
Invoke admu from jcagent

Joe Workman edited this page Dec 2, 2021 · 5 revisions

The JumpCloud Agent can help admins migrate Domain accounts to Local Accounts by invoking the ADMU remotely. As with any automation task, information about systems needs to be gathered prior to running any scripts. In order to automate the process of migrating users across multiple systems, the JumpCloud agent must first be installed on the systems you wish to migrate. The agent will remotely gather user data from the systems to migrate.

There are three steps to the remote migration process.

  1. Setup and Discovery: Searching for and recording data about the systems
  2. Investigation: Collecting the data, and deciding what users to migrate
  3. Remote Invocation: Remotely trigger the ADMU on systems to migrate their intended users.

Each step requires the corresponding script to be run. Further instructions for each step are detailed below:

Setup and Discovery


In order to gather data about systems, a location to store data is required. In these scripts data will be written back to a private GitHub Repository. In order to write data to a private github repository, a personal access token with full repo access is required.

Within GitHub create a private repository called "JumpCloud-ADMU-Discovery". This repository name can be changed as long as the $GHRepoName variable is updated to match the repository name.

On the JumpCloud Console, create a new command containing the discovery script.

Populate the variables:

$GHUsername - This is your GitHub account username.

$GHToken - This is the generated GitHub token with required rights.

$GHRepoName - This is the name that will be used when creating the GitHub repo.

If you want to modify where the script output is saved you can change:

$newjsonoutputdir

$workingdir

By default the script will populate user data and store it in the /Windows/Temp directory.

Run the command through the JumpCloud command portal on the group of systems that you want to collect profile information from.

As the command runs on the scoped systems, files named COMPUTERNAME.json will be added to the "JumpCloud-ADMU-Discovery" repository. These JSON files will contain the following values:

SID
LocalPath
LocalComputerName
LocalUsername
JumpCloudUserName

The LocalUsername field will display a username unless the system's secure channel to the domain is broken, in which case the account SID will be displayed instead.

If the script is run multiple times on the same system, it will overwrite the JSON file with the latest domain profile data.
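The record-building half of the discovery step, written here as an added example (not the ADMU project's own discovery script) to show where the SID-instead-of-username case comes from; it assumes the page's five field names and its default /Windows/Temp output directory.

```powershell
# Added example, not the ADMU project's discovery script: builds the
# COMPUTERNAME.json record described above from the local ProfileList key.
# Assumes the page's field names and its default output directory.
$newjsonoutputdir = "$env:SystemRoot\Temp"

function Get-DomainProfileRecords {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # SID prefix of accounts issued by this machine, so local users are skipped
    $localMachineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
    $records = @(foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName
        # Only domain accounts are migration candidates: skip well-known SIDs
        # (S-1-5-18/19/20) and anything issued by the local machine SID.
        if ($sid -notmatch '^S-1-5-21-' -or $sid -like "$localMachineSid-*") { continue }
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        # SID-to-name translation needs a working secure channel to the domain;
        # when it fails the SID itself is recorded, as the page describes.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount])
            $username = $account.Value
        } catch {
            $username = $sid
        }
        [pscustomobject]@{
            SID               = $sid
            LocalPath         = $path
            LocalComputerName = $env:COMPUTERNAME
            LocalUsername     = $username
            JumpCloudUserName = ''   # filled in by the admin during Investigation
        }
    })
    return $records
}

function Write-DiscoveryJson {
    param([string]$OutputDir = $newjsonoutputdir)
    $records = @(Get-DomainProfileRecords)
    $outFile = Join-Path -Path $OutputDir -ChildPath "$env:COMPUTERNAME.json"
    # -InputObject keeps the JSON as an array even when only one profile is found
    ConvertTo-Json -InputObject $records -Depth 3 | Set-Content -Path $outFile -Encoding UTF8
    return $outFile
}

Write-DiscoveryJson
```

Pushing the resulting file to the private repository is left to the discovery command itself; the record shape above is what the collate step later flattens into jcdiscovery.csv.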

Investigation


Once the discovery script/command has been run on the required systems and the COMPUTERNAME.json files have been populated in the GitHub repository, the next step is to collate all the JSON files into a single .CSV file.

The script for this step collects all .json files in the repository, copies them to your local system and creates a single CSV.

Populate the variables:

$GHUsername
$GHToken
$GHRepoName

The collate script will download all the COMPUTERNAME.json files, convert them and combine them into a single CSV ("jcdiscovery.csv"). This CSV will be written to the path set in $discoverycsvlocation.

Once created, edit the CSV with each migration user's intended JumpCloud username. Only a single account per system can be migrated at a time, meaning only one entry per system hostname should be present in the CSV.

If using the auto-bind feature, the JumpCloud username entered in this CSV must exist in JumpCloud prior to migration.

Once edited, the CSV should contain one row per system, and each row should contain the corresponding JumpCloud username for that system's migration user. Upload the edited CSV to the root directory of the "JumpCloud-ADMU-Discovery" repository; the CSV will be referenced by systems when invoking the ADMU remotely.

To upload the CSV file to the repository, simply drag the file to the root directory of the repository while viewing the repository through a web browser.

Remote Invocation


The final invoke script will download the jcdiscovery.csv to the system, install the ADMU PowerShell module, search the CSV for a matching system hostname and invoke the ADMU with the values in the corresponding row.

Example CSV:

SID LocalPath LocalComputerName LocalUsername JumpCloudUserName
S-1-5-21-41106789-669517676-457226549-1065 C:\Users\tg2gadmin JOE-61AC71RME1D JOE-61AC71RME1D\bob.fay
S-1-5-21-156575111-3938707022-2951340204-1159 C:\Users\bobfay JOEWORKMAN181C S-1-5-21-156575111-3938707022-2951340204-1159 bob.fay

If, for example, the "JOEWORKMAN181C" system ran the invoke script, it would download the entire CSV, compare its hostname to the values in the CSV and, in this case, attempt to migrate the user with SID "S-1-5-21-156575111-3938707022-2951340204-1159" to the local user "bob.fay".

Populate the variables of the script. Refer to the ADMU documentation for each parameter's behavior.

$JumpCloudUserName
$SelectedUserName
$TempPassword
$LeaveDomain
$ForceReboot
$UpdateHomePath
$InstallJCAgent
$AutobindJCUser
$JumpCloudConnectKey
$JumpCloudAPIKey

The remote invoke script should be run on the same systems the discovery script was run. User accounts will be remotely converted to local accounts and if the auto-bind parameter is set those users will be bound as JumpCloud users to those systems.
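The hostname-matching core of the invoke step, as an added example rather than the ADMU project's own invoke script; it assumes the repository and variable names used on this page, that jcdiscovery.csv sits at the repository root, and that the ADMU module's Start-Migration cmdlet takes parameters named like the variables listed above.

```powershell
# Added example, not the ADMU project's invoke script: downloads jcdiscovery.csv
# from the private discovery repo, picks the single row for this host and builds
# the parameter set for the ADMU module's Start-Migration cmdlet.
# Assumptions: the repo and variable names from this page; Start-Migration
# takes parameters named like the variables listed above; CSV at the repo root.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$GHUsername   = 'your-github-user'          # placeholder
$GHToken      = 'ghp_REPLACE_ME'            # placeholder token with repo access
$GHRepoName   = 'JumpCloud-ADMU-Discovery'
$TempPassword = 'Temp123!Temp123!'          # placeholder, set a real temporary password

function Get-DiscoveryCsv {
    # Contents API returns the file base64-encoded; the token travels in a header, not the URL
    $uri = "https://api.github.com/repos/$GHUsername/$GHRepoName/contents/jcdiscovery.csv"
    $headers = @{ Authorization = "token $GHToken"; Accept = 'application/vnd.github.v3+json' }
    $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($resp.content))
    return @($text | ConvertFrom-Csv)
}

function Get-MigrationRow {
    param([object[]]$Rows, [string]$HostName = $env:COMPUTERNAME)
    $match = @($Rows | Where-Object { $_.LocalComputerName -eq $HostName })
    # The page requires one row per hostname: refuse to guess on zero or several
    if ($match.Count -ne 1) { throw "Expected one CSV row for $HostName, found $($match.Count)" }
    if ([string]::IsNullOrWhiteSpace($match[0].JumpCloudUserName)) {
        throw "Row for $HostName has no JumpCloudUserName; edit the CSV first"
    }
    return $match[0]
}

$row = Get-MigrationRow -Rows (Get-DiscoveryCsv)
Write-Host "Migrating $($row.LocalUsername) ($($row.SID)) to $($row.JumpCloudUserName)"
# Pass the SID rather than LocalUsername: LocalUsername is already the SID when the
# secure channel is broken, and the page's example migrates by SID.
$migrationParams = @{
    JumpCloudUserName = $row.JumpCloudUserName
    SelectedUserName  = $row.SID
    TempPassword      = $TempPassword
    LeaveDomain       = $true
    ForceReboot       = $false
    UpdateHomePath    = $false
    InstallJCAgent    = $false
    AutobindJCUser    = $false
}
Install-Module -Name JumpCloud.ADMU -Force -Scope AllUsers
Import-Module -Name JumpCloud.ADMU
Start-Migration @migrationParams
```

Both throw paths stop the command before any account is touched, so a stale or hand-edited CSV with a duplicated hostname shows up as a failed command in the JumpCloud console rather than as a migration of the wrong user.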

It's recommended to change this command's default timeout in the JumpCloud console, as accounts with larger data sets can take longer than the default two-minute timeout to complete migration. There's no harm in increasing the value to 900 seconds (15 minutes).