Eliminate .csv's; Draft dynamic pw provisioning
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Danny Bessems 2021-02-22 16:11:09 +01:00
parent 2244bea32a
commit b6c7475673
9 changed files with 179 additions and 44 deletions

View File

@ -1,16 +0,0 @@
"DistinguishedName","Description"
"OU=Computer accounts",""
"OU=Clients,OU=Computer accounts",""
"OU=Desktops,OU=Clients,OU=Computer accounts",""
"OU=Laptops,OU=Clients,OU=Computer accounts",""
"OU=Servers,OU=Computer accounts",""
"OU=Groups",""
"OU=Resources,OU=Groups",""
"OU=Roles,OU=Groups",""
"OU=User accounts",""
"OU=Privileged,OU=User accounts",""
"OU=Administrators,OU=Privileged,OU=User accounts",""
"OU=Service accounts,OU=Privileged,OU=User accounts",""
"OU=Non-privileged,OU=User accounts",""
"OU=Employees,OU=Non-privileged,OU=User accounts",""
"OU=Contractors,OU=Non-privileged,OU=User accounts",""
1 DistinguishedName Description
2 OU=Computer accounts
3 OU=Clients,OU=Computer accounts
4 OU=Desktops,OU=Clients,OU=Computer accounts
5 OU=Laptops,OU=Clients,OU=Computer accounts
6 OU=Servers,OU=Computer accounts
7 OU=Groups
8 OU=Resources,OU=Groups
9 OU=Roles,OU=Groups
10 OU=User accounts
11 OU=Privileged,OU=User accounts
12 OU=Administrators,OU=Privileged,OU=User accounts
13 OU=Service accounts,OU=Privileged,OU=User accounts
14 OU=Non-privileged,OU=User accounts
15 OU=Employees,OU=Non-privileged,OU=User accounts
16 OU=Contractors,OU=Non-privileged,OU=User accounts

View File

@ -7,11 +7,34 @@ Param(
# Only executed on primary or standalone Domain Controller # Only executed on primary or standalone Domain Controller
If (@('primary','standalone') -contains $Parameter['deployment.type']) { If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$GetContentSplat = @{ $GetContentSplat = @{
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv") Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
Raw = $True
} }
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv $RawContent = Get-Content @GetContentSplat
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
ForEach ($OU in $CSVImport) { # Check if the respective .yml file declared substitutions which need to be parsed
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
}
# Perform conversion to Yaml again, now with parsed file contents
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
}
Else {
$Entries = $YamlDocuments
}
ForEach ($OU in $Entries.OrganizationalUnits) {
$OUName, $OUPath = $OU.DistinguishedName -split ',', 2 $OUName, $OUPath = $OU.DistinguishedName -split ',', 2
If ($OUPath.Length -ne 0) { If ($OUPath.Length -ne 0) {
$OUPath += ',' $OUPath += ','
@ -19,7 +42,7 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$NewADOrganizationalUnitSplat = @{ $NewADOrganizationalUnitSplat = @{
Name = $OUName.Substring(3) Name = $OUName.Substring(3)
Path = $OUPath + 'DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=') Path = $OUPath + (Get-ADRootDSE).rootDomainNamingContext
Description = $OU.Description Description = $OU.Description
ProtectedFromAccidentalDeletion = $False ProtectedFromAccidentalDeletion = $False
ErrorAction = 'SilentlyContinue' ErrorAction = 'SilentlyContinue'

View File

@ -0,0 +1,33 @@
OrganizationalUnits:
- DistinguishedName: OU=Computer accounts
Description: ''
- DistinguishedName: OU=Clients,OU=Computer accounts
Description: ''
- DistinguishedName: OU=Desktops,OU=Clients,OU=Computer accounts
Description: ''
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
Description: ''
- DistinguishedName: OU=Servers,OU=Computer accounts
Description: ''
- DistinguishedName: OU=Groups
Description: ''
- DistinguishedName: OU=Resources,OU=Groups
Description: ''
- DistinguishedName: OU=Roles,OU=Groups
Description: ''
- DistinguishedName: OU=User accounts
Description: ''
- DistinguishedName: OU=Privileged,OU=User accounts
Description: ''
- DistinguishedName: OU=Administrators,OU=Privileged,OU=User accounts
Description: ''
- DistinguishedName: OU=Service accounts,OU=Privileged,OU=User accounts
Description: ''
- DistinguishedName: OU=Non-privileged,OU=User accounts
Description: ''
- DistinguishedName: OU=Employees,OU=Non-privileged,OU=User accounts
Description: ''
- DistinguishedName: OU=Contractors,OU=Non-privileged,OU=User accounts
Description: ''

View File

@ -1,6 +0,0 @@
"DistinguishedName","Description"
"CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups",""
"CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups",""
"CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups",""
"CN=Hypervisor administrators,OU=Roles,OU=Groups",""
"CN=Firewall administrators,OU=Roles,OU=Groups",""
1 DistinguishedName Description
2 CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
3 CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
4 CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
5 CN=Hypervisor administrators,OU=Roles,OU=Groups
6 CN=Firewall administrators,OU=Roles,OU=Groups

