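Function New-GMSAAccount () {
<#
.SYNOPSIS
Create a Group Managed Service Account and set PrincipalsAllowedToRetrieveManagedPassword
.DESCRIPTION
Creates a Group Managed Service Account (gMSA) in Active Directory and grants the given
computer and/or group objects the right to retrieve its managed password.

Every principal name is first resolved to a single computer or group object and its
DistinguishedName is what gets written to PrincipalsAllowedToRetrieveManagedPassword, so the
right is granted to exactly the object that was validated. Names that reach an LDAP filter
are escaped per RFC 4515 so a value containing '(' ')' '*' or '\' cannot change the query.
.REQUIREMENTS
Active Directory module installed and permissions to create and change Group Managed Service Accounts
.PARAMETER OU
DistinguishedName of the organizational unit the account is created in. When omitted, -Path is
not passed to New-ADServiceAccount and its default container is used.
.PARAMETER VerboseOutput
Turn Verbose console information on or off. Default is off. (-Verbose from CmdletBinding also works.)
.PARAMETER UserName
Name of Group Managed Service Account (1-15 characters). Must not already exist as an object name.
.PARAMETER PrincipalsAllowedToRetrieveManagedPassword
Array of computer or group object names. Each name must resolve to exactly one computer or group.
.EXAMPLE
1. New-GmsaAccount -UserName gMSA-Name -PrincipalsAllowedToRetrieveManagedPassword server1, server2, group01
2. New-GmsaAccount -UserName gMSA-Name -PrincipalsAllowedToRetrieveManagedPassword server1
3. New-GmsaAccount -UserName gMSA-Name -PrincipalsAllowedToRetrieveManagedPassword server1, server2
.OUTPUTS
None. Failures are written to the error stream as the original ErrorRecord.
.AUTHOR
Rickard Warfvinge
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$false,
    HelpMessage = "Enter DistinguishedName to organizational unit (OU)")]
    [ValidateNotNullOrEmpty()]
    [ValidateScript(
        {
            $OU = $_
            # -Identity binds the DN as a value; no filter string is built from the input.
            Try {
                $null = Get-ADObject -Identity $OU -ErrorAction Stop
                $True
            }
            Catch {
                Throw "'$OU' has incorrect syntax or doesn't exist in Active Directory"
            }
        }
    )]
    [string]$OU,
    [Parameter(Mandatory=$false,
    HelpMessage = "Turn verbose console output ON or OFF")]
    [ValidateSet('ON','OFF')]
    [String]$VerboseOutput = 'OFF',
    [Parameter(Mandatory=$true,
    HelpMessage = "Enter the name of the Group Managed Service Account you want to create.")]
    [ValidateNotNullOrEmpty()]
    [ValidateLength(1,15)]
    [ValidateScript(
        {
            $UserName = $_
            # RFC 4515 escaping (backslash first) so the name cannot alter the LDAP filter.
            $Escaped = $UserName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
            If (Get-ADObject -LDAPFilter "(name=$Escaped)") {
                Throw "Group Managed Service Account '$UserName' already exist in Active Directory."
            }
            Else {
                $true
            }
        }
    )]
    [String]$UserName,
    [Parameter(Mandatory=$true,
    HelpMessage = "Enter computer(s) and/or group(s) to give permission to retrieve the password for the Group Managed Service Account")]
    [ValidateNotNullOrEmpty()]
    [ValidateScript(
        {
            # ValidateScript runs once per array element.
            $Principal = $_
            $Escaped = $Principal -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
            # Only computer and group objects may retrieve a gMSA password, and the name must be unambiguous.
            $Found = @(Get-ADObject -LDAPFilter "(&(name=$Escaped)(|(objectClass=computer)(objectClass=group)))")
            If ($Found.Count -eq 1) {
                $true
            }
            ElseIf ($Found.Count -eq 0) {
                Throw "'$Principal' is a disallowed object type for Group Managed Service Accounts"
            }
            Else {
                Throw "'$Principal' matches more than one computer or group object; use a unique name"
            }
        }
    )]
    [String[]]$PrincipalsAllowedToRetrieveManagedPassword
)
    # Turn verbose output on for console output
    If ($VerboseOutput -eq 'on') {$VerbosePreference = 'Continue'}
    Try {
        # Resolve each principal to its DistinguishedName so Set-ADServiceAccount receives an
        # unambiguous identity. This replaces the old "append '$' to computer names" rule, which
        # joined names with spaces when a filter returned more than one object.
        $Principals = @()
        Foreach ($Item in $PrincipalsAllowedToRetrieveManagedPassword) {
            $Escaped = $Item -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
            $Object = @(Get-ADObject -LDAPFilter "(&(name=$Escaped)(|(objectClass=computer)(objectClass=group)))" -ErrorAction Stop)
            If ($Object.Count -ne 1) {
                Throw "'$Item' does not resolve to exactly one computer or group object"
            }
            $Principals += $Object[0].DistinguishedName
        }
        # USERDNSDOMAIN is only populated in a domain logon session; fall back to the domain's DNS root
        # rather than creating the account with a DNSHostName of "<name>.".
        $DnsDomain = $env:USERDNSDOMAIN
        If (-not $DnsDomain) {
            $DnsDomain = (Get-ADDomain -ErrorAction Stop).DNSRoot
        }
        # -Path is passed only when an OU was supplied; an empty -Path is rejected by New-ADServiceAccount.
        $NewParams = @{
            Name        = $UserName
            Enabled     = $true
            DNSHostName = "$UserName.$DnsDomain"
            ErrorAction = 'Stop'
        }
        If ($PSBoundParameters.ContainsKey('OU')) {
            $NewParams['Path'] = $OU
        }
        # Group managed service account is created
        New-ADServiceAccount @NewParams
        $Location = If ($OU) { $OU } Else { 'the default container' }
        Write-Verbose "Group managed service account '$UserName' created in '$Location'"
        # -ErrorAction Stop so a failure here is caught below instead of being a silent non-terminating error
        Set-ADServiceAccount -Identity $UserName -PrincipalsAllowedToRetrieveManagedPassword $Principals -ErrorAction Stop
        Write-Verbose "PrincipalsAllowedToRetrieveManagedPassword is set to objects: $($Principals -join ', ')"
    }
    Catch {
        # Preserve the original ErrorRecord (position, category, exception) for the caller.
        Write-Error -ErrorRecord $_
    }
}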