-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2 from exchange12rocks/master
Main script refactoring
- Loading branch information
Showing
1 changed file
with
71 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,133 +1,132 @@ | ||
| #requires -version 3 -RunAsAdministrator | ||
| #Requires -Version 3 -RunAsAdministrator | ||
| #Requires -Modules ActiveDirectory, GroupPolicy | ||
|
|
||
| param ([string]$ComputerOU, | ||
| [string]$OrgUnitRead, | ||
| [string]$OrgUnitReset, | ||
| [CmdletBinding()] | ||
| param ([string[]]$ComputerOU, | ||
| [string[]]$OrgUnitRead, | ||
| [string[]]$OrgUnitReset, | ||
| [string]$SecGroupRead, | ||
| [string]$SecGroupReset, | ||
| [string]$GPOName | ||
| [string]$WorkFolderPath = (Join-Path -Path $env:homedrive -ChildPath 'Shadow\LAPS'), | ||
| [string]$SMBShareName = 'LAPS$', | ||
| [string]$TranscriptFileName = 'Script.log', | ||
| [string]$InstallLogFileName = 'Install.log', | ||
| [string]$GPOName = 'Deploy-LAPS', | ||
| [string]$DownloadURL = 'https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi', | ||
| [string]$DistributiveFileName = 'LAPSx64.msi' | ||
| ) | ||
|
|
||
| # Find Netbios name of domain. | ||
| # Find NetBIOS and FQDN names of the domain. | ||
| $NetBIOSName = (Get-ADDomain).NetBIOSName | ||
| $FQDN = (Get-ADDomain).DNSRoot | ||
|
|
||
|
|
||
| IF (!(Test-Path $env:homedrive\Shadow\LAPS)) | ||
| IF (!(Test-Path -Path $WorkFolderPath)) | ||
| { | ||
| New-Item "$env:homedrive\Shadow\LAPS" -ItemType Directory -Force | ||
| New-Item -Path $WorkFolderPath -ItemType Directory -Force | ||
| } | ||
|
|
||
| # Start a transcipt of the script. | ||
| Start-Transcript "C:\Shadow\LAPS\Script.log" | ||
| Start-Transcript -Path (Join-Path -Path $WorkFolderPath -ChildPath $TranscriptFileName) | ||
|
|
||
| # Create share on the DC for the software. Add domain computers read access to share. | ||
| New-SmbShare -Name "LAPS$" -Path "$env:homedrive\Shadow\LAPS\" -ReadAccess "$NetBIOSName\Domain computers" -FullAccess "$NetBIOSName\Domain Admins" | ||
| # Create a share on the DC for the software. Add read access for domain computers to the share. | ||
| New-SmbShare -Name $SMBShareName -Path $WorkFolderPath -ReadAccess "$NetBIOSName\Domain Computers" -FullAccess "$NetBIOSName\Domain Admins" | ||
|
|
||
| IF (!(Test-Path $env:homedrive\Shadow\LAPS)) | ||
| IF (Test-Path -Path $WorkFolderPath) | ||
| { | ||
| Copy-Item -Path .\ -Destination "$env:homedrive\Shadow\LAPS" -Recurse | ||
| } | ||
|
|
||
| IF (!($GPOName)) | ||
| { | ||
| $GPOName = "Deploy-LAPS" | ||
| Copy-Item -Path .\ -Destination $WorkFolderPath -Recurse | ||
| } | ||
|
|
||
|
|
||
| # Download and install the MS LAPS software. | ||
| $url = "https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi" | ||
| $output = "$env:homedrive\Shadow\LAPS\LAPSx64.msi" | ||
| $start_time = Get-Date | ||
| # Download and install MS LAPS software. | ||
| $InstallationFilePath = (Join-Path -Path $WorkFolderPath -ChildPath $DistributiveFileName) | ||
| $DownloadStartTime = Get-Date | ||
|
