> pshdo

Carbon v1.0.0 Released

I’m extremely happy to announce the release of Carbon v1.0.0. Thanks to everyone who’s already started using Carbon. Please continue to provide feedback. I love to hear from everyone that’s using it, good or bad. Also, now that we’re at v1.0, don’t hesitate to spread the word!

If you’re on v0.5.0.1, you should be able to upgrade with little or no work as this release is includes mostly fixes for bugs found in that release.

Get the bits here!

Upgrade Instructions

  • Remove the Quiet parameter from the Import-Carbon.ps1 script.
  • If you’re nesting Carbon as a sub-module of another module, STOP. This causes havoc. Create an Import-*.ps1 script for your module which imports Carbon before importing your own module. Update your scripts to import your module with your fancy new Import-*.ps1 script. See Best Practices for Importing PowerShell Modules for details.

Enhancements

General

  • The Import-Carbon.ps1 script no longer checks if Carbon is a sub-module of another module, so the Quiet parameter was removed. Please don’t nest Carbon in your modules! It will cause havoc.
  • Import-Carbon.ps1 will no longer stop execution if an error occurs during an import (i.e. the $ErrorActionPreference = 'Stop' line was removed).

Services

  • Renamed Install-Service’s Dependencies parameter to Dependency (with backwards-compatible alias), to follow PowerShell naming standards.

Users and Groups

  • Install-User: you can now set a user’s full name with the optional FullName parameter.

Bug Fixes

IIS

  • Added Test-IisWebsiteExists alias for Test-IisWebsite, for backwards-compatibility with earlier releases.

Security

  • Grant-Permission returns boolean values to the pipeline when clearing access rules.
  • Added Unprotect-AclAccessRules alias for Protect-Acl, for backwards-compatibility with earlier releases.
  • Updated v0.5.0.0 section of release notes to include a note that Unprotect-AclAccessRules was renamed to Protect-Acl.

Service

  • Install-Service fails if Dependency parameter doesn’t have a value. Sometimes.

Shares

Users and Groups

  • Add-GroupMember doesn’t handle when the .NET Active Directory throws an exception when adding members to a group, causing script termination.

Carbon v0.5.0.1 Released

OK. The guilt was too overwhelming. I’ve released Carbon v0.5.0.1, which adds a bunch of aliases for the functions renamed in v0.5.0.0. This should make upgrading from previous releases easier.

I’ve also renamed all functions with plural nouns in their names to use singular nouns instead, to better conform with PowerShell standards.aspx#SD01). But don’t worry, I’ve learned my lesson! There are aliases in place for all name changes so you won’t have to change any of your exising scripts. This is a 100% backwards-compatible release with v0.5.0.0. (Thanks to Jason Stangroome for the feedback!)

Go get it and please keep the feedback coming.

Enhancements

Active Directory

Certificates

COM

Firewall

  • Renamed Get-FirewallRules to Get-FirewallRule, with backwards-compatible alias.

IIS

  • Renamed Add-IisServerManagerMembers to Add-IisServerManagerMember, with backwards-compatible alias.
  • Added StatusCode alias for Set-IisHttpRedirect’s HttpResponseStatus parameter, for backwards-compatibility with earlier releases.
  • Added Test-IisAppPoolExists alias for Test-IisAppPool, for backwards-compatibility with earlier releases.
  • Added Remove-IisWebsite alias for Uninstall-IisWebsite, for backwards-compatibility with earlier releases.

Internet Explorer

MSMQ

Path

  • Added ConvertTo-FullPath alias for Resolve-FullPath, for backwards-compatibility with earlier releases.
  • Added Get-PathCanonicalCase alias for Resolve-PathCase, for backwards-compatibility with earlier releases.

Performance Counters

PowerShell

  • Renamed Add-TrustedHosts to Add-TrustedHost, with backwards-compatible alias.
  • Renamed Add-TrustedHost’s Entries parameter to Entry, with backwards-compatible alias.
  • Renamed Clear-TrustedHosts to Clear-TrustedHost, with backwards-compatible alias.
  • Renamed Complete-Jobs to Complete-Job, with backwards-compatible alias.
  • Renamed Complete-Job’s Jobs parameter to Job, with backwards-compatible alias.
  • Renamed Get-TrustedHosts to Get-TrustedHost, with backwards-compatible alias.
  • Renamed Set-TrustedHosts to Set-TrustedHost, with backwards-compatible alias.
  • Renamed Set-TrustedHost’s Entries parameter to Entry, with backwards-compatible alias.

