Proof of Concept POC ScriptRunner

ScriptRunner in the Proof of Concept [English Version]

The use of PowerShell in administration and as an automation language has become widespread. Nevertheless, there are great uncertainties regarding central administration of scripts, guidelines for script execution, rights and security, traceability, delegation options and much more. All reasons to test ScriptRunner in your own environment. This article shows how a proof of concept can be prepared and implemented without much effort.

Test Environment for ScriptRunner

To test ScriptRunner in a Proof of Concept, only a few systems are required in your infrastructure. The following are specifically required:

  • Active Directory for creating a few security groups
  • Virtual machine for the ScriptRunner host in a Windows domain and administrative access
  • Virtual machine as a target system in a Windows domain for running PowerShell test scripts and administrative access
  • Client with a web browser (IE11, Chrome, Firefox, Edge or Opera)

Preparatory Steps

Before you can install ScriptRunner, a few preparations must be made.

Groups and Users in Active Directory

At least two security groups in Active Directory, an administrative user account and a standard user account are required for the roles to work properly in ScriptRunner.

  • Administrative user account: This should also have administrator rights on the required test VM. We recommend to use your personal admin account if it has sufficient rights.
  • Standard user account: This does not require any administrative rights. We recommend that you use your personal standard user account.
  • Security group for ScriptRunner administrators: Create a security group. This can be based on your naming conventions, e.g. „SR-Admins“. Add your and any other administrative user accounts to this group.
  • Security group for ScriptRunner operators: Create a security group. This can be based on your naming conventions, e.g. „SR-ServiceDesk“. Include your and any other standard user accounts in this group. Existing security groups can also be used for operators.

Virtual Machine for ScriptRunner Host

It is recommended to install ScriptRunner on a virtual machine.

The virtual machine requires the following basic settings:

  • Windows Server 2016 or Windows Server 2012R2 as a member server in a domain
  • CPU: minimum 2 cores, productive 4
  • Memory: minimum 8 GB RAM and 64 GB disk (SSD or similar preferable)
  • .NET Framework 4.6 or higher
  • Management Framework 5 with PowerShell 5.1 (default for Windows Server 2016)
  • WinRM service is active
  • PowerShell Execution Policy and PowerShell Remoting is enabled including the Firewall Rules
  • Internet Explorer 11 with valid registered local intranet zone and deactivated enhanced security (in Server Manager)

Optionally, you can install the „Active Directory PowerShell Module“ feature from the Remote Server Administration Tools -> Role Administration Tools -> AD and DS Tools feature group using the Server Manager.

Setting Up the Web Server Role on the VM

The ScriptRunner Admin and Delegate Web Apps are JavaScript applications and run in Internet Explorer 11, Edge, Chrome, Firefox and Opera. A web server is used to distribute the web apps to the clients. Use the IIS on the ScriptRunner Host VM for the Proof of Concept.

Use the Server Manager to install the „WebServer (IIS)“ role with the management programs without any additional features.

For the Proof of Concept, use the IIS and ScriptRunner Web Apps over HTTP. You can easily reconfigure the IIS and ScriptRunner Host Web Service to HTTPS before using it productively.

Virtual Machine for Remote Management

A second test machine is required to run PowerShell scripts using PowerShell Remoting. You can also use an existing test machine. In the initial function tests, only PowerShell scripts are executed that do not make any changes to the system.

The virtual machine and ScriptRunner access require the following basic settings:

  • Windows Server 2016 or Windows Server 2012R2 as a member server in a domain
  • WinRM service is active
  • PowerShell Execution Policy and PowerShell Remoting is enabled including the Firewall Rules
  • Administrative account that is authorized to run PowerShell scripts on this machine

Open the PowerShell as an administrator and use the following commands:

  • Get-ExecutionPolicy or Set-ExecutionPolicy
  • Enable PSRemoting -Force

Check whether the PowerShell settings on both virtual machines are controlled by GPO! You can also use the PowerShellConfigWizard.EXE  from our setup package to configure the PowerShell settings.

