Introduction
I've been tasked with creating a user management PowerShell script to be used for one of our customers so that we can easily manage users and automate a lot of our user creation processes.
The Issue
Our customer is insisting on using login scripts over GPO for mapping drives for users. I have added a login script builder to the script, however I cannot for the life of me figure out how to specify which drives actually need adding to the login script.
How Drive Mappings Are Managed
The way drive mappings are managed at our customer's network, is based on job role + Active Directory groups. They request on an E-Form which drives need to be mapped, and we then look through the Active Directory to see which group has permissions to access the requested drives. We then add these groups.
What I Need Help With
I've managed to figure out what code I need to use, however groups aren't being added to the user at all. I can't get it working.
Current Code
Note: This may not all be in order, there may be code in-between on the actual script. This is just relevant code.
Group Assignment
$GroupAssignment = $zzeveryone,$safebootdu,$infosecdrive,$mgmtboarddrive,$anaestheticsdrive,
$adverseirdrive,$breastcancersecsdrive,$bookwisedrive,$patientassessmentdrive,
$clinicaleducationdrive,$clinicaldevdrive,$clinicalauddrive,$CDUdrive,
$CBLettersdrive,$commsdrive,$colorectalscdrive,$colorectaldrive,
$codingdrive,$clinicalsupportdrive,$clinicalstddrive,$dietitiansdrive,
$dermatologydrive,$csudrive,$complaintsdrive,$entdrive,$emudrive,
$ElderlyCaredrive,$dischargedrive,$financedrive,$familyplanningdrive,
$GeneralSurgdrive,$gastrodrive,$infectiondrive,$infoptdrive,
$InfoMangtdrive,$MedStaffingdrive,$MedPhotodrive,$legaldrive,
$MedicalEquipdrive,$orthopticsdrive,$Orthopaedicsdrive,$OccHealthdrive,
$palsdrive,$Pharmacydrive,$Pathologydrive,$PostGraddrive,
$Podiatrydrive,$Respiratorydrive
Add-ADPrincipalGroupMembership -Identity $SAMAccountName -MemberOf $GroupAssignment
Example Group Assignment
$wcservicesdrive = if ($User.'Drives (Seperate with a ;)' -Contains 'women and childrens servicesdomain w&c services') {
Write-Output "domain w&c services"
}
Else {
Write-Output ""
}
$GroupAssignment should cause this to output to the Add-ADPrincipalGroupMembership, however it doesn't.
Any ideas?
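An added example (not the poster's script) of one way to build the group list from the E-Form field: split the requested drives on ';', look each one up in a drive-to-group table, and only call Add-ADPrincipalGroupMembership when the resulting list is non-empty. The mapping table, $User and $SAMAccountName are assumed to come from the script's CSV import, and the group names are constructed placeholders.

```powershell
# Added example, not from the original post. Builds $GroupAssignment from the
# E-Form 'Drives' field so that only real group names are passed to AD.

# Assumed mapping of E-Form drive names to the AD group that grants access.
# Hashtable keys are case-insensitive in PowerShell.
$DriveToGroup = @{
    'women and childrens services' = 'domain w&c services'
    'finance'                      = 'domain finance drive'
    'pharmacy'                     = 'domain pharmacy drive'
}

function Get-RequestedGroups {
    param(
        [string]$DrivesField,          # raw E-Form value, e.g. "finance; pharmacy"
        [hashtable]$Map = $DriveToGroup
    )
    $DrivesField -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object   { $_ -and $Map.ContainsKey($_) } |   # skip blanks and unknown drives
        ForEach-Object { $Map[$_] } |
        Select-Object -Unique
}

# $User is assumed to be one row of the imported E-Form CSV.
$GroupAssignment = @(Get-RequestedGroups -DrivesField $User.'Drives (Seperate with a ;)')

if ($GroupAssignment.Count -gt 0) {
    Add-ADPrincipalGroupMembership -Identity $SAMAccountName -MemberOf $GroupAssignment
}
else {
    Write-Warning "No known drives requested for $SAMAccountName; no groups added."
}
```

Unknown or misspelled drive names are logged rather than silently turned into empty entries, which makes E-Form typos visible during onboarding.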
Related
I have built an onboarding Powershell script to help our IT team simplify the onboarding process. The script will add in some necessary AD fields, assign a mailbox and add in Security groups. After creating the user, I have the following code to add in the user's officephone, street address and so on; those are based on which office they are going to work in -
switch ($Office) {
    'office 1' {
        # add in officephone and other fields
        $Code = "O1"
    }
    'office 2' {
        # add in officephone and other fields
        $Code = "O2"
    }
}
The $Code is used to assign Security groups as some SG names are based on office name. For example, if the user's role is maintenance officer in office O1, then a SG named MaintenanceOfficer_O1 needs to be added to this user. So the code looks like following -
switch ($Role) {
    'Maintenance Officer' {
        # Group name is built from the office code, e.g. MaintenanceOfficer_O1
        Add-ADGroupMember -Identity ("MaintenanceOfficer_{0}" -f $Code) -Members $SAN
    }
}
The script works fine, but we have quite a lot of roles and new roles will be created in future, so I was thinking to create some text files for our IT Support so they can add in more roles themselves. It will be something like -
# One group name per line in the role file; add the user to each of them
Get-Content -Path ".\$Role.txt" | ForEach-Object {
    Add-ADGroupMember -Identity $_ -Members $SAN
}
Then in $role.txt file, there are AD groups for this role. So our IT support will be able to add in text file to the folder without needing access to script.
But you can see there is a problem, as some SG group names require $Code.
This is more like a logical problem than a technical one, please share any thoughts or let me know if you are confused with anything.
Thanks,
Raeb
Make your text file of roles a CSV file with two fields. The second field contains true or false to indicate if $code needs to be appended to the group name.
Edit 1:
If you want to keep the file simple you could test for the existence of the group as it appears in the file and if it doesn't exist test for the existence of the group with the variable appended.
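An added example (not the poster's script or the answerer's code) of the CSV approach above, with the group-existence check from Edit 1 layered on top. It assumes role files named ".\Roles\<Role>.csv" with a header of Group,AppendCode, and that $Role, $Code and $SAN are set earlier in the script as in the question.

```powershell
# Added example, not from the original thread. Role files are CSVs such as:
#   Group,AppendCode
#   MaintenanceOfficer,True
#   AllStaff,False
# The second field says whether the office code ($Code) is appended to the name.

function Get-RoleGroups {
    param(
        [string]$Role,
        [string]$Code,
        [string]$RoleFolder = '.\Roles'   # assumed location of the role files
    )
    $file = Join-Path $RoleFolder "$Role.csv"
    if (-not (Test-Path $file)) { throw "No role file for '$Role' at $file" }

    foreach ($row in Import-Csv -Path $file) {
        if ([bool]::Parse($row.AppendCode)) { "{0}_{1}" -f $row.Group, $Code }
        else                                { $row.Group }
    }
}

foreach ($group in Get-RoleGroups -Role $Role -Code $Code) {
    # Verify the group exists before adding, so a typo in the file fails loudly
    # instead of leaving the user with missing access.
    if (Get-ADGroup -Filter "Name -eq '$group'") {
        Add-ADGroupMember -Identity $group -Members $SAN
    }
    else {
        Write-Warning "Group '$group' from role file '$Role' does not exist; skipped."
    }
}
```

Because IT Support only edits the CSV, the script itself never needs to change when a new role is created; a bad entry shows up as a warning rather than a silent gap.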
I use Powershell to pull in data about user accounts, some of which includes details about a user's home folder.
I have been using get-item on folders to get the ACL to make sure a user has proper access to their home folder.
An example of my code is:
((get-item C:\exampleFolder).GetAccessControl('access')).Access
This provided me the list I needed and works great. However, if a user's username changes, it can take some time (like 5-10 minutes) before Powershell can see the change, even though viewing the folder's properties reflects the changes nearly instantaneously.
I am just seeing if there is a better way to pull the ACL data so that what I see in folder property page is what Powershell gets.
first world issue for me really, just trying to make my code a little bit more efficient.
Edit: This is a change in a username on a domain though Active Directory, not a username on a local machine.
There is the Get-ACL Cmdlet. This will output an object with an Access property listing all users with Access and their Access Level.
If you want to, you could use this to make a function to get more explicit data like this:
function Get-Permissions ($folder) {
    # Calculated properties give the ACE fields friendlier column names
    (Get-Acl $folder).Access | Select-Object `
        @{Label="Identity";          Expression={$_.IdentityReference}},
        @{Label="Right";             Expression={$_.FileSystemRights}},
        @{Label="Access";            Expression={$_.AccessControlType}},
        @{Label="Inherited";         Expression={$_.IsInherited}},
        @{Label="Inheritance Flags"; Expression={$_.InheritanceFlags}},
        @{Label="Propagation Flags"; Expression={$_.PropagationFlags}}
}
This you could easily pipe on to a | Format-Table -Auto or however you wish to visually consume your output.
Using Powershell, I can get a separate list of all users or all computers on the domain, but how can I combine both?
With powershell you can search for users or computers with the following
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(&(objectCategory=person)(objectClass=user))"   # result = users
OR
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(objectCategory=computer)"                       # result = computers
How can I combine the two, so I may know what computer a user is assigned to?
You can't get that from Active Directory.
Active directory doesn't record which workstation a user logged on from, and unless the user's logonworkstation attribute has been set to limit where they can log on, there's nothing to prevent them from logging on to any and all workstations in the domain.
I found an amazing PowerShell script by LazyWinAdmin that kind of does what I want - but it is limited to just the current domain. The way our network is set up we have different domains for certain types of accounts.
I am trying to write up a script that simply unlocks a specified user account on a specific domain. Our system uses PowerShell 2.0 which is making this very difficult because I know that the later versions have Active Directory management cmdlets. Trust me, I have requested that we have a newer version of PowerShell installed on our systems but the company flat out refuses to budge.
I feel kind of stupid because I have worked almost exclusively with the newer versions in the past so I got used to the various cmdlets rather than having to manually draft out every single thing I want to do.
You need to specify the search root to search from another domain.
Original code in $buttonUnlock_Click:
# Search for this account in the current domain
$Searcher = [ADSISearcher]"(sAMAccountName=$Name)"
$Results = $Searcher.FindOne()
Also in $buttonCheck_Click (it has no search code but just a comment):
# Search for this account in the current domain
Change both to:
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(sAMAccountName=$name)"
$searcher.SearchRoot = New-Object DirectoryServices.DirectoryEntry('LDAP://other.domain', 'user', 'pwd')
$results = $searcher.FindOne()
If current user already has permission to access the other domains, you may simply put [adsi]'LDAP://other.domain' as search root.
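An added example (not the LazyWinAdmin script or the answerer's code) that wraps the search-root approach above into an unlock function using only .NET DirectoryServices, so it works on PowerShell 2.0 without the ActiveDirectory module. The domain name, account name and credentials are placeholders you supply; the IsAccountLocked property is the IADsUser one exposed through InvokeGet/InvokeSet.

```powershell
# Added example, not from the original thread. Unlocks one account in a named
# domain via ADSI; runs on PowerShell 2.0.
function Unlock-DomainAccount {
    param(
        [string]$Name,      # sAMAccountName to unlock
        [string]$Domain,    # e.g. 'other.domain' (placeholder)
        [System.Management.Automation.PSCredential]$Credential = $null
    )
    if ($Credential) {
        $root = New-Object DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Domain", $Credential.UserName, $Credential.GetNetworkCredential().Password
    }
    else {
        # Current user already has rights in the other domain
        $root = [adsi]"LDAP://$Domain"
    }

    $searcher = New-Object DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Name))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$Name' not found in $Domain" }

    $entry = $result.GetDirectoryEntry()
    # IsAccountLocked comes from IADsUser; note it is derived from lockoutTime and
    # can still read True for a lockout that has already expired.
    if ($entry.InvokeGet('IsAccountLocked')) {
        $entry.InvokeSet('IsAccountLocked', $false)
        $entry.SetInfo()
        return "Unlocked $Name in $Domain"
    }
    return "$Name in $Domain was not locked"
}

# Usage: prompts for an account that has unlock rights in the other domain
# Unlock-DomainAccount -Name 'jsmith' -Domain 'other.domain' -Credential (Get-Credential)
```

Passing the credential object rather than a plain-text password keeps the secret out of the script file and the command history.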
How to add ForeignSecurityPrincipals to 'Active Directory Lightweight Directory Services' (AD LDS)? i.e. bringing 'AD security principals (users as well as computer accounts)' to AD LDS? Any script/ps cmdlet/tool?
Adding 'AD' security principals as "ForeignSecurityPrincipals" to AD LDS using 'ADSI edit'
I know I can bring them in by making them members of administrators/readers/users (i.e. in order to define roles for the 'AD users' as readers/users/administrators the foreign security principals need to be added - which makes sense - so ADSI edit is automatically adding the SIDs to the foreign security principals container) (please see the attached image).
Question (what are different ways of doing it other than assigning roles using adsi edit):
But, I am wondering, is there a way without making the security principal a member of one of the roles? Especially, I don't want to do it this way for 'computer accounts' - as they are not categorized as 'administrators' or 'users' or 'roles' by default in the AD LDS schema. I think I can extend the schema so that my AD LDS instance understands computer accounts and then add the computers there.
Just curious if there is another way to do it? Any other tool or PS script will also do, as I am pretty sure there are a number of 'directory services admin tools'.
Regards.
You seem to be asking about two different things, here. The image is showing you grant access to Active Directory security principals to ADLDS. But then you start talking about extending the schema, suggesting you're looking to import objects from AD.
If it's the latter, you could use FIM, ADAMSync or roll your own using e.g. PowerShell.
More help on ADAMSync here
* UPDATE *
According to Dmitri Gavrilov in this post, manually adding FSPs is not possible.
Alternatively, you can use powershell to add the user/computer to one of the built-in groups (my example will use Readers), then immediately remove them. The foreignSecurityPrincipal will remain in the directory. It seems that ADAM/ADLDS is the one actually creating the foreignSecurityPrincipal object on your behalf when you request adding a member by SID.
Get the Readers group in the Configuration partition...
$servername = "myserver:389"
# Find the Configuration naming context of the AD LDS instance
$configPartition = (Get-ADRootDSE -Server $servername).namingContexts | ? { $_ -match "^CN=Configuration" }
$readersGroup = ("CN=Readers,CN=Roles," + $configPartition)
Add the SID (Wrap in <SID=...>) to the Readers group
Set-ADObject -Identity $readersGroup -Add @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
Remove the SID from the Readers group
Set-ADObject -Identity $readersGroup -Remove @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
Actually it simply turned out to be that I can set 'permissions' on AD LDS directory objects without adding to the 'ForeignSecurityPrincipals' container...
So, I just set 'perms' based on SID (a few examples are below, http://greatit.wordpress.com/2012/08/13/dsacls-and-built-in-groups/ )
Examples which grant 'generic all/full control' on an AD LDS object:
dsacls "\\{myadldsserver}:{port}\cn=testadldsobject,cn=test,cn=com" /g {sid}:GA
dsacls {DN} /g {domain}/{username}:GA
dsacls {DN} /g {domain}/{machinename}$:GA
Regards.