why PowerShell sucks so badly

Here, I attempt to answer the rhetorical question, “Why does Microsoft PowerShell suck so badly?” Where to begin…? It has such promise; it’s clear that someone has spent much time coding everything. Ultimately, there appears to be power under that shell and it’s probably truthful to its name. But if you can’t use the tool in the real world, it should be renamed to Microsoft PowerlessShell.


It’s almost like a group of scientists in a desert setting somewhere—think “Manhattan Project”—created a collection of methods useful for annihilating the planet and then as almost an afterthought, enough preventive controls were placed upon its use that literally nobody could in fact blow anything up.

Today’s task is to automate the creation of a VPN button for Windows 10-based remote users here at the office. End-users then in theory can just double-click a PowerShell script that I’ve placed on a SharePoint server. I would then individually share the link with them which would remotely install the new VPN profile. Sounds easy enough. In fact, it sounds much easier than the two-page long tutorial in a Word document which attempts to educate them on how to do all this manually. Have you ever seen how long an L2TP shared key phrase can be? It’s pretty bad. Just think of all the support calls I’m going to get if I can’t script this.

Is the PowerShell documentation easy to use? Hell no, it’s not. I’ve just spent a full hour trying to piece together the script required from this hobbled-together documentation on Add-VpnConnection. Does my script work under a test rig? I wish I knew, because at the moment I can’t actually run the script in any form or fashion because Microsoft doesn’t want me to.


Now granted, I’m an Administrative user on my newly-upgraded Windows 10 laptop. The script fails with some terse error message which suggests that I need to run the PowerShell command as Administrator.  Well, that would foil things here in the real world because I’m trying to have the end-users run this script remotely so that I—the administrator—don’t have to be there in the first place.

So I doggedly trudge ahead and end my session and open up PowerShell by right-mouse clicking it and choosing Run As Administrator.  And yet, this still doesn’t work.  This time it fails with another terse error message which suggests that Set-ExecutionPolicy might help.  I then research this to find that “Unrestricted” is the probable attribute but when attempting to run this, I get another terse error message suggesting that I can’t change the policy.  Seriously?

I could now go back to my earlier research and re-learn how to digitally sign a script so that I can run it. But the process to create and to troubleshoot a script usually requires multiple iterations before the script works perfectly. And this is especially true since nobody yet on the Internet has provided a good example for creating a VPN tunnel to a SonicWall over L2TP/IPsec with a pre-shared secret and authenticating to the firewall instead of the domain controller. Designing a script like this takes trial and error. Adding a signing phase between each script attempt effectively means: I’m not going to do this.


In short, this is why Microsoft PowerShell sucks.  If you have to sign scripts just to run them while testing then it’s not worth the effort.  Why not include a button in the PowerShell IDE which allows me to “Sign & Execute” my script attempt?  And if I don’t have a digital certificate then open a dialog box to gather the information to magically make this happen.  Or even better, just allow me to create and run scripts without all the nonsense.  How about a big toggle that says “Unsafe Mode” versus “Safe Mode”?
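As an added example (not the author's script, and not taken from Microsoft's documentation), here is one way the per-user L2TP/IPsec profile described above could be created with `Add-VpnConnection`. The profile name, server address, file name and the choice of MS-CHAPv2 are assumptions.

```powershell
# Added example: per-user L2TP/IPsec profile with a pre-shared key.
# All names and addresses below are placeholders, not values from the post.
#
# Test run without changing any stored policy (file name is hypothetical):
#   powershell.exe -ExecutionPolicy Bypass -File .\New-OfficeVpn.ps1
param(
    [string]$Name          = 'Office VPN',        # hypothetical profile name
    [string]$ServerAddress = 'vpn.example.com',   # placeholder firewall address
    [Parameter(Mandatory)]
    [string]$PreSharedKey                         # supplied at run time, not stored in the file
)

# Show which scope sets the effective policy. MachinePolicy and UserPolicy come
# from Group Policy and override anything Set-ExecutionPolicy writes.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Idempotent: drop an existing per-user profile of the same name first.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

$vpn = @{
    Name                 = $Name
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    L2tpPsk              = $PreSharedKey
    AuthenticationMethod = 'MSChapv2'   # assumption: the firewall accepts MS-CHAPv2
    EncryptionLevel      = 'Required'
    RememberCredential   = $true
    Force                = $true        # suppress the PSK confirmation prompt
    PassThru             = $true
}

# No -AllUserConnection: the profile goes into the current user's phone book,
# so no elevated prompt is needed.
Add-VpnConnection @vpn |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod
```

A pre-shared key written into a script on a shared link is readable by anyone who can open that link, which is why the key is a run-time parameter here.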


4 thoughts on “why PowerShell sucks so badly”

  1. a) You don’t have to sign your scripts to run them. “Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass” can be used while you test
    b) UAC requires you to run elevated processes if you want to change/read certain system properties (that should be obvious – it’s been like that since Vista)

    In general PS’ execution policy is a means to decide whether you can only run signed scripts [Signed], run your own local scripts but not scripts from the internet [RemoteSigned] or all scripts [Unrestricted] (or just ignore all of that [Bypass]).

    That’s 10 minutes of Google research.


    1. You might have managed to find something that worked within ten minutes. Great. Personally, I’d suggest that Microsoft could default their currently terse error response system to make that suggestion.

      I believe I did eventually that day find this solution and eventually then managed to finish a script process that’s about as kludgey as they come: 1) a batch file copies a registry file locally, 2) runs the registry file locally, 3) runs the script with similar arguments, 4) puts everything back to normal and cleans up. And yet, this feels like something a hacker would have to do to get around security, not something an administrator should have to do to test something.

