[v10] Make Desktop Acess setup script idempotent (#23174)

* Make Desktop Acess setup script idempotent

* Remove unnecessary comment

* Remove unnecessary calls to Get-GPO

lib/web/scripts/desktop/configure-ad.ps1

@@ -13,21 +13,27 @@ $SAM_ACCOUNT_NAME="svc-teleport"
 $DOMAIN_NAME=(Get-ADDomain).DNSRoot
 $DOMAIN_DN=$((Get-ADDomain).DistinguishedName)
 
-# Generate a random password that meets the "Password must meet complexity requirements" security policy setting.
-# Note: if the minimum complexity requirements have been changed from the Windows default, this part of the script may need to be modified.
-Add-Type -AssemblyName 'System.Web'
-do {
-   $PASSWORD=[System.Web.Security.Membership]::GeneratePassword(15,1)
-} until ($PASSWORD -match '\d')
-$SECURE_STRING_PASSWORD=ConvertTo-SecureString $PASSWORD -AsPlainText -Force
-
-New-ADUser -Name $AD_USER_NAME -SamAccountName $SAM_ACCOUNT_NAME -AccountPassword $SECURE_STRING_PASSWORD -Enabled $true
-
+try {
+  Get-ADUser -Identity $SAM_ACCOUNT_NAME
+}
+catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
+{
+  Add-Type -AssemblyName 'System.Web'
+  do {
+    $PASSWORD=[System.Web.Security.Membership]::GeneratePassword(15,1)
+  } until ($PASSWORD -match '\d')
+  $SECURE_STRING_PASSWORD=ConvertTo-SecureString $PASSWORD -AsPlainText -Force
+  New-ADUser -Name $AD_USER_NAME -SamAccountName $SAM_ACCOUNT_NAME -AccountPassword $SECURE_STRING_PASSWORD -Enabled $true
+}
 
 # Create the CDP/Teleport container.
-# If the command fails with "New-ADObject : An attempt was made to add an object to the directory with a name that is already in use",
-# it means the object already exists and you can move on to the next step.
-New-ADObject -Name "Teleport" -Type "container" -Path "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$DOMAIN_DN"
+try {
+  Get-ADObject -Identity "CN=Teleport,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$DOMAIN_DN"
+}
+catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
+{
+  New-ADObject -Name "Teleport" -Type "container" -Path "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$DOMAIN_DN"
+}
 
 # Gives Teleport the ability to create LDAP containers in the CDP container.
 dsacls "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$DOMAIN_DN" /I:T /G "$($SAM_ACCOUNT_NAME):CC;container;"
@@ -44,9 +50,15 @@ $SAM_ACCOUNT_SID=(Get-ADUser -Identity $SAM_ACCOUNT_NAME).SID.Value
 
 
 # Step 2/7. Prevent the service account from performing interactive logins
-
 $BLOCK_GPO_NAME="Block teleport-svc Interactive Login"
-New-GPO -Name $BLOCK_GPO_NAME | New-GPLink -Target $DOMAIN_DN
+try {
+  $BLOCK_GPO = Get-GPO -Name $BLOCK_GPO_NAME
+}
+catch [System.ArgumentException]
+{
+  $BLOCK_GPO = New-GPO -Name $BLOCK_GPO_NAME
+  $BLOCK_GPO | New-GPLink -Target $DOMAIN_DN
+}
 
 $DENY_SECURITY_TEMPLATE=@'
 [Unicode]
@@ -59,15 +71,22 @@ SeDenyInteractiveLogonRight=*{0}
 '@ -f $SAM_ACCOUNT_SID
 
 
-$BLOCK_POLICY_GUID=((Get-GPO -Name $BLOCK_GPO_NAME).Id.Guid).ToUpper()
+$BLOCK_POLICY_GUID=$BLOCK_GPO.Id.Guid.ToUpper()
 $BLOCK_GPO_PATH="$env:SystemRoot\SYSVOL\sysvol\$DOMAIN_NAME\Policies\{$BLOCK_POLICY_GUID}\Machine\Microsoft\Windows NT\SecEdit"
-New-Item -Type Directory -Path $BLOCK_GPO_PATH
-New-Item -Path $BLOCK_GPO_PATH -Name "GptTmpl.inf" -ItemType "file" -Value $DENY_SECURITY_TEMPLATE
+New-Item -Force -Type Directory -Path $BLOCK_GPO_PATH
+New-Item -Force -Path $BLOCK_GPO_PATH -Name "GptTmpl.inf" -ItemType "file" -Value $DENY_SECURITY_TEMPLATE
 
 
 # Step 3/7. Configure a GPO to allow Teleport connections
 $ACCESS_GPO_NAME="Teleport Access Policy"
-New-GPO -Name $ACCESS_GPO_NAME | New-GPLink -Target $DOMAIN_DN
+try {
+  $ACCESS_GPO = Get-GPO -Name $ACCESS_GPO_NAME
+}
+catch [System.ArgumentException]
+{
+  $ACCESS_GPO = New-GPO -Name $ACCESS_GPO_NAME
+  $ACCESS_GPO | New-GPLink -Target $DOMAIN_DN
+}
 
 
 $CERT = [System.Convert]::FromBase64String($TELEPORT_CA_CERT_BLOB_BASE64)
@@ -105,11 +124,12 @@ $COMMENT_XML=@'
 '@
 
 
-$ACCESS_POLICY_GUID=((Get-GPO -Name $ACCESS_GPO_NAME).Id.Guid).ToUpper()
+$ACCESS_POLICY_GUID=$ACCESS_GPO.Id.Guid.ToUpper()
 $ACCESS_GPO_PATH="$env:SystemRoot\SYSVOL\sysvol\$DOMAIN_NAME\Policies\{$ACCESS_POLICY_GUID}\Machine\Microsoft\Windows NT\SecEdit"
-New-Item -Type Directory -Path $ACCESS_GPO_PATH
-New-Item -Path $ACCESS_GPO_PATH -Name "GptTmpl.inf" -ItemType "file" -Value $ACCESS_SECURITY_TEMPLATE
-New-Item -Path "$env:SystemRoot\SYSVOL\sysvol\$DOMAIN_NAME\Policies\{$ACCESS_POLICY_GUID}\Machine" -Name "comment.cmtx" -ItemType "file" -Value $COMMENT_XML
+
+New-Item -Force -Type Directory -Path $ACCESS_GPO_PATH
+New-Item -Force -Path $ACCESS_GPO_PATH -Name "GptTmpl.inf" -ItemType "file" -Value $ACCESS_SECURITY_TEMPLATE
+New-Item -Force -Path "$env:SystemRoot\SYSVOL\sysvol\$DOMAIN_NAME\Policies\{$ACCESS_POLICY_GUID}\Machine" -Name "comment.cmtx" -ItemType "file" -Value $COMMENT_XML
 
 # Firewall
 $FIREWALL_USER_MODE_IN_TCP = "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
@@ -201,5 +221,4 @@ Write-Output $OUTPUT
 # cleanup files that were created during execution of this script
 Remove-Item $TeleportPEMFile -Recurse
 Remove-Item $WindowsDERFile -Recurse
-Remove-Item $WindowsPEMFile -Recurse
-
+Remove-Item $WindowsPEMFile -Recurse