Why PS7 Changes Everything for SysAdmins

The headline feature for infrastructure work is ForEach-Object -Parallel. In PowerShell 5.1, looping over hundreds of servers to run a command was sequential — painfully slow when each operation involves a network call. In PS7, adding -Parallel to your ForEach-Object pipeline runs iterations concurrently (up to a configurable throttle limit), collapsing a 10-minute sequential run to under a minute. Combined with the -ThrottleLimit parameter, you get controlled parallelism without overwhelming your network or target systems.

PowerShell 7 also ships with null-coalescing operators (?? and ??=), pipeline chain operators (&& and ||), ternary expressions, and significantly improved error handling. The Get-Error cmdlet provides structured, detailed error information that makes debugging complex scripts far easier. Module compatibility has improved too — most PS 5.1 modules work in PS7 via a compatibility shim, though a handful of modules that rely on Windows-only COM components remain PS5.1-only.

Bulk AD User Management

Managing Active Directory users at scale through the GUI is tedious and error-prone. PowerShell with the ActiveDirectory module makes bulk operations straightforward and auditable. Common tasks like disabling accounts for departed employees, resetting passwords, updating department attributes for an org restructure, or moving users between OUs all lend themselves to one-liners or short scripts that you can test in a non-production OU first.

The script below processes a CSV file of user updates — useful when HR sends over a spreadsheet of 200 employees who need their department and manager attributes updated after a reorg. Run it with -WhatIf first to preview changes without applying them, then remove the switch for the actual run.

# BulkUpdateADUsers.ps1 — Update AD attributes from CSV
# CSV columns: SamAccountName, Department, Manager, Title
#Requires -Modules ActiveDirectory

param(
    [Parameter(Mandatory)][string]$CsvPath,
    [switch]$WhatIf
)

$users = Import-Csv -Path $CsvPath
$results = [System.Collections.Concurrent.ConcurrentBag[object]]::new()

$users | ForEach-Object -Parallel {
    $bag = $using:results
    $whatIf = $using:WhatIf
    try {
        $params = @{
            Identity   = $_.SamAccountName
            Department = $_.Department
            Title      = $_.Title
            Manager    = (Get-ADUser $_.Manager).DistinguishedName
            WhatIf     = $whatIf.IsPresent
        }
        Set-ADUser @params
        $bag.Add([pscustomobject]@{ User=$_.SamAccountName; Status="OK" })
    } catch {
        $bag.Add([pscustomobject]@{ User=$_.SamAccountName; Status="FAIL: $_" })
    }
} -ThrottleLimit 20

$results | Export-Csv -Path ".\update-results.csv" -NoTypeInformation
Write-Host "Done. Results at .\update-results.csv"

Automated Patch Reporting

Keeping track of patch status across a fleet of Windows servers is a common pain point. WSUS gives you a dashboard, but exporting useful reports for management or auditors is clunky. A PowerShell script that queries hotfix history across multiple servers and generates a clean report is something every Windows admin should have. The script below uses PS7’s parallel foreach to query multiple servers simultaneously, dramatically reducing the time it takes to gather data.

Combine this with a scheduled task or Azure Automation runbook to generate weekly patch compliance reports automatically. Export to CSV for easy import into Excel or your ITSM tool, or format as HTML for email distribution. Adding logic to flag servers that haven’t received updates in more than 30 days gives you an actionable compliance metric for your next audit.

# Get-PatchReport.ps1 — Query hotfix status across multiple servers
param([string[]]$Servers = @("SRV01","SRV02","SRV03"))

$report = $Servers | ForEach-Object -Parallel {
    $server = $_
    try {
        $hotfixes = Get-HotFix -ComputerName $server -ErrorAction Stop |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Server       = $server
            LastPatch    = $hotfixes.HotFixID
            InstalledOn  = $hotfixes.InstalledOn
            DaysSince    = (New-TimeSpan -Start $hotfixes.InstalledOn -End (Get-Date)).Days
            Status       = "Online"
        }
    } catch {
        [pscustomobject]@{ Server=$server; LastPatch="N/A"; InstalledOn="N/A"; DaysSince=999; Status="Error: $_" }
    }
} -ThrottleLimit 10

$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize
$report | Export-Csv ".\patch-report-$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation

Calling REST APIs from PowerShell

Invoke-RestMethod is PowerShell’s built-in REST client, and it’s surprisingly capable. It automatically deserializes JSON responses into PowerShell objects, handles common authentication schemes, and supports all HTTP methods. Combined with PS7’s improved performance and parallelism, you can build lightweight integration scripts between your on-prem tooling and cloud APIs without pulling in external dependencies or standing up middleware.

A common use case: querying your monitoring tool’s API to get a list of alerts, then correlating them with your CMDB API to enrich the data before posting to a Teams channel via the incoming webhook API. Three API calls, all handled with Invoke-RestMethod, tied together in a script that runs every 15 minutes as a scheduled task. It’s not glamorous, but it’s the kind of practical automation that saves your team hours every week.

The post PowerShell 7: 10 Scripts Every SysAdmin Should Have in Their Toolkit appeared first on InfoTech Ninja.

