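<#
.SYNOPSIS
Creates an AD group and a test AD user on the domain controller and syncs them to Azure AD.
.DESCRIPTION
This script is run by the main ARM template as a custom script extension on the domain controller VM to create an AD user group and an AD user (a test user for the WVD environment).
This user then gets synced to Azure Active Directory using the ADSync module.
Arguments are positional ($args) because the custom script extension passes them on the command line, in the order listed below.
.PARAMETER domainName
Name of the domain
.PARAMETER targetGroup
Name of the test user group to be created
.PARAMETER artifactsLocation
URL of the GitHub repository
.PARAMETER domainUsername
Username of the domain join account
.PARAMETER domainPassword
Password of the domain join account. Not written to any log by this script.
.PARAMETER devOpsName
Name of the DevOps organization used to derive the test user password
#>
# NOTE(review): no param() block follows this attribute, so it does not appear to take effect;
# arguments are read from $args below. Left in place to keep the existing call convention.
[CmdletBinding(SupportsShouldProcess = $true)]
$ConfigurationFileName = "users.parameters.json"
# Parameters below are passed by the main ARM template, positionally and in this order.
# Fail fast with a clear message instead of running into null values deep inside the AD calls.
$requiredArgumentCount = 6
if ($args.Count -lt $requiredArgumentCount) {
    throw "Expected $requiredArgumentCount positional arguments (domainName, targetGroup, artifactsLocation, domainUsername, domainPassword, devOpsName) but received $($args.Count)."
}
$domainName = $args[0]
$targetGroup = $args[1]
$artifactsLocation = $args[2]
$domainUsername = $args[3]
# NOTE(review): the password arrives as a command-line argument; make sure the ARM template passes
# it through the extension's protected settings so it does not surface in deployment logs — confirm.
$domainPassword = $args[4]
$devOpsName = $args[5]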
#####################################
##########
# Helper #
##########
#region Functions
function LogInfo($message) {
    # Convenience wrapper: writes $message to the log under the 'Info' category.
    Log -category "Info" -message $message
}
function LogError($message) {
    # Convenience wrapper: writes $message to the log under the 'Error' category.
    Log -category "Error" -message $message
}
function LogSkip($message) {
    # Convenience wrapper: writes $message to the log under the 'Skip' category.
    Log -category "Skip" -message $message
}
function LogWarning($message) {
    # Convenience wrapper: writes $message to the log under the 'Warning' category.
    Log -category "Warning" -message $message
}
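function Log {
<#
.SYNOPSIS
Appends one timestamped, tab-separated entry to the script log file.
.DESCRIPTION
The entry is also echoed to the verbose stream. If Set-Logger has not populated
$script:Log, the function falls back to $env:TEMP\log.log and reports that once.
.PARAMETER category
Category to put into the trace (for example Info, Warning, Error, Skip)
.PARAMETER message
Message to be logged
.EXAMPLE
Log 'Info' 'Message'
#>
Param (
    $category = 'Info',
    [Parameter(Mandatory = $true)]
    $message
)
$timestamp = Get-Date
$entry = "[$timestamp]`t$category`t`t$message`n"
Write-Verbose "$entry" -Verbose
if (-not $script:Log) {
    # The fallback is recoverable, so report it as a warning: Write-Error would terminate the
    # caller when $ErrorActionPreference is 'Stop' before the entry is ever written.
    $script:Log = Join-Path $env:TEMP "log.log"
    Write-Warning "Log file not found, create new $script:Log"
}
Add-Content -Path $script:Log -Value $entry -ErrorAction Stop
}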
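function Set-Logger {
<#
.SYNOPSIS
Creates the central log file and stores its path in $script:Log.
.DESCRIPTION
The file is named "executionCustomScriptExtension_<scriptName>_<date>.log" inside Path.
Path is created when it does not exist and a tab-separated header line is written.
.PARAMETER Path
Directory in which the log file is created
.EXAMPLE
Set-Logger "C:\Logs"
Creates C:\Logs\executionCustomScriptExtension_<scriptName>_<date>.log and points $script:Log at it.
#>
Param (
    [Parameter(Mandatory = $true)]
    $Path
)
# Create central log file with given date
$date = Get-Date -UFormat "%Y-%m-%d %H-%M-%S"
# Dashes are stripped from the script name (kept from the original; the reason is not documented)
$scriptName = (Get-Item $PSCommandPath).BaseName -replace "-", ""
$script:logFile = "executionCustomScriptExtension_" + $scriptName + "_" + $date + ".log"
if (-not (Test-Path $Path)) {
    $null = New-Item -Path $Path -ItemType Directory
}
$script:Log = Join-Path $Path $script:logFile
Add-Content -Path $script:Log -Value "Date`t`t`tCategory`t`tDetails"
}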
#endregion
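## MAIN
#Set-Logger "C:\WindowsAzure\CustomScriptExtension\Log" # inside "executionCustomScriptExtension_$date.log"
Set-Logger "C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\executionLog\UserConfig" # inside "executionCustomScriptExtension_$scriptName_$date.log"
LogInfo("## 0 - LOAD DATA ##")
# Force TLS 1.2 for the download below; the .NET default on older hosts may negotiate a weaker protocol
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Build both the download URL and the local path from $ConfigurationFileName so they cannot drift apart
$url = $artifactsLocation + "/Modules/ARM/UserCreation/Parameters/" + $ConfigurationFileName
$configPath = Join-Path "C:\" $ConfigurationFileName
# -UseBasicParsing avoids the Internet Explorer engine dependency on a freshly provisioned server;
# -ErrorAction Stop so a failed download does not fall through to parsing a missing or stale file.
Invoke-WebRequest -Uri $url -OutFile $configPath -UseBasicParsing -ErrorAction 'Stop'
$ConfigurationJson = Get-Content -Path $configPath -Raw -ErrorAction 'Stop'
try { $UserConfig = $ConfigurationJson | ConvertFrom-Json -ErrorAction 'Stop' }
catch {
    Write-Error "Configuration JSON content could not be converted to a PowerShell object" -ErrorAction 'Stop'
}
Import-Module activedirectory
# Validate the domain join credentials by binding to the directory. The password is handed only
# to the bind and is never passed to Log.
$adminUsername = $domainName + "\" + $domainUsername
$bind = New-Object DirectoryServices.DirectoryEntry "", $adminUsername, $domainPassword
if ($null -ne $bind.psbase.name) {
    LogInfo("Valid domain join credentials")
}
else {
    Write-Error "Invalid domain join credentials entered" -ErrorAction 'Stop'
}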
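# Time allowed for the delta sync of a removed account to settle before the same name is re-created.
# The value is carried over from the original script; no documented basis for 90 seconds.
$adSyncSettleSeconds = 90
foreach ($config in $UserConfig.userconfig) {
    if ($config.createGroup) {
        LogInfo("## 1 - Create user group ##")
        $userGroupName = $targetGroup
        LogInfo("Create user group...")
        # NOTE: $userGroupName is interpolated into the AD filter string. It comes from the ARM
        # template, not from an end user, so no escaping is applied here.
        $existingGroup = Get-ADGroup -Filter "Name -eq '$($userGroupName)'"
        if ($null -eq $existingGroup) {
            # -ErrorAction Stop: a failed creation must not silently continue into the assignment step
            New-ADGroup `
                -SamAccountName $userGroupName `
                -Name "$userGroupName" `
                -DisplayName "$userGroupName" `
                -GroupScope "Global" `
                -GroupCategory "Security" -Verbose -ErrorAction 'Stop'
        }
        else {
            LogInfo("User group $userGroupName already exists, using that existing group.")
        }
        LogInfo("Create user group completed.")
    }
    if ($config.createUser) {
        LogInfo("## 2 - Create user ##")
        $userName = $config.userName
        # SECURITY: the test user's password is derived from the DevOps organization name, so it is
        # predictable to anyone who knows that name. Acceptable only for a throw-away test account;
        # prefer a generated secret supplied by the template for anything longer-lived.
        # The value is never passed to Log.
        $password = $devOpsName.substring(13) + '!'
        $existingUser = Get-ADUser -Filter "Name -eq '$($userName)'"
        if ($null -ne $existingUser) {
            # Destructive: an existing account with this Name is deleted rather than reused.
            # The UPN is renamed first and a delta sync is run, presumably so the deletion reaches
            # Azure AD before the same UPN is reissued below — confirm against the ADSync behaviour.
            LogInfo("Existing user with the username $userName found. Removing that user...")
            Set-ADUser -Identity $userName -UserPrincipalName $($userName + "temp@" + $domainName)
            Remove-ADUser -Identity $userName -Confirm:$False
            Import-Module ADSync -Force
            Start-ADSyncSyncCycle -PolicyType Delta -Verbose
            Start-Sleep -Seconds $adSyncSettleSeconds
            LogInfo("Existing user removed.")
        }
        LogInfo("Creating user...")
        # -ErrorAction Stop: without it a failed creation is non-terminating and the group
        # assignment below would run against a user that does not exist.
        New-ADUser `
            -SamAccountName $userName `
            -UserPrincipalName $($userName + "@" + $domainName) `
            -Name "$userName" `
            -GivenName $userName `
            -Surname $userName `
            -Enabled $True `
            -ChangePasswordAtLogon $False `
            -DisplayName "$userName" `
            -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -Verbose -ErrorAction 'Stop'
        LogInfo("Create user completed.")
    }
    if ($config.assignUsers) {
        LogInfo("## 3 - Assign users to group ##")
        Add-ADGroupMember -Identity $targetGroup -Members $config.userName -ErrorAction 'Stop'
        LogInfo("User assignment to group completed.")
    }
    if ($config.syncAD) {
        LogInfo("## 4 - Sync new users & group with AD Sync ##")
        Import-Module ADSync -Force
        Start-ADSyncSyncCycle -PolicyType Delta -Verbose
    }
}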