|
||
| Invoke-WebRequest -Uri $url -OutFile $output | ||
| Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)" | ||
| Invoke-WebRequest -Uri $DownloadURL -OutFile $InstallationFilePath | ||
| Write-Verbose -Message ('Time taken: {0} second(s)' -f ((Get-Date) - $DownloadStartTime).Seconds) | ||
|
|
||
| # Install mgmt software on DC and write a verbose log of the install. | ||
| msiexec /i "$env:homedrive\Shadow\LAPS\LAPSx64.msi" /passive /l*v "$env:homedrive\Shadow\LAPS\Install.log" ADDDEFAULT=ALL | ||
| # Install management software on the DC and write a verbose log of the install. | ||
| Start-Process -FilePath 'msiexec' -ArgumentList ('/i {0} /passive /l*v "{1}" ADDDEFAULT=ALL' -f $InstallationFilePath, (Join-Path -Path $WorkFolderPath -ChildPath $InstallLogFileName)) | ||
|
|
||
| # Import the new powershell cmdlets. | ||
| # Update the AD schema to accomodate the new field for the password. | ||
|
|
||
| Import-Module AdmPwd.PS | ||
| # Import required PowerShell cmdlet. | ||
| # Update AD schema to accomodate the new fields to store password data. | ||
| Import-Module -Name AdmPwd.PS | ||
| Update-AdmPwdADSchema | ||
|
|
||
| # Get the default computer OU. | ||
| # Reference https://support.microsoft.com/en-us/kb/324949 | ||
| $OUQuery = [adsisearcher]'(&(objectclass=domain))' | ||
| $OUQuery.SearchScope = 'base' | ||
| $OUQuery.FindOne().properties.wellknownobjects | ForEach-Object { | ||
| if ($_ -match '^B:32:AA312825768811D1ADED00C04FD8D5CD:(.*)$') | ||
| { | ||
| $Matches[1] | ||
| } | ||
| } | ||
|
|
||
|
|
||
| # Check if a computer OU was provided by the parameter and act accordingly. | ||
| if (!$ComputerOU) | ||
| { | ||
| Set-AdmPwdComputerSelfPermission -OrgUnit $Matches[1] | ||
| # Get the default computer OU. | ||
| # Reference https://support.microsoft.com/en-us/kb/324949 | ||
| $OUQuery = [adsisearcher]'(&(objectclass=domain))' | ||
| $OUQuery.SearchScope = 'base' | ||
| $OUQuery.FindOne().properties.wellknownobjects | ForEach-Object { | ||
| if ($_ -match '^B:32:AA312825768811D1ADED00C04FD8D5CD:(.*)$') | ||
| { | ||
| $ComputerOU = $Matches[1] | ||
| Write-Verbose -Message $ComputerOU | ||
| } | ||
| } | ||
| } | ||
| else | ||
| foreach ($OrgUnit in $ComputerOU) | ||
| { | ||
| Set-AdmPwdComputerSelfPermission -OrgUnit $ComputerOU | ||
| Set-AdmPwdComputerSelfPermission -Identity $OrgUnit | ||
| } | ||
|
|
||
| # Configure who can read the attribute. By default only domain/enterprise admins can. | ||
| if ($OrgUnitRead) | ||
| # Configure who can read the password. By default only domain/enterprise admins can. | ||
| if (!$OrgUnitRead) | ||
| { | ||
| Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnitRead | ||
| $OrgUnitRead = $ComputerOU | ||
| } | ||
| if ($SecGroupRead) | ||
| { | ||
| Set-AdmPwdReadPasswordPermission -AllowedPrincipals $SecGroupRead | ||
| if ($SecGroupRead) { | ||
| foreach ($OrgUnit in $OrgUnitRead) | ||
| { | ||
| Set-AdmPwdReadPasswordPermission -Identity $OrgUnit -AllowedPrincipals $SecGroupRead | ||
| } | ||
| } | ||
|
|
||
