  <#----------------------------------------------------------------------------------------------------------------------------
  August 2017 - Robin Beismann - Michael Wessel Informationstechnologie GmbH

  This script creates dummy users for MAC based Microsoft NPS RADIUS authentication by using the MAC addresses stored in a
  specific AD user attribute (personalPager) separated by semicolons. One dummy user is created per MAC address: its
  sAMAccountName, name and password are the normalized MAC, its DisplayName is the sAMAccountName of the owning user.

  CAUTION: THIS WILL DELETE ALL USERS OUT OF A SPECIFIC ORGANIZATIONAL UNIT IF THEY MATCH THE SCHEMA!
  ("match the schema" = the account lives under $baseOU and its sAMAccountName is exactly 12 characters long, i.e. it looks
  like a MAC address, and no owner references that MAC anymore.)
  ----------------------------------------------------------------------------------------------------------------------------#>

  #Define base OU for the dummy users. Every 12-character account below this OU is treated as a dummy user by the cleanup
  #step, so never point this at an OU that holds real accounts.
  $baseOU = "OU=test,OU=Testuser,<stripped>"

  #This is the DN of the group to which the fine grained password policy is applied. Dummy users are added to it and get
  #its RID as PrimaryGroupID, because the MAC-as-password scheme cannot satisfy the default domain password policy.
  $WLANUsersGroup = "CN=WLAN-TESTGROUP,OU=test,OU=Testuser,<stripped>"

  #Name of the domain users default group (depends on AD setup language). Dummy users are removed from it after creation.
  $domainUsersGroup = "Domain Users"

  #If this is set to false we're actually gonna start creating and deleting users; $true only reports what would happen.
  $dryRun = $true

  #######################################################################################################################
  ########################################### Do not modify below #######################################################
  #######################################################################################################################
  25.  
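  #Get closest DC. Every query below is pinned to this one DC so that the lookup, the cleanup and the creation
  #steps all see the same replica (the original only pinned the creation step, so a freshly created account could be
  #missed by a lookup that went to another DC).
  $dc = (Get-ADDomainController -NextClosestSite -Discover).Name

  #Initialize MAC Table: normalized MAC (12 lowercase chars) -> sAMAccountName of the owning user
  $MACTable = @{}

  #Get current Dummy Users: everything below the base OU; the cleanup step narrows this down by sAMAccountName length
  $currentDummyUsers = Get-ADUser -SearchBase $baseOU -Filter * -Server $dc

  #Determine the RID of the WLAN group (last component of its SID). It is used as PrimaryGroupID so that the dummy
  #users can be taken out of Domain Users while the Fine Grained Password Policy bound to this group still applies.
  $group = Get-ADGroup -Identity $WLANUsersGroup -Server $dc
  $groupSid = $group.SID
  [int]$primaryGroupID = $groupSid.Value.Split('-')[-1]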
  39.  
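  #Normalize the raw attribute value into a list of candidate MAC strings:
  #lowercase, ":" and "-" stripped, any run of spaces / commas / semicolons treated as one delimiter,
  #leading and trailing delimiters dropped. Validation of the individual entries is left to the caller.
  function ConvertTo-MacList {
      param([string]$raw)
      $normalized = $raw.ToLower() -replace '[:\-]', '' -replace '[ ,;]+', ';'
      return @($normalized.Trim(';').Split(';'))
  }

  #Grab users with fitting MAC Address Attributes. Only the one attribute is requested instead of -Properties *,
  #and the filter asks for "attribute present" directly instead of relying on "-ne $false".
  Get-ADUser -Filter 'personalPager -like "*"' -Properties personalPager -Server $dc | ForEach-Object {
      $rawMac = $_.personalPager
      $dn = $_.distinguishedName
      $sAMAccountName = $_.sAMAccountName

      #Anything shorter than one full MAC (12 hex digits) cannot contain a valid address
      if ($rawMac.Length -ge 12) {
          foreach ($candidate in (ConvertTo-MacList $rawMac)) {
              #A candidate must be exactly 12 hex digits; anything else would otherwise become an account name
              #and a password below. The offending token is reported, not the whole attribute value.
              if ($candidate -notmatch '^[0-9a-f]{12}$') {
                  Write-Host ("Found unparseable MAC Address: $dn = $candidate")
                  continue
              }

              #Same MAC referenced by two different owners: the last one wins (as before), but say so, because the
              #DisplayName of the dummy user will then point at the wrong person.
              if ($MACTable.ContainsKey($candidate) -and $MACTable[$candidate] -ne $sAMAccountName) {
                  Write-Warning ("MAC $candidate is referenced by both $($MACTable[$candidate]) and $sAMAccountName; using $sAMAccountName")
              }
              $MACTable[$candidate] = $sAMAccountName
          }
      }
  }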
  69.  
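  #Cleanup old: remove dummy users whose MAC is no longer referenced by any owner
  foreach ($user in $currentDummyUsers) {

      #Still referenced -> keep. ContainsKey is used instead of a truthiness test on the stored value;
      #the hashtable literal is case-insensitive, so the case AD returns the sAMAccountName in does not matter.
      if ($MACTable.ContainsKey($user.SamAccountName)) { continue }

      #Safety net: only touch objects that live under the base OU and look like a MAC (12 chars).
      #The DN suffix is compared case-insensitively: AD returns DNs in stored case, not necessarily as typed in $baseOU,
      #and a case mismatch would silently skip every deletion.
      $isDummy = $user.DistinguishedName.EndsWith($baseOU, [System.StringComparison]::OrdinalIgnoreCase) -and
                 ($user.SamAccountName.Length -eq 12)
      if (-not $isDummy) { continue }

      Write-Host ("Removing AD User: " + $user.SamAccountName)

      #Check for dry run flag; delete on the same DC the lookups used
      if (-not $dryRun) {
          Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false -Server $dc
      }
  }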
  88.  
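  #Create new devices: one dummy user per MAC, named after the MAC, enabled only once it is fully configured
  foreach ($entry in $MACTable.GetEnumerator()) {
      $macAddress = $entry.Name
      #Bug fix: the original read $_.Value here, but $_ is not set inside a foreach statement (only in ForEach-Object),
      #so every dummy user was created with an empty DisplayName.
      $ownerSam = $entry.Value

      #Already present on our DC -> nothing to do
      if (Get-ADUser -Filter { sAMAccountName -eq $macAddress } -Server $dc) { continue }

      Write-Host ("Creating $macAddress")

      #Check for dry run flag
      if ($dryRun) { continue }

      #Encode Password. NPS MAC based authentication requires user name and password to both be the MAC, which is why
      #the Fine Grained Password Policy group exists. Whoever knows the MAC knows the credential, so the account is
      #kept as unprivileged as possible below (WLAN group only, out of Domain Users).
      $password = ConvertTo-SecureString -AsPlainText $macAddress -Force

      #Create AD User, disabled. DisplayName carries the owner's sAMAccountName so the device can be traced back.
      New-ADUser -SamAccountName $macAddress -DisplayName $ownerSam -Name $macAddress -Path $baseOU -Enabled $false -Server $dc

      #Get AD User back from the same DC it was created on; bail out of this entry if it is not there
      $user = Get-ADUser -Filter { sAMAccountName -eq $macAddress } -Server $dc -SearchBase $baseOU
      if (-not $user) {
          Write-Warning "User $macAddress was not found on $dc after New-ADUser; skipping its post-creation steps"
          continue
      }

      #Add to WLAN Group so Password Policys match
      Add-ADGroupMember -Identity $group -Members $user -Server $dc

      #Change the primary group to the WLAN group; a user cannot be removed from its primary group
      $user | Set-ADUser -Replace @{PrimaryGroupID = $primaryGroupID } -Server $dc

      #Remove from Domain Users so the dummy user loses the default privileges
      Remove-ADGroupMember -Identity $domainUsersGroup -Members $user -Confirm:$false -Server $dc

      #Set the password
      $user | Set-ADAccountPassword -NewPassword $password -Server $dc

      #Finally enable the account (last step, so a partially configured account never goes live)
      $user | Enable-ADAccount -Server $dc
  }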