the registry at HKLM\Software\WoW6432Node\Lieberman\ClientAccountManagement\GlobalSettings. The registry values are appropriately named.

To view the client's current settings, run the cmdlet Get-LSClientSettings with no parameters.

Because this writes to the system's registry key, the Set-LSClientWebServiceSettings cmdlet must be run as an administrator.

    Set-LSClientWebServiceSettings -EnableWebService $True -IntegratedAuth $True -SSLEnabled $True -WebServiceAddress https://lsdslscprd.lsds.int/erpmwebservice/authservice.svc

Client Configuration Cmdlet Alternative

An alternative cmdlet is Set-LSClientSettings. This cmdlet configures the client for the web service. The syntax is as follows:

    Set-LSClientSettings [-WebserverName] <string> [-Page] <string> [-SSLEnabled] <string> [-VerboseLogging] <string> [-ClientCert] <string> [-IntegratedAuth] <string> [-CustomPort] <string> [-EnableWebService] <bool> [-WebServiceAddress] <string> [[-UserCertStore] <bool>] [-PassException] [-Trace] [-RunAs <pscredential>] [<CommonParameters>]

This cmdlet adds the following parameters to those noted above:

- CustomPort: This value should be configured any time the website is not listening on the default port of 80. If the port ever changes from port 80, this value should be configured.
- Page: This value is not required for configuring the web service communication.
- VerboseLogging: This value is optional and supplies all logging messages to the local client. This significantly slows down operations and should normally be set to $false.
- WebserverName: This is the name (or FQDN) of the host providing the web service. Consider if the host requires a full FQDN or can be accessed by a hostname. This is especially important when using SSL because the certificate supplies the entire
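The script below is an added example and is not BeyondTrust code. It wraps the Set-LSClientWebServiceSettings call shown above: it checks the WebServiceAddress before anything is written (absolute URL, ends in authservice.svc, FQDN when SSL is in use, since the certificate name must match the host), refuses to run unelevated because the cmdlet writes under HKLM, then reads the result back with Get-LSClientSettings and from the registry key the guide names. The host name is a placeholder; the two helper function names are the example's own.

```powershell
# Added example, not BeyondTrust code. The default address is a placeholder.
param(
    [string]$WebServiceAddress = 'https://pi-web.example.internal/erpmwebservice/authservice.svc',
    [bool]$IntegratedAuth = $true    # $false means a username and password are passed at login
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WebServiceAddress {
    param([Parameter(Mandatory)][string]$Address)
    $uri = $null
    if (-not [Uri]::TryCreate($Address, [UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL (protocol and host required): $Address"
    }
    if ($uri.Scheme -notin 'http', 'https') { throw "Scheme must be http or https: $Address" }
    # The address must point at the web service's AuthService.svc page
    # (the anonymous copy is named ERPMWebServiceAnon, so allow a suffix).
    if ($uri.AbsolutePath -notmatch '(?i)/erpmwebservice[a-z]*/authservice\.svc/?$') {
        throw "Address must end in /erpmwebservice/authservice.svc: $Address"
    }
    # With SSL the certificate name must match the host; a short name is a likely mismatch.
    if ($uri.Scheme -eq 'https' -and $uri.Host -notmatch '\.') {
        Write-Warning "Host '$($uri.Host)' is not an FQDN; the SSL certificate name will probably not match."
    }
    if ($uri.Scheme -eq 'http') {
        Write-Warning 'Plain HTTP: credentials and authentication tokens would cross the network unencrypted.'
    }
    return $uri
}

$uri    = Test-WebServiceAddress -Address $WebServiceAddress
$useSsl = ($uri.Scheme -eq 'https')

if (-not (Test-IsElevated)) {
    throw 'Set-LSClientWebServiceSettings writes under HKLM; rerun from an administrative PowerShell.'
}

# ClientCert is deliberately omitted: the guide recommends IWA over client certificates for PowerShell.
$settings = @{
    EnableWebService  = $true
    IntegratedAuth    = $IntegratedAuth
    SSLEnabled        = $useSsl
    WebServiceAddress = $uri.AbsoluteUri
}
Set-LSClientWebServiceSettings @settings

# Read the configuration back through the cmdlet and from the registry key the guide names.
Get-LSClientSettings
$key = 'HKLM:\Software\WoW6432Node\Lieberman\ClientAccountManagement\GlobalSettings'
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "Registry key not found: $key"
}
```

The registry read-back is the check that matters when the configuration was pushed from the management console or edited by hand instead: whatever Get-LSClientSettings reports must agree with the values under GlobalSettings, and a disagreement means one of the two paths is stale.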
Description: