How to Get Started with PowerShell DSC to Control Configuration DriftHow to Get Started with PowerShell DSC to Control Configuration Drift
One of the best tools for ensuring that servers remain configured in a specific way is Microsoft PowerShell DSC.
August 3, 2021
Admins put a great deal of work into meticulously crafting servers’ security configurations, but those configurations inevitably change over time. This is referred to as configuration drift. However, there are some environments in which configuration changes of any kind are unacceptable. One of the best tools for ensuring that your servers remain configured in a specific way is the Microsoft PowerShell Desired State Configuration Tool, or PowerShell DSC).
What Does PowerShell DCS Do?
PowerShell DSC allows you to create a declarative file outlining how one or more servers should be configured. You can then use PowerShell to compare the server’s actual configuration to the configuration that is outlined in the file. If any discrepancies are found, PowerShell DSC will modify the server’s configuration to match that of the file.
PowerShell DSC’s Excessive Complexity
One of the reasons most often cited for not using PowerShell DCS is that the tool is over-complicated. While PowerShell DSC can indeed be complex, it doesn’t have to be. In this article, I will show you a really simple way of getting started with PowerShell DSC.
An Introduction to MOF Files
One of the most important things to understand about PowerShell DSC is that when you create a DSC configuration, that configuration does not get applied directly to the target machine. Instead, the configuration creates a MOF (Managed Object Format) file, and it is this MOF file that is then used to configure the target machine.
A Sample PowerShell DSC Script
Here is an example of a really simple DSC script. This particular script disables a server’s Netlogon service (which is something you should do only on stand-alone, non-domain-joined servers). It is designed to illustrate how PowerShell DSC can be used to control the way that system services are configured.
Configuration NetlogonDisabled {Import-DscResource -ModuleName ‘PSDesiredStateConfiguration’ Node Demo { Service Netlogon{ Name = “Netlogon” StartupType = “Disabled” State = “Stopped” BuiltinAccount = ‘LocalSystem’ }}} NetlogonDisabled -Output C:DSCStart-DSCConfiguration -Force -Wait -Verbose -Path C:DSC
You can see the script and its output in Figure 1.
PowerShell DSC Server Configuration Drift
Figure 1
This is the PowerShell DSC file and its output.
Let’s take a look at how the script works. The very first line of the script defines a configuration called NetlogonDisabled. This configuration is called by the second-to-the-last line of the script. You will notice that this line of code sets the output path to C:DSC. This is the location where the MOF file will be stored. In fact, you can see this folder and the MOF file that was created in the bottom-left portion of Figure 1.
The configuration section is what causes the MOF file to be created. The first line of code within the configuration imports the PSDesiredStateConfiguration PowerShell module. Technically, the script will work without this line of code, but you will get a warning message if you omit it.
The next line of code says Node Demo. The node is the name of the computer. In this case, I am creating a MOF file only for a single computer, but you can list multiple nodes if you want to apply the configuration to several computers.
Next comes the Service Netlogon line. The block of code beneath this section is what defines how the Netlogon service should be configured. As you can see in the figure, the block of code specifies the service name (be sure to use the actual service name rather than its display name), the desired startup type and state, and the built-in account that should be used to control the service.
As previously mentioned, the NetlogonDisabled line calls the Configuration NetlogonDisabled line and builds a MOF file for each computer that is listed as a node. Once this process completes, the script’s last line is what actually applies the configuration to the target node. This line of code (Start-DSCConfiguration) looks to the specified path and locates a MOF file whose filename matches the computer name. It then uses the MOF file’s contents to configure the computer. The most important thing to know about this command is that it will not work without the -Path and the -Force parameters.
Although the script outlined in this article demonstrates the PowerShell DSC tool by configuring a system service, the tool can do much more. For example, it can install or remove roles and features, as well as configuring files and registry settings.
About the Author
You May Also Like