If You Work with Firewalls or Proxies

Make sure that the two test VMs are accessible from the client via HTTP using a browser. In addition to port 80, port 8091 is also required for REST communication with the ScriptRunner Web Service Interface. The default port for PowerShell 5985 is used for communication between the ScriptRunner host and the remote machine via PowerShell. If necessary, this should be enabled in an intermediate firewall.

When PowerShell Execution Policy and Remote Powershell are activated, all necessary settings are made automatically on the local Windows Server firewall.

Quick Installation

Only use the current ScriptRunner setup files to perform the installation.

Important note: A link to download the setup files was sent to you in the same email with the link to this article.

  1. Take a snapshot of the ScriptRunner Host VM before installation.
  2. Extract the ZIP file with the setup files on the ScriptRunner Host VM
  3. Run SetupScriptRunnerService_version.EXE first.
    The central service and all functions of the ScriptRunner host as well as a set of performance counters are installed.Important note: Change the group for the ScriptRunner administrators on the corresponding setup page. To do this, enter the group name of the security group you created for it and press Verify. The security claim for this group is then displayed. If an error occurs, the connection of the ScriptRunner host to the Active Directory is disturbed.

    Note: You should select Remote Signed on the PowerShell configuration setup page. This is the default setting for Windows Domains.

  • Check the newly installed AppSphere ScriptRunner Service. This must have started.
  • If errors occur during installation, check the setup log in Drive:\Program Files (x86)\AppSphere\ScriptRunnerService
  1. Then run SetupScriptRunnerWebApps_version.EXE with the „Deploy to IIS“ option.
    Important note: Enter the complete FQDN of the ScriptRunner host on the corresponding setup page and use the default port 8091.Note: During installation, the setup checks whether the ScriptRunner Web Service is accessible via HTTP (or HTTPS) under the specified URI.

If you want to use the ScriptRunner ISE PlugIn on your Admin and DevOps clients, run SetupScriptRunnerTeamApps_version.EXE there and select the option „ISE Plugin“ and remove the two other apps. If you want to use the ISE PlugIn, your client login account must be a member of the security group for ScriptRunner administrators.

Optionally, you can install all Team Apps on the ScriptRunner host.

Easy initial configuration on the host

The PowerShell module ScriptRunnerSettings is used for the unique settings on the ScriptRunner host. Open PowerShell as an administrator. Enter the following commands:

  • get-asrlicense; the license information is output
  • get-asrservice; the status of the ScriptRunner service is displayed
Example for Get-ASRLicense

Example for Get-ASRLicense

To configure the e-mail notification functions via SMTP, use the following commands:

  • get-asremailnotificationconnector -verbose; this command shows you the default settings
  • set-asremailnotificationconnector -ON -Host SMTPhostname -Port number -UseTLS yes/no-channel scriptrunner@yourdomain -restart -verbose 

    Important note: Use the other options for authenticated sending.

  • test-asremailnotificationconnector -recipient recipient@yourdomain; a test mail is sent to the recipient and a message about the sending status is sent to the console.Note: SMTP error codes are displayed in case of errors. Please also check the logs of your mail server for troubleshooting.
PowerShell Cmdlets in the ScriptRunnerSettings Module

PowerShell Cmdlets in the ScriptRunnerSettings Module

First Function Test

Log on to a client with your administrative account and start a web browser. Enter the following URL:

  • http://FQDNyourhostvm/scriptrunner/admin -> the Admin Web App is loading
  • Select the green „Test“ button.
  • You can optionally switch the language in the app. To do this, select the language in the top right-hand corner of the application’s top bar.

If you are using Internet Explorer, the domain ID from the FQDN of the ScriptRunner host must be entered in the security settings of the Local Intranet Zone.

Important note: These settings may be set by GPO for the browser and the domain of the ScriptRunner host is not listed!

Optionally, you can start the Admin App directly in Internet Explorer on the ScriptRunner host. Switch off the enhanced security options for IE with the Server Manager. Also use the FQDN in the URL on the host.

