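function set-KCD
{
    <#
    .SYNOPSIS
        Enables Kerberos constrained delegation (KCD) with protocol transition on an AD account.

    .DESCRIPTION
        Adjusts the account-control flags of the supplied AD object and then appends every
        SPN in -SPNs to its msDS-AllowedToDelegateTo attribute:

          * AccountNotDelegated        -> cleared when it is currently set (this removes the
                                          "account is sensitive and cannot be delegated" protection)
          * TrustedForDelegation       -> cleared (no unconstrained delegation)
          * TrustedToAuthForDelegation -> set (constrained delegation with protocol transition,
                                          "use any authentication protocol")

        Protocol transition lets the account obtain service tickets for the listed SPNs on
        behalf of other users, so the account should be treated as privileged and the SPN list
        kept to the minimum the service needs.

    .PARAMETER ADObject
        The AD user or computer to configure. Its AccountNotDelegated, DistinguishedName and
        sAMAccountName properties are read. Each object received from the pipeline is processed.

    .PARAMETER SPNs
        Service principal names (e.g. 'HTTP/web01.corp.example.com') to append to
        msDS-AllowedToDelegateTo. One Set-ADObject -Add call is made per SPN; blank entries
        are skipped with a warning.

    .OUTPUTS
        None. Progress is reported through Write-Verbose.

    .NOTES
        Honours -WhatIf / -Confirm: no directory write happens unless ShouldProcess approves
        it for the object.
    #>
    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        $ADObject,
        # NOTE(review): because $ADObject is untyped, piped input presumably binds to it first,
        # so -SPNs is in practice supplied by name; the attribute is kept for compatibility.
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string[]]$SPNs
    )
    process
    {
        $dn = $ADObject.DistinguishedName
        $target = "$dn (msDS-AllowedToDelegateTo += $($SPNs -join ', '))"
        if (-not $PSCmdlet.ShouldProcess($target, 'Enable constrained delegation with protocol transition'))
        {
            return
        }

        # Always drop unconstrained delegation and enable protocol transition; only touch
        # AccountNotDelegated when it is actually set, as the original logic did.
        $control = @{
            TrustedForDelegation       = $False
            TrustedToAuthForDelegation = $True
        }
        if ($ADObject.AccountNotDelegated -eq $True)
        {
            $control['AccountNotDelegated'] = $False
        }
        $ADObject | Set-ADAccountControl @control

        foreach ($SPN in $SPNs)
        {
            if ([string]::IsNullOrWhiteSpace($SPN))
            {
                Write-Warning -Message "Skipping empty SPN for $dn."
                continue
            }
            # -Add appends to the multi-valued attribute; values already present are left alone.
            set-adObject -Identity $dn -Add @{ "msds-AllowedtoDelegateTo" = $SPN }
            # $($...) is required: "$ADObject.sAMAccountName" would expand only $ADObject.
            Write-Verbose -Message "Kerberos Constrained Delegation applied on $($ADObject.sAMAccountName) ($dn) for $SPN."
        }
    }
}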
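describe 'Set-Kcd' {
    # Stub the AD cmdlets so nothing is written to a directory; the tests only inspect
    # how set-KCD invokes them. (Pester copies the real parameter sets onto the mocks,
    # so the ActiveDirectory module must be loadable.)
    mock 'Set-ADAccountControl'
    mock 'Set-AdObject'

    $spns = 'whatever', 'whateveragain'

    context 'AD User' {
        $adUser = New-MockObject -Type Microsoft.ActiveDirectory.Management.ADUser
        $adUser.DistinguishedName = 'whatever'

        it 'sets delegation stuff given AccountNotDelegated is $true' {
            $adUser.AccountNotDelegated = $true
            set-KCD -ADObject $adUser -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdAccountControl'
                'Times'           = 1
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = {
                    $AccountNotDelegated -eq $false -and
                    $TrustedForDelegation -eq $false -and
                    $TrustedToAuthForDelegation -eq $true
                }
            }
            Assert-MockCalled @assMParams
        }

        it 'sets delegation stuff given AccountNotDelegated is $false' {
            $adUser.AccountNotDelegated = $false
            set-KCD -ADObject $adUser -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdAccountControl'
                'Times'           = 1
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = {
                    $TrustedForDelegation -eq $false -and
                    $TrustedToAuthForDelegation -eq $true
                }
            }
            Assert-MockCalled @assMParams
        }

        it 'sets the msds-AllowedtoDelegateTo AD attribute for all objects in SPNs' {
            # A single call issues one Set-ADObject -Add per SPN, each addressed to the object's DN.
            set-KCD -ADObject $adUser -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdObject'
                'Times'           = $spns.Count
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = { $Identity -eq $adUser.DistinguishedName }
            }
            Assert-MockCalled @assMParams
            # Hashtables compare by reference under -eq, so index into $Add rather than
            # comparing it against a literal hashtable.
            $assMParams.Times = 1
            foreach ($spn in $spns) {
                $assMParams.ParameterFilter = {
                    $Identity -eq $adUser.DistinguishedName -and
                    $Add['msds-AllowedtoDelegateTo'] -eq $spn
                }
                Assert-MockCalled @assMParams
            }
        }
    }

    context 'AD Computer' {
        $adComputer = New-MockObject -Type Microsoft.ActiveDirectory.Management.ADComputer
        $adComputer.DistinguishedName = 'dontcare'

        it 'sets delegation stuff given AccountNotDelegated is $true' {
            $adComputer.AccountNotDelegated = $true
            set-KCD -ADObject $adComputer -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdAccountControl'
                'Times'           = 1
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = {
                    $AccountNotDelegated -eq $false -and
                    $TrustedForDelegation -eq $false -and
                    $TrustedToAuthForDelegation -eq $true
                }
            }
            Assert-MockCalled @assMParams
        }

        it 'sets delegation stuff given AccountNotDelegated is $false' {
            $adComputer.AccountNotDelegated = $false
            set-KCD -ADObject $adComputer -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdAccountControl'
                'Times'           = 1
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = {
                    $TrustedForDelegation -eq $false -and
                    $TrustedToAuthForDelegation -eq $true
                }
            }
            Assert-MockCalled @assMParams
        }

        it 'sets the msds-AllowedtoDelegateTo AD attribute for all objects in SPNs' {
            # set-KCD addresses Set-ADObject by the object's DistinguishedName, not a
            # separate Identity property, so that is what the filter checks.
            set-KCD -ADObject $adComputer -SPNs $spns
            $assMParams = @{
                'CommandName'     = 'Set-AdObject'
                'Times'           = $spns.Count
                'Exactly'         = $true
                'Scope'           = 'It'
                'ParameterFilter' = { $Identity -eq $adComputer.DistinguishedName }
            }
            Assert-MockCalled @assMParams
            $assMParams.Times = 1
            foreach ($spn in $spns) {
                $assMParams.ParameterFilter = {
                    $Identity -eq $adComputer.DistinguishedName -and
                    $Add['msds-AllowedtoDelegateTo'] -eq $spn
                }
                Assert-MockCalled @assMParams
            }
        }
    }
}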