zmeier/Backup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Zack Meier
2026-04-15 15:45:50 -05:00
commit 1d304511b8
613 changed files with 140998 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/Disable-ITDADUser.ps1
+49
View File
@@ -0,0 +1,49 @@
function Disable-ITDADUser
{
[CmdletBinding()]
Param
(
[string]
$Identity,
[PSCredential]
$Credential
)
Begin
{
Write-Verbose "Validate credentials, stop script if invalid."
If($Credential -eq "" -or $Credential -eq $null)
{
$Credential = Get-Credential -Message "Enter domain/OU administrator credentials. User name must be entered as a SAMAccountName (DOMAIN\username) or as a User Principal Name (username@domain.com)" -UserName $Credential
If($Credential -eq "" -or $Credential -eq $null)
{
Write-Warning "credentials missing - stopping script"
break
}
If((Test-ADCredential -Credential $Credential -ErrorAction Stop) -eq $false)
{
Write-Warning "Invalid credentials or locked account."
break
}
}
Import-Module ActiveDirectory
}
Process
{
$OUdestination = "OU=DisabledAccounts,OU=USERS,OU=ITD,DC=ND,DC=GOV"
ForEach($username in $Identity)
{
Write-Verbose "[$Username]:Processing"
$object = Get-ADUser -Identity $username
Write-Verbose "[$Username]:Disabling Object"
$object | Set-ADuser -Enabled $false -Credential $Credential
Write-Verbose "[$Username]:Moving Object"
$object | Move-ADObject -TargetPath $OUdestination -Credential $Credential
}
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/Get-ITDADActiveServer.ps1
+27
View File
@@ -0,0 +1,27 @@
function Get-ITDADActiveServer
{
[CmdletBinding()]
Param
(
[int]
$ExpireAgeDays = 30
)
Begin
{
Import-Module ActiveDirectory
$OUsource = "OU=ITD,DC=ND,DC=GOV"
$ExpireDate = (Get-Date).AddDays((-$ExpireAgeDays))
}
Process
{
Get-ADComputer -SearchBase $OUsource -Filter * -Properties Name,CanonicalName,operatingSystem,operatingSystemServicePack,LastLogonDate,Enabled | `
Where-Object operatingSystem -Like "*Server*" | `
Where-Object LastLogonDate -GT $ExpireDate | `
Where-Object Enabled -EQ $true | `
Select-Object Name,operatingSystem,operatingSystemServicePack,LastLogonDate,CanonicalName
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/Get-ITDADGroupMember.ps1
+30
View File
@@ -0,0 +1,30 @@
<#
.Synopsis
Short description
.DESCRIPTION
Long description
.EXAMPLE
Example of how to use this cmdlet
.EXAMPLE
Another example of how to use this cmdlet
#>
function Get-ITDADGroupMember
{
[CmdletBinding()]
Param
(
[string]
$Identity
)
Begin
{
}
Process
{
return (Get-ADUser -Identity $Identity -Properties MemberOf).MemberOf
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/New-ITDADComputerServer.ps1
+68
View File
@@ -0,0 +1,68 @@
<#
.Synopsis
Creates AD Computer object in ITD OUs
.DESCRIPTION
Long description
.EXAMPLE
Example of how to use this cmdlet
.EXAMPLE
Another example of how to use this cmdlet
#>
function New-ITDADComputerServer
{
[CmdletBinding()]
Param
(
[string[]]
$ComputerName,
#[string]
#$AppName,
[PSCredential]
$Credential
)
Begin
{
Write-Verbose "Validate credentials, stop script if invalid."
If($Credential -eq "" -or $Credential -eq $null)
{
$Credential = Get-Credential -Message "Enter domain/OU administrator credentials. User name must be entered as a SAMAccountName (DOMAIN\username) or as a User Principal Name (username@domain.com)" -UserName $Credential
If($Credential -eq "" -or $Credential -eq $null)
{
Write-Warning "credentials missing - stopping script"
break
}
If((Test-ADCredential -Credential $Credential -ErrorAction Stop) -eq $false)
{
Write-Warning "Invalid credentials or locked account."
break
}
}
Import-Module ActiveDirectory
$OUdefault = "OU=Prod,OU=All-General,OU=Windows,OU=SERVERS,OU=COMPUTERS,OU=ITD,DC=ND,DC=GOV"
}
Process
{
ForEach($c in $ComputerName)
{
$Hostname=($c.split(".")[0]).ToUpper()
#If($AppName)
#{
#}
#Else
#{
$OUdestination = $OUdefault
#}
New-ADComputer -Name $Hostname -Path $OUdestination -Credential $Credential
}
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/New-ITDADGroup.ps1
+93
View File
@@ -0,0 +1,93 @@
<#
.Synopsis
Create AD group within ITD GROUPS OU
.DESCRIPTION
Create Active Directory group within the ITD\ITD GROUPS OU, ability to add group members if needed
.EXAMPLE
New-ITDADGroup -SamAccountName ITD-GROUP-1 -Description "Sales group"
.EXAMPLE
New-ITDADGroup -SamAccountName ITD-GROUP-1 -Description "Sales group" -Members username1,username2,username3
#>
function New-ITDADGroup
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[string]
$SamAccountName,
[Parameter(Mandatory=$true)]
[string]
$Description,
[string[]]
$Members,
[PSCredential]
$Credential
)
Begin
{
Write-Verbose "Validate credentials, stop script if invalid."
If($Credential -eq "" -or $Credential -eq $null)
{
$Credential = Get-Credential -Message "Enter domain/OU administrator credentials. User name must be entered as a SAMAccountName (DOMAIN\username) or as a User Principal Name (username@domain.com)" -UserName $Credential
If($Credential -eq "" -or $Credential -eq $null)
{
Write-Warning "credentials missing - stopping script"
break
}
If((Test-ADCredential -Credential $Credential -ErrorAction Stop) -eq $false)
{
Write-Warning "Invalid credentials or locked account."
break
}
}
Import-Module ActiveDirectory
}
Process
{
Write-Verbose "verify group object does not already exist, if it does, stop script"
$groupexists = Get-ADGroup -Filter {sAMAccountName -eq $SamAccountName}
If($groupexists)
{
Write-Warning "$SamAccountName already exists"
break
}
Write-Verbose "fix description if needed"
If($Description -like "*1120*")
{
Write-Verbose "no change to description"
}
Else
{
Write-Verbose "adding '1120 - ' to description"
$Description = "1120 - " + $Description
}
$OUdestination = "OU=ITDGROUPS,OU=GROUPS,OU=ITD,DC=ND,DC=GOV"
Write-Verbose "create group in AD"
New-ADGroup -Name $SamAccountName `
-SamAccountName $SamAccountName `
-Description $Description `
-DisplayName $SamAccountName `
-GroupScope Global `
-GroupCategory Security `
-Path $OUdestination `
-Credential $Credential
Write-Verbose "Adding group members if applicable"
If($Members)
{
Add-ADGroupMember -Identity $SamAccountName -Members $Members -Credential $Credential
}
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/New-ITDADServiceAccount.ps1
+123
View File
@@ -0,0 +1,123 @@
<#
.SYNOPSIS
A short one-line action-based description, e.g. 'Tests if a function is valid'
.DESCRIPTION
A longer description of the function, its purpose, common use cases, etc.
.NOTES
Information or caveats about the function e.g. 'This function is not supported in Linux'
.LINK
Specify a URI to a help page, this will show when Get-Help -Online is used.
