****The following process is not supported by Microsoft! This directly updates data in the Orchestrator database! Use at your own risk!****
While migrating policies from Opalis to Orchestrator or between Orchestrator environments, you may run into the issue where Invoke Runbook activities magically get updated w/ the "Invoke by path" property set to True (or checked).
This occurs when a runbook targets another runbook that was not included in the export file. Orchestrator attempts to keep the relationship chain by specifying the path to the target runbook since the runbook id guid is no longer valid.
To find all active Invoke Runbook activities that have this property set to true, you can execute the following SQL query to identify them.
The first query will group the target runbooks so you know how many are affected (we'll use these individual values later....).
Select TRIGGER_POLICY.PolicyPath AS TargetRunbookPath
From TRIGGER_POLICY
INNER JOIN OBJECTS ON TRIGGER_POLICY.UniqueID = OBJECTS.UniqueID
INNER JOIN POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID
Where TRIGGER_POLICY.TriggerByPolicyPath != 0 and OBJECTS.Deleted != 1 and POLICIES.Deleted != 1
Group By TRIGGER_POLICY.PolicyPath
Order By TRIGGER_POLICY.PolicyPath
Select POLICIES.UniqueID, POLICIES.Name AS SourceRunbook, TRIGGER_POLICY.PolicyObjectID AS TargetRunbookID, TRIGGER_POLICY.PolicyPath AS TargetRunbookPath, TRIGGER_POLICY.TriggerByPolicyPath, TRIGGER_POLICY.TargetActionServers
From TRIGGER_POLICY
INNER JOIN OBJECTS ON TRIGGER_POLICY.UniqueID = OBJECTS.UniqueID
INNER JOIN POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID
Where TRIGGER_POLICY.TriggerByPolicyPath != 0 and OBJECTS.Deleted != 1 and POLICIES.Deleted != 1
Order By TRIGGER_POLICY.PolicyPath
Now if you have a loooot of individual activities that have this property set (shown from the 2nd query above), you can update to update them by target runbook in mass rather than tediously going to each and every activity and updating the target runbook, unchecking the invoke by path property, and updating any parameters if applicable.
From the first query above, you can copy the target runbook name and paste it into the highlighted section below.
**Note the query below will only SELECT the rows that will be ultimately updated. You'll need to comment out the 'Select' line and remove the comments from the 'Update', and two Set cmds.
Declare @TargetPath varchar(250)
Declare @UpdatedID varchar(250)
Set @TargetPath = 'Policies\Path_To_Runbook'
Set @UpdatedID = (Select '{' + CAST(Resources.UniqueId as varchar(250)) + '}'
From [Microsoft.SystemCenter.Orchestrator.Internal].Resources AS Resources
Where Resources.Path = SUBSTRING(@TargetPath,CHARINDEX('\Globals',@TargetPath,0),len(@TargetPath)))
Select POLICIES.UniqueID, POLICIES.Name, @UpdatedID, TRIGGER_POLICY.PolicyPath, TRIGGER_POLICY.TriggerByPolicyPath
--Update TRIGGER_POLICY
--Set TRIGGER_POLICY.PolicyObjectID = @UpdatedID
-- ,TRIGGER_POLICY.TriggerByPolicyPath = 0
From TRIGGER_POLICY
INNER JOIN OBJECTS ON TRIGGER_POLICY.UniqueID = OBJECTS.UniqueID
INNER JOIN POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID
Where TRIGGER_POLICY.TriggerByPolicyPath != 0 and OBJECTS.Deleted != 1 and POLICIES.Deleted != 1 and TRIGGER_POLICY.PolicyPath = @TargetPath
Showing posts with label guid. Show all posts
Showing posts with label guid. Show all posts
Tuesday, December 4, 2012
Tuesday, September 11, 2012
Audit Jobs started from Orchestration Console (Who Started It)
This post I'll explain how to setup a runbook that runs a daily audit report of runbook jobs started from the Orchestration Console (OC). As more end users and external applications get access to start runbooks, it's important to know who started a runbook at any given time.
The runbook itself is fairly simple.
First, we need to query the database for the jobs table ([Microsoft.SystemCenter.Orchestrator.Runtime].Jobs) which holds most of the data for the jobs. One key to both queries is to flatten the data which we will later break back out into multi-valued data.
