Use PowerShell in SAM templates, application monitors, and component monitors

Some SAM templates and application monitors include component monitors that use PowerShell scripts to gather information. You can also create custom PowerShell scripts to use in SAM.

Created by Microsoft, PowerShell is a task automation and configuration management framework that consists of a command-line shell and associated scripting language, built on the .NET Framework. PowerShell scripts are used in several out-of-the-box SAM templates, including Log Parser and Office 365 templates.

The ability to deploy PowerShell scripts to remote machines within SAM is a powerful advantage for system administrators. With an interactive prompt and scripting environment, PowerShell provides access to the file system on remote computers, along with data stores such as the registry.

Your organization should internally review and assess to what extent PowerShell is incorporated into your environment. This is especially important when importing scripts from third parties, including content posted by other customers in the SolarWinds online IT community, THWACK. To learn more, see PowerShell security considerations.

PowerShell includes built-in commands with a consistent interface (as shown here), plus an Integrated Scripting Environment (ISE) host application.

PowerShell does not process text; it processes objects based on the .NET Framework.

PowerShell also includes default cmdlets — simple commands you can use to manipulate objects — and you can write your own cmdlets. Cmdlets have a unique format — a verb and noun separated by a dash (-), such as Get-Help. You can use them separately or combine them in scripts that perform complex tasks.

SolarWinds provides customer support for PowerShell scripts and functionality built into SAM, but not for scripting languages or custom scripts. For scripting support from the SolarWinds online IT community, visit THWACK.

Some ways you can use PowerShell scripts with SAM include:

Review these topics to learn more:

PowerShell security considerations

Depending on how you configure PowerShell in your environment, it can make your system vulnerable to unauthorized access. For example, running monitors as Local Host on the Orion server with Admin privileges gives scripts unlimited power. Your organization should internally review and assess to what extent PowerShell scripts will be incorporated into your environment.

PowerShell can be used with the Orion Platform in many ways. For example, you can use it with the Orion Software Development Kit (SDK) to perform IP Address Manager (IPAM) operations, such as creating subnets. When used in SAM component monitors and application monitor templates, PowerShell provides the ability to:

  • Access file systems on computers.
  • Access data stores, including the system registry.
  • Deploy scripts to run on multiple remote machines.

While PowerShell enhances SAM functionality, it's important to consider the security risks inherent in using PowerShell scripts. SolarWinds recommends the use of a dedicated Windows account with low-level privileges for PowerShell monitors, especially for scripts executed on a polling engine that uses the same Windows account as the Orion server.

You can also avoid security risks, such as malicious OS command injections, by using PowerShell's built-in security, as described in Microsoft PowerShell documentation (© 2018 Microsoft Corp., link available at https://docs.microsoft.com/en-us/powershell/, obtained on October 30, 2018).

PowerShell requirements

Following are PowerShell requirements for a typical SAM environment:

  • PowerShell version: Version 1.0 or later is required for local execution. For remote execution of scripts, PowerShell 2.0 or later is required on the main polling engine (that is, the Orion server), Additional Polling Engines (APEs), and target servers. PowerShell is included in most installations of Microsoft Windows Server or you can install it, if necessary. See Microsoft PowerShell Documentation.

    Some scripts require PowerShell 2.0 to execute certain actions. Later versions of PowerShell shipped with Windows Server include a backwards compatibility mode you can enable to run 2.0 with a later version.

    Another consideration is whether to use 32-bit (x84) or 64-bit (x64) PowerShell. For best results, match the PowerShell version to the OS and application configurations on a server. For example, on a 64-bit main polling engine that polls a 64-bit server, install PowerShell 64 bit (x64).

  • Accounts and permissions: Local Admin rights are required to run scripts on the Orion server. To execute scripts on target servers, select a Windows credential with rights to log into the Orion server plus sufficient rights on the target node to execute tasks in the script. For example, if a script does something with WMI, the credentials also need WMI rights on the target node.

    SolarWinds recommends using a dedicated Windows account with minimal privileges for PowerShell monitors, especially for scripts executed on the main polling engine.

    Without the correct permissions for a target server, scripts return an Unknown status.

  • Microsoft .NET Framework: Many PowerShell scripts require .NET 3.5.x but the latest Orion Platform products include later versions during installation. For example, SAM 6.7 includes .NET 4.6.2. If necessary, use Server Manager's Add Roles and Features wizard to add .NET Framework 3.5.x.
  • Remote access: To use Remote Host as the Execution Mode for a PowerShell script, enable the Windows Remote Management (WinRM) service on the Orion server so it can access remote target servers, as described next.

Enable remote access for PowerShell with WinRM

If you select Remote Host as the Execution Mode for a SAM component monitor, the WinRM service must be enabled and properly configured on the main Orion server. WinRM cannot be enabled on target servers remotely, but you can configure the Orion server to grant permission for PowerShell to access the target servers.

There are several automated ways to enable remote access for PowerShell on servers:

You can also enable remote access for servers in the PowerShell console, as described next.

  1. On the Orion server and each remote server you want to run PowerShell on:
    1. Change the startup type for the WinRM service to Automatic.
    2. Start the WinRM service.
    3. Run the get-service winrm PowerShell command to verify WinRM is running.
  2. On the Orion server, click Start > Accessories > Windows PowerShell > Windows PowerShell.
  3. In the PowerShell console, run:
    Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI -force
  4. Enable the "Full Control for everyone" option.
  5. Verify the group to which the polling user belongs can access PowerShell.
  6. Repeat these steps for all remote target servers.

When finished, each remoting server should include the following elements:

  • An SSL certificate
  • A WinRM Listener
  • A firewall exception to allow outside requests to reach the WinRM service
  • The WinRM service to receive requests from other computers

The following log file contains information and errors related to the WinRM configuration process: C:\ProgramData\Solarwinds\Logs\APM\RunWinRMConfigurator.log

Working with Exchange Management Tools

Many SAM PowerShell components rely on Exchange Management tools.

To monitor a specific version of Microsoft Exchange:

  • Use the corresponding version of Exchange Management Tools.
  • Install Exchange Management Tools on the Orion server and Additional Polling Engines that use PowerShell scripts. Install any required PowerShell snap-ins also.
  • Review Set PowerShell permissions for Exchange.

To ease PowerShell plug-in management in an environment with multiple polling engines, consider assigning all nodes with PowerShell templates to a single polling engine.

Learn more about PowerShell