MID Server PowerShell files

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server PowerShell files

    This documentation describes the use of PowerShell script and module files (.ps1 and .psm1) by the ServiceNow MID Server to execute orchestration activities across various systems such as Active Directory, Exchange, and SCCM. The main PowerShell script,PSScript.ps1, leverages credential testing and password encryption modules to securely execute commands on remote hosts. The guidance focuses on how credentials are tested and selected, the logging utilities available for debugging, and the use of specific module files tailored to different activity packs.

    Show full answer Show less

    PowerShell Credential Testing and Selection

    The MID Server uses the credential.psm1 module to test access to target hosts by iterating through stored Windows credentials. Each PowerShell activity may specify a credType that determines which credential test function to run. If no credType is specified, the MID Server defaults to testing with the WMI method.

    • Credential Types and Test Functions:
      • WMI: Uses Get-WMI object to test access.
      • Active Directory (AD): Uses DirectoryEntry object.
      • Exchange: Uses PowerShell remoting with WinRM configured.
      • SCCM: Uses PowerShell remoting with WinRM configured.
    • If all credentials fail, the MID Server runs the PowerShell command under the MID Server service account.
    • If the target host is the MID Server itself, credentials in the Credentials table are bypassed and the MID Server service account is used directly.

    Exit Codes from PSScript.ps1

    The PSScript.ps1 script returns specific exit codes that are logged by the MID Server, providing insight into the success or failure of command execution:

    • 0: Command/script ran successfully.
    • 1: Test succeeded but command/script failed to execute.
    • 2: Incorrect syntax passed to the script.
    • 3: All credentials including the MID Server service account failed.
    • 4: Command executed but returned an error (e.g., user not found).

    PowerShell Diagnostic Utilities

    The DiagnosticsUtil.psm1 module provides utilities to enhance logging and debugging of PowerShell orchestration activities:

    • SNCLog-DebugInfo: Logs debug messages.
    • SNCLog-ParameterInfo: Logs function parameter values for better traceability.
    • SNCObfuscate-Value: Encrypts sensitive values in logs to maintain security.

    Activity Pack Module Files

    Separate module files contain specific functions for each orchestration activity pack, allowing the MID Server to execute relevant PowerShell commands:

    • ActiveDirectory.psm1: Functions for Active Directory activities.
    • Exchange.psm1: Functions for Exchange activities.
    • SCCM.psm1: Functions for SCCM activities.

    These modules are invoked by the associated PowerShell scripts included in the activity packs, ensuring that credentials and commands are properly handled for each target system type.

    PowerShell functions are stored in script files (*.ps1) that use a PowerShell Script module (*.psm1) file name extension.

    The PowerShell functions are used by the PowerShell MID Server script files included in these activity packs:
    • Active Directory
    • Exchange
    • SCCM
    • PowerShell

    PSScript.ps1

    This script performs a few tasks, such as credential testing, password encryption, and the execution of scripts configured in the Orchestration Activity Designer or in MID Script Files. However, this document focuses on how PSScript.ps1 uses the credential.psm1 module for testing access to remote hosts.

    The PowerShell variables are generally used directly in the PowerShell execution command or as arguments in the MID Server script file you specify. There are special variables that are passed to PSScript.ps1, such as credType.
    Figure 1. Using credType in execution parameters
    Using credType in execution parameters

    PowerShell credTypes

    The PowerShell credential types:

    Type Description
    WMI testCredentialWMI
    Exchange testCredentilExchange
    AD testCredentilAD
    SCCM testCredentilSCCM

    If no credential type is passed to the PSScrip.ps1 script, the MID Server defaults to the WMI test function to test access to the target host. If there is a credential type used, the MID Server runs the corresponding test function for that credential type.

    Exit codes

    These exit codes are returned from the PSScript.ps1 script and logged in the MID Server log file.

    Table 1. PSScript.ps1 exit codes
    Type Test function
    0 PowerShell command/script ran successfully.
    1 Test finished successfully, but the command/script failed to execute.
    2 Incorrect syntax passed to script.
    3 All credentials including MID Server service account failed to execute the command/script.
    4 Passed test and executed the activity, but an error was returned. Example user cannot be found.

    DiagnosticsUtil.psm1

    The MID Server uses this module file to perform PowerShell logging that assists debugging any Orchestration activity using PowerShell scripting. You can also add debugging statements directly to custom scripts.
    Table 2. PowerShell diagnostic utilities
    Utility Description
    SNCLog-DebugInfo Log a debug message for a PowerShell script or PowerShell Orchestration activity. Examples:
    • SNCLog-DebugInfo -message "My debug message..."
    • SNCLog-DebugInfo "My debug message"
    SNCLog-ParameterInfo Log a function parameter value. For "function getHostName{ param( [String] $target )", the first value to the PowerShell hashtable is a string to indicate which function executes, and the values for each of the function parameters. Examples:
    • Function with single parameter: SNCLog-ParameterInfo @("Running getHostName", $target)
      Note:
      The debug message shows, 'Running getHostName $target:[actual value of $target]'.
    • Function with multiple parameters: SNCLog-ParameterInfo @("Running functionName", $param1, $param2, $param3)
    SNCObfuscate-Value Use this utility to encrypt values for security purposes. The function displays "$variableName":***, where *** is the obfuscated value. Example:
    SNCObfuscate-Value $password
    Note:
    The debug message reads: "$password : ***".

    Credentials.psm1

    The MID Server uses this module file to test access to a target host. The MID Server loops through all Windows credentials stored in its credentials table using the following access type functions, unless the PowerShell activity has a credential type (credType) defined. All ServiceNow® authored PowerShell activities are hard-coded to use a specific credential type. As a result, the MID Server only tests credential access against the designated function.
    Table 3. PowerShell test functions
    Function Description
    testCredentialWMI Tests the given user and password on the target host using the Get-WMI object.
    testCredentilAD Tests the given user and password on the target host using the built-in DirectoryEntry object.
    testCredentialExchange Tests the given user and password to create a session on an Exchange host. This test uses the built-in PowerShell remoting feature on a remote host. WinRM is configured on Exchange servers by default.
    testCredentialSCCM Tests the given user and password to create a session on an SCCM server. This test uses the built-in PowerShell remoting feature on a remote host. This test requires WinRM to be configured.
    testNoCredentialAccessWMI Tests the given user and password on the target host, using the Get-WMI object. This test is used when no credType is used.
    Note:
    If the test passes using one of these functions, that credential is used to run the PowerShell script/command. If the tests fail to access the target host using these functions, the MID Server runs the PowerShell script/command under the account of the MID Server service.

    This diagram illustrates the dependency of the credential selection behavior on the host being targeted by the PowerShell activity. If the target host is the IP address or host name of the MID Server, the MID Server bypasses all credentials in the Credentials table and uses the account of the MID Server service. If the target host is not the MID Server, then all Windows credentials are used first. If all credentials in the Credentials table are unsuccessful in running the PowerShell activity, then the MID Server uses the MID Server service account.

    Figure 2. PowerShell credential selection criteria
    PowerShell credential selection criteria

    ActiveDirectory.psm1

    This module file stores the functions used by the PowerShell scripts shipped with the Active Directory activity pack.

    Exchange.psm1

    This module file stores the functions used by the PowerShell scripts shipped with the Exchange activity pack.

    SCCM.psm1

    This module file stores the functions used by the PowerShell scripts shipped with the SCCM activity pack.