update
This commit is contained in:
Zack Meier
+89
@@ -0,0 +1,89 @@
|
||||
Set-PSUAuthenticationMethod -Type "Form" -ScriptBlock {
|
||||
param(
|
||||
[PSCredential]$Credential
|
||||
)
|
||||
|
||||
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
|
||||
|
||||
# is this a UPN?
|
||||
if ( $Credential.UserName.IndexOf('@') -gt -1 ) {
|
||||
|
||||
# juggle back and forth from SID to get NTAccount format
|
||||
$NTAccountName = ([System.Security.Principal.NTAccount]$Credential.UserName).Translate([System.Security.Principal.SecurityIdentifier]).Translate([System.Security.Principal.NTAccount]).Value
|
||||
|
||||
}
|
||||
elseif ( $Credential.UserName.IndexOf('\') -gt -1 ) {
|
||||
|
||||
# already NTAccount format
|
||||
$NTAccountName = $Credential.UserName
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
# someone didn't enter their domain...
|
||||
$NTAccountName = "NDGOV\" + $Credential.GetNetworkCredential().UserName
|
||||
|
||||
}
|
||||
|
||||
# split domain and username
|
||||
$DomainName, $UserName = $NTAccountName.Split('\', 2)
|
||||
|
||||
# perform auth with AD
|
||||
$PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( 'Domain', $DomainName )
|
||||
$Authenticated = $PrincipalContext.ValidateCredentials( $UserName, $Credential.GetNetworkCredential().Password, 'Negotiate, Sealing' )
|
||||
|
||||
if ( $Authenticated ) {
|
||||
|
||||
# discover the user principal, needed for the user DN
|
||||
$UserPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $NTAccountName )
|
||||
|
||||
# get the user's domain
|
||||
$UserDomainContext = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new( 'Domain', $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password )
|
||||
$UserDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $UserDomainContext )
|
||||
|
||||
# get the computer's domain
|
||||
#$ComputerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
|
||||
|
||||
# hold all the user groups
|
||||
[System.Collections.Generic.List[hashtable]]$Groups = @()
|
||||
|
||||
# get groups from user's domain
|
||||
#[adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName)))", @('name') ).FindAll().ForEach({
|
||||
[adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName))(name=ITD-PSUniversal-*))", @('name') ).FindAll().ForEach({
|
||||
$Groups.Add(@{
|
||||
Type = 'Group'
|
||||
Value = $_.Properties['name'][0]
|
||||
Issuer = $UserDomain.Name
|
||||
})
|
||||
})
|
||||
<#
|
||||
# get groups from the computer's domain (if different)
|
||||
if ( $UserDomain.Name -ne $ComputerDomain.Name ) {
|
||||
|
||||
# lookup the user's foreign security principal in the computer's domain
|
||||
$ForeignSecurityPrincipal = [adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=foreignSecurityPrincipal)(objectClass=foreignSecurityPrincipal)(name=$($UserPrincipal.Sid)))", @('distinguishedName') ).FindOne().Properties['distinguishedName'][0]
|
||||
|
||||
# find all the group memberships
|
||||
[adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$ForeignSecurityPrincipal))", @('name') ).FindAll().ForEach({
|
||||
|
||||
$Groups.Add(@{
|
||||
Type = 'Group'
|
||||
Value = $_.Properties['name'][0]
|
||||
Issuer = $ComputerDomain.Name
|
||||
})
|
||||
|
||||
})
|
||||
|
||||
}
|
||||
#>
|
||||
New-PSUAuthenticationResult -Success -UserName $UserPrincipal.UserPrincipalName -Claims {
|
||||
$Groups | ForEach-Object { New-PSUAuthorizationClaim @_ }
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
New-PSUAuthenticationResult -ErrorMessage 'Bad username or password :)'
|
||||
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,75 @@
|
||||
New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
$Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
|
||||
$Roles -contains 'ITD-PSUniversal-Admin'
|
||||
}
|
||||
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
$false
|
||||
}
|
||||
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
$false
|
||||
}
|
||||
New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
$true #default $false
|
||||
}
|
||||
New-PSURole -Name "Team-Windows" -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
#$false
|
||||
$Roles = $User.Claims | Where-Object Type -EQ Group | Select-Object -ExpandProperty Value
|
||||
$Roles -contains "ITD-PSUniversal-Team-Windows"
|
||||
}
|
||||
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
|
||||
param(
|
||||
[Security.ClaimsPrincipal]$User
|
||||
)
|
||||
|
||||
<#
|
||||
Policies should return $true or $false to determine whether the user has the particular
|
||||
claim that require them for that role.
