Fix usercreation;Fix GPO

scripts/ADDS/payload/scripts/03.Users.ps1

@@ -35,13 +35,17 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
     }
 
     ForEach ($User in $Entries.Users) {
+        $UserName = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
+        $SanitizedUPN = ($UserName -replace "[^a-zA-Z0-9'\.-_!#\^~]").Trim('.')
+
         # Create new user
         $NewADUserSplat = @{
-            Name            = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
+            Name              = $UserName
-            Path            = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
+            UserPrincipleName = "$($SanitizedUPN)@$((Get-ADDomain).DNSRoot)"
-            AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force
+            Path              = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
-            PassThru        = $True
+            AccountPassword   = ConvertTo-SecureString $User.Password -AsPlainText -Force
-            ErrorAction     = 'SilentlyContinue'
+            PassThru          = $True
+            ErrorAction       = 'SilentlyContinue'
         }
         $NewADUser = New-ADUser @NewADUserSplat
         # Add user to group(s)

scripts/ADDS/payload/scripts/03.Users.yml

@@ -6,7 +6,7 @@ Users:
   Password: "{{ password.johndoe }}"
   MemberOf: []
 - DistinguishedName: CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts
-  Password: "{{ password.amdjaned }}"
+  Password: "{{ password.admjaned }}"
   MemberOf: []
 - DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
   Password: "{{ password.zzldap }}"
@@ -20,9 +20,9 @@ Variables:
 - Name: password.johndoe
   Expression: |
     & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'johndoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
-- Name: password.amdjaned
+- Name: password.admjaned
   Expression: |
-    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'amdjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+    & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'admjaned' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
 - Name: password.zzldap
   Expression: |
     & ".\Provision-VaultPassword.ps1" -VaultSecret $Parameter['vault.secret'] -Username 'zzldap' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']

scripts/ADDS/payload/scripts/11.GPO+GPP.Disable Server Manager.yml

@@ -1,9 +1,15 @@
-Name: 'COMP: Loopback processing (Merge)'
+Name: 'COMP: Disable Server Manager at Logon'
 Type: Object
-LinkedOUs: OU=Servers,OU=Computer accounts
+LinkedOUs:
+- OU=Servers,OU=Computer accounts
+- OU=Domain Controllers
 WMIFilters: []
 RegistryEntries:
-- Key: HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager
+- Key: HKLM\Software\Microsoft\ServerManager
   Type: Dword
-  ValueName: DoNotOpenAtLogon
+  ValueName: DoNotOpenAtServerManagerAtLogon
+  Value: 1
+- Key: HKLM\Software\Microsoft\ServerManager
+  Type: Dword
+  ValueName: DoNotPopWACConsoleAtSMLaunch
   Value: 1