.EXAMPLE
Test-MyTestFunction
Explanation of the function or its result. You can include multiple examples with additional .EXAMPLE lines
#>
function New-ITDADServiceAccount {
[CmdletBinding()]
param (
[string]
$SamAccountName,
[Parameter(Mandatory = $true)]
[string]
$Description,
[Parameter(Mandatory = $true)]
[ValidateSet('Office365', 'VMware_Systems', 'CSRC', 'Shared Linux Password List', 'Peoplesoft Share PW', 'Cohesity', 'VDI')]
[string]
$PasswordstateList,
[Parameter(Mandatory = $true)]
[string]
$PasswordstateTitle,
[string]
$PasswordstateNotes,
[pscredential]
$Credential
)
begin {
}
process {
Write-Verbose -Message "Verify if user object already exists in Active Directory"
try {
If (Get-ADUser -Identity $SamAccountName) {
$ADUserExists = $true
}
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
Write-Verbose -Message "Active Directory user object not found"
$ADUserExists = $false
}
catch {
Write-Error -Message "Unable to validate if samaccountname $SamAccountName is available" -ErrorAction $Stop
}
Write-Verbose -Message "ADUser exists $ADUserExists"
switch ($ADUserExists) {
Default {
Write-Error -Message "Unable to validate if samaccountname $SamAccountName is available"
}
$true {
Write-Error -Message "AD user object with $SamAccountName SamAccountName already exists."
}
$false {
Write-Verbose -Message "Create Passwordstate record"
$NewITDPasswordParams = @{
PasswordList = $PasswordstateList;
Title = $PasswordstateTitle;
Description = $Description;
UserName = ("ndgov\$SamAccountName");
Credential = $Credential;
}
switch ($PSBoundParameters.Keys) {
PasswordStateNotes {
$NewITDPasswordParams.Notes = $PasswordstateNotes
}
}
$NewITDPasswordResult = New-ITDPassword @NewITDPasswordParams -ErrorAction Stop
If ($NewITDPasswordResult) {
Write-Verbose -Message "Create AD account"
$OuDestination = "OU=ITD SERVICE,OU=USERS,OU=ITD,DC=ND,DC=GOV"
$DCtoUse = Get-ADDomainController -DomainName nd.gov -Discover -Site "Default-First-Site-Name"
$NewADUserParams = @{
Name = $SamAccountName;
SamAccountName = $SamAccountName;
UserPrincipalName = "$SamAccountName@nd.gov";
Description = "1120 - $Description";
Surname = "$SamAccountName";
DisplayName = "$SamAccountName";
Path = $OuDestination;
AccountPassword = $NewITDPasswordResult.Password;
PasswordNeverExpires = $true;
Enabled = $true;
Credential = $Credential;
Server = $DCtoUse;
}
#try {
Write-Verbose -Message "Attempt New-ADUser"
New-ADUser @NewADUserParams
#}
#catch {
#Write-Error $error[0]
#}
}
}
}
}
end {
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/New-ITDADServiceAccountOLD.ps1
+118
View File
@@ -0,0 +1,118 @@
<#
.Synopsis
Create new account with random password, save in Passwordstate
.DESCRIPTION
Create new Active Directory user account in the "ITD SERVICE" OU, randomly generate a password, and save it in Passwordstate
.EXAMPLE
New-ITDADServiceAccount -SamAccountName !itdtest01 -Description "app/sql db account" -ComputerName itdtest01.nd.gov -PasswordStateList CSRC -Credential <PSCredential>
#>
function New-ITDADServiceAccountOLD
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[string]
$SamAccountName,
[Parameter(Mandatory=$true)]
[string]
$Description,
[Parameter(Mandatory=$true)]
[string]
$ComputerName,
[Parameter(Mandatory=$true)]
[ValidateSet("CSRC","CND","Linux","Office365","VMware","ZTEST")]
[string]
$PasswordstateList,
[PSCredential]
$Credential
)
Begin
{
Write-Verbose "Validate credentials, stop script if invalid."
If($Credential -eq "" -or $Credential -eq $null)
{
$Credential = Get-Credential -Message "Enter domain/OU administrator credentials. User name must be entered as a SAMAccountName (DOMAIN\username) or as a User Principal Name (username@domain.com)" -UserName $Credential
If($Credential -eq "" -or $Credential -eq $null)
{
Write-Warning "credentials missing - stopping script"
break
}
If((Test-ADCredential -Credential $Credential -ErrorAction Stop) -eq $false)
{
Write-Warning "Invalid credentials or locked account."
break
}
}
Write-Verbose "Confirm Passwordstate connection"
If((Test-NetConnection -ComputerName itdpv.nd.gov).PingSucceeded)
{
}
Else
{
Write-Warning "Passwordstate unavailable"
break
}
Import-Module ActiveDirectory
}
Process
{
Write-Verbose "verify user account does not already exist, if it does, stop script"
$userexists = Get-ADUser -Filter {sAMAccountName -eq $SamAccountName}
If($userexists)
{
Write-Warning "$SamAccountName already exists"
break
}
Write-Verbose "fix description if needed"
If($Description -like "*1120*")
{
Write-Warning "Do not enter '1120' into the description, this will be done for you"
Break
}
Write-Verbose "set OU, get passwordstate passwordlist information, set ADDescription"
$OUdestination = "OU=ITD SERVICE,OU=USERS,OU=ITD,DC=ND,DC=GOV"
$PStateList = Get-ITDPasswordstatePasswordList -Name $PasswordstateList
$ADDescription = "1120 - " + $Description
<# removed 20181228
Write-Verbose "Generate new password"
$PasswordGenerated = New-ITDRandomPassword
$PasswordSecured = $PasswordGenerated | ConvertTo-SecureString -AsPlainText -Force
Write-Verbose "add to passwordstate"
$Date = Get-Date -UFormat "%Y/%m/%d @ %H:%M:%S"
$Notes = "Automatically generated by $env:USERNAME on $Date"
New-PasswordstateRecord -ListID $PStateList.ID -Title $ComputerName -Username "nd.gov\$SamAccountName" -APIkey $PStateList.APIkey -Password $PasswordGenerated -Description $Description -Notes $Notes
#>
New-ITDPasswordstateRecord -Title $ComputerName -Description $ADDescription -PSList $PasswordstateList -Username $SamAccountName -GeneratePassword
Write-Verbose "create account in AD"
New-ADUser -Name $SamAccountName `
-SamAccountName $SamAccountName `
-UserPrincipalName "$SamAccountName@nd.gov" `
-Description $ADDescription `
-DisplayName "$SamAccountName" `
-Path $OUdestination `
-AccountPassword $PasswordSecured `
-PasswordNeverExpires $true `
-Enabled $true `
-Credential $Credential
}
End
{
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/New-ITDADServiceAccountRitm.ps1
+88
View File
@@ -0,0 +1,88 @@
<#
.SYNOPSIS
A short one-line action-based description, e.g. 'Tests if a function is valid'
.DESCRIPTION
Function will submit a ServiceNow Catalog Request of Application Server type with relevant information required for automated AD Service Account creation.
.NOTES
Information or caveats about the function e.g. 'This function is not supported in Linux'
.LINK
Specify a URI to a help page, this will show when Get-Help -Online is used.
