PowerShell to create a SID file for FIM 2010

The situation:

I want to add an account to the FIM portal manually, and make that account a FIM Administrator.

Of course, for this to work, the FIM portal needs to have the account name, domain, and objectSID of my new FIM administrator. Account name and domain are not a problem, but how do I get the SID in there? Yes, the account exists in AD, but it is stuck off in an OU that will never be discovered, so I can’t just flow it through an AD MA. If you look at the existing administrator object in Advanced view, you see the objectSID and can even export it to a file. There’s a browse button too, so to import a SID, you just need to point to a 28-byte binary file that holds the SID. But how to create this file?

Turns out to be dead simple in Server 2008 R2. The following few lines will do it (assuming you’ve already imported the ActiveDirectory module).

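# buffer for the binary SID (a domain account SID is 28 bytes long)
$b = New-Object byte[] 28
# look up the account; its SID property is a SecurityIdentifier object
$u = Get-ADUser squeebo
# copy the binary form of the SID into the buffer, starting at offset 0
$u.SID.GetBinaryForm($b,0)
# write the raw bytes to <SamAccountName>.dat
$b | Set-Content ($u.SamAccountName + '.dat') -Encoding byte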

I’ve been discovering lots of little things like this as I’ve been using FIM more, and I’ll blog about them as soon as I can organize my thoughts a bit. Most of them are a little more complicated than this, and were the result of a lot of iterations and head-scratching, so I need to distill them down before I post.

Handy PowerShell script for tweaking $env:PATH

Anyone who has worked with me knows I’m a bit of a command-line junkie. Lately, I’ve been setting up a test environment with lots of servers. I want to be able to use my favourite command line utils from the prompt, and since this is a Microsoft Windows environment, that means PowerShell. Today I found myself installing some utils then adding the newly installed locations to the PATH environment variable. After the first machine, and facing the prospect of several more, I decided to cruft up something that would work from within PowerShell and keep me away from that nasty GUI stuff. (Computer-Properties-Advanced System Settings-Environment Variables-Path-Edit-DearLordThereMustBeABetterWay…)

And so here’s what I came up with: Add-Path.ps1. You feed it a path name, it checks to make sure it is a valid path, and if so, adds it to the PATH environment variable. You can either add it just for the current session, or use the -Persistent switch to make the change stick.

Add-Path.ps1

param([string]$pathName,[switch]$Persistent=$false)

if ($pathName)
{
    if (Test-Path $pathName)
    {
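        # compare whole PATH entries (case-insensitive, trailing backslash ignored)
        # so that C:\Tools is not mistaken for C:\Tools2
        $entries = $env:Path -split ';' | ForEach-Object { $_.TrimEnd('\') }
        if ($entries -contains $pathName.TrimEnd('\'))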
        {
            Write-Host "$pathName is already on the path"
        }
        else
        {
            Write-Host "Going to add $pathName to the path"
            $newPath = "$env:Path;$pathName"
            if ($Persistent)
            {
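                # update the registry and add the path
                # NB, you'll need admin creds for the reg change
                # append to the stored machine PATH rather than writing the session PATH,
                # which also holds the per-user entries
                $machinePath = [System.Environment]::GetEnvironmentVariable("PATH", "Machine").TrimEnd(';')
                [System.Environment]::SetEnvironmentVariable("PATH", "$machinePath;$pathName", "Machine")
                $env:Path = $newPath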
            }
            else
            {
                # just add the path for this session
                $env:Path = $newPath
            }

            Write-Host "Path is now: [$newPath]"
        }
    }
    else
    {
        Write-Host "Path does not exist"
    }
}
else
{
    Write-Host "Need a path name to add"
}
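
A check that fits in front of the -Persistent branch, as an added example that is not part of the original Add-Path.ps1: a directory on the machine-wide PATH is searched by processes of every account, so it helps to confirm that only administrative principals can write to it before persisting it. The function name Get-UntrustedWriteAccess and the list of trusted SIDs are assumptions.

```powershell
# Added example, not part of Add-Path.ps1. Get-UntrustedWriteAccess is a hypothetical name.
# Returns the ACL entries on a directory that let anyone outside a trusted set create,
# replace or delete files in it, or loosen its permissions.
function Get-UntrustedWriteAccess
{
    param([Parameter(Mandatory=$true)][string]$Directory)

    # Well-known SIDs treated as trusted (an assumption; adjust to local policy)
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )

    # Rights that allow planting or replacing a file, or changing the ACL
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
        $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -Path $Directory
    # Request SIDs instead of names so the comparison is independent of the OS language
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules)
    {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $sid) { continue }
        # inherit-only entries apply to children, not to the directory itself
        if (($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # entries expressed as generic rights (GENERIC_ALL etc.) are not decoded here
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

        New-Object PSObject -Property @{
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage (C:\Tools is a constructed sample path); an empty result means no such entries:
# Get-UntrustedWriteAccess 'C:\Tools' | Format-Table Sid, Rights, Inherited
```

The function inspects the directory's own ACL only; files already inside it carry their own ACLs and are not examined.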