4 Replies Latest reply on Oct 19, 2016 4:32 PM by jesnyder

    NCM PowerShell examples

    jesnyder

      We recently started rolling NCM out and I have needed to give the Orion Server access to our devices.  As I grant the access I have been making sure that NCM can download the configs successfully by clicking "Download" for Startup and Running in the "Download Config" window on the "CONFIGS" tab of each device.  I thought this would be a good opportunity to test out kicking these downloads off through PowerShell so I tried it on a list of devices but I received an Access denied for "CanDownload" permission.  I have a test script shown below.  What I wanted it to do was use the Connection Profile that already exists on the nodes in question (In this case it is a Cisco device).  I didn't see any mention of providing credentials when using the DownloadConfig verb?  The user I am connecting with can initiate the download of configs through the website using the "Download Config" window mentioned above.  Can someone help me out with a basic example on backing up a config?  Also, if you have other cool things you are doing with NCM through the SDK please feel free to share.

       

       

      $hostname = "ncmserver.jeremy.com"

      $cred = Get-Credential

      $swis = Connect-Swis -host $hostname -cred $cred

      $nodeIdList = New-Object -TypeName "System.Guid[]" 1

      $nodeIdList[0] = '153f4679-8bdc-4478-ba95-403352f5a175'

      Invoke-SwisVerb $swis Cirrus.ConfigArchive DownloadConfig @($nodeIdList, "Running")

       

       

       

      cmdlet Get-Credential at command pipeline position 1

      Supply values for the following parameters:

      Invoke-SwisVerb : Access denied. CanDownload permission required.

      At ...\001-Solarwinds\Scripts\NCM.Test.ps1:6 char:1

      + Invoke-SwisVerb $swis Cirrus.ConfigArchive DownloadConfig @($nodeIdLi ...

      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          + CategoryInfo          : InvalidOperation: (:) [Invoke-SwisVerb], FaultException`1

          + FullyQualifiedErrorId : SwisError,SwisPowerShell.InvokeSwisVerb

       

      Thanks,

      Jeremy

        • Re: NCM PowerShell examples
          tdanner

          The DownloadConfig verb will use the same connection profile that the website uses for the same operation. Are you use the Orion credentials you provide in $cred are for a user allowed to do downloads? If so this would seem to be some kind of bug.

            • Re: NCM PowerShell examples
              jesnyder

              I am using the Windows user that I use to login to the website with.  I can initiate a download from the configs tab in the website using that user.  However, the user that actually goes and gets the config is set in the Connection Profile for the node using the ${GlobalUserName}, ${GlobalEnableLevel} and other ${Global...} variables. I wanted to replicate the action I was taking on the configs tab with the Windows user.

                • Re: NCM PowerShell examples
                  tdanner

                  I was able to reproduce the behavior you are seeing by changing how I supply the credentials to the powershell script. If I give it a username in the form of "domain\user" then it works correctly. But if I use the "user@domain" syntax, then I get the same error you do: it authenticates correctly, but seems to think I am not authorized in NCM. I also found this log line in C:\ProgramData\SolarWinds\InformationService\v3.0\Orion.InformationService.log:

                   

                  2016-10-19 15:31:50,784 [20] ERROR SolarWinds.Data.Providers.NCM.SecurityHelper - SwisPowerShell (null) NCM.NCMAccount role was not found.

                   

                  Could this be the problem you are hitting? Try giving your username in the "domain\user" form and see if it helps.

                   

                  Background: The NCM role for a user is stored in the WebUserSettings table in the database under the SettingName "NCM.NCMAccountRole". This table is keyed by the AccountID, which for Windows accounts is the account name in "domain\user" form. Most features in the product look up the account in the Accounts table by SID, which allows them to normalize it and removes any syntactic confusion. But this NCM feature is just using the name as supplied for the lookup, which makes it sensitive to syntax.

                    • Re: NCM PowerShell examples
                      jesnyder

                      Yes, that worked!  I backed up some of the nodes I was working on with the following script that I patched together from your example and another thwack post.  I feel that this was much faster/cleaner than creating a new job specifying the nodes and I didn't have to wait for the nightly backup to see the connections were fixed!  I still need to fix the script so it does startup and running at the same time and shows the status like in your example (I was watching the website "Transfer Status" page) but this is what I tested with.  Thank you very much!  I will try an post an updated script so people can fix the problems with it.  If I remember...

                       

                      if (-not (Get-PSSnapin | where {$_.Name -eq "SwisSnapin"})) {

                          Add-PSSnapin "SwisSnapin"

                      }

                      $hostname = "ncmserver.jeremy.com"

                      $cred = Get-Credential

                      $swis = Connect-Swis -host $hostname -cred $cred

                       

                      $Nodes = '162','164','167','168','169','170','174','177','178','180','1895','2830','2844','3130','3566','2797'

                      [GUID[]]$nodeIdList = @()

                      ForEach( $Node in $Nodes){

                      $NodeID = Get-SwisData $swis "SELECT NodeID From Cirrus.Nodes Where CoreNodeID = @CID" @{CID=$Node}

                      $nodeIdList += $NodeID

                      }

                      Invoke-SwisVerb $swis Cirrus.ConfigArchive DownloadConfig @($nodeIdList, "Running") | Out-Null