Update
This commit is contained in:
parent
40a82d6ea2
commit
27dc4dda5e
73
CopyTo-Sysvol.ps1
Normal file
73
CopyTo-Sysvol.ps1
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Run get-help -example CopyTo-Sysvol.ps1 for examples
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
.\CopyTo-Sysvol.ps1 -FilesPath C:\LAPS -DefaultSysvolPlacement -Verbose
|
||||||
|
VERBOSE: Declared SYSVOL path: 'C:\Windows\Sysvol\'
|
||||||
|
VERBOSE: Folder :'C:\Windows\Sysvol\\Sysvol\azureblog.pl\scripts' already exists
|
||||||
|
VERBOSE: Copying files from path 'C:\LAPS' to 'C:\Windows\Sysvol\Sysvol\azureblog.pl\scripts' using Recurse mode
|
||||||
|
|
||||||
|
|
||||||
|
Directory: C:\Windows\Sysvol\Sysvol\azureblog.pl\scripts
|
||||||
|
|
||||||
|
|
||||||
|
Mode LastWriteTime Length Name
|
||||||
|
---- ------------- ------ ----
|
||||||
|
d----- 02.02.2020 13:02 LAPS
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
.\CopyTo-Sysvol.ps1 -filesPath C:\LAPS -CustomSysvolPlacement -CustomSysvolPath C:\test -Verbose
|
||||||
|
VERBOSE: Declared SYSVOL path: 'C:\test'
|
||||||
|
VERBOSE: Folder :'C:\test\Sysvol\azureblog.pl\scripts' already exists
|
||||||
|
VERBOSE: Copying files from path 'C:\LAPS' to 'C:\test\Sysvol\azureblog.pl\scripts' using Recurse mode
|
||||||
|
|
||||||
|
|
||||||
|
Directory: C:\LAPS
|
||||||
|
|
||||||
|
|
||||||
|
Mode LastWriteTime Length Name
|
||||||
|
---- ------------- ------ ----
|
||||||
|
-a---- 05.12.2019 19:56 1019904 LAPS.x64.msi
|
||||||
|
-a---- 05.12.2019 19:56 991232 LAPS.x86.msi
|
||||||
|
|
||||||
|
#>
|
||||||
|
[CmdletBinding(DefaultParametersetName = "DefaultSysvolPath")]
|
||||||
|
param (
|
||||||
|
[parameter(Mandatory = $true)]
|
||||||
|
[ValidateScript( { Test-Path $_ })]
|
||||||
|
[string]$FilesPath,
|
||||||
|
[parameter(ParameterSetName = "DefaultSysvolPath")]
|
||||||
|
[switch]$DefaultSysvolPlacement,
|
||||||
|
[parameter(ParameterSetName = "CustomSysvolPath")]
|
||||||
|
[switch]$CustomSysvolPlacement,
|
||||||
|
[parameter(ParameterSetName = "CustomSysvolPath", Mandatory = $true)]
|
||||||
|
[ValidateScript( { Test-Path $_ })]
|
||||||
|
[string]$CustomSysvolPath
|
||||||
|
)
|
||||||
|
|
||||||
|
$domain = $env:USERDNSDOMAIN
|
||||||
|
switch ($PsCmdlet.ParameterSetName) {
|
||||||
|
"DefaultSysvolPath" {
|
||||||
|
$sysvolPath = "C:\Windows\Sysvol"
|
||||||
|
}
|
||||||
|
"CustomSysvolPath" {
|
||||||
|
$sysvolPath = $CustomSysvolPath
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Write-Verbose "Declared SYSVOL path: '$sysvolPath'"
|
||||||
|
|
||||||
|
$scriptsPath = "$sysvolPath\Sysvol\$domain\scripts"
|
||||||
|
$scriptsTest = Test-Path -Path $scriptsPath
|
||||||
|
if ($scriptstest -eq $false) {
|
||||||
|
Write-Error "There is no such a folder: '$scriptsPath'"
|
||||||
|
}
|
||||||
|
$filesPathTest = Test-Path -Path $scriptsPath
|
||||||
|
if ($filesPathTest -eq $true) {
|
||||||
|
Write-Verbose "Folder :'$scriptsPath' already exists"
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Verbose "Copying files from path '$FilesPath' to '$scriptsPath' using Recurse mode"
|
||||||
|
Copy-Item -Path $FilesPath -Destination $scriptsPath -Recurse -Force
|
||||||
|
|
||||||
|
Get-ChildItem -Path $FilesPath
|
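Review bot: The missing-folder check at `if ($scriptstest -eq $false)` only calls Write-Error, which is non-terminating, so the script carries on to `Copy-Item ... -Force` against a path it has just reported as absent; change it to `throw "There is no such a folder: '$scriptsPath'"` (or add `-ErrorAction Stop`). The next line, `$filesPathTest = Test-Path -Path $scriptsPath`, re-tests the same path rather than `$FilesPath`, so the "already exists" message is redundant with the check above, and since `$FilesPath` is already validated by `[ValidateScript( { Test-Path $_ })]` that second test can simply be dropped. Everything copied here lands in the SYSVOL scripts share and is then deployed domain-wide by GPO, so checking the package's Authenticode signature before the copy (e.g. `Get-AuthenticodeSignature`) would be a cheap guard against placing a tampered MSI. The default `C:\Windows\Sysvol` is also hard-coded; deriving it from `$env:SystemRoot` would be safer on hosts with a non-standard system drive.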
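--- a/LAPS_steps.ps1
+++ b/LAPS_steps.ps1
@@ -0,0 +1,73 @@
+Throw "this is not a robust file"
+$location = Get-Location
+Set-Location C:\Tools\LAPS
+$dsnAME = (Get-ADDomain).DistinguishedName
+$domain = $env:USERDNSDOMAIN
+
+Throw "Please download LAPS from aka.ms/laps and put the msi files into the C:\Tools\LAPS\LAPS"
+
+#Copy LAPS msi files to sysvol
+.\CopyTo-Sysvol.ps1 -FilesPath C:\ADSecurity\LAPS\LAPS -Verbose
+
+#schema extension with LAPS #64 on DC LAB
+$lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS\LAPS.x64.msi"
+$expression = "C:\Windows\System32\msiexec.exe /i $lapsPath ADDLOCAL=CSE,Management,Management.UI,Management.PS,Management.ADMX /quiet"
+Invoke-Expression $expression
+<#
+#64 on PAW
+$lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS.x64.msi"
+$expression = "C:\Windows\System32\msiexec.exe /i $LapsPath ADDLOCAL=CSE,Management.PS /quiet"
+Invoke-Expression $expression
+#32 on PAW
+$lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS.x32.msi"
+$expression = "C:\Windows\System32\msiexec.exe /i $LapsPath ADDLOCAL=CSE,Management.PS /quiet"
+Invoke-Expression $expression
+#>
+#run as a member of schema admins group
+Import-module AdmPwd.PS
+Update-AdmPwdADSchema
+
+#Allow computers to store passwords
+Import-module AdmPwd.PS
+Set-AdmPwdComputerSelfPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname"
+Set-AdmPwdComputerSelfPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname"
+Set-AdmPwdComputerSelfPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname"
+Set-AdmPwdComputerSelfPermission -Identity "OU=Tier 1 Servers,$dsname"
+Set-AdmPwdComputerSelfPermission -Identity "OU=Workstations,$dsname"
+Set-AdmPwdComputerSelfPermission -Identity "OU=Quarantine,$dsname"
+
+#Allow users to read passwords
+Import-module AdmPwd.PS
+Set-AdmPwdReadPasswordPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+Set-AdmPwdReadPasswordPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+Set-AdmPwdReadPasswordPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdReadPasswordPermission -Identity "OU=Tier 1 Servers,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdReadPasswordPermission -Identity "OU=Workstations,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdReadPasswordPermission -Identity "OU=Quarantine,$dsname" -AllowedPrincipals "Domain Admins","tier2admins"
+
+#Alow users to reset passwords
+Import-module AdmPwd.PS
+Set-AdmPwdResetPasswordPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+Set-AdmPwdResetPasswordPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+Set-AdmPwdResetPasswordPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdResetPasswordPermission -Identity "OU=Tier 1 Servers,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdResetPasswordPermission -Identity "OU=Workstations,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+Set-AdmPwdResetPasswordPermission -Identity "OU=Quarantine,$dsname" -AllowedPrincipals "Domain Admins","tier2admins"
+
+#LAPS Installation GPO
+Name: LAPSInstallation-v1.0
+Source Starter GPO: (none)
+GPO Status: User configuration settings disabled
+Category Package Placement Deploy Software Additional Info
+Software Installation \\$domain\sysvol\$domain\scripts\LAPS\LAPS.x64.msi Assigned
+Category Package Placement Deploy Software Additional Info
+Software Installation \\$domain\sysvol\$domainscripts\LAPS\LAPS.x86.msi Assigned Uncheck Make this 32-bit x86 appliction available to Win64 machines
+
+#LAPS Configuration Policy
+Name: LAPSConfiguration-v1.0
+Source Starter GPO: (none)
+GPO Status: User configuration settings disabled
+Category Subcategory Policy Setting
+
+Administrative Templates LAPS Password Settings Enabled
+Password Complexity: Large letters + small letters + numbers + specials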
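Review bot: `Invoke-Expression $expression` launches msiexec.exe through a string and does not wait for the installer to finish, so the `Import-module AdmPwd.PS` and `Update-AdmPwdADSchema` that follow can run before the LAPS management module exists on the host; call the installer directly with `Start-Process -FilePath 'C:\Windows\System32\msiexec.exe' -ArgumentList @('/i', $lapsPath, 'ADDLOCAL=CSE,Management,Management.UI,Management.PS,Management.ADMX', '/quiet') -Wait`, which also removes the needless Invoke-Expression. The copy step `.\CopyTo-Sysvol.ps1 -FilesPath C:\ADSecurity\LAPS\LAPS` names a different source folder from the `C:\Tools\LAPS\LAPS` given in the preceding Throw and Set-Location, and the commented-out PAW block refers to `LAPS.x32.msi` while the package shipped in the companion script's example is `LAPS.x86.msi`. In the GPO note, `\\$domain\sysvol\$domainscripts\LAPS\LAPS.x86.msi` is missing the backslash after `$domain`. Because the MSI is executed straight out of SYSVOL on a domain controller, checking its Authenticode signature first (`Get-AuthenticodeSignature $lapsPath`) would be a cheap guard against a tampered package.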