| # Configure who can force a password change. By default only domain/enterprise admins can. | ||
| if ($OrgUnitReset) | ||
| if (!$OrgUnitReset) | ||
| { | ||
| Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnitReset | ||
| $OrgUnitReset = $ComputerOU | ||
| } | ||
| if ($SecGroupReset) | ||
| { | ||
| Set-AdmPwdResetPasswordPermission -AllowedPrincipals $SecGroupReset | ||
| if ($SecGroupReset) { | ||
| foreach ($OrgUnit in $OrgUnitReset) | ||
| { | ||
| Set-AdmPwdResetPasswordPermission -Identity $OrgUnit -AllowedPrincipals $SecGroupReset | ||
| } | ||
| } | ||
|
|
||
|
|
||
| # Importing the GPO | ||
| # Reference https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8#content | ||
| Set-Location "$env:homedrive\Shadow\LAPS" | ||
| Import-Module GroupPolicy | ||
| Import-Module ActiveDirectory | ||
| Set-Location -Path $WorkFolderPath | ||
| Import-Module -Name GroupPolicy | ||
| Import-Module -Name ActiveDirectory | ||
|
|
||
| # change variables in the GPO to suit environment using a GPO migration table. | ||
| $Path = "$env:homedrive\Shadow\LAPS\MigrationTable.migtable" | ||
| $XML = [xml] (Get-Content $Path) | ||
| # Change variables in the GPO to suit environment using a GPO migration table. | ||
| $XML = [xml](Get-Content -Path (Join-Path -Path $WorkFolderPath -ChildPath 'MigrationTable.migtable')) | ||
| $Destination = $XML.MigrationTable.Mapping.ChildNodes | ||
|
|
||
| foreach ($node in $Destination) | ||
| { | ||
| if ($node.'#text' -eq "ENTERPRISEADMINS") | ||
| if ($node.'#text' -eq 'ENTERPRISEADMINS') | ||
| { | ||
| $Node.innertext = "Enterprise Admins@$FQDN" | ||
| } | ||
| if ($node.'#text' -eq "DOMAINADMINS") | ||
| if ($node.'#text' -eq 'DOMAINADMINS') | ||
| { | ||
| $Node.innertext = "Domain Admins@$FQDN" | ||
| } | ||
| if ($node.'#text' -eq "\\SERVERNAME\LAPS$") | ||
| if ($node.'#text' -like '\\SERVERNAME\*') | ||
| { | ||
| $Node.innertext = "\\$env:computername\LAPS$\LAPSx64.msi" | ||
| $Node.innertext = Join-Path -Path (Join-Path -Path (Join-Path -Path '\\' -ChildPath $env:computername) -ChildPath $SMBShareName) -ChildPath $DistributiveFileName | ||
| } | ||
| } | ||
| $XML.Save("$env:homedrive\Shadow\LAPS\LAPS.migtable") | ||
|
|
||
|
|
||
|
|
||
|
|
||
| $MigrationTableProcessedFilePath = Join-Path -Path $WorkFolderPath -ChildPath 'LAPS.migtable' | ||
| $XML.Save($MigrationTableProcessedFilePath) | ||
|
|
||
| #Import the actual GPO | ||
| #http://serverfault.com/questions/491505/powershell-copy-gpo-failing-with-hresult-0x8007000d | ||
| #cscript importgpo.wsf "$env:homedrive\Shadow\LAPS\" "{4178CB42-3A58-445C-A46E-9CD8338C9FA5}" /CreateifNeeded /migrationtable:C:\Shadow\LAPS\LAPS.migtable | ||
| Import-GPO -CreateIfNeeded -path $env:homedrive\Shadow\LAPS\ -BackupId "{4178CB42-3A58-445C-A46E-9CD8338C9FA5}" -TargetName $GPOName -MigrationTable "$env:homedrive\Shadow\LAPS\LAPS.migtable" | ||
| Import-GPO -CreateIfNeeded -path $WorkFolderPath -BackupId '{4178CB42-3A58-445C-A46E-9CD8338C9FA5}' -TargetName $GPOName -MigrationTable $MigrationTableProcessedFilePath |