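# New-LocalUser is only available in a x64 PowerShell process. We need to restart the script as x64 bit first.
# Based on a template created by Oliver Kieselbach @ https://gist.github.com/okieselbach/4f11ba37a6848e08e8f82d9f2ffff516
#
# Flow (64-bit branch): scrub the Function URI from the Intune Management Extension log, start a transcript,
# POST the computer name / device id to the Azure Function, use the value it returns as the password of the
# local account "$userName", create that account (or reset its password if it exists), put a newly created
# account into the local Administrators group and finally enable it.
$exitCode = 0
if (-not [System.Environment]::Is64BitProcess)
{
    # Start a new PowerShell as x64 bit process, wait for it and gather exit code and standard error output.
    # Under WOW64 $PSHOME points to syswow64; "sysnative" redirects to the native 64-bit powershell.exe.
    $sysNativePowerShell = "$($PSHOME.ToLower().Replace("syswow64", "sysnative"))\powershell.exe"
    $processStartInfo = New-Object System.Diagnostics.ProcessStartInfo
    $processStartInfo.FileName = $sysNativePowerShell
    $processStartInfo.Arguments = "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $processStartInfo.RedirectStandardError = $true
    $processStartInfo.RedirectStandardOutput = $true
    $processStartInfo.CreateNoWindow = $true
    $processStartInfo.UseShellExecute = $false
    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $processStartInfo
    # Start() returns a bool; discard it so it does not leak into the script output.
    $null = $process.Start()
    # Both streams are redirected, so drain stdout asynchronously while stderr is read synchronously.
    # Reading both to end one after the other can deadlock once the child fills the other pipe's buffer.
    $standardOutputTask = $process.StandardOutput.ReadToEndAsync()
    $standardError = $process.StandardError.ReadToEnd()
    # ExitCode is only valid once the child has terminated; the original read it without waiting.
    $process.WaitForExit()
    $exitCode = $process.ExitCode
    $standardOutput = $standardOutputTask.Result
    if ($standardOutput) {
        # Surface the child's messages (e.g. "already exists", "Added Local User") to the caller.
        Write-Output $standardOutput
    }
    if ($standardError) {
        Write-Error -Message $standardError
    }
}
else
{
    #region Configuration
    # Define the userName for the Local Administrator.
    # NOTE: if an account with this name already exists, the script takes the "already exists" path below,
    # resets that account's password and enables the account at the end.
    $userName = "administrator"
    # Azure Function Uri (containing "azurewebsites.net") for storing Local Administrator secret in Azure Key Vault.
    # The "code" query parameter is the Function's authorization key, which is why every log line containing
    # this host is removed from the Intune Management Extension log below.
    $uri = 'https://myfunctions.azurewebsites.net/api/Set-KeyVaultSecret?code=s0mer4nd0mstr1ng/pIZPg=='
    #endregion

    # Hide the $uri (containing "azurewebsites.net") from logs to prevent manipulation of Azure Key Vault
    $intuneManagementExtensionLogPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
    if (Test-Path -Path $intuneManagementExtensionLogPath)
    {
        # Rewrite the log without any line that mentions the Function host (plain strings, no MatchInfo objects).
        $scrubbedLog = Get-Content -Path $intuneManagementExtensionLogPath | Where-Object { $_ -notmatch 'azurewebsites\.net' }
        Set-Content -Path $intuneManagementExtensionLogPath -Value $scrubbedLog
    }

    # start logging to TEMP in file "scriptname.log"
    $null = Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1",".log"))"

    # The registry key name under JoinInfo is used as the device id sent to the Function.
    $AzureADDeviceDeviceID = Get-ChildItem -Path "hklm:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\" | Select-Object -ExpandProperty PSChildName

    # Azure Function Request Body. Azure Function will strip the keyName and add a secret value. https://docs.microsoft.com/en-us/rest/api/keyvault/setsecret/setsecret
    $body = @"
{
    "keyName": "$env:COMPUTERNAME",
    "contentType": "Local Administrator Credentials",
    "tags": {
        "Username": "$userName",
        "DeviceID": "$AzureADDeviceDeviceID"
    }
}
"@

    # Trigger Azure Function. Its response is the secret value that becomes the local account password.
    $password = $null
    try
    {
        $password = Invoke-RestMethod -Uri $uri -Method POST -Body $body -ContentType 'application/json' -ErrorAction Stop
    }
    catch
    {
        Write-Error "Failed to submit Local Administrator configuration. StatusCode: $($_.Exception.Response.StatusCode.value__). StatusDescription: $($_.Exception.Response.StatusDescription)"
    }

    # Without a value from the Function there is no password to set; stop here instead of falling through
    # to ConvertTo-SecureString with an empty value (which terminates the script without Stop-Transcript).
    if (-not $password)
    {
        Write-Error "No password returned by the Azure Function. Local Administrator '$userName' was not changed."
        $null = Stop-Transcript
        exit -1
    }

    # Convert password to Secure String
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force

    # Create a new Local User, change the password if it already exists.
    $userExists = $false
    try
    {
        New-LocalUser -Name $userName -Password $securePassword -PasswordNeverExpires:$true -AccountNeverExpires:$true -ErrorAction Stop
    }
    catch
    {
        # If it already exists, catch it and continue.
        if ($_.CategoryInfo.Reason -eq 'UserExistsException')
        {
            Write-Output "Local Admin '$userName' already exists. Changing password."
            $userExists = $true
        }
        else
        {
            $exitCode = -1
            Write-Error $_
        }
    }

    if ($userExists)
    {
        # Change the password of the Local Administrator.
        # -ErrorAction Stop is required: Set-LocalUser errors are non-terminating and would bypass the catch.
        try
        {
            Set-LocalUser -Name $userName -Password $securePassword -PasswordNeverExpires $true -ErrorAction Stop
        }
        catch
        {
            $exitCode = -1
            Write-Error $_
        }
    }
    elseif ($exitCode -eq 0)
    {
        # Add the new Local User to the Local Administrators group (only when creation succeeded above).
        try
        {
            Add-LocalGroupMember -Group "Administrators" -Member $userName -ErrorAction Stop
            Write-Output "Added Local User '$userName' to Local Administrators Group"
        }
        catch
        {
            $exitCode = -1
            Write-Error $_
        }
    }

    if ($exitCode -eq 0)
    {
        # Make sure the account is usable; a failure here is reported like the steps above.
        try
        {
            Get-LocalUser -Name $userName -ErrorAction Stop | Enable-LocalUser -ErrorAction Stop
        }
        catch
        {
            $exitCode = -1
            Write-Error $_
        }
    }

    $null = Stop-Transcript
}
exit $exitCode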