.EXAMPLE
Test-MyTestFunction -Verbose
Explanation of the function or its result. You can include multiple examples with additional .EXAMPLE lines
#>
function New-ITDADServiceAccountRitm {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[string]
$RequestedForEmail,
[Parameter(Mandatory = $true)]
[string]
$SamAccountName,
[Parameter(Mandatory = $true)]
[ValidateSet('nd.gov')]
[string]
$ADDomain,
[Parameter(Mandatory = $true)]
[string]
$Description,
[Parameter(Mandatory = $true)]
#[ValidateSet('Office365', 'VMware_Systems', 'CSRC', 'Shared Linux Password List', 'Peoplesoft Share PW', 'Cohesity', 'VDI')]
[string]
$PasswordstateList,
[Parameter(Mandatory = $true)]
[string]
$PasswordstateTitle
)
begin {
}
process {
# create Application Server RITM with json
$AdditionalComments = "Please create a new $ADDomain Active Directory service account with the following details, following guidelines found in KB0016867.`n`n"
$obj = [PSCustomObject]@{
RequestedForEmail = $RequestedForEmail
SamAccountName = $SamAccountName;
ADDomain = $ADDomain;
PasswordstateTitle = $PasswordstateTitle;
PasswordstateList = $PasswordstateList;
Description = $Description;
}
$AdditionalComments += ($obj | ConvertTo-Json -Compress)
$NewITDServiceNowServiceCatalogRequest = @{
CategoryItemName = 'Application Server';
RequestedForEmail = $RequestedForEmail;
Values = @{
additional_comments = $AdditionalComments;
request_type = "New";
application_name = "Infra-ActiveDirectory.Object";
environment = "Production";
require_hosting_quote = 'No';
add_change_disaster_recovery = 'No'; #>
vm_work_needed = 'No';
}
}
$ReqResult = New-ITDServiceNowServiceCatalogRequest @NewITDServiceNowServiceCatalogRequest
}
end {
Write-Output $ReqResult
}
}
_NDGOV_WindowsTeam/ITD.Infra-ActiveDirectory.Object/Public/Unlock-ITDADAccount.ps1
+80
View File
@@ -0,0 +1,80 @@
<#
.Synopsis
Unlock any Active Directory Account
.DESCRIPTION
Unlock any Active Directory Account, verify information
.EXAMPLE
Unlock-ITDADAccount -Identity username1
.EXAMPLE
Unlock-ITDADAccount -Identity username1, username2, username3
.EXAMPLE
Unlock-ITDADAccount -Identity username1 -Credential $PSCredential
.INPUTS
Inputs to this cmdlet (if any)
.OUTPUTS
Output from this cmdlet (if any)
.NOTES
General notes
.COMPONENT
The component this cmdlet belongs to
.ROLE
The role this cmdlet belongs to
.FUNCTIONALITY
The functionality that best describes this cmdlet
#>
function Unlock-ITDADAccount
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[string[]]
$Identity,
[PSCredential]
$Credential
)
Begin
{
Write-Verbose "Validate credentials, stop script if invalid."
If($Credential -eq "" -or $Credential -eq $null)
{
$Credential = Get-Credential -Message "Enter domain/OU administrator credentials. User name must be entered as a SAMAccountName (DOMAIN\username) or as a User Principal Name (username@domain.com)" -UserName $Credential
If($Credential -eq "" -or $Credential -eq $null)
{
Write-Warning "credentials missing - stopping script"
break
}
If((Test-ADCredential -Credential $Credential -ErrorAction Stop) -eq $false)
{
Write-Warning "Invalid credentials or locked account."
break
}
}
.3
Import-Module ActiveDirectory
}
Process
{
ForEach ($i in $Identity)
{
$before = Get-ADUser -Identity $i -Properties SamAccountName,PasswordLastSet,lastLogonDate,Enabled,LockedOut | Select-Object SamAccountName,PasswordLastSet,lastLogonDate,Enabled,LockedOut
$SamAccountName = $before.SamAccountName
If($before.LockedOut -eq $false)
{
Write-Warning "[$SamAccountName]:Before:$before"
}
Else
{
Unlock-ADAccount -Identity $i -Credential $Credential
$after = Get-ADUser -Identity $i -Properties SamAccountName,PasswordLastSet,lastLogonDate,Enabled,LockedOut | Select-Object SamAccountName,PasswordLastSet,lastLogonDate,Enabled,LockedOut
Write-Warning "[$SamAccountName]:After:$after"
}
}
}
End
{
}
}