PowerShell Management

Once a working MCE cluster is deployed (one-box or multi-node), the running cluster can be managed with the MCE Windows PowerShell Administration module to:

  • Configure the enabled users
  • Configure the available Security Contexts

Deployment

The MCE PowerShell Administration module communicates with the MCE administration cluster via a GraphQL HTTP service, secured with TLS. The service is stateless, which means that it can be deployed behind a load balancer.

The MCE PowerShell Administration module is distributed as a separate installer that must be installed on a machine with direct network access to at least one MCE cluster node.

Currently the MCE administration services perform no authentication or authorization, so it is recommended that the administration module be deployed on the same machine as an MCE cluster node.

Walkthrough

The following section details an example walkthrough for configuring MCE via PowerShell.

1. Importing the MCE administration module

The MCE administration module is provided under the name MceAdmin and can be imported into a running PowerShell session using the following command:

Import-Module MceAdmin

2. Connecting to the MCE cluster

Once the module is imported, you can start to configure MCE via PowerShell by connecting to the MCE cluster using the Connect-MceSession cmdlet.

Connect-MceSession -ServerAddress https://mce.domain.com

The MCE cluster uses the same port and security configuration as MindLink Anywhere.

A successful connection will return no errors, while any issue communicating with the MCE services will return an error record. Once connected, further MCE commands will use the same connected session.

3. Enabling users

The next step in providing users with access to MCE is to enable them using the New-MceUser cmdlet. Because MCE synchronizes user attributes from Active Directory, the objectGUID of the Active Directory User object is required when enabling a user. To simplify this, the cmdlet accepts pipelined input from the AD PowerShell module; however, the current implementation incorrectly forwards the display name, so a for-each pipeline operation is recommended.

Get-AdUser -Filter 'samAccountName -eq "User"' | % { New-MceUser -DisplayName $_.Name -ObjectGuid $_.ObjectGuid -IsEnabled $true }

If you do not specify the -IsEnabled $true parameter, the users are created as disabled. They can then be enabled using the Enable-MceUser command.

Get-MceUser -SearchTerm "User" | Enable-MceUser
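
Steps 1 to 3 combined into one script, as an added example that is not part of the vendor documentation. The account names are constructed, skipping disabled AD accounts is a policy choice of this example, and the MCE cmdlets are assumed to honour the common -ErrorAction parameter.

```powershell
# Added example, not vendor code. MCE cmdlets and parameters are those shown in this walkthrough.
# Assumptions: sample account names are constructed; MCE cmdlets honour -ErrorAction.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ServerAddress   = 'https://mce.domain.com',
    [string[]] $SamAccountNames = @('jsmith', 'akhan')   # constructed sample accounts
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module MceAdmin        -ErrorAction Stop

# The administration service performs no authentication, so TLS is the only
# protection on the wire: refuse anything that is not https.
if (([uri]$ServerAddress).Scheme -ne 'https') {
    throw "Refusing non-TLS server address: $ServerAddress"
}

# Stop here if the session cannot be established instead of failing per user.
Connect-MceSession -ServerAddress $ServerAddress -ErrorAction Stop

$results = foreach ($sam in $SamAccountNames) {
    $status = 'Enabled'
    $adUser = $null
    try {
        # -Identity resolves exactly one account or throws; no filter string to build.
        $adUser = Get-ADUser -Identity $sam -ErrorAction Stop
        if (-not $adUser.Enabled) {
            $status = 'Skipped: AD account is disabled'
        }
        elseif ($PSCmdlet.ShouldProcess($adUser.Name, 'Enable for MCE')) {
            # Explicit parameters work around the display-name forwarding issue.
            New-MceUser -DisplayName $adUser.Name -ObjectGuid $adUser.ObjectGuid `
                        -IsEnabled $true -ErrorAction Stop | Out-Null
        }
        else {
            $status = 'Skipped: not confirmed'
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName = $sam
        ObjectGuid     = if ($adUser) { $adUser.ObjectGuid } else { $null }
        Status         = $status
    }
}

$results | Format-Table -AutoSize
```

Running the script with -WhatIf lists the accounts that would be enabled without calling New-MceUser.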

4. Testing user connectivity

Once a user is enabled, their security attributes will be synchronized and they will be enabled on the underlying MCE system.

This means that a user should be able to log in to an MCE MindLink Anywhere session.