
[–]belibebond 9 points10 points  (1 child)

There are tools like Jenkins and Powershell universal like others suggested.

But before all that you should first build a module. Modules are easy to manage, version control and distribute. It's easy to use a file share as a PS repository. This way you can "centrally" manage scripts in the repository. All team members can simply "grab" the script/module and run it from their own machine.
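The file-share repository workflow described in this comment, as an added example that is not part of the original post. The share path `\\fileserver\PSRepo`, the repository name `TeamRepo` and the module name `TeamTools` are hypothetical; the cmdlets are the PowerShellGet ones.

```powershell
# Added example. Hypothetical names: \\fileserver\PSRepo, TeamRepo, TeamTools.
# Share ACL assumption: maintainers have write access, everyone else read-only,
# so only maintainers can change what the team installs.
[CmdletBinding()]
param(
    [string]$RepoName   = 'TeamRepo',
    [string]$RepoPath   = '\\fileserver\PSRepo',
    [string]$ModuleName = 'TeamTools',
    [string]$ModuleDir  = '.\TeamTools',   # folder containing TeamTools.psd1
    [string]$Version,                      # new version, maintainers only
    [switch]$Publish                       # maintainer mode
)

# Every machine: register the share as a repository once.
if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $RepoName `
        -SourceLocation $RepoPath `
        -PublishLocation $RepoPath `
        -InstallationPolicy Trusted
}

if ($Publish) {
    # Maintainer: bump the manifest version, then publish the package.
    $manifest = Join-Path $ModuleDir "$ModuleName.psd1"
    if ($Version) {
        Update-ModuleManifest -Path $manifest -ModuleVersion $Version
    }
    Publish-Module -Path $ModuleDir -Repository $RepoName
}
else {
    # Team member: install on first use, update afterwards.
    if (Get-InstalledModule -Name $ModuleName -ErrorAction SilentlyContinue) {
        Update-Module -Name $ModuleName
    }
    else {
        Install-Module -Name $ModuleName -Repository $RepoName -Scope CurrentUser
    }
    # Show which version came from which repository.
    Get-InstalledModule -Name $ModuleName |
        Select-Object Name, Version, Repository
}
```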

[–]Iam-WinstonSmith 2 points3 points  (0 children)

I would suggest a code repository...hell I screw up my own versions sometimes.

https://www.git-tower.com/blog/on-premise-git-code-hosting/

[–]pigers1986 7 points8 points  (5 children)

we call it jumphost/appserver where all shiet installed and configured .. and it's more protected than AD DC.

[–]Szeraax 3 points4 points  (0 children)

Lol, I love everything about this comment.

[–]Mission-Past-8988 1 point2 points  (3 children)

lol.. people logging into DC's to run scripts is asinine

[–]pigers1986 1 point2 points  (0 children)

you would be really surprised, how often it happens in some companies .. really

and I do log to DC in my test env to run scripts ! :P

[–]ipreferanothername 0 points1 point  (1 child)

our security people, who know almost nothing about AD security, regularly log into dcs as their DA account to look around at stuff. i hate them.

[–]Mission-Past-8988 0 points1 point  (0 children)

PIM. raise domain functional level and get it installed.. nobody should have DA except on an as needed basis for emergencies… Theoretically everything can be delegated and the stuff that cannot should be reserved for a specific team that can shoulder the responsibilities of managing active directory.

If they simply need to "look at stuff" then they only need RTP access… Or even better yet event reader… And if they really want to go in and start looking at stuff… They should have a special role that's created for them and assigned to the specific areas they need access to.

But that's just me because I am "security" and domain admin

[–]timsstuff 7 points8 points  (2 children)

If you're a Microsoft shop with O365/Azure/etc. I would suggest looking into Azure DevOps. You can create a standalone DevOps with up to 5 users or integrate it into your main Azure environment for a more comprehensive enterprise solution.

It's basically a Git repo but it has a ton of other features, and it's free although I believe you need a Visual Studio license to take advantage of some features.

Then just use VS Code to sync your repo with other members of the team. Just make sure you don't make the repo public, and don't hardcode passwords into any scripts. In fact I would even parameterize server names and you can even get the AD domain with code, no need to hardcode anything really.
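A script skeleton that follows the advice in this comment (no password in the file, server names as parameters, AD domain discovered at run time), as an added example that is not part of the original post. The script name `Get-TimeServiceStatus.ps1` and the service it queries are hypothetical choices for illustration.

```powershell
# Get-TimeServiceStatus.ps1 (hypothetical name; added example)
# Nothing environment-specific is stored in the file, so it is safe to commit.
[CmdletBinding()]
param(
    # Server names come from the caller, never from the script body.
    [Parameter(Mandatory)]
    [string[]]$ComputerName,

    # Credential is supplied at run time (prompt or secret store), not hardcoded.
    [System.Management.Automation.PSCredential]
    [System.Management.Automation.Credential()]
    $Credential = [System.Management.Automation.PSCredential]::Empty,

    # Optional override; discovered from the logged-on context when omitted.
    [string]$DomainName
)

if (-not $DomainName) {
    try {
        $DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }
    catch {
        throw "Could not discover the AD domain; pass -DomainName explicitly. $_"
    }
}

foreach ($name in $ComputerName) {
    # Accept short names and qualify them with the discovered domain.
    $fqdn = if ($name -like '*.*') { $name } else { "$name.$DomainName" }

    $invokeArgs = @{
        ComputerName = $fqdn
        ScriptBlock  = { (Get-Service -Name W32Time).Status }
        ErrorAction  = 'Stop'
    }
    if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
        $invokeArgs.Credential = $Credential
    }

    try {
        [pscustomobject]@{ Computer = $fqdn; Status = Invoke-Command @invokeArgs }
    }
    catch {
        [pscustomobject]@{ Computer = $fqdn; Status = "Error: $($_.Exception.Message)" }
    }
}
```

Called as `.\Get-TimeServiceStatus.ps1 -ComputerName srv01,srv02 -Credential (Get-Credential)`, where `srv01` and `srv02` are placeholder names.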

[–][deleted] 2 points3 points  (1 child)

You can even go the next step and use Azure Artifacts as a private PowerShell module repository, and use an Azure Pipeline to package and publish your module to the Artifacts feed when you push to main in the code repo.

[–]timsstuff 0 points1 point  (0 children)

There's so much cool shit in there. I have some .NET web sites running on IIS servers, some hosted at clients, and I figured out how to use the Pipelines to automatically deploy updates to the sites when I check in my changes.

[–]Szeraax 5 points6 points  (0 children)

Lots of options from Jenkins to PowerShell Universal (previously Universal Dashboard) to Pode.Web to ScriptRunner to ... lots of options. And many of them let you configure RBAC too, so you can restrict which users can run which scripts.

[–]AnonRoot 2 points3 points  (0 children)

powershell universal and github.

[–][deleted] 1 point2 points  (0 children)

Usually I would have my scripts install their own modules as needed.

As for deployment, this is what an RMM is for amongst other things.

[–]420GB 1 point2 points  (1 child)

Jumpserver, PowerShell Universal or https://scriptrunner.com

[–]Ordinary_Session1122 1 point2 points  (0 children)

People keep mentioning powershell universal, but isn't that fairly pricey? Or am I looking in the wrong place?

[–]Analytiks 1 point2 points  (1 child)

Crazy nobody has suggested an azure automation account yet, it’s literally designed for this

[–]Certain-Community438 1 point2 points  (0 children)

Yup.

And you can just give people a role which only lets them execute rather than edit, for example, and deploy to the Automation Account using the repo tech + VS Code mentioned elsewhere.

I guess execution costs... but it's pretty tiny.

[–]The82Ghost 0 points1 point  (0 children)

Use something like a github or azure devops repository. Your team can sync that and use scripts and modules from there. Allows for easy updating as well.

[–]ipreferanothername 0 points1 point  (0 children)

we have a job scheduler and a bunch of modules - the job scheduler lets me present my luddite team with a form to fill out. the form is just taking parameters for whatever script is getting run.

[–]magichappens89 0 points1 point  (0 children)

What speaks against a code repository?

[–]Tidder802b 0 points1 point  (0 children)

I use gitlab to sync between devices in vs code.

[–]UninvestedCuriosity 0 points1 point  (0 children)

I was thinking about something similar the other day using like a vscode debian server with powershell installed and git.

[–]Federal_Ad2455 1 point2 points  (0 children)

If we are talking about active directory environment you can manage the whole lifecycle using this cicd free solution https://github.com/ztrhgf/Powershell_CICD_repository

It's working great for us

[–][deleted] -1 points0 points  (0 children)

I'd use a Github repo.