From a578ec5ae5f99e120d0bf3d8bb73d67c91c3f4f5 Mon Sep 17 00:00:00 2001 From: djpbessems Date: Fri, 12 Mar 2021 14:55:04 +0100 Subject: [PATCH] Fix usercreation;Fix GPO --- scripts/ADDS/payload/scripts/03.Users.ps1 | 14 +++++++++----- scripts/ADDS/payload/scripts/03.Users.yml | 6 +++--- .../scripts/11.GPO+GPP.Disable Server Manager.yml | 14 ++++++++++---- 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/scripts/ADDS/payload/scripts/03.Users.ps1 b/scripts/ADDS/payload/scripts/03.Users.ps1 index a5167c2..f608cf6 100644 --- a/scripts/ADDS/payload/scripts/03.Users.ps1 +++ b/scripts/ADDS/payload/scripts/03.Users.ps1 @@ -35,13 +35,17 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) { } ForEach ($User in $Entries.Users) { + $UserName = ($User.DistinguishedName -split ',', 2)[0].Substring(3) + $SanitizedUPN = ($UserName -replace "[^a-zA-Z0-9'\.-_!#\^~]").Trim('.') + # Create new user $NewADUserSplat = @{ - Name = ($User.DistinguishedName -split ',', 2)[0].Substring(3) - Path = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext) - AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force - PassThru = $True - ErrorAction = 'SilentlyContinue' + Name = $UserName + UserPrincipleName = "$($SanitizedUPN)@$((Get-ADDomain).DNSRoot)" + Path = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext) + AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force + PassThru = $True + ErrorAction = 'SilentlyContinue' } $NewADUser = New-ADUser @NewADUserSplat # Add user to group(s) diff --git a/scripts/ADDS/payload/scripts/03.Users.yml b/scripts/ADDS/payload/scripts/03.Users.yml index 10fd71b..bb03c21 100644 --- a/scripts/ADDS/payload/scripts/03.Users.yml +++ b/scripts/ADDS/payload/scripts/03.Users.yml 
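Review bot: The new splat key `UserPrincipleName` misspells New-ADUser's `-UserPrincipalName` parameter, so parameter binding fails for every user in the loop and no account is created; `ErrorAction = 'SilentlyContinue'` does not make that succeed, it only means the failure is not surfaced, and `$NewADUser` is then `$null` for the group-membership code that follows — change the key to `UserPrincipalName = "$($SanitizedUPN)@$((Get-ADDomain).DNSRoot)"`. The sanitizer regex `[^a-zA-Z0-9'\.-_!#\^~]` also does not do what the comment-free line suggests: inside a character class `\.-_` is a range from `.` (0x2E) to `_` (0x5F), which lets `/`, `:`, `@`, `[`, `\`, `]` and `^` through, so a CN containing an `@` or a backslash still ends up in the UPN local part; put the hyphen last, `[^a-zA-Z0-9'\.!#\^~_-]`, so only the intended `.`, `-` and `_` are kept. Since the UPN is now derived from the CN, two entries whose CNs differ only in stripped characters would collide on UPN and the second create would fail silently — worth a `$null` check on `$NewADUser` before the group code. The ForEach body continues past the end of this hunk.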
@@ -6,7 +6,7 @@ Users:
 Password: "{{ password.johndoe }}"
 MemberOf: []
 - DistinguishedName: CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts
- Password: "{{ password.amdjaned }}"
+ Password: "{{ password.admjaned }}"
 MemberOf: []
 - DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
 Password: "{{ password.zzldap }}"
@@ -20,9 +20,9 @@ Variables:
 - Name: password.johndoe
 Expression: |
 & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'johndoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
-- Name: password.amdjaned
+- Name: password.admjaned
 Expression: |
- & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'amdjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+ & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'admjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.zzldap
 Expression: |
 & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'zzldap' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
diff --git a/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable Server Manager.yml b/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable Server Manager.yml
index d53d716..e48f1e0 100644
--- a/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable Server Manager.yml
+++ b/scripts/ADDS/payload/scripts/11.GPO+GPP.Disable Server Manager.yml
@@ -1,9 +1,15 @@
-Name: 'COMP: Loopback processing (Merge)'
+Name: 'COMP: Disable Server Manager at Logon'
 Type: Object
-LinkedOUs: OU=Servers,OU=Computer accounts
+LinkedOUs:
+- OU=Servers,OU=Computer accounts
+- OU=Domain Controllers
 WMIFilters: []
 RegistryEntries:
-- Key: HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager
+- Key: HKLM\Software\Microsoft\ServerManager
 Type: Dword
- ValueName: DoNotOpenAtLogon
+ ValueName: DoNotOpenAtServerManagerAtLogon
+ Value: 1
+- Key: HKLM\Software\Microsoft\ServerManager
+ Type: Dword
+ ValueName: DoNotPopWACConsoleAtSMLaunch
 Value: 1
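Review bot: The value name `DoNotOpenAtServerManagerAtLogon` on the first new registry entry looks like a typo of the documented `DoNotOpenServerManagerAtLogon` (no `At` before `ServerManager`); Windows simply ignores an unknown value, so the preference would be written yet Server Manager would still open at logon — verify on a server and change the line to `ValueName: DoNotOpenServerManagerAtLogon`. Note also that the commit swaps the removed `HKLM\Software\Policies\...\ServerManager\DoNotOpenAtLogon` policy value for a plain `HKLM\Software\Microsoft\ServerManager` preference, which a local administrator can flip back; if the goal on the newly linked `OU=Domain Controllers` is an enforced setting, keep the Policies entry alongside the new ones rather than replacing it. The second entry's `DoNotPopWACConsoleAtSMLaunch` appears to match the documented value name and needs no change.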