Customizing PowerGUI Configuration

From PowerGUI Wiki

Jump to: navigation, search

Contents

Use Case

This article explains how to create customized branded locked-down PowerGUI configurations. This functionality enables the following scenario:

An IT architect/consultant/system integrator customizes PowerGUI admin console, leaving only the functionality for a particular role (e.g. helpdesk) within this particular organization needs. For example, it would have a list of users limited to a specific geographic location and only provide actions to reset passwords, change phone numbers, and so on.

PowerGUI admin console (without script editor) gets installed for each helpdesk person in the office.

A new management feature is used to lock-down these consoles so helpdesk people cannot see the PowerShell code behind the actions, or modify the functionality, and so on.

This helps equip everyone in the IT organization with the exact tools they need, gets rid of scripting (scripts get turned into admin console UI), and thus reduces risk and associated costs, etc.

Customizing PowerGUI Console (for PowerGUI 1.9.6 and later)

The Central Configuration feature in PowerGUI has been simplified. If you want to deploy a customized version of PowerGUI simply follow these steps:

  • Create a custom PowerPack and export the PowerPack as a .powerpack file using the \File\PowerPack Management\Export functionality.
  • Edit the lockdown.xml file to restrict or hide functionality in the Admin Console. Changing Enabled to 'False' will prevent the user from interacting with that feature, and changing Visible from 'true' to 'false' will preven the user from even seeing that the option exists. For example, if you want to remove the ability for the user to create a new tree node: change the enabled value from 'true' to 'false' and if you don't want the user to even see the option: change the visible value from 'true' to false'.
<Item Guid="947a3087-c1fe-47c0-a4af-a15e7819e978" DisplayName="Tree Node: New">
      <Enabled>false</Enabled>
      <Visible>false</Visible>
</Item>
  • You can create a custom homepage that will be displayed when PowerGUI starts. The homepage must be saved as a .mht file.
  • Edit the redirections.xml file to point to the files you have created.
<?xml version="1.0" encoding="utf-8"?>
<Redirections>
<!--
    <Lockdown>c:\lockdown.xml</Lockdown>
-->
<!--
    <PowerPackFolders>
        <Folder>\\compname\share\PowerPacks</Folder>
        <Folder>c:\PowerPacks</Folder>
    </PowerPackFolders>
-->

<!--
    <WelcomePagePath>c:\MyWelcomePage.mht</WelcomePagePath>
-->

</Redirections>
  • Install PowerGUI, but do not allow the installer to install the default PowerPacks (unless desired). Silent install options are outlined here: http://wiki.powergui.org/index.php/Silent_Installation
  • Place the redirections.xml file in the users profile: %appdata%\Quest Software\PowerGUI


When PowerGUI starts, the PowerPacks specified in the redirections.xml PowerPacks Folder Path will load, the custom home page will load, and the restrictions enforced in the lockdown.xml will be enforced.



Customizing PowerGUI Console (for PowerGUI 1.9.5 and earlier)

By default, any PowerGUI user can access (view and activate) any configuration item (that is, management tree nodes, menu commands, interface language, currently used libraries, etc.). The PowerGUI administrator can create a customized admin console configured to support exactly the functionality required by the certain user role (e.g., helpdesk). For that, the administrator can do the following:

  1. Make the necessary changes to PowerGUI console (for example, delete some folders from the tree structure) and save modified configuration to xml file.
  2. Use the lockdown feature to deactivate or hide the functionality which the users are not supposed to access (e.g., add or modify nodes in the tree, view the PowerShell code behind the functionality, and so on)
  3. Distribute customized configuration and lockdown settings to users across the network.

Step 1: Customize Configuration

After you deploy PowerGUI, the initial configuration settings are stored in '"quest.powergui.xml"' file in its profile folder - %appdata%\Quest Software\PowerGUI (which resolves to c:\Documents and Settings\user_name\Application Data\Quest Software\PowerGUI on Windows 2003 and Windows XP and c:\User\user_name\Application Data\Roaming\PowerGUI on Windows Vista and Windows 2008).

