Understanding scripts in PowerShell Orchestrator:

A script in PowerShell Orchestrator consists of:

• The PowerShell code to execute on the target endpoint or against Entra ID
• The target endpoint or cloud target the script runs against
• A schedule defining when and how often the script runs
• Optional alert linkage that triggers the script automatically in response to a security event

Scripts are stored centrally in LT Auditor ^MP and pushed to the relevant endpoint at execution time. Output from each script run is captured and forwarded to the LT Auditor ^MP server as structured assessment data.

Accessing the script library:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Configure → PowerShell Orchestrator → Scripts
3. The script library displays all saved scripts with their name, target, schedule status, and last run time

Creating a new script:

1. Click Add New Script
2. Configure the script details:
   • Script Name — a clear, descriptive name (e.g., “AD Privileged Group Membership Assessment”)
   • Description — the purpose of the script and what it assesses
   • Target Type — select either a managed endpoint or an Entra ID cloud target
   • Target — select the specific endpoint or cloud target from the configured list
3. Enter or paste your PowerShell script code in the script editor:

# Example: List all members of the Domain Admins group

Get-ADGroupMember -Identity “Domain Admins” -Recursive |

Select-Object Name, SamAccountName, DistinguishedName |

ConvertTo-Json

4. Configure output settings:
   • Output Format — JSON is recommended for structured data forwarding to LT Auditor ^MP
   • Max Output Size — set a limit to prevent excessively large outputs
5. Click Save

[Your administrator should populate the script library with assessment scripts relevant to your environment. Blue Lance may provide a default set of assessment scripts — refer to the Blue Lance documentation at https://www.bluelance.com/docs for details.]

Recommended assessment scripts to create:

[Your administrator should adjust this list based on your organization’s specific assessment requirements and compliance frameworks.]

Scheduling a script:

1. Open the script configuration
2. Navigate to the Schedule tab
3. Click Add Schedule
4. Configure the schedule:
   • Frequency — Daily, Weekly, Monthly, or a custom interval
   • Day and Time — when the script should run
   • Time Zone — the timezone for schedule execution
5. Click Save

The script will run automatically at the configured time and forward its output to the LT Auditor ^MP server.

Stagger script schedules to avoid running multiple assessment scripts simultaneously, particularly against the same domain controller. Concurrent assessments can impact domain controller performance.

Running a script on demand:

To run a script immediately without waiting for the scheduled time:

1. Open the script from the script library
2. Click Run Now
3. Monitor the execution progress in Configure → PowerShell Orchestrator → Execution Log
4. When complete, navigate to View in the Web UI to see the assessment results

Editing an existing script:

1. Open the script from the script library
2. Click the Edit icon
3. Make the necessary changes to the script code, target, or schedule
4. Click Save

Changes to a script take effect on the next scheduled run or the next time the script is run manually. Any currently running execution of the script will complete using the previous version.

Duplicating a script:

To create a similar script quickly without starting from scratch:

1. Select the script from the script library
2. Click Duplicate
3. Modify the name, target, or code as needed
4. Click Save

This is useful when you need to run the same assessment against multiple different endpoints.

Enabling and disabling scripts:

To temporarily suspend a script without deleting it:

1. Open the script configuration
2. Toggle the Active switch to off
3. The script will not run on its schedule until re-enabled

Deleting a script:

1. Select the script from the script library
2. Click the Delete icon
3. Confirm the deletion

Deleting a script removes it and its schedule permanently. Historical execution results and assessment data already forwarded to LT Auditor ^MP are retained and are not affected.

Best practices:

• Use descriptive script names and descriptions so other administrators understand the purpose of each assessment without needing to read the code
• Always test new scripts with Run Now before activating their schedule to confirm they produce the expected output
• Use JSON output format wherever possible for clean, structured data forwarding to LT Auditor ^MP
• Stagger schedules across scripts and endpoints to avoid performance impacts during peak hours
• Store scripts in source control outside of LT Auditor ^MP as a backup, especially for complex assessments
• Review the script library regularly and remove or update scripts that are no longer relevant
• Use the least privilege principle for the service account — scripts should only have the read access they need

[Your administrator should document the purpose and expected output of each script in the library so the team can interpret assessment results correctly.]