Security

  • Renamed Assert-AdminPrivileges to Assert-AdminPrivilege, with backwards-compatible alias.
  • Renamed ConvertTo-InheritanceFlags to ConvertTo-InheritanceFlag, with backwards-compatible alias.
  • Renamed ConvertTo-InheritanceFlag’s ContainerInheritanceFlags parameter to ConvertTo-InheritanceFlag, with backwards-compatible alias.
  • Renamed ConvertTo-PropagationFlags to ConvertTo-PropagationFlag, with backwards-compatible alias.
  • Renamed ConvertTo-PropagationFlag’s ContainerInheritanceFlags parameter to ConvertTo-InheritanceFlag, with backwards-compatible alias.
  • Renamed Get-Permissions to Get-Permission, with backwards-compatible alias.
  • Renamed Grant-Permissions to Grant-Permission, with backwards-compatible alias.
  • Renamed Grant-Permission’s Permissions parameter to Permission, with backwards-compatible alias.
  • Renamed Test-AdminPrivileges to Test-AdminPrivilege, with backwards-compatible alias.

Service

  • Renamed Get-ServicePermissions to Get-ServicePermission, with backwards-compatible alias.
  • Added Remove-Service alias for Uninstall-Service, for backwards-compatibility with earlier releases.

Users and Groups

  • Renamed Add-GroupMembers to Add-GroupMember, with backwards-compatible alias.
  • Renamed Add-GroupMember’s Members parameter to Member.
  • Added Remove-User alias for Uninstall-User, for backwards-compatibility with earlier releases.

Windows Features

Carbon v0.5.0.0 Released

I’m extremely happy to announce Carbon v0.5.0.0. This should be the last release of Carbon before v1.0, which will probably be released in late February or early March. This is the most stable version of Carbon yet, and should be considered a beta of version 1.0.

In order to stabilize the API, make it internally consistent, and improve future maintainability, this release contains many backwards incompatible changes. We apologize for this inconvenience. API stability will be a high priority once v1.0 is out the door.

Please take some time within the next few weeks to download Carbon, and see how it works for you. If you notice any problems or have any suggestions, please file a bug report. Help us make Carbon even better!

Upgrade Instructions

Take the following steps to get your scripts to work with this release.

Certificates

Replaces usages of:

  • Get-SslCertificateBinding with Get-SslCertificateBindings
  • Get-SslCertificateBinding -IPPort '0.0.0.0:443' with Get-SslCertificateBindings
  • Get-SslCertificateBinding -IPPort '10.1.1.1:8001 with Get-SslCertificateBindings -IPAddress '10.1.1.1' -Port 8001
  • Test-SslCertificateBinding -IPPort '0.0.0.0:443 with Test-SslCertificateBinding
  • Test-SslCertificateBinding -IPPort '10.1.1.1:8001 with Test-SslCertificateBinding -IPAddress '10.1.1.1' -Port 8001
  • Set-SslCertificateBinding -IPPort '0.0.0.0:443 with Set-SslCertificateBinding
  • Set-SslCertificateBinding -IPort '1.2.3.4:8001' withSet-SslCertificateBinding -IPAddress ‘1.2.3.4’ -Port 8001
  • Remove-SslCertificateBinding -IPPort '0.0.0.0:443 with Remove-SslCertificateBinding
  • Remove-SslCertificateBinding -IPPort '10.1.1.1:8001 with Remove-SslCertificateBinding -IPAddress '10.1.1.1' -Port 8001

Computer

Replace usages of

  • Set-EnvironmentVariable -Scope 'Process' with Set-EnvironmentVariable -ForProcess
  • Set-EnvironmentVariable -Scope 'User' with Set-EnvironmentVariable -ForUser
  • Set-EnvironmentVariable -Scope 'ForComputer' with Set-EnvironmentVariable -ForComputer

Cryptography

  • Protect-String -Scope CurrentUser with Protect-String -ForUser
  • Protect-String -Scope LocalMachine with Protect-String -ForComputer

IIS

  • Renamed the StatusCode property on the object returned by Get-IisHttpRedirect to HttpResponseStatus. Update usages accordingly.
  • The Bindings property returned by Get-IisWebsite is now a collection of Microsoft.Web.Administration.Binding objects. Update usages of $site.Bindings[$idx].IPAddress and $site.Bindings[$idx].Port to $site.Bindings[$idx].Endpoint.Address and $site.Bindings[$idx].Endpoint.Port, respectively.

Replace usages of:

  • Set-IisAnonymousAuthentication with Enable-IisSecurityAuthentication -Anonymous
  • Set-IisAnonymousAuthentication -Disabled with Disable-IisSecurityAuthentication -Anonymous
  • Set-IisBasicAuthentication with Enable-IisSecurityAuthentication -Basic
  • Set-IisBasicAuthentication -Disabled with Disable-IisSecurityAuthentication -Basic
  • Set-IisWindowsAuthentication with Enable-IisSecurityAuthentication -Windows and Set-IisWindowsAuthentication -DisableKernelMode
  • Set-IisWindowsAuthentication -UseKernelMode with Set-IisWindowsAuthentication
  • Set-IisWindowsAuthentication -Disabled with Disable-IisSecurityAuthentication -Windows
  • Unlock-IisConfigSection -Name <string> with Unlock-IisConfigurationSection -SectionPath <string> (run appcmd.exe lock config -section:? for values to the new SectionPath parameter)
  • Unlock-IisBasicAuthentication with Unlock-IisConfigurationSeciton -SectionPath 'system.webServer/security/authentication/basicAuthentication'
  • Unlock-IisCgi with Unlock-IisConfigurationSeciton -SectionPath 'system.webServer/cgi'
  • Unlock-IisWindowsAuthentication with Unlock-IisConfigurationSeciton -SectionPath 'system.webServer/security/authentication/windowsAuthentication'

INI

Replace usages of:

  • Split-Ini -Path <string> with Split-Ini -Path <string> -AsHashtable (hashtable is no longer returned by default)
  • Split-Ini -Path <string> -PassThru with Split-Ini -Path <string> (per-line objects are now returned by default)

Path

Replace usages of

  • Get-PathRelativeTo -To <string> -From <string>' with Resolve-RelativePath -Path <string> -FromDirectory <string>
  • Get-PathRelativeTo -To <string> -From <string> -FromType 'File' with Resolve-RelativePath -Path <string> -FromFile <string>

Performance Counters

  • Get-PerformanceCounters no longer returns an empty list if there are zero counters or a single element list if there is one counter. It now returns null and a single object, respectively. Update usages accordingly.

PowerShell

  • Get-TrustedHosts no longer returns an empty list if there are no trusted hosts. It now return nothing/null. Update usages accordingly.

Security

  • Assert-AdminPrivileges now returns True or False if the user doesn’t have admin privileges. It also no longer throws an exception, but writes an error. If you want to preserve current behavior where it stops script execution, replace usages with Assert-AdminPrivileges -ErrorAction Stop.

Shares

Replace usages of:

  • Install-Share -Permissions '"ShareAdmins,FULL"','"ShareWriters,CHANGE"','"ShareReaders,READ"' with Install-SmbShare -FullAccess ShareAdmins -ChangeAccess ShareWriters -ReadAccess ShareReaders.

Windows Features

Replace usages of:

  • Test-WindowsFeature with Test-WindowsFeature -Installed
  • Install-WindowsFeatureIis with Install-WindowsFeature -Iis
  • Install-WindowsFeatureIis -HttpRedirection with Install-WindowsFeature -Iis -IisHttpRedirection
  • Install-WindowsFeatureMsmq with Install-WindowsFeature -Msmq
  • Install-WindowsFeatureMsmq -HttpSupport with Install-WindowsFeature -Msmq -MsmqHttpSupport
  • Install-WindowsFeatureMsmq -ActiveDirectoryIntegration with Install-WindowsFeature -MsmqActiveDirectoryIntegration

New Features

IIS

Windows Features

  • Created new Get-WindowsFeature function for getting a list of available Windows features.

Bug Fixes

Service

  • Install-Service not granting default service identity, Network Service, the correct permissions.
  • Install-Service not correctly resolving local identity account names.

Enhancements

Certificates

  • Moved functionality of Get-SslCertificateBinding into Get-SslCertificateBindings. Can now filter by IPAddress and/or Port.
  • Get-SslCertificateBindings now returns Carbon.Certificates.SslCertificateBinding objects. All information displayed by the netsh http show sslcert command is returned as part of those objects.
  • Get-SslCertificateBindings now supports filtering by IPAddress and Port separately, instead of requiring both. The old IPPort parameter is replaced with IPAddress and Port parameters.
  • Test-SslCertificateBinding now supports testig by IPAddress and Port separately, instead of requiring both. The old IPPort parameter is replaced with IPAddress and Port parameters.
  • Replaced IPPort parameter on Get-SslCertificateBinding with separate IPAddress and Port parameters on Get-SslCertificateBindings. Set IPAddress only if you want to bind to a specific IP address (i.e. not 0.0.0.0). Set Port if not binding to port 443.
  • Replaced IPPort parameter on Remove-SslCertificateBinding with separate IPAddress and Port parameters. Set IPAddress only if you want to remove a binding for a specific IP address (i.e. not 0.0.0.0). Set Port if the binding is not on port 443.
  • Renamed Remove-Certificate to Uninstall-Certificate (added backwards-compatible alias in v0.5.0.1).

Computer

Cryptography

  • Replaced Protect-String’s Scope parameteter with the ForUser or ForComputer scope-specific switches.

Hosts File

  • Set-HostsEntry no longer throws an exception if the hosts file contains an invalid line. Instead, a warning is written and the line is commented out.

INI

  • Split-Ini now returns strongly-typed Carbon.Ini.IniNode objects instead of hashtables.
  • The line numbers returned by Split-Ini start at 1 instead of 0.
  • Split-Ini now returns name/value objects by default (the PassThru switch is no longer needed for this behaviro). This makes it more PowerShell-y. The old behavior of returning a Hashtable is available be using the new AsHashtable switch.

IIS

MSMQ

Path

  • Renamed Get-PathRelativeTo to Resolve-RelativePath. Renamed its To parameter to Path, and moved it to position 0. Replaced/combined the From and FromType parameters with FromDirectory and FromFile parameters.
  • Renamed ConvertTo-FullPath to Resolve-FullPath (added backwards-compatible alias in v0.5.0.1). Added support for converting unrooted paths using the current location.
  • Renamed Get-PathCanonicalCase with Resolve-PathCase (added backwards-compatible alias in v0.5.0.1). Added support for piping in Get-Item and Get-ChildItem output, e.g. Get-Item C:\WINDOWS | Resolve-PathCase returns C:\Windows.

Performance Counters

  • Get-PerformanceCounters now returns nothing/null or a single object instead of an empty/single element array when there are no or one performance counters.
  • Install-PerformanceCounter no longer re-installs a counter if a counter with its name, description, and type already exist.

PowerShell

  • Get-TrustedHosts now returns nothing/null if there are no trusted hosts. (It used to return an empty array.)

Security

  • Assert-AdminPrivileges no longer throws an exception if the user doesn’t have administrative privileges. Instead, it writes an error and returns False. It returns True if the user has privileges.

Shares

  • Replaced the Permissions parameter on Install-SmbShare with FullAccess, ChangeAccess, and ReadAccess parameters. Previously, to set share permissions, you passed in specially-formatted values to the Permission parameter, e.g. "MyGroup,FULL","MyOtherGroup,READ". Now, just pass a list of identity name(s) to the FullAccess, ChangeAccess, or ReadAccess parameters to grant those identies full, change, or read access, e.g. -FullAccess MyGroup -ReadAccess MyOtherGroup.

Users and Groups

  • Renamed Remove-User to Uninstall-User (added backwards-compatible alias in v0.5.0.1).

Windows Features

Miscellaneous

  • Replaced all instances where functions were throwing exceptions with Write-Error.
  • The Carbon assembly is now versioned and signed.

Carbon v0.4.0.0 Released

I’m extremely proud to announce Carbon v0.4.0.0, my favorite release so far. This release contains some backwards incompatible changes, so be sure to read the Upgrade Instructions.

This release contains three major new feature sets. First, I’ve created new functions for granting/getting/revoking Windows security privileges/rights (e.g. the Logon As a Service right). Before this, Carbon used Microsoft’s legacy ntrights.exe program for managing these privileges.

Second, there are new functions for setting/getting/revoking ACLs on Windows services. These service ACLs regulate who can control a service, read a service’s properties, etc. They replace Microsoft’s legacy subinacl.exe program.

