update
+96
@@ -0,0 +1,96 @@
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Add Service Principal Name to a ITD AD Service Account
|
||||
.DESCRIPTION
|
||||
Add Service Principal Name to a ITD AD Service Account
|
||||
.NOTES
|
||||
example using setspn:
|
||||
setspn.exe -s MSSQLSvc/test.nd.gov:1433 ndgov\svctest
|
||||
setspn.exe -s MSSQLSvc/test:1433 ndgov\svctest
|
||||
setspn.exe -s MSSQLSvc/test.nd.gov ndgov\svctest
|
||||
setspn.exe -s MSSQLSvc/test ndgov\svctest
|
||||
|
||||
setspn.exe -s MSSQLSvc/test.nd.gov ndgov\svctest
|
||||
.LINK
|
||||
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
Param(
|
||||
[string]
|
||||
$SamAccountName,
|
||||
|
||||
[Parameter(HelpMessage = "Multiple entries can be submitted if the field loses focus, and you go back to it. For example, after each entry hit Tab, then Shift-Tab back.")]
|
||||
[string[]]
|
||||
$ServicePrincipalName = $null
|
||||
)
|
||||
|
||||
Write-Verbose -Message "Prep Variables and Connections"
|
||||
switch ($UAJob.ComputerName) {
|
||||
"ITDWINAUTOT1" {
|
||||
$ServiceNowEnvironment = 'Test'
|
||||
}
|
||||
"ITDWINAUTOP1" {
|
||||
$ServiceNowEnvironment = 'Production'
|
||||
}
|
||||
}
|
||||
$RequestedBy = $UAJob.Identity.Name # user that started the job
|
||||
$PSUJobId = $UAJob.Id
|
||||
$StartDateTime = Get-Date
|
||||
|
||||
Write-Verbose -Message "Find AD User" -Verbose
|
||||
$ADUser = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
|
||||
|
||||
Write-Verbose -Message "Add SPN(s)" -Verbose
|
||||
try {
|
||||
$ServicePrincipalName | ForEach-Object {
|
||||
Write-Verbose -Message ("Attempt to add SPN value " + $_) -Verbose
|
||||
$ADUser | Set-ADUser -ServicePrincipalNames @{Add=$_}
|
||||
}
|
||||
}
|
||||
catch {
|
||||
Write-Error $Error[0]
|
||||
}
|
||||
|
||||
Start-Sleep -Seconds 2
|
||||
|
||||
Write-Verbose -Message "No errors when adding the SPNs, listing the SPNs here for human validation" -Verbose
|
||||
$ValidateUser = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames | Select-Object SamAccountName, ServicePrincipalNames
|
||||
$ValidateUser.ServicePrincipalNames
|
||||
|
||||
Write-Verbose -Message "Generate ServiceNow CHG" -Verbose
|
||||
Write-Verbose -Message ("UAJob.ComputerName = " + $UAJob.ComputerName) -Verbose
|
||||
|
||||
New-ITDServiceNowSession -Environment $ServiceNowEnvironment -Credential $Secret:snow_vmcred -Verbose
|
||||
$NewITDServiceNowChangeRequestParams = @{
|
||||
TemplateName = 'NDIT-SPS-Server Add/Chg/Del'
|
||||
RequestedByUsername = $RequestedBy.split('@')[0] -replace 'prv';
|
||||
Category = 'Systems Platforms - Systems';
|
||||
Subcategory = 'Windows';
|
||||
Impact = 3;
|
||||
ShortDescription = "ServicePrincipalName added to ndgov\$SamAccountName - PSU Job Id $PSUJobId";
|
||||
Description = "ServicePrincipalName added to ndgov\$SamAccountName - PSU Job Id $PSUJobId, see notes for details";
|
||||
Justification = "ServicePrincipalName is required to be added to Active Directory Service Accounts by some applications";
|
||||
Implementation = "PSUniversal execution";
|
||||
RiskImpactAnalysis = "Low";
|
||||
BackoutPlan = "Remove the new service principal name from the serviceprincipalname attribute."
|
||||
TestPlan = "n/a"
|
||||
WhoIsImpacted = "Windows System Administrators";
|
||||
StartTime = $StartDateTime
|
||||
EndTime = $StartDateTime.AddMinutes(1);
|
||||
AssignmentGroup = 'NDIT-Computer Systems Windows';
|
||||
ChangeManagerUsername = 'khellman';
|
||||
ChangeCoordinatorUsername = 'gpgolberg';
|
||||
AssignedToUsername = $RequestedBy.split('@')[0] -replace 'prv';
|
||||
}
|
||||
|
||||
$CHG = New-ITDServiceNowChangeRequest @NewITDServiceNowChangeRequestParams -Verbose
|
||||
$CHGNum = $CHG.Number.value
|
||||
|
||||
Write-Verbose -Message ("Completing SNow " + $CHG.Number.value) -Verbose
|
||||
$CompleteITDServiceNowChangeRequestParams = @{
|
||||
Number = $CHG.Number.value
|
||||
CloseCode = "Successful"
|
||||
CloseNotes = "ServicePrincipalNames added to ndgov\$SamAccountName - PSU Job Id $PSUJobId`n" + ($ServicePrincipalName | ForEach-Object {$_})
|
||||
}
|
||||
Complete-ITDServiceNowChangeRequest @CompleteITDServiceNowChangeRequestParams -Verbose
|
||||
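Review bot: The `.NOTES` block documents the operation as `setspn.exe -s`, which refuses an SPN that is already registered, but the loop actually calls `$ADUser | Set-ADUser -ServicePrincipalNames @{Add=$_}`, which adds the value with no duplicate or format check, so a requester can attach an SPN already held by another principal — breaking Kerberos for that service, and letting this account receive the service tickets meant for it — using a string taken straight from the form parameter. Separately, `Set-ADUser` failures are non-terminating by default, so the surrounding `try/catch` never fires, the "No errors when adding the SPNs" message prints regardless, and the ServiceNow CHG is still created and closed with `CloseCode = "Successful"`. I would validate each SPN against the `serviceclass/host[:port][/name]` shape, look the value up with `Get-ADObject -Filter` before adding it, and use `-ErrorAction Stop` so a rejected SPN halts the job before any change record is filed (if a CHG is wanted for failures too, catch and set the close code from the outcome instead). `$SamAccountName` is also not `Mandatory`, so an empty form value reaches `Get-ADUser -Identity` — `[Parameter(Mandatory = $true)]` on it would reject that up front.
```powershell
# … unchanged: comment header, param block, $UAJob prep, Get-ADUser …
$ValidSpn = '^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+(:\d+)?(/[A-Za-z0-9._-]+)?$'   # serviceclass/host[:port][/name]
foreach ($Spn in $ServicePrincipalName) {
    Write-Verbose -Message ("Attempt to add SPN value " + $Spn) -Verbose
    if ($Spn -notmatch $ValidSpn) { throw "Rejected SPN '$Spn': not in serviceclass/host[:port][/name] form" }
    # same refusal setspn -s applies: an SPN already registered on another object in the domain is a duplicate
    $Holder = Get-ADObject -Filter { servicePrincipalName -eq $Spn } -ErrorAction Stop |
        Where-Object { $_.DistinguishedName -ne $ADUser.DistinguishedName }
    if ($Holder) { throw "Rejected SPN '$Spn': already registered on $($Holder.DistinguishedName -join ', ')" }
    $ADUser | Set-ADUser -ServicePrincipalNames @{Add=$Spn} -ErrorAction Stop
}
# … unchanged: Start-Sleep, validation listing, ServiceNow CHG creation and completion …
```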
+1
@@ -0,0 +1 @@
|
||||
# It all starts with a single line of powershell code.
|
||||
+134
@@ -0,0 +1,134 @@
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Creates an Active Directory user/service account for the nd.gov domain
|
||||
.DESCRIPTION
|
||||
Creates an Active Directory user/service account for the nd.gov domain.
|
||||
.NOTES
|
||||
The PasswordstateList parameter must be validated. If a Passwordstate Password List to the options, ensure that the ndgov\svcitdiaasauto Active Directory has modify access on the Password List.
|
||||
|
||||
Requires Integrated or Agent environment. If not chosen, an erroneous error is caused during the invocation of New-ITDADServiceAccount when the PSCredential object is created to be returned to the user, see below.
|
||||
[error] Exception calling ".ctor" with "2" argument(s): "Cannot process argument because the value of argument "password" is null. Change the value of argument "password" to a non-null value."
|
||||
The agent environment is selected to reduce parameter during script execution, and Run As Credential is enforced as svcitdpsuwin
|
||||
.LINK
|
||||
https://northdakota.service-now.com/kb_view.do?sysparm_article=KB0016867
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "Only nd.gov domain is supported at this time.")]
|
||||
[ValidateSet("nd.gov")]
|
||||
[string]
|
||||
$DomainName = 'nd.gov',
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "This is the account name. This value will also be set on the Active Directory Surname attribute (GivenName or Surname are required for ServiceNow lookups)")]
|
||||
[string]
|
||||
$SamAccountName,
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "Will be set on the respective Passwordstate record property and Active Directory attribute. '1120' will automatically be appended to the entry.")]
|
||||
[string]
|
||||
$Description,
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "What goes into the Passwordstate record Title field. Generally a FQDN for the server that will use this service account.")]
|
||||
[string]
|
||||
$PasswordstateTitle,
|
||||
|
||||
[Parameter(Mandatory = $true,
|
||||
HelpMessage = "The Passwordstate Password List where the credentials to be saved. Go here to retrieve the password for the new account.")]
|
||||
[ValidateSet('CSRC', 'VMware_Systems','Peoplesoft Share PW')]
|
||||
[string]
|
||||
$PasswordstateList
|
||||
)
|
||||
|
||||
Write-Verbose -Message "Prepare variables / SQL connection based on PSU server" -Verbose
|
||||
$RequestedBy = $UAJob.Identity.Name # user that started the job
|
||||
$PSUJobId = $UAJob.Id
|
||||
|
||||
$StartDateTime = (Get-Date)
|
||||
$EndDateTime = $StartDateTime.AddMinutes(1)
|
||||
|
||||
Write-Verbose -Message ("UAJob.ComputerName = " + $UAJob.ComputerName) -Verbose
|
||||
switch ($UAJob.ComputerName) {
|
||||
"ITDWINAUTOT1" {
|
||||
$ServerInstance = "itdintsql22p1.nd.gov\INTSQL22P1"
|
||||
$Database = "ITD-Systems-Automation"
|
||||
$SnapshotTable = "Infra_ActiveDirectory_Object_NewITDADServiceAccount_NPD"
|
||||
$ServiceNowEnvironment = 'Test'
|
||||
}
|
||||
"ITDWINAUTOP1" {
|
||||
$ServerInstance = "itdintsql22p1.nd.gov\INTSQL22P1"
|
||||
$Database = "ITD-Systems-Automation"
|
||||
$SnapshotTable = "Infra_ActiveDirectory_Object_NewITDADServiceAccount_PRD"
|
||||
$ServiceNowEnvironment = 'Production'
|
||||
}
|
||||
}
|
||||
|
||||
Write-Verbose -Message "fix samaccountname" -Verbose
|
||||
$SamAccountName = $SamAccountName.Tolower()
|
||||
|
||||
# add to SQL
|
||||
Write-Verbose -Message "Add request to SQL" -Verbose
|
||||
$SqlQuery = "INSERT INTO [$SnapshotTable] (PSUJobId,RequestedBy,DateTime,Status,DomainName,SamAccountName,Description,PasswordstateTitle,PasswordstateList) Values ('$PSUJobId', '$RequestedBy', '$StartDateTime','Requested','$DomainName','$SamAccountName', '$Description', '$PasswordstateTitle', '$PasswordstateList');"
|
||||
Write-Verbose -Message $SqlQuery -Verbose
|
||||
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $SqlQuery -Credential $Secret:sql_itdpsu1 -Verbose
|
||||
|
||||
# Do the work
|
||||
Write-Verbose -Message "Create the account in Active Directory, and Passwordstate record" -Verbose
|
||||
New-ITDADServiceAccount -SamAccountName $SamAccountName -Description $Description -PasswordstateList $PasswordstateList -PasswordstateTitle $PasswordstateTitle -Credential $Secret:ndgov_svcitdpsuad -Verbose
|
||||
Write-Verbose -Message "Executing Get-ADUser -Identity $SamAccountName" -Verbose
|
||||
|
||||
# Validate the user
|
||||
$ADUser = Get-ADUser -Identity $SamAccountName
|
||||
If ($ADUser) {
|
||||
Write-Output $ADUser
|
||||
|
||||
Write-Verbose -Message "Create CHG request for the work" -Verbose
|
||||
New-ITDServiceNowSession -Environment $ServiceNowEnvironment -Credential $Secret:snow_vmcred
|
||||
$NewITDServiceNowChangeRequestParams = @{
|
||||
TemplateName = 'NDIT-SPS-Server Add/Chg/Del'
|
||||
RequestedByUsername = $RequestedBy.split('@')[0] -replace 'prv';
|
||||
Category = 'Systems Platforms - Systems';
|
||||
Subcategory = 'Windows';
|
||||
Impact = 3;
|
||||
ShortDescription = "New $DomainName Active Directory service account $SamAccountName created - PSU Job Id $PSUJobId";
|
||||
Description = "New $DomainName Active Directory service account $SamAccountName created";
|
||||
Justification = "New $DomainName Active Directory service account required for zero-trust policies, following guidelines found in KB0016867";
|
||||
Implementation = "PSUniversal execution";
|
||||
RiskImpactAnalysis = "Low";
|
||||
BackoutPlan = "Delete the new user account"
|
||||
TestPlan = "n/a"
|
||||
WhoIsImpacted = "Windows System Administrators";
|
||||
StartTime = $StartDateTime
|
||||
EndTime = $StartDateTime.AddMinutes(1);
|
||||
AssignmentGroup = 'NDIT-Computer Systems Windows';
|
||||
ChangeManagerUsername = 'khellman';
|
||||
ChangeCoordinatorUsername = 'gpgolberg';
|
||||
AssignedToUsername = $RequestedBy.split('@')[0] -replace 'prv';
|
||||
}
|
||||
|
||||
$CHG = New-ITDServiceNowChangeRequest @NewITDServiceNowChangeRequestParams -Verbose
|
||||
$CHGNum = $CHG.Number.value
|
||||
|
||||
Write-Verbose -Message ("Completing SNow " + $CHG.Number.value) -Verbose
|
||||
$CompleteITDServiceNowChangeRequestParams = @{
|
||||
Number = $CHG.Number.value
|
||||
CloseCode = "Successful"
|
||||
CloseNotes = ("New $DomainName Active Directory account " + $obj.ADDomain + "\" + $obj.SamAccountName + " created.")
|
||||
}
|
||||
Complete-ITDServiceNowChangeRequest @CompleteITDServiceNowChangeRequestParams -Verbose
|
||||
|
||||
Write-Verbose -Message "Status Success" -Verbose
|
||||
$SQLStatus = "Succcess"
|
||||
}
|
||||
Else {
|
||||
Write-Verbose -Message "Status Failure" -Verbose
|
||||
$SQLStatus = "Failure"
|
||||
}
|
||||
#>
|
||||
|
||||
Write-Verbose -Message "Update SQL with that CHG num and update Status" -Verbose
|
||||
$SqlQueryUpdate = ("UPDATE [$SnapshotTable] SET Status = '$SQLStatus', SNowCHGNum = '$CHGNum' WHERE PSUJobId = " + $PSUJobId)
|
||||
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $SqlQueryUpdate -Credential $Secret:sql_itdpsu1 -Verbose
|
||||
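Review bot: The INSERT built in `$SqlQuery` interpolates `$Description`, `$PasswordstateTitle`, `$SamAccountName` and `$RequestedBy` directly into T-SQL string literals and hands the result to `Invoke-Sqlcmd` under `$Secret:sql_itdpsu1`, so anyone who can submit the form can run arbitrary SQL with that credential's rights, and a single `'` in a description breaks the job even without malice. I would send the values as real parameters through `System.Data.SqlClient.SqlCommand` (sketched below, assuming `$Secret:sql_itdpsu1` is the same PSCredential `Invoke-Sqlcmd -Credential` already receives) and tighten the account name at the parameter with `[ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]` on `$SamAccountName`; the UPDATE near the end has the same shape but only interpolates job-internal values, so it is lower risk but worth the same treatment. Also, `$obj` is never assigned anywhere in this script — the return of `New-ITDADServiceAccount` is not captured — so the `CloseNotes` string ends up as "New nd.gov Active Directory account \ created."; capture it with `$obj = New-ITDADServiceAccount …`. Finally, `$SQLStatus = "Succcess"` is a typo that lands in the Status column, so anything filtering on `'Success'` will miss these rows.
```powershell
# … unchanged: param block, $UAJob prep, switch on $UAJob.ComputerName, ToLower …
$Cred = $Secret:sql_itdpsu1
$Cred.Password.MakeReadOnly()
$Conn = New-Object System.Data.SqlClient.SqlConnection("Server=$ServerInstance;Database=$Database;Encrypt=True")
$Conn.Credential = New-Object System.Data.SqlClient.SqlCredential($Cred.UserName, $Cred.Password)
$Cmd = $Conn.CreateCommand()
# $SnapshotTable comes only from the switch above, never from the request, so it is the one value left inline
$Cmd.CommandText = "INSERT INTO [$SnapshotTable] (PSUJobId,RequestedBy,DateTime,Status,DomainName,SamAccountName,Description,PasswordstateTitle,PasswordstateList) VALUES (@PSUJobId,@RequestedBy,@DateTime,'Requested',@DomainName,@SamAccountName,@Description,@PasswordstateTitle,@PasswordstateList);"
$Values = @{
    PSUJobId = $PSUJobId; RequestedBy = $RequestedBy; DateTime = $StartDateTime
    DomainName = $DomainName; SamAccountName = $SamAccountName; Description = $Description
    PasswordstateTitle = $PasswordstateTitle; PasswordstateList = $PasswordstateList
}
foreach ($Entry in $Values.GetEnumerator()) { [void]$Cmd.Parameters.AddWithValue('@' + $Entry.Key, $Entry.Value) }
$Conn.Open()
try { [void]$Cmd.ExecuteNonQuery() } finally { $Conn.Close() }
# … unchanged: New-ITDADServiceAccount, validation, ServiceNow CHG, status UPDATE …
```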