ScriptRunner Admin App with Dashboard, top menu, main menu on the left and Action bar on bottom line

ScriptRunner Admin App with Dashboard, top menu, main menu on the left and Action bar on bottom line

To test the functionality of the script execution, do the following:

  1. In the Admin Web App, click on „Actions“ in the main menu on the left.
  2. Select the action with the Name „Local: Add two values“ in the list view.
  3. Start the action with the „Run“ button in the context-oriented action bar at the bottom of the application. The Action Wizard appears in RUN mode with an input mask for the PowerShell parameters with two prefilled fields.
  4. Click the Ok button at the bottom of the wizard. Now the PowerShell script is executed, which adds two numbers.
  5. After the execution of the script a green bar appears in the line of the action. Click on the bar and display the report.
  6. Repeat the action and select other options. Note that numbers and strings cannot be mixed together.
  7. Now switch to the dashboard via the main menu. There you can click on individual reports or use various display options.
  8. In the Dashboard, click the Reports button in the Action Bar below. In the report display, you can now scroll through the individual reports and use the various display options in the top right-hand corner of the report window.
Contextual Action bar with help button

Contextual Action bar with help button

First configure a group in the role „ScriptRunner Operators“. Users with this role can use the ScriptRunner Delegate Web App and start pre-configured PowerShell Actions without requiring administrative rights to the target systems. To do this, execute the following:

  1. Switch to the Delegation main menu.
  2. Click on the button „Create“. The wizard for creating operator groups and operator accounts opens.
  3. Assign a display name for the group and go to the next wizard page.
  4. Enter the name of the security group in the AD for the service desk and press the button to verify. In the Claim Type field, a string with group-sid appears at the end.
  5. Switch to the „Delegated action“ page and click on „Local: Add two values“ from the list. Multiple selections can be made with the CTRL mouse button.
  6. Finish the creation and assignment with OK.
  7. Go to the „Actions“ main menu and click on the action „Local: Add two values„.
  8. Click the button „Delegate“ in the action bar below. The Action Wizard opens in EDIT mode and represents the configuration page for the delegation of this action.
  9. Enter a tag identifier „MyRegister“ without spaces and press the Tab key. Select a color for the action tile in the Delegate app.
  10. Close with OK.
ScriptRunner Delegate App with login as Service Desk user (example)

ScriptRunner Delegate App with login as Service Desk user (example)

Now log on to a client with your standard user account and start a web browser.

  1. Enter the following URL: http://FQDNyourhostvm/scriptrunner/delegate -> the Delegate Web App is loaded.
  2. Select the „All“ tab and then the „My Register“ tab.
  3. Click the tile. An input screen appears for the PowerShell parameters with the two prefilled fields.
  4. Enter a comment on the action in the „Reason“ field, e.g. a reference to a ticket number.
  5. Start the action by pressing the RUN button in the Action Bar at the bottom.
  6. Wait for the execution.
  7. Click the „Report“ link in the modal display window or the Reports button in the action bar.
  8. Repeat the action and select other options. Note that numbers and strings cannot be mixed together.

Now go to the Admin App on the main menu „Actions“ and select the Action „Local: Add two values“. Now click on the button „Reports“ in the action bar below. You can then browse through all the reports and so on. Pay attention to the different information in the meta data block above.

My First Script with PowerShell Remoting

After a successful initial functional test, the system is now integrated into ScriptRunner to test remote management with PowerShell and an action is configured to run a script on the remote machine.

ScriptRunner Infobox on each wizard page

ScriptRunner Infobox on each wizard page

To do this, proceed as follows:

  1. Go to the main menu „Credentials“ in the Admin Web App and click the button „Create“.
  2. Create an administrative account that is authorized to run PowerShell scripts on the remote System.

    Important note: Create domain accounts in the notation domain\account.

  3. Complete the process with OK.
  4. Now go to the main menu item „Targets“ and mark the target with the Name „Sample Target“.
  5. Click the „Edit“ button in the Action Bar below. The configuration wizard opens in EDIT mode.
  6. Change the display name and FQDN to the actual FQDN of the remote system.
  7. Select the PS Remoting Credential.
  8. Close with OK.

