1 Introduction

2 Creating computer objects

A simple example of creating computer accounts can be found under:

2.2 Creating computer accounts -> Example 1

If you want to change a few properties of the computer account you have just created right away, this is the example for you.

Example 1: Computer account with trusted delegation

Set-StrictMode -Version "2.0"
Clear-Host

Function Main{
   #Data for the creation
   $DomainDN = ([ADSI]"LDAP://RootDSE").DefaultNamingContext
   $Location = "Munich"
   $OuDN = "OU=Desktops,OU=Computers,OU=$Location,OU=Scripting"
   $Description = "Created by Create-Method"

   #Data for the update
   #UAC flag for delegation (0x80000 = unconstrained delegation)
   $ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
   $Delegation = $ADS_UF_TRUSTED_FOR_DELEGATION

   $ManagedBy = "CN=Administrators,CN=Builtin,DC=Dom1,DC=Intern"

   #The loop bounds decide which accounts are created (here only number 018); widen them for more
   For($i = 18; $i -le 18;$i++){
     #New account
     $ComputerName = $Location+"Desktop"+$i.ToString("000")
     $ComputerDN = New-ComputerAccount $DomainDN $Location $OuDN $ComputerName

     #Update the account (only if it was actually created)
     If ($ComputerDN){
       Update-ComputerAccount $ComputerDN $ManagedBy $Delegation $Description
     }
    }#For
}#End Main

Function New-ComputerAccount{
  <#
  .Synopsis
  create computer accounts
  #>
  Param($DomainDN,$Location,$OuDN,$ComputerName)

  $Class = "Computer"
  $AdsiOU = [ADSI]"LDAP://$OuDN,$DomainDN"
  $AdsiComputer = $AdsiOU.Children.Add("CN=$ComputerName",$Class)

  #The sAMAccountName of a computer account always ends with "$"
  $AdsiComputer.InvokeSet("SamAccountName", $ComputerName+"$")
  $AdsiComputer.InvokeSet("Location", $Location)

  Try{
    $AdsiComputer.CommitChanges()
    Write-Host "$ComputerName wurde angelegt"
  }Catch{
    Write-Host "$ComputerName konnte nicht angelegt werden: $_"
    Return $null
  }
  Return $AdsiComputer.DistinguishedName
}#End Function New-ComputerAccount

Function Update-ComputerAccount{
  <#
  .Synopsis
  changes the following properties: "ManagedBy","Description","Delegation"
  #>
  Param($ComputerDN,$ManagedBy,$Delegation,$Description)

  #Connect to the computer object "$ComputerDN"
  $AdsiComputer = [ADSI]"LDAP://$ComputerDN"

  #Set the ManagedBy property (group or domain user) and the Description
  $AdsiComputer.InvokeSet("ManagedBy", $ManagedBy)
  $AdsiComputer.InvokeSet("Description", $Description)

  #Read the UAC, modify it and write it back
  $oldUAC = $AdsiComputer.InvokeGet("UserAccountControl") #property of the LDAP provider
  $newUAC = $oldUAC -bor $Delegation
  $AdsiComputer.InvokeSet("UserAccountControl",$newUAC)
  #msDS-AllowedToDelegateTo holds the SPNs evaluated for constrained delegation;
  #the 0x80000 bit set above grants unconstrained delegation independently of this list
  $AdsiComputer.InvokeSet("msDS-AllowedToDelegateTo","alerter/Dom1Win701")

  $AdsiComputer.CommitChanges()
}#End Function Update-ComputerAccount

Main

 Kap 4.1.2 TrustedDelegation.ps1.txt.txt

An account created with this script, and in particular its trusted delegation setting, then looks roughly like this:

3 Filtering computer objects

Example 1: Filtering by various criteria (time, delegation, AccountDisabled)

Clear-Host
Set-StrictMode -Version "2.0"

Function Main{
  #Filter criterion SamAccountName (LDAP wildcard; computer accounts end with "$")
  $SamAccountName = "MunichDesktop0*"+"$"

  $Domain=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
  $PdcRoleOwner=$Domain.PdcRoleOwner.Name

  #Determine the DNs
  $LDAPComputerNames = @(Get-Dn $SamAccountName $Domain $PdcRoleOwner)

  #$Now is used by condition 1 in Test-Condition (visible there through dynamic scoping)
  $Now =[System.DateTime]::Now
  ForEach($LDAPComputerName in $LDAPComputerNames){
    [ADSI]$ADSIComputer = $LDAPComputerName
    If (Test-Condition $ADSIComputer){
      Write-Host "SamAccountName: $($ADSIComputer.SamAccountName)"
      Write-Host "Path: $($ADSIComputer.Path)"
      Write-Host "WhenCreated: $($ADSIComputer.WhenCreated)"
      Write-Host "AccountDisabled:" $ADSIComputer.InvokeGet("AccountDisabled")
      ""
    }
  }
}#end Main

Function Get-Dn {
    Param($SamAccountName,$Domain,$PdcRoleOwner)

    $SearchScope = "Subtree"
    $SearchRootPath = $Domain   #the Domain object stringifies to its DNS name, e.g. Dom1.Intern

    #Note: [ADSISearcher]"LDAP://..." would set the *filter* string, not the search root,
    #so the searcher is built explicitly. $PdcRoleOwner is only reported; the serverless
    #path below lets the DC locator pick a domain controller.
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher
    $DirectorySearcher.Filter="(SamAccountName=$SamAccountName)"
    $DirectorySearcher.SearchScope = $SearchScope
    $DirectorySearcher.SearchRoot = [ADSI]"LDAP://$SearchRootPath"

    Try{
      $Results = $DirectorySearcher.FindAll()
    }Catch{
      Write-Host "Error: search for $SamAccountName in $Domain failed: $_"
      Return @()
    }
    #FindAll() does not throw when nothing matches; it returns an empty collection
    If ($Results.Count -eq 0){
      Write-Host "Error: $SamAccountName not found in $Domain"
      Return @()
    }

    #In PowerShell 2.0 ".Path" cannot be applied to the whole collection, hence the loop
    $LDAPComputerNames = @()
    ForEach($Result in $Results){ $LDAPComputerNames += $Result.Path }
    Return $LDAPComputerNames
}#end Get-Dn

Function Test-Condition{
  <#
  .Synopsis
  several filter conditions; enable one by removing the <# ... #> around it
  #>
  Param ($ADSIComputer)

  #Condition 1: Time (created more than half an hour ago; TotalHours, because .Hours is an integer)
  <#
  $WhenCreated = [DateTime]$ADSIComputer.WhenCreated.Value
  If ( ($Now - $WhenCreated).TotalHours -gt 0.5 ){
   $Return = $True
  }Else{
   $Return = $False
  }
  #>

  #Condition 2: Trusted for delegation (unconstrained delegation bit)
  <#
  $UAC = $ADSIComputer.InvokeGet("UserAccountControl")
  $ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
  If ( ($UAC -band $ADS_UF_TRUSTED_FOR_DELEGATION) ){
   $Return = $True
  }Else{
   $Return = $False
  }
  #>

  #Condition 3: Disabled accounts
  $UAC = $ADSIComputer.InvokeGet("UserAccountControl")
  $ADS_UF_ACCOUNTDISABLE = 0x2

  If ( ($UAC -band $ADS_UF_ACCOUNTDISABLE) ){
   $Return = $True
  }Else{
   $Return = $False
  }

  $Return
}#End Test-Condition

Main
#possible output

SamAccountName: MunichDesktop044$
Path: LDAP://Dom1.Intern/CN=MunichDesktop044,OU=Desktops,OU=Computers,OU=Munich,OU=Scripting,DC=Dom1,DC=Intern
WhenCreated: 08/15/2013 15:03:02
AccountDisabled: True

SamAccountName: MunichDesktop045$
Path: LDAP://Dom1.Intern/CN=MunichDesktop045,OU=Desktops,OU=Computers,OU=Munich,OU=Scripting,DC=Dom1,DC=Intern
WhenCreated: 08/15/2013 15:03:02
AccountDisabled: True

 Kap 4.1.3 FilterAccounts.ps1.txt

In this example I have built a few conditions into the Test-Condition function to check properties of computer accounts. Where needed, please remove the comment markers <#...#>.
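Example 1 in section 2 sets the ADS_UF_TRUSTED_FOR_DELEGATION bit, which means unconstrained delegation (the computer may act on behalf of any user that authenticates to it), and condition 2 in section 3 tests that bit client-side, one bound object at a time. The following script is an added example, not one of this page's download files: it performs the same check server-side with the LDAP bit-AND matching rule (OID 1.2.840.113556.1.4.803), lists constrained-delegation targets alongside, and assumes it runs on a domain member with read access to the domain; the function and variable names are my own choice.

```powershell
Set-StrictMode -Version "2.0"

#LDAP matching rule OID for a bitwise AND on integer attributes such as userAccountControl
$LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
$ADS_UF_ACCOUNTDISABLE                 = 0x2
$ADS_UF_TRUSTED_FOR_DELEGATION         = 0x80000    #unconstrained delegation
$ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  #constrained delegation with protocol transition
$PRIMARY_GROUP_DOMAIN_CONTROLLERS      = 516

Function Get-DelegationReport{
  <#
  .Synopsis
  lists computer accounts that are trusted for delegation, filtered on the server side
  #>
  Param($SearchRootPath = ([ADSI]"LDAP://RootDSE").DefaultNamingContext)

  $Searcher = New-Object System.DirectoryServices.DirectorySearcher
  $Searcher.SearchRoot  = [ADSI]"LDAP://$SearchRootPath"
  $Searcher.SearchScope = "Subtree"
  $Searcher.PageSize    = 500   #paged results, so more than 1000 hits are returned
  #computers with the 0x80000 bit set OR with a constrained-delegation target list
  $Searcher.Filter = "(&(objectCategory=computer)(|" +
     "(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$ADS_UF_TRUSTED_FOR_DELEGATION)" +
     "(msDS-AllowedToDelegateTo=*)))"
  [void]$Searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName","userAccountControl","msDS-AllowedToDelegateTo","primaryGroupID"))

  $Report = @()
  ForEach($Result in $Searcher.FindAll()){
    $Props = $Result.Properties          #property names come back in lower case
    $UAC   = [int]$Props["useraccountcontrol"][0]
    If    ($UAC -band $ADS_UF_TRUSTED_FOR_DELEGATION)         { $Kind = "unconstrained" }
    ElseIf($UAC -band $ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION) { $Kind = "constrained (protocol transition)" }
    Else                                                      { $Kind = "constrained" }
    $Report += New-Object PSObject -Property @{
      SamAccountName      = [string]$Props["samaccountname"][0]
      Delegation          = $Kind
      AllowedToDelegateTo = (@($Props["msds-allowedtodelegateto"]) -join ";")
      #domain controllers are unconstrained by design; any other account in that state needs a justification
      IsDomainController  = ([int]$Props["primarygroupid"][0] -eq $PRIMARY_GROUP_DOMAIN_CONTROLLERS)
      Disabled            = [bool]($UAC -band $ADS_UF_ACCOUNTDISABLE)
    }
  }
  Return $Report
}

Get-DelegationReport | Sort-Object Delegation,SamAccountName |
  Format-Table SamAccountName,Delegation,IsDomainController,Disabled,AllowedToDelegateTo -AutoSize
```

An account created by the script in section 2 shows up here as "unconstrained" with IsDomainController = False, which is exactly the combination worth reviewing.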

4 Modifying computer objects

5 Reading computer properties