View File

@ -7,19 +7,54 @@ Param(
# Only executed on primary or standalone Domain Controller # Only executed on primary or standalone Domain Controller
If (@('primary','standalone') -contains $Parameter['deployment.type']) { If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$GetContentSplat = @{ $GetContentSplat = @{
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv") Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
Raw = $True
} }
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv $RawContent = Get-Content @GetContentSplat
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
ForEach ($Group in $CSVImport) { # Check if the respective .yml file declared substitutions which need to be parsed
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
}
# Perform conversion to Yaml again, now with parsed file contents
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
}
Else {
$Entries = $YamlDocuments
}
ForEach ($Group in $Entries.SecurityGroups) {
$NewADGroupSplat = @{ $NewADGroupSplat = @{
Name = ($Group.DistinguishedName -split ',', 2)[0].Substring(3) Name = ($Group.DistinguishedName -split ',', 2)[0].Substring(3)
Path = ($Group.DistinguishedName -split ',', 2)[1] + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=') Path = ($Group.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
Description = $Group.Description Description = $Group.Description
GroupCategory = 'Security' GroupCategory = 'Security'
GroupScope = 'Global' GroupScope = $Group.Scope
PassThru = $True
ErrorAction = 'SilentlyContinue' ErrorAction = 'SilentlyContinue'
} }
New-ADGroup @NewADGroupSplat $NewADGroup = New-ADGroup @NewADGroupSplat
If ([boolean]$Group.MemberOf) {
ForEach ($ParentGroup in $Group.MemberOf) {
$AddADGroupMemberSplat = @{
Identity = $ParentGroup + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
Members = $NewADGroup.DistinguishedName
ErrorAction = 'SilentlyContinue'
}
Add-ADGroupMember @AddADGroupMemberSplat
}
}
} }
} }

View File

@ -0,0 +1,28 @@
SecurityGroups:
# Role groups
- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
Description: ''
Scope: 'Global'
MemberOf: []
- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
Description: ''
Scope: 'Global'
MemberOf: []
# Resource groups
- DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
Description: ''
Scope: 'DomainLocal'
MemberOf:
- CN=Hypervisor administrators,OU=Roles,OU=Groups
- CN=Firewall administrators,OU=Roles,OU=Groups
- DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
Description: ''
Scope: 'DomainLocal'
MemberOf:
- CN=Hypervisor administrators,OU=Roles,OU=Groups
- DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
Description: ''
Scope: 'DomainLocal'
MemberOf:
- CN=Hypervisor administrators,OU=Roles,OU=Groups

View File

@ -1,5 +0,0 @@
"DistinguishedName","Password","MemberOf"
"CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts","Complex42!",""
"CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts","Complex42!",""
"CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts","Complex42!",""
"CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts","Complex42!",""
1 DistinguishedName Password MemberOf
2 CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts Complex42!
3 CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts Complex42!
4 CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts Complex42!
5 CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts Complex42!

View File

@ -7,25 +7,48 @@ Param(
# Only executed on primary or standalone Domain Controller # Only executed on primary or standalone Domain Controller
If (@('primary','standalone') -contains $Parameter['deployment.type']) { If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$GetContentSplat = @{ $GetContentSplat = @{
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".csv") Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', ".yml")
Raw = $True
} }
$CSVImport = (Get-Content @GetContentSplat) | ConvertFrom-Csv $RawContent = Get-Content @GetContentSplat
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
ForEach ($User in $CSVImport) { # Check if the respective .yml file declared substitutions which need to be parsed
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
}
# Perform conversion to Yaml again, now with parsed file contents
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
$Entries = $YamlDocuments[0..($YamlDocuments.Count - 2)]
}
Else {
$Entries = $YamlDocuments
}
ForEach ($User in $Entries.Users) {
# Create new user # Create new user
$NewADUserSplat = @{ $NewADUserSplat = @{
Name = ($User.DistinguishedName -split ',', 2)[0].Substring(3) Name = ($User.DistinguishedName -split ',', 2)[0].Substring(3)
Path = ($User.DistinguishedName -split ',', 2)[1] + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=') Path = ($User.DistinguishedName -split ',', 2)[1] + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force AccountPassword = ConvertTo-SecureString $User.Password -AsPlainText -Force
PassThru = $True PassThru = $True
ErrorAction = 'SilentlyContinue' ErrorAction = 'SilentlyContinue'
} }
$NewADUser = New-ADUser @NewADUserSplat $NewADUser = New-ADUser @NewADUserSplat
# Add user to group(s) # Add user to group(s)
If ($User.MemberOf -ne '') { If ([boolean]$User.MemberOf) {
ForEach ($Group in $User.MemberOf.Split('|')) { ForEach ($Group in $User.MemberOf) {
$AddADGroupMemberSplat = @{ $AddADGroupMemberSplat = @{
Identity = $Group + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=') Identity = $Group + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
Members = $NewADUser.DistinguishedName Members = $NewADUser.DistinguishedName
ErrorAction = 'SilentlyContinue' ErrorAction = 'SilentlyContinue'
} }

View File

@ -0,0 +1,20 @@
Users:
- DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
Password: Complex42!
# Password: "{{ password.janedoe }}"
MemberOf: []
- DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
Password: Complex42!
MemberOf: []
- DistinguishedName: CN=admJaneD,OU=Administrators,OU=Privileged,OU=User accounts
Password: Complex42!
MemberOf: []
- DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
Password: Complex42!
MemberOf: []
# ---
# Variables:
# - Name: password.janedoe
# Expression: |
# (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password