ralfk/zettelkasten
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5a108aa2b4
zettelkasten/OneNoteExport/Technik/SQL/02_New-QSCSQLInstanceADObjects.md

820 lines
18 KiB
Markdown
Raw Normal View History

Initial commit
2023-08-17 19:32:37 +02:00
New-QSCSQLInstanceADObjects
Dienstag, 7. Februar 2017
13:45
User und Gruppen für die SQL Installation anlegen im AD
 
\<#
.SYNOPSIS
Create a SQL service user including all necessary AD groups and SPN rights
.DESCRIPTION
> Creates a SQL service user with a cryptic password.
Also it creates the \"SQL_All Servers_SYSADMIN\" and \"SQL_All Servers_PUBLIC\" AD group if not existing.
The service user will gain READ/WRITE access for the service principal name attribute.
The user will be added to all security Deny Zones, except \"Log on as a service\"
According to Technet the following right groups will be added, if present
\* Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
\* Bypass traverse checking (SeChangeNotifyPrivilege)
\* Create global objects (SeCreateGlobalPrivilege)
\* Impersonate a client after authentication (SeImpersonatePrivilege)
\* Lock pages in memory (SeLockMemoryPrivilege)
\* Log on as a service (SeServiceLogonRight)
\* Perform volume maintenance tasks (SeManageVolumePrivilege)
\* Replace a process-level token (SeAssignPrimaryTokenPrivilege)
> Reference: <https://technet.microsoft.com/en-us/library/ms143504(v=sql.120).aspx>
>
> Created by Fabian Bader @ QSC AG 2016
.PARAMETER InstanceName
> Specifies the name of the SQL instance to connect to without hostname
.PARAMETER Zone
Specifies the security Zone.
Valid zones are: ADM, DOM, RED, BLUE
.PARAMETER Domain
Specifies the name of the domain (optional)
Default is the current users domain.
.PARAMETER UseGroupManagedServiceAccount
If present a groupManagedServiceAccount will be created instead of a normal service account
Fully support with SQL 2016 and above
.PARAMETER Computername
Specifies the name of the computer on which SQL is installed (optional).
The ServerRightsOU will be autodiscovered if set.
Default is null.
.PARAMETER ServerRightsOU
Specifies the DN of the SQL server OU without the domain (DC=EXAMPLE,DC=COM) (optional)
e.g. \"OU=SQL,OU=SYS,OU=RIGHTS,OU=GROUPS,OU=CENTRAL\"
.PARAMETER SQLRightsOU
Specifies the DN of the SQL rights OU without the domain (DC=EXAMPLE,DC=COM) (optional)
Default is: \"OU=SQL,OU=RIGHTS,OU=GROUPS,OU=CENTRAL\"
.PARAMETER ManagementDomain
Specifies the name of the management domain (optional)
Only applies to the Pure Enterprise Cloud
Default is \'service.pure-enterprise-cloud.de\'
.PARAMETER SharePointGroups
If specified the rights groups for a sharepoint instance will be created
.EXAMPLE
.\\New-QSCSQLInstanceADObjects.ps1 -InstanceName QSCDBP01J
#\>
Param (
\[Parameter(Mandatory=\$true)\]
\[ValidateScript({
if (\$\_ -match \"\[J-Zj-z\]\$\")
{
return \$true
}
throw \"Instance name is invalid \'\$\_\'\`n\`tDoes not end with one of the following chacters J,K,L,M,N,O,P,Q,R,T,U,V,W,X,Y,Z\"
})\]
\$InstanceName,
\[Parameter(Mandatory=\$true)\]
\[ValidateSet(\"ADM\",\"DOM\",\"RED\",\"BLUE\")\]
\$Zone,
\$Domain=\$env:USERDNSDOMAIN,
 
\[switch\]\$UseGroupManagedServiceAccount,
\[ValidateScript({
if (\$\_ -match \"\^\[\\w-\]+\$\")
{
return \$true
}
throw \"Instance name is invalid\"
})\]
\$Computername,
\[ValidateScript({
if (\$\_ -notmatch \"DC=\" -and \$\_ -match \"\^OU=\")
{
return \$true
}
throw \"OU dn is invalid \'\$\_\'\"
})\]
\$ServerRightsOU=\"OU=SQL,OU=SYS,OU=RIGHTS,OU=GROUPS,OU=CENTRAL\",
 
\[ValidateScript({
if (\$\_ -notmatch \"DC=\" -and \$\_ -match \"\^OU=\")
{
return \$true
}
throw \"OU dn is invalid \'\$\_\'\"
})\]
\$SQLRightsOU=\"OU=SQL,OU=RIGHTS,OU=GROUPS,OU=CENTRAL\",
\[switch\] \$SharePointGroups,
\$ManagementDomain=\"service.pure-enterprise-cloud.de\"
)
 
