PowerShell: Assign Temporary Administrator Rights #PowerShell #ActiveDirectory #EmbededPost
<#
$Metadata = @{
Title = "Assign Temporary Administrator Rights"
Filename = "Assign-TemporaryAdministratorRights.ps1"
Description = ""
Tags = "powershell, script, activedirectory, assign, temporary, administrator, rights, computer"
Project = ""
Author = "Janik von Rotz"
AuthorContact = "http://janikvonrotz.ch"
CreateDate = "2013-11-15"
LastEditDate = "2013-11-18"
Url = ""
Version = "1.0.0"
License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>
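try{
    #--------------------------------------------------#
    # modules
    #--------------------------------------------------#
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    #--------------------------------------------------#
    # settings
    #--------------------------------------------------#
    # var #Username# replaces username, var #Computername# replaces computername
    $GPOTemplate = "Windows User #Username# - #Computername# Lokaler Administrator"
    $TempFolder = "C:\export"
    $SPWebUrl = (Get-SPUrl "http://sharepoint.vbl.ch/finanzen/it/Abteilungssite/SitePages/Homepage.aspx").Url
    $SPListName = "Temporäre Adminrechte"
    $RemoteConnectionKey = "sp1"
    # Event log source used for every message this script writes.
    $EventSource = "Assign Temporary Administrator Rights"
    # The list's Title column is interpolated into an AD -Filter string further down. Only values that
    # look like a plain mail address are accepted; anything else (quotes, wildcards, spaces) is skipped.
    $MailPattern = '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'

    #--------------------------------------------------#
    # main
    #--------------------------------------------------#
    # Every row of the SharePoint list is honoured as a request, so whoever can edit that list can
    # obtain local administrator rights on any domain computer named in it. The list's permissions
    # are the only gate in front of this script.
    $Computer = Get-RemoteConnection -Name $RemoteConnectionKey
    $Credential = Import-PSCredential -Path (Get-ChildItem $PSconfigs.Path -Filter "SharePoint.credential.config.xml" -Recurse).FullName
    $Session = New-PSSession -ComputerName $Computer.Name -Credential $Credential -ConfigurationName microsoft.powershell
    try {
        $Computer.SnapIns | %{ Invoke-Command -Session $Session -ScriptBlock {param ($Name) Add-PSSnapin -Name $Name} -ArgumentList $_}
        # $SPWebUrl and $SPListName are script constants, so expanding them into the remote script is
        # fine; the backtick-escaped parts are evaluated on the SharePoint server.
        [ScriptBlock]$ScriptBlock = [scriptblock]::Create(@"
Get-SPWeb '$SPWebUrl' | %{
`$_.Lists['$SPListName'].GetItems() | %{
`$(New-Object PSObject -Property @{
Mail = `$_["Title"].toString()
Computer = `$_["Computer"].toString()
From = `$_["From"].toString()
To = `$_["To"].toString()
})
}
}
"@)
        $Config = Invoke-Command -Session $Session -ScriptBlock $ScriptBlock
    } finally {
        # close the remote session even when the query throws
        Remove-PSSession $Session
    }

    <#
    $Config = @(
    $(New-Object PSObject -Property @{
    Mail = "name.surname@domain.ch"
    Computer = "tpbmar1"
    From = "18.11.2013"
    To = "25.11.2013"
    }),
    $(New-Object PSObject -Property @{
    Mail = "name.surname@vbl.ch"
    Computer = "tpfit9"
    From = "15.11.2013"
    To = "21.11.2013"
    }),
    )
    #>

    # loop invariants: the template GPO and the working folder for GPO backups
    $SourceGPO = Get-GPO $GPOTemplate
    if(-not (Test-Path $TempFolder)){New-Item -Path $TempFolder -ItemType Directory}

    $Config | %{
        $Item = $_
        # One failing row must not stop the others: an expired entry further down the list still has
        # to be revoked, so each row is processed and logged on its own.
        try {
            $Mail = [string]$Item.Mail
            if($Mail -notmatch $MailPattern){
                Write-PPEventLog -Message "Skipped request with invalid mail address: $Mail on computer: $($Item.Computer)" -Source $EventSource -WriteMessage
                return
            }
            # get settings
            $ADComputer = Get-ADComputer $Item.Computer
            # safe to interpolate: $Mail matched $MailPattern, which admits neither quotes nor wildcards
            $ADUser = Get-ADUser -Filter "mail -eq '$Mail'" | select -first 1
            if(-not $ADUser){
                Write-PPEventLog -Message "Skipped request, no AD user found for mail address: $Mail" -Source $EventSource -WriteMessage
                return
            }
            $GPOName = ($GPOTemplate -replace "#Username#", $ADUser.Name -replace "#Computername#", $ADComputer.Name)
            # parent container of the computer object; the name is escaped because -replace takes a regex
            $CNPattern = "CN=" + [regex]::Escape($ADComputer.Name) + ","
            $TargetOU = $ADComputer.DistinguishedName -replace $CNPattern, ""
            # NOTE: the list values are parsed with the current culture (the sample data above is
            # dd.MM.yyyy). A bare date is midnight at the start of that day, so a grant is created only
            # after the From day has begun and is removed once the To day has begun.
            $FromDate = Get-Date $Item.From
            $ToDate = Get-Date $Item.To
            $Date = $(Get-Date)
            # get gpo
            $GPO = Get-GPO -Name $GPOName -ErrorAction SilentlyContinue
            if(-not $GPO -and $Date -gt $FromDate -and $Date -lt $ToDate){
                # inside the requested window and no GPO yet: create it from the template
                $GPO = New-GPO -Name $GPOName
                $PathToFolder = $null
                try {
                    $GPO | New-GPLink -Target $TargetOU
                    # only the target computer may apply the GPO; everyone else loses the default apply right
                    $GPO | Set-GPPermissions -Replace -PermissionLevel None -TargetName "Authentifizierte Benutzer" -TargetType Group
                    $GPO | Set-GPPermissions -PermissionLevel GpoApply -TargetName $ADComputer.Name -TargetType Computer
                    # backup template gpo
                    $GPOBackup = $SourceGPO | Backup-GPO -Path $TempFolder
                    $PathToFolder = Join-Path $TempFolder ("{" + $GPOBackup.Id + "}")
                    $PathToXML = Join-Path $PathToFolder "DomainSysvol\GPO\Machine\Preferences\Groups\Groups.xml"
                    [xml]$GroupXML = Get-Content $PathToXML
                    # update template gpo settings; assumes the template defines exactly one group member
                    # (with several members these assignments would target an array) - TODO confirm
                    $GroupXML.Groups.Group.Properties.Members.Member.name = $(Get-ADDomain).NetBIOSName + "\" +$ADUser.SamAccountName
                    $GroupXML.Groups.Group.Properties.Members.Member.sid = "$($ADUser.SID)"
                    $GroupXML.Save($PathToXML)
                    # import to new gpo
                    Import-GPO -BackupId $GPOBackup.Id -TargetGuid $GPO.Id -path $TempFolder
                } catch {
                    # a half-configured GPO would otherwise pass the '-not $GPO' test on every later run
                    # and never be completed; drop it so the next run starts over
                    $GPO | Remove-GPO -ErrorAction SilentlyContinue
                    throw
                } finally {
                    # the backup folder holds the template and the user's SID; clean it up on every path
                    if($PathToFolder -and (Test-Path $PathToFolder)){
                        Remove-Item $PathToFolder -Force -confirm:$false -Recurse
                    }
                }
                Write-PPEventLog -Message "Added temporary administrator rights for: $($Item.Mail) on computer: $($Item.Computer)" -Source $EventSource -WriteMessage
            }elseif($GPO -and $Date -gt $ToDate ){
                # window has passed: delete gpo
                $GPO | Remove-GPO
                Write-PPEventLog -Message "Removed temporary administrator rights for: $($Item.Mail) on computer: $($Item.Computer)" -Source $EventSource -WriteMessage
            }
        } catch {
            Write-PPErrorEventLog -Source $EventSource
        }
    }
}catch{
    Write-PPErrorEventLog -Source "Assign Temporary Administrator Rights"
}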
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<!-- Scheduled task definition for Assign-TemporaryAdministratorRights.ps1. The $PS... values in the
     Exec action below are not literal paths; presumably they are placeholders expanded by the
     author's PowerShell profile when the task is registered - confirm before importing this file as-is. -->
<RegistrationInfo>
<Date>2013-03-20T14:18:21.6393172</Date>
<Author>Janik von Rotz (http://janikvonrotz.ch)</Author>
<Description>Assign Temporary Administrator Rights</Description>
</RegistrationInfo>
<Triggers>
<!-- Every day from 06:00, once an hour (PT1H) for 12 hours (PT12H). The script compares the current
     date with each request's From/To dates on every run, so a grant is created at the first run
     inside its window and removed at the first run after its To date. -->
<CalendarTrigger>
<Repetition>
<Interval>PT1H</Interval>
<Duration>PT12H</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>2013-01-01T06:00:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Settings>
<!-- IgnoreNew: while one run is still busy no second instance is started, so two runs never work on
     the same GPO at the same time. -->
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<!-- a hung run is killed after three days -->
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<!-- Context="Author": the action runs as the account that registered the task. That account needs the
     rights the script exercises (creating and linking GPOs, reading the SharePoint credential file),
     so it is a highly privileged identity. -->
<Actions Context="Author">
<Exec>
<Command>$PSapps.PowerShell</Command>
<Arguments>$(Get-ChildItem -Path $PSscripts.Path -Filter "Assign-TemporaryAdministratorRights.ps1" -Recurse).Fullname</Arguments>
<WorkingDirectory>$PSProfile.Path</WorkingDirectory>
</Exec>
</Actions>
</Task>
<?xml version="1.0" encoding="UTF-8" ?>
<Content>
<!-- Remote connection definitions. The script resolves a server by Key (Get-RemoteConnection -Name "sp1"),
     opens a PSSession to Name and loads the listed SnapIns into that session. No password is stored
     here; the script loads its credential from a separate SharePoint.credential.config.xml file, which
     presumably belongs to the User named below - confirm. -->
<Metadata>
<Title>Server Remote Configurations</Title>
<Filename>Server.remote.config.xml</Filename>
<Description></Description>
<Tags>powershell, configuration, remote, session</Tags>
<Project></Project>
<Author>Janik von Rotz</Author>
<AuthorContact>www.janikvonrotz.ch</AuthorContact>
<CreateDate>2013-11-18</CreateDate>
<LastEditDate>2013-11-18</LastEditDate>
<Version>3.0.0</Version>
</Metadata>
<!-- SharePoint -->
<Server Key="sp1" Name="vblw2k8sp01" User="vbl\sa-spadmin" Description="SharePoint Server" SnapIns="Microsoft.SharePoint.PowerShell"></Server>
</Content>