Fix usercreation;Fix GPO

2021-03-12 14:55:04 +01:00 · 2021-03-12 14:55:04 +01:00 · a578ec5ae5
parent a1b63ef568
commit a578ec5ae5
3 changed files with 22 additions and 12 deletions
--- a/scripts/ADDS/payload/scripts/03.Users.ps1
+++ b/scripts/ADDS/payload/scripts/03.Users.ps1
@ -35,13 +35,17 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
    }

    ForEach ($User in $Entries.Users) {
+        $UserName = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
+        $SanitizedUPN = ($UserName -replace "[^a-zA-Z0-9'\.-_!#\^~]").Trim('.')
+
        # Create new user
        $NewADUserSplat = @{
-            Name            = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
-            Path            = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
-            AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force
-            PassThru        = $True
-            ErrorAction     = 'SilentlyContinue'
+            Name              = $UserName
+            UserPrincipleName = "$($SanitizedUPN)@$((Get-ADDomain).DNSRoot)"
+            Path              = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
+            AccountPassword   = ConvertTo-SecureString $User.Password -AsPlainText -Force
+            PassThru          = $True
+            ErrorAction       = 'SilentlyContinue'
        }
        $NewADUser = New-ADUser @NewADUserSplat
        # Add user to group(s)
--- a/scripts/ADDS/payload/scripts/03.Users.yml
+++ b/scripts/ADDS/payload/scripts/03.Users.yml
@ -6,7 +6,7 @@ Users:
  Password: "{{ password.johndoe }}"
  MemberOf: []
 - DistinguishedName: CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts
-  Password: "{{ password.amdjaned }}"
+  Password: "{{ password.admjaned }}"
  MemberOf: []
 - DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
  Password: "{{ password.zzldap }}"
@ -20,9 +20,9 @@ Variables:
 - Name: password.johndoe
  Expression: |
    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'johndoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
- Name: password.amdjaned
+- Name: password.admjaned
  Expression: |
-    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'amdjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'admjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.zzldap
  Expression: |
    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'zzldap' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
--- a/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable
+++ b/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable
@ -1,9 +1,15 @@
-Name: 'COMP: Loopback processing (Merge)'
+Name: 'COMP: Disable Server Manager at Logon'
 Type: Object
-LinkedOUs: OU=Servers,OU=Computer accounts
+LinkedOUs:
+- OU=Servers,OU=Computer accounts
+- OU=Domain Controllers
 WMIFilters: []
 RegistryEntries:
- Key: HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager
+- Key: HKLM\Software\Microsoft\ServerManager
  Type: Dword
-  ValueName: DoNotOpenAtLogon
+  ValueName: DoNotOpenAtServerManagerAtLogon
+  Value: 1
+- Key: HKLM\Software\Microsoft\ServerManager
+  Type: Dword
+  ValueName: DoNotPopWACConsoleAtSMLaunch
  Value: 1