Created
August 16, 2019 20:39
-
-
Save infamousjoeg/8498dfc2d22f610be70169b6229ace31 to your computer and use it in GitHub Desktop.
Create Active Directory security groups for CyberArk; Create safe in CyberArk; Add groups as members
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module ActiveDirectory | |
| Import-Module psPAS | |
| Import-Module CredentialRetriever | |
| $domainName = "joegarcia.dev" | |
| $baseURI = "https://cyberark.joegarcia.dev" | |
| $apiUsername = "Svc_CybrAutomation" | |
| $safeName = Read-Host "Enter the name of the safe in CyberArk PAS" | |
| Write-Output "Creating security group ${safeName}_Admin" | |
| New-ADGroup -Name "${safeName}_Admin" -SamAccountName "${safeName}_Admin" ` | |
| -GroupCategory Security -GroupScope Global -DisplayName "${safeName}_Admin" ` | |
| -Path "OU=Security Groups,OU=Groups,DC=joegarcia,DC=dev" ` | |
| -Description "Members of this group are ${safeName} Safe Administrators" | |
| Write-Output "Creating security group ${safeName}_Auditors" | |
| New-ADGroup -Name "${safeName}_Auditors" -SamAccountName "${safeName}_Auditors" ` | |
| -GroupCategory Security -GroupScope Global -DisplayName "${safeName}_Auditors" ` | |
| -Path "OU=Security Groups,OU=Groups,DC=joegarcia,DC=dev" ` | |
| -Description "Members of this group are ${safeName} Safe Auditors" | |
| Write-Output "Creating security group ${safeName}_Users" | |
| New-ADGroup -Name "${safeName}_Users" -SamAccountName "${safeName}_Users" ` | |
| -GroupCategory Security -GroupScope Global -DisplayName "${safeName}_Users" ` | |
| -Path "OU=Security Groups,OU=Groups,DC=joegarcia,DC=dev" ` | |
| -Description "Members of this group are ${safeName} Safe Users" | |
| ### GET API CREDENTIALS FROM AIM CCP | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| try { | |
| $securePassword = ConvertTo-SecureString $( | |
| Get-CCPCredential ` | |
| -AppID "AD Automation" ` | |
| -Safe D-Svc-RESTAPI ` | |
| -Username $apiUsername ` | |
| -WebServiceName AIMWebService ` | |
| -URL $baseURI | |
| ).Content -AsPlainText -Force | |
| $apiCredentials = New-Object System.Management.Automation.PSCredential($apiUsername, $securePassword) | |
| Write-Output "Retrieved ${apiUsername} secret successfully" | |
| } catch { | |
| Write-Error "Did not successfully retrieve secret for ${apiUsername}" | |
| exit | |
| } | |
| ### CONNECT TO CYBERARK WEB SERVICES | |
| $PASSession = @{ | |
| BaseURI = $baseURI | |
| type = "LDAP" | |
| Credential = $apiCredentials | |
| } | |
| try { | |
| New-PASSession @PASSession | |
| Write-Output "Successfully connected to CyberArk Web Services" | |
| } catch { | |
| Write-Error "Could not connect to ${baseURI} or ${apiUsername} credential is invalid" | |
| exit | |
| } | |
| ### CREATE SAFE | |
| $PASSafe = @{ | |
| SafeName = $safeName | |
| ManagingCPM = "PasswordManager" | |
| NumberOfVersionsRetention = "5" | |
| } | |
| try { | |
| Add-PASSafe @PASSafe | |
| Write-Output "Created safe ${safeName} in CyberArk PAS successfully" | |
| } catch { | |
| Write-Error "Could not create safe ${safeName} in CyberArk PAS" | |
| exit | |
| } | |
| ### APPLY SECURITY GROUPS CREATED TO SAFE | |
| $PASSafeMember_Admin = @{ | |
| MemberName = "${safeName}_Admin" | |
| SearchIn = $domainName | |
| SafeName = $safeName | |
| UseAccounts = $true | |
| RetrieveAccounts = $true | |
| ListAccounts = $true | |
| AddAccounts = $true | |
| UpdateAccountContent = $true | |
| UpdateAccountProperties = $true | |
| InitiateCPMAccountManagementOperations = $true | |
| SpecifyNextAccountContent = $false | |
| RenameAccounts = $true | |
| DeleteAccounts = $true | |
| UnlockAccounts = $true | |
| ManageSafe = $true | |
| ManageSafeMembers = $true | |
| BackupSafe = $true | |
| ViewAuditLog = $true | |
| ViewSafeMembers = $true | |
| RequestsAuthorizationLevel = "1" | |
| AccessWithoutConfirmation = $true | |
| CreateFolders = $true | |
| DeleteFolders = $true | |
| MoveAccountsAndFolders = $true | |
| } | |
| $PASSafeMember_Auditors = @{ | |
| MemberName = "${safeName}_Auditors" | |
| SearchIn = $domainName | |
| SafeName = $safeName | |
| ListAccounts = $true | |
| ViewAuditLog = $true | |
| ViewSafeMembers = $true | |
| AccessWithoutConfirmation = $true | |
| } | |
| $PASSafeMember_Users = @{ | |
| MemberName = "${safeName}_Users" | |
| SearchIn = $domainName | |
| SafeName = $safeName | |
| UseAccounts = $true | |
| RetrieveAccounts = $true | |
| ListAccounts = $true | |
| UnlockAccounts = $true | |
| ViewAuditLog = $true | |
| } | |
| try { | |
| Add-PASSafeMember @PASSafeMember_Admin | |
| Write-Output "Added ${safeName}_Admin to ${safeName} successfully" | |
| Add-PASSafeMember @PASSafeMember_Auditors | |
| Write-Output "Added ${safeName}_Auditors to ${safeName} successfully" | |
| Add-PASSafeMember @PASSafeMember_Users | |
| Write-Output "Added ${safeName}_Users to ${safeName} successfully" | |
| } catch { | |
| Write-Error "Failed to process all Safe Membership additions on ${safeName}" | |
| exit | |
| } | |
| Close-PASSession |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment