Eliminate .csv's; Draft dynamic pw provisioning
parent
2244bea32a
commit
b6c7475673
@ -1,16 +0,0 @@
|
|||||||
"DistinguishedName","Description"
|
|
||||||
"OU=Computer accounts",""
|
|
||||||
"OU=Clients,OU=Computer accounts",""
|
|
||||||
"OU=Desktops,OU=Clients,OU=Computer accounts",""
|
|
||||||
"OU=Laptops,OU=Clients,OU=Computer accounts",""
|
|
||||||
"OU=Servers,OU=Computer accounts",""
|
|
||||||
"OU=Groups",""
|
|
||||||
"OU=Resources,OU=Groups",""
|
|
||||||
"OU=Roles,OU=Groups",""
|
|
||||||
"OU=User accounts",""
|
|
||||||
"OU=Privileged,OU=User accounts",""
|
|
||||||
"OU=Administrators,OU=Privileged,OU=User accounts",""
|
|
||||||
"OU=Service accounts,OU=Privileged,OU=User accounts",""
|
|
||||||
"OU=Non-privileged,OU=User accounts",""
|
|
||||||
"OU=Employees,OU=Non-privileged,OU=User accounts",""
|
|
||||||
"OU=Contractors,OU=Non-privileged,OU=User accounts",""
|
|
|
@ -7,11 +7,34 @@ Param(
|
|||||||
# Only executed on primary or standalone Domain Controller
|
# Only executed on primary or standalone Domain Controller
|
||||||
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
||||||
$GetContentSplat = @{
|
$GetContentSplat = @{
|
||||||
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv")
|
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
|
||||||
|
Raw = $True
|
||||||
}
|
}
|
||||||
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv
|
$RawContent = Get-Content @GetContentSplat
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
|
||||||
ForEach ($OU in $CSVImport) {
|
# Check if the respective .yml file declared substitutions which need to be parsed
|
||||||
|
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
|
||||||
|
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
|
||||||
|
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
|
||||||
|
}
|
||||||
|
# Perform conversion to Yaml again, now with parsed file contents
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
|
||||||
|
}
|
||||||
|
Else {
|
||||||
|
$Entries = $YamlDocuments
|
||||||
|
}
|
||||||
|
|
||||||
|
ForEach ($OU in $Entries.OrganizationalUnits) {
|
||||||
$OUName, $OUPath = $OU.DistinguishedName -split ',', 2
|
$OUName, $OUPath = $OU.DistinguishedName -split ',', 2
|
||||||
If ($OUPath.Length -ne 0) {
|
If ($OUPath.Length -ne 0) {
|
||||||
$OUPath += ','
|
$OUPath += ','
|
||||||
@ -19,7 +42,7 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
|||||||
|
|
||||||
$NewADOrganizationalUnitSplat = @{
|
$NewADOrganizationalUnitSplat = @{
|
||||||
Name = $OUName.Substring(3)
|
Name = $OUName.Substring(3)
|
||||||
Path = $OUPath + 'DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
|
Path = $OUPath + (Get-ADRootDSE).rootDomainNamingContext
|
||||||
Description = $OU.Description
|
Description = $OU.Description
|
||||||
ProtectedFromAccidentalDeletion = $False
|
ProtectedFromAccidentalDeletion = $False
|
||||||
ErrorAction = 'SilentlyContinue'
|
ErrorAction = 'SilentlyContinue'
|
||||||
|
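Review bot: The substitution loop added in the first hunk (`Invoke-Expression -Command $Pattern.Expression`) runs whatever string the `Variables` document of the .yml supplies, with the privileges of the account provisioning the domain controller, so the payload file becomes an execution path rather than plain data; if values really must be computed, constrain them to a fixed set of known resolvers (a lookup table keyed by `$Pattern.Name`) and log which expressions were evaluated. The same loop builds its regex from the unescaped name and hands the resolved value straight to `-replace`, so a name such as `password.janedoe` matches any character at the dot and a value containing `$` is reinterpreted as a substitution token (`$1` is the captured name here); use `"\{\{ $([regex]::Escape($Pattern.Name)) \}\}"` for the pattern and `.Replace('$', '$$')` on the value. The value is also spliced into YAML text without quoting, so characters like `"` or `#` in a secret may break the second `ConvertFrom-Yaml`. `$YamlDocuments` is not wrapped in `@()`; if a single document is unrolled to a hashtable, `.Count` becomes its key count and `[-1]` a key lookup, presumably harmless for these files but worth pinning down. 02.Groups.ps1 and 03.Users.ps1 carry the identical block.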
33
scripts/ADDS/payload/scripts/01.Organizational units.yml
Normal file
33
scripts/ADDS/payload/scripts/01.Organizational units.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
OrganizationalUnits:
|
||||||
|
- DistinguishedName: OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Clients,OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Desktops,OU=Clients,OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Servers,OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
|
|
||||||
|
- DistinguishedName: OU=Groups
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Resources,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Roles,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
|
||||||
|
- DistinguishedName: OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Privileged,OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Administrators,OU=Privileged,OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Service accounts,OU=Privileged,OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Non-privileged,OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Employees,OU=Non-privileged,OU=User accounts
|
||||||
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Contractors,OU=Non-privileged,OU=User accounts
|
||||||
|
Description: ''
|
@ -1,6 +0,0 @@
|
|||||||
"DistinguishedName","Description"
|
|
||||||
"CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups",""
|
|
||||||
"CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups",""
|
|
||||||
"CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups",""
|
|
||||||
"CN=Hypervisor administrators,OU=Roles,OU=Groups",""
|
|
||||||
"CN=Firewall administrators,OU=Roles,OU=Groups",""
|
|
|
@ -7,19 +7,54 @@ Param(
|
|||||||
# Only executed on primary or standalone Domain Controller
|
# Only executed on primary or standalone Domain Controller
|
||||||
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
||||||
$GetContentSplat = @{
|
$GetContentSplat = @{
|
||||||
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv")
|
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
|
||||||
|
Raw = $True
|
||||||
}
|
}
|
||||||
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv
|
$RawContent = Get-Content @GetContentSplat
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
|
||||||
ForEach ($Group in $CSVImport) {
|
# Check if the respective .yml file declared substitutions which need to be parsed
|
||||||
|
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
|
||||||
|
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
|
||||||
|
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
|
||||||
|
}
|
||||||
|
# Perform conversion to Yaml again, now with parsed file contents
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
|
||||||
|
}
|
||||||
|
Else {
|
||||||
|
$Entries = $YamlDocuments
|
||||||
|
}
|
||||||
|
|
||||||
|
ForEach ($Group in $Entries.SecurityGroups) {
|
||||||
$NewADGroupSplat = @{
|
$NewADGroupSplat = @{
|
||||||
Name = ($Group.DistinguishedName -split ',', 2)[0].Substring(3)
|
Name = ($Group.DistinguishedName -split ',', 2)[0].Substring(3)
|
||||||
Path = ($Group.DistinguishedName -split ',', 2)[1] + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
|
Path = ($Group.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
|
||||||
Description = $Group.Description
|
Description = $Group.Description
|
||||||
GroupCategory = 'Security'
|
GroupCategory = 'Security'
|
||||||
GroupScope = 'Global'
|
GroupScope = $Group.Scope
|
||||||
|
PassThru = $True
|
||||||
ErrorAction = 'SilentlyContinue'
|
ErrorAction = 'SilentlyContinue'
|
||||||
}
|
}
|
||||||
New-ADGroup @NewADGroupSplat
|
$NewADGroup = New-ADGroup @NewADGroupSplat
|
||||||
|
|
||||||
|
If ([boolean]$Group.MemberOf) {
|
||||||
|
ForEach ($ParentGroup in $Group.MemberOf) {
|
||||||
|
$AddADGroupMemberSplat = @{
|
||||||
|
Identity = $ParentGroup + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
|
||||||
|
Members = $NewADGroup.DistinguishedName
|
||||||
|
ErrorAction = 'SilentlyContinue'
|
||||||
|
}
|
||||||
|
Add-ADGroupMember @AddADGroupMemberSplat
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
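Review bot: The new `MemberOf` block relies on `$NewADGroup` from a `New-ADGroup` call that has `ErrorAction = 'SilentlyContinue'`, so on a re-run where the group already exists `$NewADGroup` is `$null`, `Members` is empty and the nesting is never applied; fall back to a lookup, e.g. `If (-not $NewADGroup) { $NewADGroup = Get-ADGroup -Identity ($Group.DistinguishedName + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)) -ErrorAction SilentlyContinue }` before the `If ([boolean]$Group.MemberOf)`. `GroupScope = $Group.Scope` drops the former `'Global'` default, so an entry without `Scope:` now passes `$null` and the creation fails without any message; `GroupScope = If ($Group.Scope) { $Group.Scope } Else { 'Global' }` keeps the old behaviour. `(Get-ADRootDSE).rootDomainNamingContext` is queried once per group and again per parent; reading it once above the loop would also make the DN construction easier to follow.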
28
scripts/ADDS/payload/scripts/02.Groups.yml
Normal file
28
scripts/ADDS/payload/scripts/02.Groups.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
SecurityGroups:
|
||||||
|
# Role groups
|
||||||
|
- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
Scope: 'Global'
|
||||||
|
MemberOf: []
|
||||||
|
- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
Scope: 'Global'
|
||||||
|
MemberOf: []
|
||||||
|
|
||||||
|
# Resource groups
|
||||||
|
- DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
Scope: 'DomainLocal'
|
||||||
|
MemberOf:
|
||||||
|
- CN=Hypervisor administrators,OU=Roles,OU=Groups
|
||||||
|
- CN=Firewall administrators,OU=Roles,OU=Groups
|
||||||
|
- DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
Scope: 'DomainLocal'
|
||||||
|
MemberOf:
|
||||||
|
- CN=Hypervisor administrators,OU=Roles,OU=Groups
|
||||||
|
- DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
|
||||||
|
Description: ''
|
||||||
|
Scope: 'DomainLocal'
|
||||||
|
MemberOf:
|
||||||
|
- CN=Hypervisor administrators,OU=Roles,OU=Groups
|
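Review bot: The `MemberOf` entries under the resource groups reference role groups by DN fragment, and since 02.Groups.ps1 appears to create groups in file order, a parent listed below its child would not exist yet when `Add-ADGroupMember` runs. A header comment such as `# Groups referenced in MemberOf must be declared above the group that references them` would make that ordering constraint explicit.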
@ -1,5 +0,0 @@
|
|||||||
"DistinguishedName","Password","MemberOf"
|
|
||||||
"CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts","Complex42!",""
|
|
||||||
"CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts","Complex42!",""
|
|
||||||
"CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts","Complex42!",""
|
|
||||||
"CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts","Complex42!",""
|
|
|
@ -7,25 +7,48 @@ Param(
|
|||||||
# Only executed on primary or standalone Domain Controller
|
# Only executed on primary or standalone Domain Controller
|
||||||
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
||||||
$GetContentSplat = @{
|
$GetContentSplat = @{
|
||||||
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv")
|
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
|
||||||
|
Raw = $True
|
||||||
}
|
}
|
||||||
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv
|
$RawContent = Get-Content @GetContentSplat
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
|
||||||
ForEach ($User in $CSVImport) {
|
# Check if the respective .yml file declared substitutions which need to be parsed
|
||||||
|
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
|
||||||
|
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
|
||||||
|
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
|
||||||
|
}
|
||||||
|
# Perform conversion to Yaml again, now with parsed file contents
|
||||||
|
$ConvertFromYamlSplat = @{
|
||||||
|
Yaml = $RawContent
|
||||||
|
AllDocuments = $True
|
||||||
|
}
|
||||||
|
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
|
||||||
|
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
|
||||||
|
}
|
||||||
|
Else {
|
||||||
|
$Entries = $YamlDocuments
|
||||||
|
}
|
||||||
|
|
||||||
|
ForEach ($User in $Entries.Users) {
|
||||||
# Create new user
|
# Create new user
|
||||||
$NewADUserSplat = @{
|
$NewADUserSplat = @{
|
||||||
Name = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
|
Name = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
|
||||||
Path = ($User.DistinguishedName -split ',', 2)[1] + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
|
Path = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
|
||||||
AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force
|
AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force
|
||||||
PassThru = $True
|
PassThru = $True
|
||||||
ErrorAction = 'SilentlyContinue'
|
ErrorAction = 'SilentlyContinue'
|
||||||
}
|
}
|
||||||
$NewADUser = New-ADUser @NewADUserSplat
|
$NewADUser = New-ADUser @NewADUserSplat
|
||||||
# Add user to group(s)
|
# Add user to group(s)
|
||||||
If ($User.MemberOf -ne '') {
|
If ([boolean]$User.MemberOf) {
|
||||||
ForEach ($Group in $User.MemberOf.Split('|')) {
|
ForEach ($Group in $User.MemberOf) {
|
||||||
$AddADGroupMemberSplat = @{
|
$AddADGroupMemberSplat = @{
|
||||||
Identity = $Group + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
|
Identity = $Group + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
|
||||||
Members = $NewADUser.DistinguishedName
|
Members = $NewADUser.DistinguishedName
|
||||||
ErrorAction = 'SilentlyContinue'
|
ErrorAction = 'SilentlyContinue'
|
||||||
}
|
}
|
||||||
|
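Review bot: With the new placeholder mechanism, a `Password: "{{ password.janedoe }}"` entry whose `Variables` document is missing or mis-named is never substituted, and the unchanged `ConvertTo-SecureString $User.Password -AsPlainText -Force` line then sets the literal template text as the account password without any error, because `New-ADUser` runs with `ErrorAction = 'SilentlyContinue'`. Reject unresolved templates before the splat, e.g. `If ($User.Password -match '\{\{.*\}\}') { Throw "Unresolved password placeholder for $($User.DistinguishedName)" }`, and consider the same guard on `$RawContent` after the second `ConvertFrom-Yaml`. After substitution the resolved secrets also remain in `$RawContent` and `$YamlDocuments` as plain strings for the life of the session; clearing them once `$Entries` is built (`Remove-Variable RawContent`) limits that exposure. The enclosing `ForEach ($User …)` and the `If` around `$User.MemberOf` close outside this hunk.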
20
scripts/ADDS/payload/scripts/03.Users.yml
Normal file
20
scripts/ADDS/payload/scripts/03.Users.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
Users:
|
||||||
|
- DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
|
||||||
|
Password: Complex42!
|
||||||
|
# Password: "{{ password.janedoe }}"
|
||||||
|
MemberOf: []
|
||||||
|
- DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
|
||||||
|
Password: Complex42!
|
||||||
|
MemberOf: []
|
||||||
|
- DistinguishedName: CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts
|
||||||
|
Password: Complex42!
|
||||||
|
MemberOf: []
|
||||||
|
- DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
|
||||||
|
Password: Complex42!
|
||||||
|
MemberOf: []
|
||||||
|
|
||||||
|
# ---
|
||||||
|
# Variables:
|
||||||
|
# - Name: password.janedoe
|
||||||
|
# Expression: |
|
||||||
|
# (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password
|
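Review bot: `Password: Complex42!` is still committed in cleartext for all four accounts, including the privileged `admJaneD` and `zzLDAP`, while the intended replacement — the `{{ password.janedoe }}` placeholder and the `Variables` document — is commented out, so the file ships the secrets it was meant to remove; if the values are lab-only defaults, a comment saying so at the top of the file would keep them from being taken as production credentials. The draft second document must begin with a real `---` separator for the script's `$YamlDocuments[-1].Variables` lookup to see it, as the commented example shows. In the example expression, `Invoke-WebRequest … | ConvertFrom-Json` pipes a response object rather than the body text; `Invoke-RestMethod` returns the parsed body directly and would likely be the simpler form.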