Last active
January 2, 2018 15:26
-
-
Save RobinBeismann/680cdc07a697dcc7ec7c20f2a1c95029 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <#---------------------------------------------------------------------------------------------------------------------------- | |
| August 2017 - Robin Beismann - Michael Wessel Informationstechnologie GmbH | |
| This script creates dummy users for MAC based Microsoft NPS Radius authentication by using MAC Addresses out of a specific | |
| AD User Attribut containing MAC Addresses seperated by semicolas | |
| CAUTION: THIS WILL DELETE ALL USERS OUT OF A SPECIFIC ORGANIZATIONAL UNIT IF THEY MATCH THE SCHEMA! | |
| ----------------------------------------------------------------------------------------------------------------------------#> | |
| #Define base OU for the dummy users | |
| $baseOU = "OU=test,OU=Testuser,<stripped>" | |
| #This is the DN of the group to which the fine grained password policy is applied | |
| $WLANUsersGroup = "CN=WLAN-TESTGROUP,OU=test,OU=Testuser,<stripped>" | |
| #If this is set to false we're actually gonna start creating and deleting users | |
| $dryRun = $true | |
| ####################################################################################################################### | |
| ########################################### Do not modify below ####################################################### | |
| ####################################################################################################################### | |
| #Get Domain Users Group | |
| $domainUsersGroupSID = (Get-ADDomain).DomainSid.Value + "-513" | |
| $domainUsersGroup = Get-ADGroup -Filter { objectSid -eq $domainUsersGroupSID } | |
| #Get closest DC | |
| $dc = (Get-ADDomainController -NextClosestSite -Discover).Name | |
| #Initialize MAC Table | |
| $MACTable = @{} | |
| #Get current Dummy Users | |
| $currentDummyUsers = Get-ADUser -SearchBase $baseOU -Filter * | |
| #Determinate Group ID of WLAN Group, this group is used for the Fine Grained Password Policy | |
| $group = Get-ADGroup $WLANUsersGroup | |
| $groupSid = $group.SID | |
| [int]$primaryGroupID = $groupSid.Value.Substring($groupSid.Value.LastIndexOf("-")+1) | |
| #Grab users with fitting MAC Address Attributes | |
| Get-ADUser -Filter { personalPager -ne $false } -Properties * | ForEach-Object { | |
| $mac = $_.personalPager #Define MAC | |
| $dn = $_.distinguishedName #Define DN | |
| $sAMAccountName = $_.sAMAccountName #Define sAMAccountName | |
| if($mac.Length -ge 12){ | |
| $mac = $mac.ToLower() | |
| $mac = $mac.Replace(" ",";") #Fix space delimiter | |
| $mac = $mac.Replace(",",";") #Fix "," Delimiter | |
| $mac = $mac.Replace(":","") #Strip MAC Down | |
| $mac = $mac.Replace(";;",";") #Replace Double Semicola | |
| $mac = $mac.Replace("-","") #Strip MAC further Down | |
| #Remove finishing semicola | |
| if($mac.Substring(($mac.Length)-1) -eq ";"){ | |
| $mac = $mac.Substring( 0,($mac.Length)-1) | |
| } | |
| $mac.Split(";") | ForEach-Object { | |
| if($_.Length -ne 12){ | |
| Write-Host ("Found unparseable MAC Address: $dn = $mac") | |
| }else{ | |
| $MACTable[$_] = $sAMAccountName | |
| } | |
| } | |
| } | |
| } | |
| #Cleanup old | |
| foreach($user in $currentDummyUsers){ | |
| #Check if our built MAC Table contains those addresses | |
| if(!$MACTable[($user.sAMAccountName)]){ | |
| if( ($user.DistinguishedName).EndsWith($baseOU) -and ($user.SamAccountName.Length -eq 12) ){ | |
| Write-Host("Removing AD User: " + $user.SamAccountName) | |
| #Check for dry run flag | |
| if(!$dryRun){ | |
| Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false | |
| } | |
| } | |
| } | |
| } | |
| #Create new devices | |
| foreach($mac in $MACTable.GetEnumerator()){ | |
| $macAddress = $mac.Name | |
| if( !(Get-ADUser -Filter {sAMAccountName -eq $macAddress} -Server $dc)){ | |
| Write-Host("Creating $macAddress") | |
| #Check for dry run flag | |
| if(!$dryRun){ | |
| #Encode Password | |
| $password = ConvertTo-SecureString -AsPlainText $macAddress -Force | |
| #Create AD User | |
| New-ADUser -SamAccountName $macAddress -DisplayName $_.Value -name $macAddress -Path $baseOU -Enabled $false -Server $dc | |
| #Get AD User | |
| $user = Get-ADUser -Filter {sAMAccountName -eq $macAddress} -Server $dc -SearchBase $baseOU | |
| #Add to WLAN Group so Password Policys match | |
| Add-ADGroupMember -Identity $group -Members $user | |
| #Change his primary group | |
| $user | Set-ADUser -Replace @{PrimaryGroupID = $primaryGroupID } | |
| #Remove him from Domain Users so he looses most of his privilegues | |
| Remove-ADGroupMember -Identity $domainUsersGroup -Members $user -Confirm:$false | |
| #Set his Password | |
| $user | Set-ADAccountPassword -NewPassword $password | |
| #Finally enable the account | |
| $user | Enable-ADAccount | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment