![First Power Bi](.\images\dbachecks-logo.png )
# dbachecks - Configurations

You can use dbachecks on the command line as we have seen in the previous notebook but you will not always want to have the default settings for the checks

You can alter any of the configurations using the `Set-DbcConfig` command.

This configuration will be the configuration that is used until `Reset-DbcConfig` is run or the configuration is changed.
This configuration will be used for the user who has run the code.

Again, this notebook requires that you have the containers set up from the Notebook 00 - Setting up the containers for the rest of the containers.ipynb

If you have altered the folder path you will need to alter it below.






# Setting the SqlInstances and ComputerNames

A useful configuration to set is the list of SQL Instances and Computer Names that you want the checks to run against. There are two configurations that will do that.

- app.sqlinstance will set the list of SQL Instances
- app.computername will set the list of ComputerNames

## Setting a configuration

You set a configuration using the `Set-DbcConfig` command. You provide the name (which will auto-complete) and the value

```powershell
Set-DbcConfig -Name ConfigName -Value ConfigValue
```

For the app.sqlinstance you could even set this from your registerd server list or CMS

`$Production = (Get-DbaRegisteredServer -SqlInstance CMSServer -Group "Production").ServerName`   
`Set-DbcConfig -Name app.sqlinstance -Value $Production   `
You can set the SqlInstance and the ComputerName for the checks in this notebook






In [1]:
cd C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks
ipmo .\dbachecks.psd1
# Just in case the config has been altered
$null = Reset-DbcConfig
$SqlInstances = 'localhost,15592','localhost,15593'
Set-DbcConfig -Name app.sqlinstance -Value $SqlInstances
Set-DbcConfig -Name app.computername -Value $SqlInstances
$FolderPath = $Env:USERPROFILE + '\Documents\dbachecks\'
$SqlCredential = Import-Clixml -Path $FolderPath\sqladmin.cred


Name             Value                              Description
----             -----                              -----------
app.sqlinstance  {localhost,15592, localhost,15593} List of SQL Server instances that SQL-based te…
app.computername {localhost,15592, localhost,15593} List of Windows Servers that Windows-based tes…



and you will no longer need to specify them when calling `Invoke-DbcCheck`

## Invalid Database Owners

You may want to check that databases are not owned by certain accounts.

By default the `InvalidDatabaseOwner` checks that the databases are not owned by the sa account. When we run this check against the containers we pass all of the checks

In [2]:
Invoke-DbcCheck -SqlCredential $SqlCredential  InvalidDatabaseOwner

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1' with Tags InvalidDatabaseOwner[0m

[92mExecuting script C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on localhost,15592[0m
[32m      [+] Database AdventureWorks2017 - owner thebeard should Not be in this list ( sa ) on localhost,15592[0m[90m 66ms[0m
[32m      [+] Database Northwind - owner thebeard should Not be in this list ( sa ) on localhost,15592[0m[90m 4ms[0m
[32m      [+] Database pubs - owner thebeard should Not be in this list ( sa ) on localhost,15592[0m[90m 7ms[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on localhost,15593[0m


If our organistation requirements are that no databases should be owned by members of the DBA Team user accounts, we can alter the configuration to check for that. 

To find out which configuration we need to change we can use `Get-DbcCheck`

In [3]:
Get-DbcCheck -Pattern InvalidDatabaseOwner | Format-List


Group       : Database
Type        : Sqlinstance
UniqueTag   : InvalidDatabaseOwner
AllTags     : InvalidDatabaseOwner, Medium, Database
Config      : app.sqlinstance policy.invaliddbowner.name policy.invaliddbowner.excludedb 
Description : Tests that the Database Owner is NOT in the specified (default blank) list




We can see that there are 3 configurations that this check will use
- app.sqlinstance
- policy.invaliddbowner.name 
- policy.invaliddbowner.excludedb 

We can get further information about the checks with `Get-DbcConfig`

In [4]:
Get-DbcConfig -Name policy.invaliddbowner.name | Format-List


Name        : policy.invaliddbowner.name
Value       : sa
Description : The database owner account should not be this user




We can change the value of that configuration item using `Set-DbcConfig`. We will set it to the members of the DBA Team AD Group

This is an example - don't run this unless you are connected to THEBEARD.local domain and your DBAs are in a group called SQL_DBAs_The_Cool_Ones :-)

In [19]:
# $DBA_Accounts =  (Get-ADGroup -Identity 'CN=SQL_DBAs_The_Cool_Ones,OU=TheBeardGroups,OU=TheBeard,DC=TheBeard,DC=local' |Get-ADGroupMember).ForEach{"THEBEARD\$($Psitem.SamAccountName)"} # 
Set-DbcConfig -Name policy.invaliddbowner.name -Value $DBA_Accounts


Name                       Value                                                                Description            
----                       -----                                                                -----------            
policy.invaliddbowner.name {THEBEARD\Rob, THEBEARD\DBA, THEBEARD\wdurkin, THEBEARD\gsartori...} The database owner a...




# Altering a Configuration
This is how you can alter a check to test the values that YOU want by setting a configuration.  
We have renamed the sa acccount and disabled it in the containers. There is a sysadmin account called `sysadmin` created.  
Perhaps we do not want our databases owned by the new sysadmin account `sqladmin` We can set that value in the configuration and run the test

In [5]:
Set-DbcConfig -Name policy.invaliddbowner.name -Value sqladmin
Invoke-DbcCheck -SqlCredential $SqlCredential -Check InvalidDatabaseOwner


[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1' with Tags InvalidDatabaseOwner[0m

[92mExecuting script C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on localhost,15592[0m
[32m      [+] Database AdventureWorks2017 - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 5ms[0m
[32m      [+] Database Northwind - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 3ms[0m
[32m      [+] Database pubs - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 7ms[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on lo

## Running a test, fixing the errors and re-running

Ah

We had better have a word with that fellow Rob and alter all of those database owners!! 

This is how we could ask our junior DBA to do this and test they have done so correctly

We could change the owner with `Get-DbaDatabase -SqlInstance sql2016n1 -ExcludeSystem -Owner THEBEARD\Rob | Set-DbaDbOwner -TargetLogin THEBEARD\DatabaseOwner`

We can also set a confiuguration for our desired database owner and test for that. With dbachecks we can check for both Valid and Invalid database owner accounts.

The code below will 
- Get all databases owned by sysadmin and set the owner to be thebeard
- Run the check to ensure that no databases are owned by sysadmin because we set that configuration above
- Set a configuration for the database owner we expect to thebeard
- Run the check to ensure that the databases are owned by the thebeard



In [6]:
# Set the correct owner
$null = Get-DbaDatabase -SqlInstance $SqlInstances -SqlCredential $SqlCredential -ExcludeSystem -Owner sqladmin | Set-DbaDbOwner -TargetLogin thebeard
# Check that we do not have any databases owned by the unexpected accounts
Invoke-DbcCheck -SqlCredential $SqlCredential -Check InvalidDatabaseOwner
# Set the value for expected database owner
Set-DbcConfig -Name policy.validdbowner.name -Value thebeard
# Check our databases  are owned by the correct account
Invoke-DbcCheck -SqlCredential $SqlCredential -Check ValidDatabaseOwner 

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1' with Tags InvalidDatabaseOwner[0m

[92mExecuting script C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on localhost,15592[0m
[32m      [+] Database AdventureWorks2017 - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 14ms[0m
[32m      [+] Database Northwind - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 6ms[0m
[32m      [+] Database pubs - owner thebeard should Not be in this list ( sqladmin ) on localhost,15592[0m[90m 5ms[0m

[92m  Describing Invalid Database Owner[0m

[92m    Context Testing Database Owners on lo

## Ensuring Databases exist

You might want to test that a particular database exists on your instance. This could be your DBA database or perhaps you have a check for your companies software system that you want to run on a clients estate and your software requires certain databases to exist 

You can run the default `DatabaseExists` which will check that the system databases exist as you did in the quick examples notebook.

In [7]:
Invoke-DbcCheck -SqlCredential $SqlCredential -Check DatabaseExists

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1' with Tags DatabaseExists[0m

[92mExecuting script C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1[0m

[92m  Describing Database Exists[0m

[92m    Context Database exists on localhost,15592[0m
[32m      [+] Database master should exist on [0m[90m 200ms[0m
[32m      [+] Database msdb should exist on [0m[90m 190ms[0m
[32m      [+] Database tempdb should exist on [0m[90m 191ms[0m
[32m      [+] Database model should exist on [0m[90m 196ms[0m

[92m  Describing Database Exists[0m

[92m    Context Database exists on localhost,15593[0m
[32m      [+] Database master should exist on [0m[90m 217ms[0m
[32m      [+] Database msdb should exist on [0m[90m 198ms[0m
[32m  

## Finding the configurations for the check

You can find the configurations that you can set for a check with `Get-DbcCheck`

In [14]:
Get-DbcCheck DatabaseExists | Format-List


Group       : Database
Type        : Sqlinstance
UniqueTag   : DatabaseExists
AllTags     : DatabaseExists, Database
Config      : app.sqlinstance database.exists 
Description : Tests that the databases are specified are on the instance (Note - Does not check if 
              they are available - Use DatabaseStatus for that))





## Setting the configuration for a check
You can see that you can set the configuration `database.exists` Note that we are using the `-Append` parameter to add to the configuration instead of replacing it.

In [8]:
Set-DbcConfig -Name database.exists -Value 'pubs','NorthWind','AdventureWorks2017','WideWorldImporters' -Append


Name            Value                          Description
----            -----                          -----------
database.exists {master, msdb, tempdb, model…} The databases we expect to be on the instances



## Run the check with the new configuration
and then we can run the check again and confirm that we have all of the expected databases.

In [9]:
Invoke-DbcCheck -SqlCredential $SqlCredential -Check DatabaseExists

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1' with Tags DatabaseExists[0m

[92mExecuting script C:\Users\mrrob\OneDrive\Documents\GitHub\dbachecks\checks\Database.Tests.ps1[0m

[92m  Describing Database Exists[0m

[92m    Context Database exists on localhost,15592[0m
[32m      [+] Database master should exist on [0m[90m 211ms[0m
[32m      [+] Database msdb should exist on [0m[90m 273ms[0m
[32m      [+] Database tempdb should exist on [0m[90m 191ms[0m
[32m      [+] Database model should exist on [0m[90m 205ms[0m
[32m      [+] Database pubs should exist on [0m[90m 215ms[0m
[32m      [+] Database NorthWind should exist on [0m[90m 184ms[0m
[32m      [+] Database AdventureWorks2017 should exist on [0m[90m 200ms[0m
[91m      [-] Databa

## Ensuring the Agent Alerts are as expected

You might want to check that you have all of the expected Agent Alerts. By default dbachecks will check for alerts for Severity 16-25 and messageid 823,824,825

In [17]:
Invoke-DbcCheck -SqlCredential $SqlCredential -Check AgentAlert

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\Documents\PowerShell\Modules\dbachecks\1.2.24\checks\Agent.Tests.ps1' with Tags AgentAlert[0m

[92mExecuting script C:\Users\mrrob\Documents\PowerShell\Modules\dbachecks\1.2.24\checks\Agent.Tests.ps1[0m

[92m  Describing Agent Alerts[0m

[92m    Context Testing Agent Alerts Severity exists on localhost,15592[0m
[32m      [+] localhost,15592 should have Severity 16 Alert[0m[90m 36ms[0m
[32m      [+] localhost,15592 should have Severity 16 Alert enabled[0m[90m 4ms[0m
[32m      [+] localhost,15592 should have notification for Severity 16 Alert[0m[90m 7ms[0m
[32m      [+] localhost,15592 should have Severity 17 Alert[0m[90m 2ms[0m
[32m      [+] localhost,15592 should have Severity 17 Alert enabled[0m[90m 4ms[0m
[32m      [+] localhost,15592 should have notif

## Get the configuration items available for the check
You can check the configuration items available for the check

In [18]:
Get-DbcCheck -Pattern AgentAlert | Format-List


Group       : Agent
Type        : Sqlinstance
UniqueTag   : AgentAlert
AllTags     : AgentAlert, Agent
Config      : app.sqlinstance agent.alert.Severity agent.alert.messageid agent.alert.Job 
              agent.alert.Notification 
Description : Tests that there are Agent Alerts set up for the specified (default 16-25) alert 
              severities and ids (default 823-825) and if specified Agent Jobs and/or notifications




The configuration items available are
- app.sqlinstance 
- agent.alert.Severity 
- agent.alert.messageid 
- agent.alert.Job 
- agent.alert.Notification

(Until Rob fixes the code) You can get the configuration values and descriptions for the configuration items

In [19]:
'app.sqlinstance', 'agent.alert.Severity', 'agent.alert.messageid', 'agent.alert.Job', 'agent.alert.Notification' | ForEach-Object {
    Get-DbcConfig -Name $PSItem | Format-List
}


Name        : app.sqlinstance
Value       : {localhost,15592, localhost,15593}
Description : List of SQL Server instances that SQL-based tests will run against



Name        : agent.alert.Severity
Value       : {16, 17, 18, 19…}
Description : Agent alert severity to validate; 
              https://www.brentozar.com/blitz/configure-sql-server-alerts/



Name        : agent.alert.messageid
Value       : {823, 824, 825}
Description : Agent alert messageid to validate; 
              https://www.brentozar.com/blitz/configure-sql-server-alerts/



Name        : agent.alert.Job
Value       : False
Description : Agent alert job notification. Ex job to write to eventlog for SCOM monitoring



Name        : agent.alert.Notification
Value       : True
Description : Agent alert notification




If you use all of the TigerTeams Agent Alerts then you might want to check that they are installed and enabled. You can alter the configuration to do this as follows. This time we have not used the append parameter and have replaced all of the values.

In [20]:
$Ids = '1101','1105','1121','1214','17130','17179','17300','17883','17884','17887','17888','17890','2508','2511','28036','3271','3452','3619','3624','5180','5228','5229','5242','5243','5250','5572','5901','605','701','802','823','824','825','832','833','845','855','856','8966','9002','9100'
Set-DbcConfig -Name agent.alert.messageid -Value $Ids


Name                  Value                     Description
----                  -----                     -----------
agent.alert.messageid {1101, 1105, 1121, 1214…} Agent alert messageid to validate; https://www.bre…



and then you can check for those as well

In [21]:
$FolderPath = $Env:USERPROFILE + '\Documents\dbachecks'
$SqlCredential = Import-Clixml -Path $FolderPath\sqladmin.cred
Invoke-DbcCheck -SqlCredential $SqlCredential -Check AgentAlert

[97m    ____            __
   / __ \___  _____/ /____  _____
  / /_/ / _ \/ ___/ __/ _ \/ ___/
 / ____/  __(__  ) /_/  __/ /
/_/    \___/____/\__/\___/_/
Pester v4.9.0
Executing all tests in 'C:\Users\mrrob\Documents\PowerShell\Modules\dbachecks\1.2.24\checks\Agent.Tests.ps1' with Tags AgentAlert[0m

[92mExecuting script C:\Users\mrrob\Documents\PowerShell\Modules\dbachecks\1.2.24\checks\Agent.Tests.ps1[0m

[92m  Describing Agent Alerts[0m

[92m    Context Testing Agent Alerts Severity exists on localhost,15592[0m
[32m      [+] localhost,15592 should have Severity 16 Alert[0m[90m 5ms[0m
[32m      [+] localhost,15592 should have Severity 16 Alert enabled[0m[90m 3ms[0m
[32m      [+] localhost,15592 should have notification for Severity 16 Alert[0m[90m 4ms[0m
[32m      [+] localhost,15592 should have Severity 17 Alert[0m[90m 5ms[0m
[32m      [+] localhost,15592 should have Severity 17 Alert enabled[0m[90m 5ms[0m
[32m      [+] localhost,15592 should have notifi