.
2023-08-25 23:29:11 +02:00
\#region Import modules
Initial commit
2023-08-17 19:32:37 +02:00
If ( ! (Get-module ActiveDirectory ) ) {
Import-Module -Name ActiveDirectory -ErrorAction SilentlyContinue
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#Check domains
Initial commit
2023-08-17 19:32:37 +02:00
.
2023-08-25 23:29:11 +02:00
\#Get AD information
Initial commit
2023-08-17 19:32:37 +02:00
try {
if (!(\$ActiveDomainController)) {
> \$ActiveDomainController = Get-ADDomainController -DomainName \$Domain -Discover -ForceDiscover -Writable
>
> \$ActiveDomainController = \$ActiveDomainController.HostName\[0\]
Write-Output \"\[AD_CONTROLLER\]\`t\`tUsing discovered ADDC: \$(\$ActiveDomainController)\"
} else {
Write-Output \"\[AD_CONTROLLER\]\`t\`tUsing static ADDC: \$(\$ActiveDomainController)\"
}
\$ActiveDirectory = Get-ADDomain \$Domain -Server \$ActiveDomainController
} catch {
Write-Error \"\$Domain is not reachable\"
Exit
}
 
\$TrustedDomains = Get-ADObject -Server \$Domain -Filter {ObjectClass -eq \"trustedDomain\"} -Properties \*
if (\$TrustedDomains.trustPartner -like \$ManagementDomain) {
Write-Output \"\[AD_TRUST\]\`t\`t\`tFound management domain \$ManagementDomain in trusted domains\"
\$ManagementActiveDirectory = Get-ADDomainController -DomainName \$ManagementDomain -Discover -ForceDiscover -Writable
> \$ManagementActiveDirectory = \$ManagementActiveDirectory.HostName\[0\]
\$AddToMgmt = \$True
} else {
Write-Verbose \"\[AD_TRUST\]\`t\`t\`tManagement domain \$ManagementDomain not found in trusted domains\"
\$AddToMgmt = \$False
}
\#
 
.
2023-08-25 23:29:11 +02:00
\#Validate Sercurity Zone
Initial commit
2023-08-17 19:32:37 +02:00
try {
> Get-ADGroup -ErrorAction SilentlyContinue -Identity \"\$Zone SECURITY ZONE\" -Server \$ActiveDomainController \| Out-Null
} catch {
Write-Host -ForegroundColor Red \"The Security Zone \$Zone does not exist\" -ErrorAction SilentlyContinue
Exit
}
 
.
2023-08-25 23:29:11 +02:00
\#region Autodiscover computer OU
Initial commit
2023-08-17 19:32:37 +02:00
try {
if (\$Computername) {
> \$ComputerDN = Get-ADComputer -Filter { Name -eq \$Computername} -Server \$ActiveDomainController
>
> \$ComputerDN = \$ComputerDN.DistinguishedName -replace \"CN=\[\\w-\]+,\", \'\'
\$ComputerDN = \$ComputerDN -replace \"OU=SERVERS\",\"OU=SYS,OU=RIGHTS,OU=GROUPS\"
\$ServerRightsOU = \$ComputerDN -replace \",DC=.\*\$\", \'\'
Write-Output \"\[COMPUTER_OU\]\`t\`tUsing discovered OU: \$(\$ServerRightsOU)\"
} else {
Write-Output \"\[COMPUTER_OU\]\`t\`tUsing static OU: \$(\$ServerRightsOU)\"
}
 
} catch {
Write-Error \"\$Computername not found in \$Domain\"
Exit
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Test OUs
Initial commit
2023-08-17 19:32:37 +02:00
try {
\$ServerRightsOUDN = \"\$(\$ServerRightsOU),\$(\$ActiveDirectory.DistinguishedName)\"
Get-ADObject \$ServerRightsOUDN -Server \$ActiveDomainController \| Out-Null
Write-Output \"\[VALID_OU\]\`t\`tServer rights OU:\`t\$ServerRightsOUDN\"
} catch {
Write-Error \"Could not find \$ServerRightsOUDN\"
Exit
}
try {
\$SQLRightsOUDN = \"\$(\$SQLRightsOU),\$(\$ActiveDirectory.DistinguishedName)\"
Get-ADObject \$SQLRightsOUDN -Server \$ActiveDomainController \| Out-Null
Write-Output \"\[VALID_OU\]\`t\`tSQL rights OU:\`t\`t\$SQLRightsOUDN\"
} catch {
Write-Error \"Could not find \$SQLRightsOUDN\"
Exit
}
if (\$UseGroupManagedServiceAccount.IsPresent) {
\$gMSARightsOU=\"OU=GMSA,OU=RIGHTS,OU=GROUPS,OU=CENTRAL,\$(\$ActiveDirectory.DistinguishedName)\"
try {
Get-ADObject \$gMSARightsOU -Server \$ActiveDomainController \| Out-Null
Write-Output \"\[VALID_OU\]\`t\`tGMSA rights OU:\`t\`t\$gMSARightsOU\"
} catch {
Write-Warning \"Could not find \$gMSARightsOU\"
Exit
}
 
\$gMSAOU=\"CN=Managed Service Accounts,\$(\$ActiveDirectory.DistinguishedName)\"
try {
Get-ADObject \$gMSAOU -Server \$ActiveDomainController \| Out-Null
Write-Output \"\[VALID_OU\]\`t\`tGMSA OU:\`t\`t\$gMSAOU\"
} catch {
Write-Warning \"Could not find \$gMSAOU\"
Exit
}
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Create global groups
Initial commit
2023-08-17 19:32:37 +02:00
\$GlobalGroups = @(\"SQL_All Servers_SYSADMIN\",\"SQL_All Servers_PUBLIC\")
foreach (\$GroupName in \$GlobalGroups) {
\$SecurityGroup = Get-ADGroup -Filter { Name -eq \$GroupName } -Server \$ActiveDomainController
if ( (\$SecurityGroup \| Measure-Object).Count -ne 0 ) {
Write-Output \"\[GLOBAL_GROUP\]\`t\`t\`\'\$GroupName\`\' already exists\"
\$GroupNesting=\$false
} else {
try {
New-ADGroup -Name \$GroupName -GroupCategory Security -GroupScope DomainLocal -Path \$SQLRightsOUDN -Description \"Global SQL rights group\" -Server \$ActiveDomainController -EA Stop
Write-Output \"\[GLOBAL_GROUP\]\`t\`t\`\'\$GroupName\`\' created\"
\$GroupNesting=\$true
} catch {
Write-Warning \"\[GLOBAL_GROUP\]\`t\`tFailed to create \`\'\$GroupName\`\'.\`tError: \$(\$(\$\_.Exception).Message)\"
Exit
}
}
.
2023-08-25 23:29:11 +02:00
\#region Nest the global groups from the management domain
Initial commit
2023-08-17 19:32:37 +02:00
if (\$AddToMgmt) {
try {
\# Add management group to local group to allow join computer to domain
\$ManagementDomainGroup = \$GroupName -replace \"SQL\_\", \"SQL_CUSTOMER\_\"
\$ManagementDomainGroup = Get-ADGroup \$ManagementDomainGroup -Server \$ManagementActiveDirectory
Add-ADGroupMember \$GroupName -Members \$ManagementDomainGroup -Server \$ActiveDomainController
Write-Output \"\[AddADGroupMember\]\`tAdded \`\"\$ManagementDomainGroup\`\" to \`\"\$GroupName\`\"\"
} catch {
Write-Warning \"\[AddADGroupMember\]\`tCould not add \`\"\$ManagementDomainGroup\`\" Failed for \`\"\$GroupName\`\"\`n\`tError: \$(\$(\$\_.Exception).Message)\"
}
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Create the necessary AD groups
Initial commit
2023-08-17 19:32:37 +02:00
if (\$SharePointGroups.IsPresent) {
\$SQLSuffixes=\"DBCREATOR\",\"SECURITYADMIN\",\"SYSADMIN\",\"MSDB-SQLAgentOperator\", \"MODEL-db_datareader\", \"MASTER-Brent_Tools_Execute\", \"MODEL-db_owner\", \"View-Server-State\", \"PROCESSADMIN\", \"VIEW-ANY-DATABASE\", \"MODEL-db_backupoperator\", \"ALTER-ANY-AVAILABILITY-GROUP\",\"MSDB-sp_delete_database_backuphistory_Exec\",\"MASTER-DBAExecuteRole_sp_changedbowner\"
} else {
\$SQLSuffixes=\"DBCREATOR\",\"DBO\",\"EDIT\",\"READ\",\"SECURITYADMIN\",\"SERVERADMIN\",\"SYSADMIN\"
}
foreach (\$SQLSuffix in \$SQLSuffixes) {
try {
New-ADGroup -Path \$SQLRightsOUDN -Name \"SQL\_\$(\$InstanceName)\_\$(\$SQLSuffix)\" -Description \"SQL Instance: \$InstanceName\" -GroupScope DomainLocal -GroupCategory Security -Server \$ActiveDomainController
Write-Output \"\[NEWADGROUP\]\`t\`tCreated AD Group SQL\_\$(\$InstanceName)\_\$(\$SQLSuffix)\"
} catch {
Write-Warning \"\[NEWADGROUP\]\`t\`tCould not create AD Group SQL\_\$(\$InstanceName)\_\$(\$SQLSuffix)\"
}
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Variables for user GMSA group
Initial commit
2023-08-17 19:32:37 +02:00
if (\$UseGroupManagedServiceAccount.IsPresent) {
\$Username = \"svc\_\$(\$InstanceName)\"
\# Maximum of 15 characters
\$Username = \$Username.Substring(0,\[System.Math\]::Min(15, \$Username.Length))
} else {
\$Username = \"svc\_\$(\$InstanceName)\_SQL\"
\$DisplayName = \"\$(\$InstanceName)\_SQL Service\"
\# Maximum of 20 characters
\$Username = \$Username.Substring(0,\[System.Math\]::Min(20, \$Username.Length))
}
\# Rights Group
\$GroupName = \"GMSA\_\$(\$Username)\"
\$Description = \"Serviceuser for SQL instance: \$InstanceName\"
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region GMSA rights group and members
Initial commit
2023-08-17 19:32:37 +02:00
if (\$UseGroupManagedServiceAccount.IsPresent) {
try {
\$SecurityGroup = Get-ADGroup -Filter { Name -eq \$GroupName } -Server \$ActiveDomainController
if ( (\$SecurityGroup \| Measure-Object).Count -ne 0 ) {
Write-Output \"\[NEWADGROUP\]\`t\`t\$GroupName already exists\"
} else {
New-ADGroup -Name \$GroupName -GroupCategory Security -GroupScope DomainLocal -Path \$gMSARightsOU -Description \"Permission to use group managed service account \$UserName\" -Server \$ActiveDomainController
\$SecurityGroup = Get-ADGroup -Filter { Name -like \$GroupName } -Server \$ActiveDomainController
Write-Output \"\[NEWADGROUP\]\`t\`tCreated AD Group \$(\$GroupName)\"
}
} catch {
Write-Error \"\[NEWGROUP\]\`t\`tCould not create \$(\$GroupName). Error: \$(\$(\$\_.Exception).Message)\"
Exit
}
\# Add computers objects to GMSA Rights group
\# Build searchfilter
\$Filter = \$InstanceName -replace \"\\w\$\",\'\*\'
Write-Verbose \"\[AddADGroupMember\]\`tSearchfilter: \$Filter\"
\$Computers = Get-ADComputer -Filter { Name -like \$Filter} -Server \$ActiveDomainController \| Where-Object { \$\_.Name -match \"\^\\w+\\d+\[\\d\\w\]\$\"}
if ( \$Computers ) {
if (\$Computers -is \[system.array\]) {
Write-Verbose \"\[AddADGroupMember\]\`tComputers found: \$(\$Computers.Count)\"
foreach (\$Computer in \$Computers) {
try {
Add-ADGroupMember \$GroupName -Members \$Computer.DistinguishedName -Server \$ActiveDomainController
Write-Output \"\[AddADGroupMember\]\`tAdded \`\"\$(\$Computer.DNSHostName)\`\" to \`\"\$GroupName\`\"\"
} catch {
Write-Warning \"\[AddADGroupMember\]\`tCould not add \`\"\$(\$Computer.DNSHostName)\`\" Failed for \`\"\$GroupName\`\"\`n\`tError: \$(\$(\$\_.Exception).Message)\"
}
}
} else {
Write-Verbose \"\[AddADGroupMember\]\`tComputers found: 1\"
try {
Add-ADGroupMember \$GroupName -Members \$Computers.DistinguishedName -Server \$ActiveDomainController
Write-Output \"\[AddADGroupMember\]\`tAdded \`\"\$(\$Computers.DNSHostName)\`\" to \`\"\$GroupName\`\"\"
} catch {
Write-Warning \"\[AddADGroupMember\]\`tCould not add \`\"\$(\$Computers.DNSHostName)\`\" Failed for \`\"\$GroupName\`\"\`n\`tError: \$(\$(\$\_.Exception).Message)\"
}
}
} else {
Write-Warning \"\[AddADGroupMember\]\`tFound no computers to add to \`\"\$GroupName\`\"\"
}
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Create Serviceuser
Initial commit
2023-08-17 19:32:37 +02:00
try {
if (\$UseGroupManagedServiceAccount.IsPresent) {
New-ADServiceAccount -name \$Username -DNSHostName \"\$(\$ActiveDirectory.DNSRoot)\" -PrincipalsAllowedToRetrieveManagedPassword \$GroupName -Server \$ActiveDomainController
Write-Output \"\[NEWADUSER\]\`t\`tGroupManagedServiceAccount created:\`t\`\"\$Username\`\"\"
} else {
\$UserPath = \"OU=SVC,OU=ACCOUNTS,OU=CENTRAL,\$(\$ActiveDirectory.DistinguishedName)\"
\# Add assembly to generate random password
Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue
\# Generate random password with 25 characters and 3 non alphanumeric characters
\$Password = \[System.Web.Security.Membership\]::GeneratePassword(25,3)
New-ADUser -Name \$Username -UserPrincipalName \"\$(\$Username)@\$(\$ActiveDirectory.DNSRoot)\" -SamAccountName \$Username -DisplayName \$DisplayName -AccountPassword (\$Password \| ConvertTo-SecureString -AsPlainText -Force) -Description \$Description -Enabled:\$true -Path \$UserPath -PasswordNeverExpires \$true -Server \$ActiveDomainController
Write-Output \"\[NEWADUSER\]\`t\`tUser created:\`t\`\"\$Username\`\"\"
Write-Output \"\[NEWADUSER\]\`t\`tGenerated password:\`t\$Password\"
}
} catch {
Write-Error \"\[NEWADUSER\]\`t\`tFailed. Error: \$(\$(\$\_.Exception).Message)\"
Exit
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region
Initial commit
2023-08-17 19:32:37 +02:00
try {
\$UserObject = Get-ADObject -Filter { name -eq \$UserName } -Server \$ActiveDomainController
\$UserObject \| Set-ADObject -Replace \@{\"msDS-SupportedEncryptionTypes\" = \'24\'} -Server \$ActiveDomainController
Write-Output \"\[MODUSER\]\`t\`tDisabled RC4 for \$Username\"
} catch {
Write-Error \"\[MODUSER\]\`t\`tFailed. Error: \$(\$(\$\_.Exception).Message)\"
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Add serviceuser to right groups
Initial commit
2023-08-17 19:32:37 +02:00
\$PrivilegeRights = @(
\"Adjust memory quotas for a Process\",
\"Bypass traverse checking\",
\"Create global objects\",
\"Impersonate a client after authentication\",
\"Lock pages in memory\"
\"Log on as a service\",
\"Perform volume maintenance tasks\",
\"Replace a process level token\"
)
\$ADRightsGroups = Get-ADObject -SearchBase \$ServerRightsOUDN -SearchScope OneLevel -Filter { ObjectClass -eq \"Group\" } -Server \$ActiveDomainController
foreach (\$ADRightsGroup in \$ADRightsGroups) {
if (\$PrivilegeRights -match (\$ADRightsGroup.Name -replace \"SYS\_.\[\^ \]\* \",\'\') ) {
try {
Add-ADGroupMember \$ADRightsGroup.Name -Members \$UserObject -Server \$ActiveDomainController
Write-Output \"\[GROUPMEMBER\]\`t\`tAdded user \`\'\$Username\`\' to \`\'\$(\$ADRightsGroup.Name)\`\'.\"
} catch {
Write-Warning \"\[GROUPMEMBER\]\`t\`tFailed to add user to \`\'\$(\$ADRightsGroup.Name)\`\'. Error: \$(\$(\$\_.Exception).Message)\"
}
}
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Add serviceuser to Zone group and Deny groups
Initial commit
2023-08-17 19:32:37 +02:00
try {
\$SearchFilter = \"SYS\_\$(\$Zone) Deny\*\"
\$DenyGroups = Get-ADGroup -Filter {Name -like \$SearchFilter}
\$SearchFilter = \"SYS\_\$(\$Zone) Deny log on as a service\"
\$DenyGroups = \$DenyGroups \| Where-Object { \$\_.Name -notlike \$SearchFilter}
\$SecurityZoneGroup = Get-ADGroup -ErrorAction SilentlyContinue -Identity \"\$Zone SECURITY ZONE\" -Server \$ActiveDomainController
} catch {
Write-Warning \"\[DENY_GROUPS\]\`t\`t\`tCould not find Deny groups for \$(\$Zone) Security Zone\"
}
foreach (\$DenyGroup in \$DenyGroups) {
try {
Add-ADGroupMember \$DenyGroup.Name -Members \$UserObject -Server \$ActiveDomainController
Write-Output \"\[GROUPMEMBER\]\`t\`tAdded user \`\'\$Username\`\' to \`\'\$(\$DenyGroup.Name)\`\'.\"
} catch {
Write-Warning \"\[GROUPMEMBER\]\`t\`tFailed to add user to \`\'\$(\$DenyGroup.Name)\`\'. Error: \$(\$(\$\_.Exception).Message)\"
}
}
try {
Add-ADGroupMember \$SecurityZoneGroup.Name -Members \$UserObject -Server \$ActiveDomainController
Write-Output \"\[GROUPMEMBER\]\`t\`tAdded user \`\'\$Username\`\' to \`\'\$(\$SecurityZoneGroup.Name)\`\'.\"
} catch {
Write-Warning \"\[GROUPMEMBER\]\`t\`tFailed to add user to \`\'\$(\$SecurityZoneGroup.Name)\`\'. Error: \$(\$(\$\_.Exception).Message)\"
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Initial commit
2023-08-17 19:32:37 +02:00
 
