# Script parameter: the DNS suffix appended to every seeded lab account address
# and later split back off to recover the hostname. Defaults to the lab domain.
param (
    [Parameter(Mandatory = $false)]
    [string]
    $DomainName = "kaj.local"
)
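## THIS IS A SCRATCHFILE FROM MY LAB
# Prompt for Vault credentials interactively (never hard-code them) and open
# the psPAS session that every *-PAS* cmdlet below relies on. The PVWA URL is
# hard-coded to the lab instance.
$cred = Get-Credential -Message "$(get-date) CyberArk PowerShell"
if (-not $cred) {
    # Get-Credential returns $null when the prompt is cancelled; stop here
    # instead of letting the rest of the script run without a session.
    throw "No credential supplied; aborting."
}
# -ErrorAction Stop: a failed logon must not fall through into the
# provisioning and (destructive) account-removal steps further down.
New-PASSession -Credential $cred -BaseURI "https://pvwa1.kaj.local" -ErrorAction Stop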
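#REGION provision environment
# Seed the lab: one pending safe plus ten throw-away "sysman" accounts whose
# addresses look like hosts under $DomainName. The safe cmdlets use the Gen1
# API (-UseGen1API); the account cmdlet uses the default (Gen2) API.
Add-PASSafe -SafeName "FT-Pending accounts" -ManagingCPM "PasswordManager" -NumberOfVersionsRetention 5 -UseGen1API

# Draw ten DISTINCT host numbers up front. Calling Get-Random once per
# iteration could repeat a number, producing two accounts with the same
# address/username in the same safe and a failing Add-PASAccount.
# Range 0..998 matches the original "Get-Random -Maximum 999".
$hostNumbers = Get-Random -InputObject (0..998) -Count 10
foreach ($hostNumber in $hostNumbers) {
    $splat = @{
        "SecretType"                 = "Password"
        # Lab placeholder only - a hard-coded secret must never leave a scratch
        # script. automaticManagementEnabled is set so the CPM is expected to
        # replace it; confirm the platform actually rotates on add.
        "secret"                     = ("Cyberark1" | ConvertTo-SecureString -AsPlainText -Force)
        "platformAccountProperties"  = @{ "LOGONDOMAIN" = $DomainName }
        "automaticManagementEnabled" = $true
        "SafeName"                   = "FT-Pending accounts"
        "PlatformId"                 = "WIN-ADM-LCL-30"
        "Address"                    = "KAJ-Server$hostNumber.$DomainName"
        "Username"                   = "sysman"
    }
    Add-PASAccount @splat
}
#ENDREGION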
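#REGION add safes
# Collect the lab accounts and create one safe per host for them.
#
# Get-PASAccount -search is a keyword search across every safe the caller can
# see, not just the pending safe created above. The same $sysmanAccounts list
# is what Remove-PASAccount deletes later in this script, so narrow it to the
# pending safe here; otherwise any unrelated account containing "sysman" would
# be deleted too.
$sysmanAccounts = Get-PASAccount -search "sysman" |
    Where-Object { $_.safeName -eq "FT-Pending accounts" }
$sysmanAccounts | convertto-csv -Delimiter "," -NoTypeInformation | out-file c:\temp\sysmanAccounts.csv

# $DomainName is user input used inside a regex: escape it so its dots are
# literal rather than "any character".
$domainPattern = "(.*)\.$([regex]::Escape($DomainName))"

foreach ($sysman in $sysmanAccounts) {
    #create safe
    # Check the match result instead of discarding it: on a miss, $matches still
    # holds the PREVIOUS iteration's capture and the account would silently be
    # filed under another host's safe.
    if ($sysman.address -notmatch $domainPattern) {
        Write-Warning "Skipping '$($sysman.address)': address is not under $DomainName"
        continue
    }
    $hostname = $matches[1]
    $safename = "FT-S-SRV-$hostname"
    Add-PASSafe -SafeName $safename -ManagingCPM "PasswordManager" -NumberOfVersionsRetention 5 -UseGen1API

    #add safe members
    # Every Gen1 safe permission, granted to the Vault admins group. This is
    # the full-control set; for any other member, trim it to what the role
    # actually needs (least privilege) rather than copying this splat.
    $safeMemberSplat1 = @{
        "SafeName"                               = $safename
        "MemberName"                             = "CyberArk Vault Admins"
        "SearchIn"                               = "Vault"
        "UseAccounts"                            = $true
        "RetrieveAccounts"                       = $true
        "ListAccounts"                           = $true
        "AddAccounts"                            = $true
        "UpdateAccountContent"                   = $true
        "UpdateAccountProperties"                = $true
        "InitiateCPMAccountManagementOperations" = $true
        "SpecifyNextAccountContent"              = $true
        "RenameAccounts"                         = $true
        "DeleteAccounts"                         = $true
        "UnlockAccounts"                         = $true
        "ManageSafe"                             = $true
        "ManageSafeMembers"                      = $true
        "BackupSafe"                             = $true
        "ViewAuditLog"                           = $true
        "ViewSafeMembers"                        = $true
        "AccessWithoutConfirmation"              = $true
        "CreateFolders"                          = $true
        "DeleteFolders"                          = $true
        "MoveAccountsAndFolders"                 = $true
    }
    Add-PASSafeMember @safeMemberSplat1 -UseGen1API
}
#ENDREGION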
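# Re-read every per-host safe from the Vault (rather than trusting the local
# splat) so the export reflects what was actually created; the list is reused
# by the cleanup step at the end of the script.
# Escape the domain so its dots are literal in the regex, and check the match
# result: a miss would otherwise reuse the previous iteration's $matches.
$domainPattern = "(.*)\.$([regex]::Escape($DomainName))"
$sysmanSafes = foreach ($sysman in $sysmanAccounts) {
    if ($sysman.address -notmatch $domainPattern) {
        Write-Warning "Skipping '$($sysman.address)': address is not under $DomainName"
        continue
    }
    $hostname = $matches[1]
    $safename = "FT-S-SRV-$hostname"
    Get-PASSafe -SafeName $safename -UseGen1API
}
$sysmanSafes | convertto-csv -Delimiter "," -NoTypeInformation | out-file c:\temp\sysmanSafes.csv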
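#REGION swap membership
# Move each account out of the pending safe into its per-host safe.
#
# Ordering: the original version deleted ALL accounts in one loop and only then
# re-created them in a second loop, so any failure in Add-PASAccount left the
# account gone with nothing to roll back to. Here the copy is created in the
# target safe first (-ErrorAction Stop so a failure halts the script) and the
# original is removed only after that succeeded.
#
# CAVEAT: the re-created account receives the hard-coded lab placeholder
# secret, NOT the password currently stored for the original account. That is
# only tolerable in a lab; a real move must carry the existing secret across.
$domainPattern = "(.*)\.$([regex]::Escape($DomainName))"
foreach ($sysman in $sysmanAccounts) {
    # Check the match result; on a miss $matches would still hold the previous
    # iteration's capture and the account would land in the wrong safe.
    if ($sysman.address -notmatch $domainPattern) {
        Write-Warning "Skipping '$($sysman.address)': address is not under $DomainName"
        continue
    }
    $hostname = $matches[1]
    $safename = "FT-S-SRV-$hostname"
    $splat = @{
        "SecretType"                = $sysman.secretType
        "secret"                    = ("Cyberark1" | ConvertTo-SecureString -AsPlainText -Force)
        # LOGONDOMAIN is the hostname here, whereas the seed step used
        # $DomainName - presumably deliberate for a local-admin platform; confirm.
        "platformAccountProperties" = @{ "LOGONDOMAIN" = $hostname }
        "SafeName"                  = $safename
        "PlatformId"                = $sysman.platformId
        # Original note (Danish: "fejler ved $sysman.address"): the direct
        # property access failed here, hence the Select-Object form.
        "Address"                   = $sysman | Select-Object -ExpandProperty Address
        "Username"                  = $sysman.userName
    }
    Add-PASAccount @splat -ErrorAction Stop
    Remove-PASAccount -AccountID $sysman.id -UseGen1API -Verbose
}
#ENDREGION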
#remove safes
# Lab teardown: delete every per-host safe read back above. Note these safes
# now hold the re-created accounts, so this is a full cleanup; whether the
# Vault permits deleting a non-empty safe is not checked here - confirm before
# reusing this outside the lab.
foreach ($labSafe in $sysmanSafes) {
    $targetName = $labSafe.SafeName
    Remove-PASSafe -SafeName $targetName -UseGen1API
}