Understanding scripts in PowerShell Orchestrator:

A script in PowerShell Orchestrator consists of:

• The PowerShell code to execute on the target endpoint or against Entra ID
• The target endpoint or cloud target the script runs against
• A schedule defining when and how often the script runs
• Optional alert linkage that triggers the script automatically in response to a security event

Scripts are stored centrally in LT Auditor ^MP and pushed to the relevant endpoint at execution time. Output from each script run is captured and forwarded to the LT Auditor ^MP server as structured assessment data.

Accessing the script library:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Configure → PowerShell Orchestrator → Scripts
3. The script library displays all saved scripts with their name, target, schedule status, and last run time

Creating a new script:

1. Click Add New Script
2. Configure the script details:
   • Script Name — a clear, descriptive name (e.g., “AD Privileged Group Membership Assessment”)
   • Description — the purpose of the script and what it assesses
   • Target Type — select either a managed endpoint or an Entra ID cloud target
   • Target — select the specific endpoint or cloud target from the configured list
3. Enter or paste your PowerShell script code in the script editor:

# Example: List all members of the Domain Admins group

Get-ADGroupMember -Identity “Domain Admins” -Recursive |

Select-Object Name, SamAccountName, DistinguishedName |

ConvertTo-Json

4. Configure output settings:
   • Output Format — JSON is recommended for structured data forwarding to LT Auditor ^MP
   • Max Output Size — set a limit to prevent excessively large outputs
5. Click Save

[Your administrator should populate the script library with assessment scripts relevant to your environment. Blue Lance may provide a default set of assessment scripts — refer to the Blue Lance documentation at https://www.bluelance.com/docs for details.]

Recommended assessment scripts to create:

[Your administrator should adjust this list based on your organization’s specific assessment requirements and compliance frameworks.]

Scheduling a script:

1. Open the script configuration
2. Navigate to the Schedule tab
3. Click Add Schedule
4. Configure the schedule:
   • Frequency — Daily, Weekly, Monthly, or a custom interval
   • Day and Time — when the script should run
   • Time Zone — the timezone for schedule execution
5. Click Save

The script will run automatically at the configured time and forward its output to the LT Auditor ^MP server.

Stagger script schedules to avoid running multiple assessment scripts simultaneously, particularly against the same domain controller. Concurrent assessments can impact domain controller performance.

Running a script on demand:

To run a script immediately without waiting for the scheduled time:

1. Open the script from the script library
2. Click Run Now
3. Monitor the execution progress in Configure → PowerShell Orchestrator → Execution Log
4. When complete, navigate to View in the Web UI to see the assessment results

Editing an existing script:

1. Open the script from the script library
2. Click the Edit icon
3. Make the necessary changes to the script code, target, or schedule
4. Click Save

Changes to a script take effect on the next scheduled run or the next time the script is run manually. Any currently running execution of the script will complete using the previous version.

Duplicating a script:

To create a similar script quickly without starting from scratch:

1. Select the script from the script library
2. Click Duplicate
3. Modify the name, target, or code as needed
4. Click Save

This is useful when you need to run the same assessment against multiple different endpoints.

Enabling and disabling scripts:

To temporarily suspend a script without deleting it:

1. Open the script configuration
2. Toggle the Active switch to off
3. The script will not run on its schedule until re-enabled

Deleting a script:

1. Select the script from the script library
2. Click the Delete icon
3. Confirm the deletion

Deleting a script removes it and its schedule permanently. Historical execution results and assessment data already forwarded to LT Auditor ^MP are retained and are not affected.

Best practices:

• Use descriptive script names and descriptions so other administrators understand the purpose of each assessment without needing to read the code
• Always test new scripts with Run Now before activating their schedule to confirm they produce the expected output
• Use JSON output format wherever possible for clean, structured data forwarding to LT Auditor ^MP
• Stagger schedules across scripts and endpoints to avoid performance impacts during peak hours
• Store scripts in source control outside of LT Auditor ^MP as a backup, especially for complex assessments
• Review the script library regularly and remove or update scripts that are no longer relevant
• Use the least privilege principle for the service account — scripts should only have the read access they need

[Your administrator should document the purpose and expected output of each script in the library so the team can interpret assessment results correctly.]

Accessing the execution log:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Configure → PowerShell Orchestrator → Execution Log
3. The execution log displays all script runs with the following information:

Filtering the execution log:

To narrow down the execution log to specific runs:

1. Use the filter bar at the top of the execution log
2. Filter by any combination of:
   • Script Name — view runs for a specific script
   • Target — view runs against a specific endpoint or cloud target
   • Trigger Type — filter by Scheduled, Manual, or Alert
   • Status — filter by Success, Failed, or Running
   • Date Range — limit results to a specific time period
3. Click Apply Filters

Viewing execution details and output:

To view the full details and output of a specific script run:

1. Locate the execution entry in the log
2. Click the entry to open the detail panel
3. The detail panel displays:
   • Execution Status — Success, Failed, or Running
   • Start and End Time — exact timestamps for the run
   • Target — the endpoint or cloud target the script ran against
   • Trigger — what initiated the execution (schedule name, user, or alert rule)
   • Script Output — the full output returned by the script
   • Error Messages — any errors encountered during execution
   • Exit Code — the PowerShell exit code returned by the script

Understanding execution statuses:

Investigating failed executions:

If a script shows a status of Failed, use the following steps to diagnose the issue:

1. Open the failed execution entry in the log
2. Review the Error Messages section for details on what went wrong
3. Check the Exit Code — a non-zero exit code indicates a PowerShell error

Common failure causes:

Viewing assessment results in LT Auditor ^MP:

Script output forwarded to LT Auditor ^MP is available in the View module alongside event data from other modules:

1. Navigate to View in the Web UI
2. Select the environment and category relevant to your assessment (e.g., Active Directory, Entra ID)
3. Set the date range to cover the time of the script execution
4. Filter by:
   • Source — select PowerShell Orchestrator
   • Script Name — filter by the specific script if needed
5. Review the structured assessment data returned by the script

Exporting execution history:

To export the execution log for reporting or audit purposes:

1. Apply your desired filters and date range
2. Click the Export button
3. Choose your format:
   • CSV — for Excel or data analysis
   • Excel — native Excel format
   • PDF — for audit documentation
4. Click Download

Monitoring scheduled script health:

Use the execution log to confirm that scheduled scripts are running as expected:

1. Filter the execution log by Trigger Type — Scheduled
2. Review the most recent run for each scheduled script
3. Confirm:
   • The last run time matches the expected schedule
   • The status shows as Success
   • The output contains the expected assessment data
4. If a scheduled script has not run at its expected time, check:
   • The script is set to Active in the script library
   • The PowerShell Orchestrator service is running
   • The target endpoint is reachable

Best practices:

• Review the execution log at least weekly to confirm all scheduled assessments are running successfully
• Investigate any failed executions promptly — a failing assessment script means a gap in your security posture visibility
• Use the execution log as part of incident response to confirm that alert-linked scripts fired correctly and produced useful output
• Retain execution history exports as supporting evidence for compliance audits
• Set up an alert rule in LT Auditor ^MP to notify your team when a critical assessment script fails so issues are caught quickly rather than discovered during a log review

[Your administrator should define which assessment scripts are considered critical and ensure alert notifications are configured for any failures in those scripts.]