After the remote system is known in ScriptRunner and execution is linked to the credential set up, a PowerShell Script Policy is now created. To simplify the process, proceed as follows:

  1. In the Admin Web App, go to the „Actions“ main menu and select „Local: Add two values„.
  2. Now click the button „Copy“ in the action bar below. A copy is created and displayed in the list.
  3. Select the copy in the list and click „Edit“ in the action bar below. The wizard opens in EDIT mode.
  4. Click on the first wizard page „Action Properties“ and change the name of the action, e.g. to „My Remote Test“.
  5. Switch to the second wizard page „Select Targets“ and select the remote system you have configured.
  6. Skip the third page now once.
  7. Switch to the fourth wizard page „Assign Parameter Values“ and select „Select a value“ from both drop-down menus.
  8. Click on the fifth wizard page „Set Result Options & Notifications“. Select E-mail Notifications, select the „Always“ option and enter your e-mail address.

    Note: For proper operation, the E-mail Notification Connector must be configured as described above.

  9. Close with OK.

Now the PowerShell script policy is set up for a test with PowerShell Remoting. To test with the Admin Web App and the Delegate Web App, use the „My Remote Test“ action to complete the steps described above in the section First Function Test.

Important note: If errors occur during execution, read the PowerShell error message in the report carefully and check the following settings:

  • on the remote system:
    • WinRM service must be active.
    • PowerShell Execution Policy must be enabled and configured to Remote Signed.
    • PowerShell Remoting must be enabled.
    • The account entered under Credentials and used for remoting must have rights to run PowerShell scripts.

      Note: A domain-wide PowerShell GPO can make other settings take effect!

  • on the ScriptRunner host:
    • Check the target settings to see if the appropriate credential has been assigned.
    • Check the action settings to see if the appropriate target has been selected.
    • If an error has occurred in the authentication method, you can change it on the wizard page „PS Remoting Session Setting“ under the option „use a non-default PS Remoting authentication method“, e.g. on Kerberos.
    • Enter the password for your credential correctly.

After you have successfully installed and tested ScriptRunner, it is now time for a…

Online PoC Session with Us

A 1-hour online PoC session helps you to get to know the many possible uses and the extensive functions of ScriptRunner better. As a result, you can better estimate and plan which of your use cases you want to implement and how. You will also get to know our action packs and can use them immediately for your applications.

 

PoC ScriptRunner Websession

In an online PoC session you get to know the many possible uses and functions of ScriptRunner better.

The online PoC session contains the following topics in an overview and takes into account your focal points in consultation with you:

  • Short review of your installation and answers to questions about the host configuration
  • Brief introduction to the functional scope of the Admin Web App
    • Main menu, views, context-sensitive action bar, additional views
    • Tag system, filters, filtered views
    • Help, info boxes, tool tips and support functions
  • First overview of the structure and operation of actions with PowerShell Script Policies
    • Action Wizard, differences between EDIT and RUN wizard modes
    • Creating, modifying and testing actions
    • Preassignment functions for parameters
  • First overview of targets, containers and credentials
    • Setup of targets, containers and credentials for local and remote use
    • PowerShell remoting modes for Windows, Exchange, Skype4Business and more
  • First overview of dynamic parameters with queries
    • How Queries Work
    • Setting Up an AD Query
    • Including a Script Query
  • First overview of the delegation of actions
    • Menu, functions and search in the Delegate Web App
    • Generic Forms and Validations
    • Delegation of actions, tab pages with view tags
  • Optional: Use of the ISE App for script development
  • Optional: Setup Office365 Services

Important – Support During the Test Phase

While testing ScriptRunner completely free of charge for 30 days you will receive technical support from us during this phase. You will receive your support contact and all necessary information in our online PoC session.

Please understand that we cannot provide support for our automation platform without a joint PoC session and an introduction to our product.

 

Request free live-test

Anika Beck

Anika Beck

Werkstudentin im Marketing bei ScriptRunner
Anika Beck studiert an der Hochschule Karlsruhe und unterstützt das ScriptRunner-Team im Marketing sowie insbesondere im Social Media Bereich.
Anika Beck

Letzte Artikel von Anika Beck (Alle anzeigen)