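<#
.SYNOPSIS
Creates administrative (.0#) accounts for one or more standard user accounts.
Supply the name.name of each standard user account. Please see the ServiceNow KB
article on administrative accounts for up-to-date information on levels .02-.05 so
you use the correct number (hint: 03 for systems/network access, 02 for desktop
support).
.DESCRIPTION
Process to create administrative accounts. Each new account is created in the
admin OU (path redacted in this listing) with a random initial password that is
never output, and the standard account's mail address is stored on it in
extensionAttribute10.
Without -TemplateUser, a level-02 account is added to the desktop-support group,
gets that group as its primary group, and is removed from Domain Users.
With -TemplateUser, the template's group membership is copied to the new account
and common role groups that are not necessary on an admin account are removed.
Every new account is added to the FGPP group to force the stronger password
requirements.
.PARAMETER NameDotName
One or more sAMAccountNames (first.last) of standard user accounts.
.PARAMETER Level
Admin level suffix: 02, 03, 04 or 05.
.PARAMETER TemplateUser
Optional existing account whose group membership is copied to the new account.
.EXAMPLE
New-DUAdminAccount -NameDotName Bruce.Wayne -Level 03
.EXAMPLE
New-DUAdminAccount -NameDotName Thor.Odinson,Tony.Stark,Peter.Parker -Level 03
.EXAMPLE
New-DUAdminAccount Han.Solo,Ben.Kenobi -Level 02
#>
function New-DUAdminAccount {
    [CmdletBinding()]
    Param
    (
        # Standard user account(s) to create an admin account for (first.last).
        [Parameter(Mandatory=$true,
                   Position=0)]
        [string[]]
        $NameDotName,

        # Admin level suffix appended to the new account's names.
        [Parameter(Mandatory=$true,
                   ValueFromRemainingArguments=$false,
                   Position=1)]
        [ValidateSet("02", "03", "04", "05")]
        [String]
        $Level,

        # Existing account whose group membership is copied onto the new account.
        [Parameter(ParameterSetName='Another Parameter Set')]
        [String]
        $TemplateUser
    )

    # sAMAccountName is limited to 20 characters; a 17-character base plus ".0#"
    # fills it exactly, so longer base names are cut to 17 before the level is added.
    $maxBaseLength = 17
    $passwordLength = 15
    # Target OU for the new accounts.
    $UTSAzureExemptUsers = <#*redacted*#>

    foreach ($User in $NameDotName) {
        try {
            # -ErrorAction Stop: an unknown user must not fall through to New-ADUser
            # with empty names; the catch below reports it and moves on.
            $singleUser = Get-ADUser $User -Properties GivenName, Surname, DisplayName, mail -ErrorAction Stop

            $firstName = $singleUser.GivenName
            $lastName = $singleUser.Surname
            $displayName = $singleUser.DisplayName + ' ' + $Level
            $nameDName = $singleUser.SamAccountName + '.' + $Level
            $userPrincipalName = $nameDName + '@du.edu'
            $description = "$displayName Account"
            $standardUserEmail = $singleUser.mail

            # Fix: the original tested $NameDotName (the parameter array, whose .Length
            # is the element count) instead of the account name, so truncation never
            # fired and New-ADUser rejected base names longer than 17 characters.
            $baseName = $singleUser.SamAccountName
            if ($baseName.Length -gt $maxBaseLength) {
                $baseName = $baseName.Substring(0, $maxBaseLength)
            }
            $truncNameDotName = $baseName + '.' + $Level

            # Random initial password, built directly as a SecureString from a CSPRNG so
            # no plaintext copy is ever held. Characters are ASCII 33..125 (printable,
            # no space) — the same range the original System.Random.Next(33,126) gave.
            $securePW = New-Object System.Security.SecureString
            $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
            try {
                $byte = New-Object byte[] 1
                while ($securePW.Length -lt $passwordLength) {
                    $rng.GetBytes($byte)
                    # 93 candidate characters; reject bytes >= 186 (2*93) so every
                    # character is equally likely instead of biased by the modulo.
                    if ($byte[0] -ge 186) { continue }
                    $securePW.AppendChar([char](33 + ($byte[0] % 93)))
                }
            }
            finally {
                $rng.Dispose()
            }
            $securePW.MakeReadOnly()

            # NOTE(review): -Name receives "Display Name 03" and -DisplayName the dotted
            # name; that looks swapped but is kept as-is — confirm against existing accounts.
            New-ADUser -Name $displayName -GivenName $firstName -DisplayName $nameDName -Surname $lastName `
                -SamAccountName $truncNameDotName -Description $description -Path $UTSAzureExemptUsers `
                -AccountPassword $securePW -UserPrincipalName $userPrincipalName -Enabled $true `
                -Confirm:$false -ErrorAction Stop
            # Presumably gives the new object time to become visible before it is modified — TODO confirm.
            Start-Sleep -Seconds 10

            # Keep the standard account's mail address on the admin account.
            Set-ADUser -Identity $truncNameDotName -Add @{extensionAttribute10 = $standardUserEmail}

            if (-not $TemplateUser) {
                if ($Level -eq '02') {
                    # Desktop-support accounts: join the support group, make it the
                    # primary group, then drop Domain Users.
                    Add-ADGroupMember -Members $truncNameDotName -Identity <#*redacted*#>
                    $primaryGroupToken = (Get-ADGroup <#*redacted*#> -Properties primarygrouptoken).primarygrouptoken
                    Set-ADUser -Identity $truncNameDotName -Replace @{PrimaryGroupID = "$primaryGroupToken"}
                    Remove-ADGroupMember -Identity "Domain Users" -Members $truncNameDotName -Confirm:$false
                }
            }
            else {
                # Copy the template's group membership onto the new account.
                $templateGroups = (Get-ADUser $TemplateUser -Properties memberof -ErrorAction Stop).memberof
                foreach ($groupDn in $templateGroups) {
                    Add-ADGroupMember -Members $truncNameDotName -Identity $groupDn
                }
                # Role groups belong to the standard user's job, not the admin account; remove them.
                $roleGroups = Get-ADGroup -Filter <#*redacted*#>
                foreach ($group in $roleGroups) {
                    Remove-ADGroupMember -Identity $group.DistinguishedName -Members $truncNameDotName -Confirm:$false
                }
            }

            # FGPP target group: enforces the stronger admin password policy.
            Add-ADGroupMember -Members $truncNameDotName -Identity <#*redacted*#>
        }
        catch {
            # Report and continue with the next user instead of aborting the whole batch.
            Write-Error "New-DUAdminAccount failed for '$User': $_"
        }
    }
}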