Select POLICIES.Name, Jobs.CreatedBy, Jobs.CreationTime, Jobs.Status
From [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS Jobs
INNER JOIN POLICIES ON Jobs.RunbookId = POLICIES.UniqueID
Where Jobs.CreatedBy != 'S-1-5-500' and datediff(HOUR, Jobs.CreationTime, SYSUTCDATETIME ()) <= 24
Order By Jobs.CreationTime Desc
You can also extract parameters, runbook servers specified, etc... from the query if you like. I joined the POLICIES table onto Jobs to get the name of the runbook from the guid. Since this is a daily report, I selected jobs created in the past 24 hours. I've also filtered out jobs started by the SID - "S-1-5-500". This will narrow our results down to the OC. Jobs started from the designer console or "internally" to SCOrch will have that SID. Jobs created from the OC will show the SID of the user that started the job.
Next, we run almost the same query just to get the SIDs of the users we need to translate.
Select Jobs.CreatedBy
From [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS Jobs
Where Jobs.CreatedBy != 'S-1-5-500' and datediff(HOUR, Jobs.CreationTime, SYSUTCDATETIME ()) <= 24
Group By Jobs.CreatedBy
Now to the script that puts it all together. You'll notice from this screenshot where I've used the published data to parse.
Here is the script (I've left out the published data alphabet soup since it would be translated to the guid).
$RawResults = ""
$MyObjectCol = @()
$Regex = [regex] '/*__%__'
$Results = $Regex.Split("$RawResults")
ForEach($Data in $Results)
{
If ($Data.Split(";")[0].Length -ne 0) {
$Field1 = $Data.Split(";")[0]}
Else {$Field1 = $null}
If ($Data.Split(";")[1].Length -ne 0) {
$Field2 = $Data.Split(";")[1]}
Else {$Field2 = $null}
If ($Data.Split(";")[2].Length -ne 0) {
$Field3= $Data.Split(";")[2]}
Else {$Field3 = $null}
If ($Data.Split(";")[3].Length -ne 0) {
$Field4= $Data.Split(";")[3]}
Else {$Field4 = $null}
$MyObject = new-object psobject
$MyObject | add-member -MemberType noteproperty -name RunbookName -value $Field1
$MyObject | add-member -MemberType noteproperty -name InvokedBy -value $Field2
$MyObject | add-member -MemberType noteproperty -name Date -value $Field3
$MyObject | add-member -MemberType noteproperty -name JobStatus -value $Field4
$MyObjectCol += $MyObject
}
#Remove Empty Objects
$MyObjectCol = @($MyObjectCol | Where-Object {$_.RunbookName -ne $null})
#Convert SID to Username
$Users = @()
$SIDs = ""
$SIDs = $SIDs.Split("__%__")
ForEach ($SID in $SIDs) {
If ($SID.Length -ne 0) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$User = $objUser.Value
ForEach ($Object in $MyObjectCol) {
$Object.InvokedBy = $Object.InvokedBy -Replace("$SID","$User")
}
}
}
#Convert UTC to Local Time
$strCurrentTimeZone = (Get-WmiObject win32_timezone).StandardName
$TZ = [System.TimeZoneInfo]::FindSystemTimeZoneById($strCurrentTimeZone)
ForEach ($Object in $MyObjectCol) {
$Object.Date = [System.TimeZoneInfo]::ConvertTimeFromUtc($Object.Date, $TZ)
}
$MyObjectCol = $MyObjectCol | Sort Date -Desc | ft -AutoSize | Out-String -Width 4096 -Stream | %{ $_.Trim() }
$MyObjectCol | Out-File -FilePath "C:\Temp\JobAudit.txt"
I create a hash table to save the end results in. The script converts the SIDs to usernames and also converts the time from UTC to local. It then saves the output to a txt file which we'll email as an attachment. I chose to do it this way so the data would be saved in columns and formatted cleanly to read. You could also format it as a list to put directly into the body of the email.
Finally, just for housekeeping, the txt file is deleted.
The runbook itself is fairly simple.
