what if you try it this way:
cmd /c "echo .|powershell //localhost/BLD_PRD_PTCH/storage/extended_objects/admins2.p"
How is PowerShell going to understand the NSH path?
I was only able to get PowerShell to work for an extended object with the syntax below. The script also had to be copied to the target server and Execution Type: Remote Execution for the EO.
Powershell.exe -ExecutionPolicy ByPass -InputFormat None -OutputFormat Text -NoLogo -NonInteractive -Command c:\\tmp\\PowerShell_SQL_Scripts\\Get_Instance_Configuration.ps1
I am not sure to be honest. Still in the fire and trying to learn as I go. We have had some training but all these manual compliance rules that had no logic, we are trying to customize to make them work.
So I know that adding in the //path to the NAS Unit/filename.ps1 can point me to the file however I am not sure about the nsh path.
it fails with
"execution fails with no such file or directory"
If your powershell is in a script you need to have a wrapper that copies it to the target server and then a nexec call to run it and the EO calls the wrapper script.
why does that sound complicated lol
okay well I am going to have to do more research. I just wrote the script via vi on the app server in the directory, gave it permissions, then created the object and set what parameters I thought would work.
If you can send me a link on creating wrappers please do but I will be researching that. This is one of those manual rules which is why it is a bit tricky I guess.
Then below is an example of a rule check in a compliance template. I think Bill just means the script has to be copied first to the server you are trying to run it against and then set it to execute remotely. Otherwise you would have to copy the script to every server you want to run it against. I could be confused myself though.
Thanks for the big help I really appreciate it. We have the powershell script working since we copied it locally to a windows box and created the rule the way we want.
Next we are now working on a way to make it run off of the app server via a wrapper or something. So I will take a look at this and see if I can get it working using your link
Did you get it? I just used Steffen's instructions in the link How to run VB Script via Bladelogic extended Object and it worked.
NSH Wrapper Script
# Declare variables
BLFS=//blfs/mnt/<path to BSA file share>
# TARGET, PS_SCRIPT and DIR are placeholders (assumed); set them for your environment
TARGET=<target server name>
PS_SCRIPT=<PowerShell script file name>
DIR=<directory on the target>
# As a first step we have to verify if PowerShell exists on the target
nexec $TARGET c:\\Windows\\system32\\reg query "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell" > NUL 2>&1
if [ $? -ne 0 ] ; then
    echo "<Status><StatusExtendedObject>failed</StatusExtendedObject><Error>Powershell not found</Error></Status>"
    exit 1
fi
# Copy the PowerShell script from the NAS to the target server
cp $BLFS/$PS_SCRIPT //$TARGET/$DIR/$PS_SCRIPT
if [ $? -ne 0 ] ; then
    echo "<Status><StatusExtendedObject>failed</StatusExtendedObject><Error>Copy failed from NAS to target!</Error></Status>"
    exit 1
fi
# Change to directory where powershell script is located so can run it
cd //$TARGET/$DIR
# Execute the script on the target server
nexec -i -l $TARGET cmd /c "Powershell.exe -ExecutionPolicy ByPass -InputFormat None -OutputFormat Text -NoLogo -NonInteractive -Command $DIR/$PS_SCRIPT"
# Remove the temp PowerShell script
rm -f //$TARGET/$DIR/$PS_SCRIPT
very nice! I am working with support on this and will forward to Isaac. Also I will work on it myself to see if I can get it working. Thank you very much!
We stayed with using the net command: net localgroup administrators and added parameters
cmd /c net localgroup administrators | findstr -v "Alias Comment Members -- The"
Here is the rule:
"Extended Object Entry:Local Administrator Members in Object Dictionary//*"."Name (UI)" is one of ??TARGET.DISA Properties.PNC_Allowed_Local_Administrators??
This gives us who is in the local administrators and anyone in red means they are not in the "allowed local administrators" object dictionary group I created.
This is what we needed and it works. If anyone has any questions post and I will respond. Thanks to those who helped, as well as BMC support here at PNC.
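Added example, not from any poster in this thread: the same membership check done by parsing the structure of the `net localgroup administrators` output instead of filtering substrings. The `findstr -v` filter above drops every line containing "Alias", "Comment", "Members", "--" or "The", so a member whose name contains one of those strings never reaches the rule. The function name, sample output and allowlist are constructed for illustration, and the English-locale status line is an assumption.

```powershell
# Added example. Function name, sample output and allowlist are constructed.
function Get-GroupMembersFromNetOutput {
    param([string[]]$Lines)
    $members = @()
    $inList = $false
    foreach ($line in $Lines) {
        if (-not $inList) {
            # The member list starts after the row of dashes.
            if ($line -match '^-{5,}\s*$') { $inList = $true }
            continue
        }
        # The list ends at the status line (English-locale text, an assumption).
        if ($line -match '^The command completed') { break }
        $name = $line.Trim()
        if ($name) { $members += $name }
    }
    return $members
}

# Constructed sample of `net localgroup administrators` output.
$sample = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'CORP\Domain Admins',
    'CORP\TheBuildSvc',
    'The command completed successfully.',
    ''
)

# Hypothetical allowlist, standing in for the PNC_Allowed_Local_Administrators property.
$allowed = @('Administrator', 'CORP\Domain Admins')

$members = Get-GroupMembersFromNetOutput -Lines $sample
# -notin is case-insensitive, as Windows account names are.
$unexpected = $members | Where-Object { $_ -notin $allowed }

# What the findstr -v filter keeps (case-sensitive substring match; blank lines dropped here).
$findstrStyle = $sample | Where-Object { $_ -and $_ -cnotmatch 'Alias|Comment|Members|--|The' }

"Structural parse : $($members -join '; ')"
"findstr-style    : $($findstrStyle -join '; ')"
"Not in allowlist : $($unexpected -join '; ')"
```

On the constructed sample the structural parse reports `CORP\TheBuildSvc` as not in the allowlist, while the findstr-style filter omits that line, so the rule would never evaluate it.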