|
||||
#>
|
||||
|
||||
$false
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
New-PSUScript -Name "Get-HelloWorld.ps1" -Description "Get-HelloWorld.ps1" -Path "ZM-Test\Get-HelloWorld.ps1"
|
||||
New-PSUScript -Name "NewITDVMwareVMSnapshotTask.ps1" -Description "NewITDVMwareVMSnapshotTask.ps1" -Path "Infra-VMware.Snapshot\NewITDVMwareVMSnapshotTask.ps1"
|
||||
New-PSUScript -Name "Remove_ITDVmwareVMSnapshotExpired.ps1" -Description "Remove_ITDVmwareVMSnapshotExpired.ps1" -Path "Infra-VMware.Snapshot\Remove_ITDVmwareVMSnapshotExpired.ps1"
|
||||
New-PSUScript -Name "Update-ITDVMwareVMSnapshotStatus.ps1" -Description "Update-ITDVMwareVMSnapshotStatus.ps1" -Path "Infra-VMware.Snapshot\Update-ITDVMwareVMSnapshotStatus.ps1"
|
||||
@@ -0,0 +1,5 @@
|
||||
$Parameters = @{
|
||||
EnhancedAppTokenSecurity = $true
|
||||
ApiSecurityModel = "Medium"
|
||||
}
|
||||
Set-PSUSetting @Parameters
|
||||
@@ -0,0 +1,2 @@
|
||||
New-PSUVariable -Name "ndgov_svcitdiaasauto" -Vault "Database" -Type "PSCredential"
|
||||
New-PSUVariable -Name "ndgov_svcitdvmsnapmgr" -Vault "Database" -Type "PSCredential"
|
||||
+37
@@ -0,0 +1,37 @@
|
||||
<#####
|
||||
.SYNOPSIS
|
||||
Creates a vCenter scheduled task that will create a virtual machine snapshot.
|
||||
.DESCRIPTION
|
||||
Creates a vCenter scheduled task that will create a virtual machine snapshot. 2506091114
|
||||
.NOTES
|
||||
|
||||
.LINK
|
||||
https://northdakota.service-now.com/kb_view.do?sysparm_article=KB0017146
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[Parameter(
|
||||
Mandatory = $true,
|
||||
HelpMessage = "The VMware virtual machine name. This is most commonly the FQDN. You can verify the virtual machine name by logging into vCenter. Multiple entries can be submitted if the field loses focus, and you go back to it. For example, after each entry hit Tab, then Shift-Tab back."
|
||||
)]
|
||||
[string[]]
|
||||
$VMName = $null,
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "The DateTime you want the snapshot to occur.")]
|
||||
[datetime]
|
||||
$DateTime = (Get-Date),
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "How many hours the snapshot will exist. The snapshot will be automatically deleted after the duration. Maximum value is 72 hours.")]
|
||||
[ValidateRange(1, 72)]
|
||||
[int]
|
||||
$DurationHours = 4,
|
||||
|
||||
[Parameter(HelpMessage = "Email address that you want vCenter to notify when the snapshot is taken. Multiple entries can be submitted if the field loses focus, and you go back to it. For example, after each entry hit Tab, then Shift-Tab back.")]
|
||||
[string[]]
|
||||
$Email = $null
|
||||
)
|
||||
|
||||
Write-Warning -Message ("Creating new snapshot " + (Get-Date) )
|
||||
+1
@@ -0,0 +1 @@
|
||||
# Script contents
|
||||
+1
@@ -0,0 +1 @@
|
||||
# Script contents
|
||||
@@ -0,0 +1,3 @@
|
||||
# Script contents
|
||||
|
||||
wtf
|
||||
Reference in New Issue
Block a user