.
2023-08-25 23:29:11 +02:00
\#region Set read/write for attribute serviceprincipalname to the service account
Initial commit
2023-08-17 19:32:37 +02:00
try {
.
2023-08-25 23:29:11 +02:00
\#NT AUTHORITY\\SELF
Initial commit
2023-08-17 19:32:37 +02:00
\$IdentityReference = New-Object System.Security.Principal.SecurityIdentifier (\'S-1-5-10\')
.
2023-08-25 23:29:11 +02:00
\#ValidatedSPN
Initial commit
2023-08-17 19:32:37 +02:00
\$ObjectType = New-Object -TypeName GUID -ArgumentList \'f3a64788-5306-11d1-a9c5-0000f80367c1\'
\$InheritedObjectType = New-Object -TypeName GUID -ArgumentList \'00000000-0000-0000-0000-000000000000\'
\$AccessControlType = \"Allow\"
\$Inherit = \'None\'
\$ActiveDirectoryRights = \'ReadProperty, WriteProperty\'
\$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(\$IdentityReference,\$ActiveDirectoryRights,\$AccessControlType,\$ObjectType,\$Inherit,\$InheritedObjectType)
 
\$DN = \$UserObject.DistinguishedName
\$ADSI = \[ADSI\]\"LDAP://\$ActiveDomainController/\$DN\"
\$ADSI.psbase.ObjectSecurity.AddAccessRule(\$ACE)
\$ADSI.psbase.commitchanges()
Write-Output \"\[SETSPNRIGHT\]\`t\`tREAD/WRITE access for attribute serviceprincipalname set successfully for SELF on \`\'\$Username\`\'\"
} catch {
Write-Warning \"\[GROUPMEMBER\]\`t\`tFailed to set rights for serviceprincipalname on \`\'\$Username\`\'. Error: \$(\$(\$\_.Exception).Message)\"
}
.
2023-08-25 23:29:11 +02:00
\#endregion
Reference in New Issue Copy Permalink