Secured-Core Server: Hardware-Backed Security

Secured-core server is Microsoft’s initiative to leverage modern hardware security features for defense against firmware attacks and privileged code execution. It builds on Dynamic Root of Trust for Measurement (DRTM), which uses the CPU’s built-in security features to establish a trusted boot measurement chain independently of firmware — making it significantly harder for bootkit malware to persist across reboots. Hypervisor-Protected Code Integrity (HVCI) runs the kernel code integrity checks inside a VBS (Virtualization Based Security) hypervisor, protecting against kernel-mode rootkits.

Secured-core server requires compatible hardware — processors with DRTM support (Intel TXT or AMD SKINIT), UEFI firmware, TPM 2.0, and virtualization extensions. Most server hardware shipping in the last three to four years meets these requirements. For organizations running highly sensitive workloads — financial systems, healthcare data, government infrastructure — secured-core provides a meaningful hardware-backed security baseline that software controls alone cannot replicate.

SMB Compression and AES-256 Encryption

Windows Server 2022 introduces SMB compression, which compresses file data in transit between client and server. For workloads transferring compressible data (log files, databases during backup, Office documents) over high-latency or bandwidth-constrained links, compression can dramatically reduce transfer time and network utilization. It’s enabled per-share or globally via PowerShell, and negotiated dynamically between client and server — if either side doesn’t support it, the transfer falls back to uncompressed without error.

On the encryption side, Server 2022 adds AES-256-GCM and AES-256-CCM cipher suites for SMB 3.1.1 encryption. For environments with compliance requirements mandating 256-bit encryption for data in transit, this closes a gap without requiring a third-party file transfer solution. Enable it via PowerShell: Set-SmbServerConfiguration -EncryptionCiphers AES_256_GCM. Note that AES-256 does carry a higher CPU overhead than AES-128 — test performance in your environment before enforcing it cluster-wide.

Storage Spaces Direct: What Changed?

Storage Spaces Direct (S2D) in Server 2022 brings Nested Resiliency improvements and ReFS enhancements. Nested resiliency — first introduced in 2019 — allows two-node S2D clusters to survive a full node failure plus a drive failure simultaneously, which standard two-way mirroring cannot handle. Server 2022 expands nested resiliency support and adds better tooling for managing the resiliency tier.

ReFS (Resilient File System) improvements in 2022 include faster mirror-accelerated parity writes and improved block cloning performance — particularly relevant for Hyper-V environments where differencing disk operations and checkpoint handling benefit significantly. For administrators running S2D-based Hyper-V clusters, upgrading the cluster OS to 2022 can deliver measurable I/O improvements for checkpoint-heavy workloads without any hardware changes.

Upgrade Decision: WS2019 to WS2022

Windows Server 2019 reaches end of mainstream support in January 2024 and end of extended support in January 2029 — so there’s no immediate compliance pressure driving a 2022 upgrade if you’re still on 2019. The upgrade justification comes down to whether the specific 2022 capabilities address real gaps in your environment. If you’re running secured-core-capable hardware and handle sensitive data, the firmware-level security improvements are compelling. If you run large Hyper-V S2D clusters, the ReFS and nested resiliency improvements have direct operational value.

In-place upgrade from Server 2019 to 2022 is supported and generally smooth for standalone servers, though Microsoft and most practitioners recommend a fresh deployment with application migration for production workloads — particularly domain controllers and SQL servers. For Hyper-V clusters, a rolling cluster upgrade (upgrading nodes one at a time while VMs continue running on remaining nodes) works well and minimizes downtime. Test your applications and roles in a non-production environment before committing production systems to the upgrade.

The post Windows Server 2022 Core Features Every Admin Needs to Know appeared first on InfoTech Ninja.

Variables, Input, and Output

Bash variables are untyped strings by default. Assign without spaces around the equals sign, and reference with a dollar sign prefix. Double-quote your variable references to prevent word splitting on values that contain spaces. Use $(command) syntax (command substitution) to capture command output into a variable. The readonly keyword makes a variable immutable — useful for constants in your scripts.

The read builtin captures user input interactively. For scripts that shouldn’t be interactive, pass values via positional parameters ($1, $2, etc.) or environment variables. Always validate input: check that required arguments were provided, that file paths exist before operating on them, and that numeric values are actually numeric. Failing fast with a clear error message is far better than letting a script proceed with bad input and silently corrupt data.

#!/usr/bin/env bash
# Variables and I/O basics
set -euo pipefail   # exit on error, undefined vars, pipe failures

# Variables
SCRIPT_NAME="$(basename "$0")"
LOG_DIR="/var/log/myscripts"
DATESTAMP="$(date +%Y%m%d_%H%M%S)"
readonly LOG_DIR

# Positional arguments with default
TARGET_HOST="${1:-localhost}"
PORT="${2:-80}"

# Validate numeric
if ! [[ "$PORT" =~ ^[0-9]+$ ]]; then
    echo "ERROR: PORT must be a number, got: $PORT" >&2
    exit 1
fi

# Read from user interactively
read -rp "Enter backup label: " LABEL
echo "Backing up $TARGET_HOST:$PORT labeled '$LABEL' at $DATESTAMP"

Conditionals and File Tests

Bash conditionals use the test command or its synonym [[ ]] (prefer the double-bracket form — it handles empty strings and special characters more safely). File tests are especially useful in sysadmin scripts: -f tests for a regular file, -d for a directory, -r for readable, -w for writable, -x for executable, and -s for non-empty. Combining tests with && and || inside [[ ]] avoids spawning subshells for each test.

