functions/Test-DbaJobOwner.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
function Test-DbaJobOwner {
    <#
  .SYNOPSIS
   Checks SQL Agent Job owners against a login to validate which jobs do not match that owner.
 
  .DESCRIPTION
   This function checks all SQL Agent Jobs on an instance against a SQL login to validate if that login owns those SQL Agent Jobs or not.
 
   By default, the function checks against 'sa' for ownership, but the user can pass a specific login if they use something else.
    
   Only SQL Agent Jobs that do not match this ownership will be displayed, but if the -Detailed switch is set all SQL Agent Jobs will be returned.
 
   Best practice reference: http://sqlmag.com/blog/sql-server-tip-assign-ownership-jobs-sysadmin-account
 
  .PARAMETER SqlInstance
   Specifies the SQL Server instance(s) to scan.
    
  .PARAMETER SqlCredential
   Allows you to login to servers using SQL Logins instead of Windows Authentication (AKA Integrated or Trusted). To use:
 
   $scred = Get-Credential, then pass $scred object to the -SqlCredential parameter.
 
   Windows Authentication will be used if SqlCredential is not specified. SQL Server does not accept Windows credentials being passed as credentials.
 
   To connect as a different Windows user, run PowerShell as that user.
 
  .PARAMETER Job
   Specifies the job(s) to process. Options for this list are auto-populated from the server. If unspecified, all jobs will be processed.
   
  .PARAMETER ExcludeJob
   Specifies the job(s) to exclude from processing. Options for this list are auto-populated from the server.
   
  .PARAMETER Login
   Specifies the login that you wish check for ownership. This defaults to 'sa' or the sysadmin name if sa was renamed. This must be a valid security principal which exists on the target server.
 
  .PARAMETER Detailed
   If this switch is enabled, a list of all jobs and whether or not their owner matches Login is returned.
 
  .PARAMETER EnableException
   By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
   This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
   Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
    
  .NOTES
   Tags: Agent, Job, Owner
   Author: Michael Fal (@Mike_Fal), http://mikefal.net
 
   Website: https://dbatools.io
   Copyright: (C) Chrissy LeMaire, clemaire@gmail.com
   License: GNU GPL v3 https://opensource.org/licenses/GPL-3.0
 
  .LINK
   https://dbatools.io/Test-DbaJobOwner
 
  .EXAMPLE
   Test-DbaJobOwner -SqlInstance localhost
 
   Returns all databases where the owner does not match 'sa'.
 
  .EXAMPLE
   Test-DbaJobOwner -SqlInstance localhost -Login DOMAIN\account
 
   Returns all databases where the owner does not match DOMAIN\account. Note
   that Login must be a valid security principal that exists on the target server.
 #>

    [CmdletBinding()]
    [OutputType('System.Object[]')]
    param (
        [parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [Alias("ServerInstance", "SqlServer")]
        [DbaInstanceParameter[]]$SqlInstance,
        [PSCredential]$SqlCredential,
        [Alias("Jobs")]
        [object[]]$Job,
        [object[]]$ExcludeJob,
        [Alias("TargetLogin")]
        [string]$Login,
        [switch]$Detailed,
        [switch][Alias('Silent')]$EnableException
    )

    begin {
        #connect to the instance and set return array empty
        $return = @()
    }
    process {
        foreach ($servername in $SqlInstance) {
            #connect to the instance
            Write-Message -Level Verbose -Message "Connecting to $servername."
            $server = Connect-SqlInstance $servername -SqlCredential $SqlCredential

            #Validate login
            if ($Login -and ($server.Logins.Name) -notcontains $Login) {
                if ($SqlInstance.count -eq 1) {
                    Stop-Function -Message "Invalid login: $Login."
                    return
                }
                else {
                    Write-Message -Level Warning -Message "$Login is not a valid login on $servername. Moving on."
                    continue
                }
            }
            if ($Login -and $server.Logins[$Login].LoginType -eq 'WindowsGroup') {
                Stop-Function -Message "$Login is a Windows Group and can not be a job owner."
                return
            }

            #sql2000 id property is empty -force target login to 'sa' login
            if ($Login -and ( ($server.VersionMajor -lt 9) -and ([string]::IsNullOrEmpty($Login)) )) {
                $Login = "sa"
            }
            # dynamic sa name for orgs who have changed their sa name
            if ($Login -eq "sa") {
                $Login = ($server.Logins | Where-Object { $_.id -eq 1 }).Name
            }

            #Get database list. If value for -Job is passed, massage to make it a string array.
            #Otherwise, use all jobs on the instance where owner not equal to -TargetLogin
            Write-Message -Level Verbose -Message "Gathering jobs to check."
            if ($Job) {
                $jobCollection = $server.JobServer.Jobs | Where-Object { $Job -contains $_.Name }
            }
            elseif ($ExcludeJob) {
                $jobCollection = $jobCollection | Where-Object { $ExcludeJob -notcontains $_.Name }
            }
            else {
                $jobCollection = $server.JobServer.Jobs
            }

            #for each database, create custom object for return set.
            foreach ($j in $jobCollection) {
                Write-Message -Level Verbose -Message "Checking $j"
                $row = [ordered]@{
                    Server       = $server.Name
                    Job          = $j.Name
                    CurrentOwner = $j.OwnerLoginName
                    TargetOwner  = $Login
                    OwnerMatch   = ($j.OwnerLoginName -eq $Login)

                }
                #add each custom object to the return array
                $return += New-Object PSObject -Property $row
            }
        }
    }
    end {
        #return results
        if ($Detailed) {
            Write-Message -Level Verbose -Message "Returning detailed results."
            return $return
        }
        else {
            Write-Message -Level Verbose -Message "Returning default results."
            return ($return | Where-Object { $_.OwnerMatch -eq $false })
        }
    }

}