When creating a profile you can either start with existing profile or from empty profile. See more information in this section: Managing PowerGUI Profiles

To customize configuration for a user role, do the following:

  1. Analyze specific role requirements and identify what functionality it will need (that is, what extensibility options should be available: script editor, import, add node/link/action, edit properties, and so on).
  2. Open the PowerGUI console, make the necessary changes, for example, delete a node from the tree, add a script, import a PowerPack, or perform any other modification you need.
  3. If remote PowerGUI installations already have some configuration you need to give the central file a later version so remote PowerGUIs start the configuration upgrade process. The same considerations apply to any subsequent changes to configuration: for the updates to take effect, you need to create a copy of quest.powergui.xml configuration file, with configuration version that differs from the original (initially deployed), and save that file to a location specially intended for its users. So, open the configuration file with preferred XML editor, locate the tag defining product version, e.g.:
    <container id="3a908f4a-c672-4883-8b26-18bb3aac1638" name="version">
    <value>1.7.0.66</value>
    change version value to any number greater than current product build, e.g.,:
    <value>2.0</value>
    Each time you save customized configuration, you should change the version of configuration file as described above - otherwise, updates will not be applied.
  4. Save the copy of configuration file to the certain location, e.g., \\mysrv\public\cfg\cfg.xml.
  5. To make customized configuration available to authorized users, the Redirections.xml file is used. It contains the paths to configuration file and lockdown settings. A sample Redirections.xml file is created by default when you deploy the product; it can be found in your personal folder located at \Documents and Settings\<user_name>\Application Data\Quest Software\PowerGUI on Windows 2003 and Windows XP, or \User\<user_name>\Application Data\Roaming\PowerGUI on Windows Vista and Windows 2008.
Store the path to customized configuration file to the corresponding tag in Redirections.xml like this:
<CommonConfiguration>\\mysrv\public\cfg\cfg.xml</CommonConfiguration>

Then you can proceed with Step 2 to configure lockdown settings and store the path to the corresponding XML file in the Redirections.xml, as well. The Redirections.xml file should be then distributed to users, as described in Step 3.

Step 2: Lock Down Configuration Items

Most likely, in this scenario of centrally managed PowerGUI deployment you would want to protect the the PowerGUI admin console on delegated administrators' machines from accidental UI modification, as well as to limit the ability of delegated administrators to go beyond the scope of the consoles you provide.

You can limit the functionality exposed by PowerGUI by editing its lockdown file.

To lock configuration items/actions, use the quest.powergui.lockdown.xml file (by default, it is also placed to your personal folder when you deploy the product):

  1. Open the quest.powergui.lockdown.xml file (located at \Documents and Settings\<user_name>\Application Data\Quest Software\PowerGUI on Windows 2003 and Windows XP, or \User\<user_name>\Application Data\Roaming\PowerGUI on Windows Vista and Windows 2008).
  2. Modify the file as needed. Locate the tag that corresponds to configuration item, and set its Visible and Enabled attribute values:
    Visible attribute
    True - configuration item will be shown to user
    False - configuration item will be hidden from user
    Enabled attribute
    True - user can run the action (e.g., delete/add/rename, and so on)
    False - user cannot run the action
    For example, to prevent users from renaming a folder (that is, to disable and hide the Rename command for folders), modify the corresponding tag as follows:
    <Item Guid="6EEC597F-2CFA-400b-98A2-32469C7C86FB" DisplayName="Folder: Rename">
    <Enabled>false</Enabled>
    <Visible>false</Visible>
    </Item>
  3. Save modified file to the certain location (a local folder or a network share), for example, \\mysrv\public\LD1\lock.xml.
  4. Store full path to that location to the corresponding tag in Redirections.xml file like this:
<Lockdown>\\mysrv\public\LD1\lock.xml</Lockdown>

Step 3: Distribute Shortcuts to Modified Configuration

To distribute customized configuration in a centralized manner, the Redirections.xml file is used. After you complete Steps 1 and 2, it should contain the paths to configuration snapshots and locked configuration items like this:

<?xml version="1.0" encoding="utf-8"?>
<Redirections>
    <Lockdown>\\mysrv\public\LD1\lock.xml</Lockdown>
    <CommonConfiguration>\\mysrv\public\cfg\cfg.xml</CommonConfiguration>
</Redirections>

Distribute this file to PowerGUI authorized users (roles), e.g., helpdesk. For that, any suitable method can be used: remote access, logon script, Group Policy, and so on. The Redirections.xml file should be stored in users' personal folders storing the product configuration (\Documents and Settings\<user_name>\Application Data\Quest Software\PowerGUI on Windows 2003 and Windows XP, or \User\<user_name>\Application Data\Roaming\PowerGUI on Windows Vista and Windows 2008).

Using Customized PowerGUI Console

To obtain PowerGUI console customized for their role, authorized users (helpdesk, AD admin, Exchange admin, and so on) check the locations specified in their Redirections.xml file (these locations in our example are \\mysrv\public\cfg\cfg.xml and \\mysrv\public\LD1\lock.xml), and copy the updated configuration and lockdown settings to their personal folders.
When users (e.g., helpdesk personnel) launch PowerGUI next time, customized console will be displayed to them.

See also this video: http://www.youtube.com/watch?v=Zr_VB3_KvLc

You might also want to rebrand PowerGUI with a customized welcome page - see http://www.youtube.com/watch?v=Wm3a66derZM

Personal tools