Always check for file existence before operating on it, check for required commands before assuming they’re available, and check return codes after operations that can fail. The command -v pattern checks whether a command exists in PATH without executing it. Exit codes matter: 0 is success, anything else is failure. Functions should return meaningful exit codes so callers can react appropriately.

#!/usr/bin/env bash
# Conditionals and file tests

config_file="/etc/myapp/config.yaml"
backup_dir="/backup/$(date +%Y%m%d)"

# Check file exists and is readable
if [[ -f "$config_file" && -r "$config_file" ]]; then
    echo "Config found: $config_file"
elif [[ -e "$config_file" ]]; then
    echo "ERROR: Config exists but is not readable" >&2; exit 1
else
    echo "ERROR: Config not found at $config_file" >&2; exit 1
fi

# Create backup dir if missing
[[ -d "$backup_dir" ]] || mkdir -p "$backup_dir"

# Check required command exists
if ! command -v rsync &>/dev/null; then
    echo "ERROR: rsync not installed" >&2; exit 1
fi

# Numeric comparison
disk_used=$(df / | awk 'NR==2 {print $5}' | tr -d '%')
if (( disk_used > 90 )); then
    echo "WARNING: Root partition ${disk_used}% full"
fi

Loops: for, while, until

Bash provides three loop constructs. The for loop iterates over a list or glob expansion — invaluable for processing multiple files, hosts, or values. The while loop continues as long as a condition is true, commonly used with read to process file contents line by line. The until loop is the inverse: it continues until a condition becomes true, useful for polling until a service becomes available or a file appears.

Avoid the common pitfall of for file in $(ls /path/) — it breaks on filenames with spaces. Use glob expansion directly: for file in /path/*.log. When reading files line by line, use the while IFS= read -r line pattern — the IFS= prevents leading/trailing whitespace from being stripped, and -r prevents backslash interpretation. These small details matter when your scripts need to handle real-world filenames and content.

#!/usr/bin/env bash
# Loop examples

# for loop — process multiple servers
servers=("web01" "web02" "db01" "db02")
for server in "${servers[@]}"; do
    echo "Checking $server..."
    if ping -c1 -W2 "$server" &>/dev/null; then
        echo "  $server: ONLINE"
    else
        echo "  $server: OFFLINE" >&2
    fi
done

# Process log file line by line
while IFS= read -r line; do
    if [[ "$line" == *"ERROR"* ]]; then
        echo "Found error: $line"
    fi
done < /var/log/app/app.log

# until loop — wait for a service to respond
port=5432
until nc -z localhost "$port" 2>/dev/null; do
    echo "Waiting for port $port to open..."
    sleep 3
done
echo "Service on port $port is ready."

Building a Disk Monitoring Script

Putting the pieces together: a complete disk monitoring script that checks disk usage across specified mount points, logs warnings when thresholds are exceeded, and sends an email alert when a critical threshold is hit. Schedule it with cron to run every 15 minutes: */15 * * * * /usr/local/bin/disk-monitor.sh.

#!/usr/bin/env bash
# disk-monitor.sh — Check disk usage and alert on threshold breach
set -euo pipefail

# Configuration
WARN_THRESHOLD=80
CRIT_THRESHOLD=90
ALERT_EMAIL="admin@example.com"
LOG_FILE="/var/log/disk-monitor.log"
MOUNT_POINTS=("/" "/var" "/home" "/data")
HOSTNAME="$(hostname -f)"
TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"

# Function: log a message
log() { echo "[$TIMESTAMP] $*" | tee -a "$LOG_FILE"; }

# Function: send alert email
send_alert() {
    local mount="$1" used="$2"
    echo "CRITICAL: Disk usage on $HOSTNAME:$mount is at ${used}%" | \
        mail -s "[DISK ALERT] $HOSTNAME $mount at ${used}%" "$ALERT_EMAIL"
    log "ALERT sent for $mount at ${used}%"
}

alert_needed=false

for mp in "${MOUNT_POINTS[@]}"; do
    [[ -d "$mp" ]] || { log "SKIP: $mp not found"; continue; }
    used=$(df "$mp" | awk 'NR==2 {print $5}' | tr -d '%')

    if (( used >= CRIT_THRESHOLD )); then
        log "CRITICAL: $mp is at ${used}%"
        send_alert "$mp" "$used"
        alert_needed=true
    elif (( used >= WARN_THRESHOLD )); then
        log "WARNING: $mp is at ${used}%"
    else
        log "OK: $mp is at ${used}%"
    fi
done

$alert_needed && exit 2
exit 0

The post Bash Scripting for Linux SysAdmins: From Beginner to Dangerous appeared first on InfoTech Ninja.