Lastly, thanks to Jonathan Valdez, the Grant-Permissions function now has the ability to control inheritance and propagation flags.

As usualy, the full release notes are below and at the Carbon website.

Go get it!

Upgrade Instructions

  • If you install a manual or disabled Windows service with Install-Service, you now have to call Start-Service yourself. Install-Service only starts services whose startup type is set to Automatic (which is the default).
  • We’ve stopped distributing Microsoft’s subinacl.exe program. We didn’t have permission to distribute. Plus its no longer supported. If any of your scripts used Invoke-SubInAcl, you’ll want to download subinacl.exe yourself and copy Invoke-SubInAcl before upgrading (you can find it in the Carbon directory in the Services.ps1 file.
  • If you’re using Grant-Permission without named parameters, the Path parameter moved from position 3 to position 1. Re-order your parameters accordingly.
  • Rename usages of Set-IisDirectoryBrowsing to Enable-IisDirectoryBrowsing. If you use named parameters, rename its Directory paremter to Path.
  • Replace usages of Set-HgrcDefaultPushUrl with Set-IniEntry instead, e.g. Set-IniEntry -Path 'Path\to\repo\.hg\hgrc' -Section paths -Name 'default.push' -Value 'DefaultPushUrl'
  • Rename usages of Test-IisWebsiteExists with Test-IisWebsite.
  • Rename usages of Get-FullPath with ConvertTo-FullPath.

Enhancements

  • Created Get-Privileges, Grant-Privilege, Revoke-Privilege, and Test-Privilege for managing an identity’s security operation privileges.
  • Install-Service now uses Grant-Privilege to grant custom service identities the SeServiceLogonRight privilege. This replaces usage of Microsoft’s legacy ntrights.exe, which we probably didn’t have permission to distribute.
  • Created Get-ServicePermissions function for getting the permissions for a service, i.e. what users can control a service.
  • Created Assert-Service function to write an error if a service doesn’t exist.
  • Created Get-ServiceAcl function to get the discretionary access control list (DACL) for a service.
  • Created Get-ServiceSecurityDescriptor function to get the raw security descriptor for a service.
  • Created Grant-ServicePermission function to grant service control permissions to an identity.
  • Created Revoke-ServicePermission function to revoke all of an identity’s permissioms to control a service.
  • Created Set-ServiceAcl function to set a service’s discretionary access control list (DACL).
  • Created Test-Service function to check if a service exists without writing an error.
  • Removed Invoke-SubInAcl function and the subinacl.exe program. Use the Grant-ServicePermission and Revoke-ServicePermission functions instead. If you still need subinacl.exe, please download it from Microsoft.
  • Grant-Permissions now supports controlling inheritance and propagation flags via the ApplyTo parameter, which should be a value of the new Carbon.Security.ContainerInheritanceFlags enumeration, which encapsualtes all the valid combinations of inheritance/propagation flags. See the help for Grant-Permissions for more information. Thanks to Jonathan Valdez for the feature request and initial code.
  • Created ConvertTo-InheritanceFlags function for converting a Carbon.Security.ContainerInheritanceFlags to the necessary/applicable System.Security.AccessControl.InheritanceFlags.
  • Created ConvertTo-PropagationFlags function for converting a Carbon.Security.ContainerInheritanceFlags to the necessary/applicable System.Security.AccessControl.PropagationFlags.
  • Created Get-Permissions function for getting the non-inherited permissions on a file, directory, registry key, or registry value with the ability to return a specific identity’s permissions and/or inherited permissions.
  • Renamed Set-IisDirectoryBrowsing to Enable-IisDirectoryBrowsing and renamed its Directory parameter to Path.
  • Removed Set-HgrcDefaultPushUrl. Use Set-IniEntry instead.
  • Renamed Test-IisWebsiteExists to Test-IisWebsite to adhere to PowerShell naming conventions.
  • Renamed Get-FullPath to ConvertTo-FullPath to adhere to PowerShell naming conventions.

Bug fixes

  • Install-Service no longer tries to start a service if its StartupType is set to Manual or Disabled.
  • Path is now the first parameter to Grant-Permissions (it was the third) to match PowerShell standards/patterns.
  • Find-ADUser writes an error and returns null instead of throwing an exception.