First, we need to query the database for the jobs table ([Microsoft.SystemCenter.Orchestrator.Runtime].Jobs) which holds most of the data for the jobs. One key to both queries is to flatten the data which we will later break back out into multi-valued data.
Select POLICIES.Name, Jobs.CreatedBy, Jobs.CreationTime, Jobs.Status
From [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS Jobs
INNER JOIN POLICIES ON Jobs.RunbookId = POLICIES.UniqueID
Where Jobs.CreatedBy != 'S-1-5-500' and datediff(HOUR, Jobs.CreationTime, SYSUTCDATETIME ()) <= 24
Order By Jobs.CreationTime Desc
You can also extract parameters, runbook servers specified, etc... from the query if you like. I joined the POLICIES table onto Jobs to get the name of the runbook from the guid. Since this is a daily report, I selected jobs created in the past 24 hours. I've also filtered out jobs started by the SID - "S-1-5-500". This will narrow our results down to the OC. Jobs started from the designer console or "internally" to SCOrch will have that SID. Jobs created from the OC will show the SID of the user that started the job.
Next, we run almost the same query just to get the SIDs of the users we need to translate.
Select Jobs.CreatedBy
From [Microsoft.SystemCenter.Orchestrator.Runtime].Jobs AS Jobs
Where Jobs.CreatedBy != 'S-1-5-500' and datediff(HOUR, Jobs.CreationTime, SYSUTCDATETIME ()) <= 24
Group By Jobs.CreatedBy
Now to the script that puts it all together. You'll notice from this screenshot where I've used the published data to parse.
Here is the script (I've left out the published data alphabet soup since it would be translated to the guid).
$RawResults = ""
$MyObjectCol = @()
$Regex = [regex] '/*__%__'
$Results = $Regex.Split("$RawResults")
ForEach($Data in $Results)
{
If ($Data.Split(";")[0].Length -ne 0) {
$Field1 = $Data.Split(";")[0]}
Else {$Field1 = $null}
If ($Data.Split(";")[1].Length -ne 0) {
$Field2 = $Data.Split(";")[1]}
Else {$Field2 = $null}
If ($Data.Split(";")[2].Length -ne 0) {
$Field3= $Data.Split(";")[2]}
Else {$Field3 = $null}
If ($Data.Split(";")[3].Length -ne 0) {
$Field4= $Data.Split(";")[3]}
Else {$Field4 = $null}
$MyObject = new-object psobject
$MyObject | add-member -MemberType noteproperty -name RunbookName -value $Field1
$MyObject | add-member -MemberType noteproperty -name InvokedBy -value $Field2
$MyObject | add-member -MemberType noteproperty -name Date -value $Field3
$MyObject | add-member -MemberType noteproperty -name JobStatus -value $Field4
$MyObjectCol += $MyObject
}
#Remove Empty Objects
$MyObjectCol = @($MyObjectCol | Where-Object {$_.RunbookName -ne $null})
#Convert SID to Username
$Users = @()
$SIDs = ""
$SIDs = $SIDs.Split("__%__")
ForEach ($SID in $SIDs) {
If ($SID.Length -ne 0) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$User = $objUser.Value
ForEach ($Object in $MyObjectCol) {
$Object.InvokedBy = $Object.InvokedBy -Replace("$SID","$User")
}
}
}
#Convert UTC to Local Time
$strCurrentTimeZone = (Get-WmiObject win32_timezone).StandardName
$TZ = [System.TimeZoneInfo]::FindSystemTimeZoneById($strCurrentTimeZone)
ForEach ($Object in $MyObjectCol) {
$Object.Date = [System.TimeZoneInfo]::ConvertTimeFromUtc($Object.Date, $TZ)
}
$MyObjectCol = $MyObjectCol | Sort Date -Desc | ft -AutoSize | Out-String -Width 4096 -Stream | %{ $_.Trim() }
$MyObjectCol | Out-File -FilePath "C:\Temp\JobAudit.txt"
I create a hash table to save the end results in. The script converts the SIDs to usernames and also converts the time from UTC to local. It then saves the output to a txt file which we'll email as an attachment. I chose to do it this way so the data would be saved in columns and formatted cleanly to read. You could also format it as a list to put directly into the body of the email.
Finally, just for housekeeping, the txt file is deleted.
Subscribe to:
Posts (Atom)