mirror of
https://github.com/Icinga/icinga-powershell-framework.git
synced 2025-12-21 07:10:15 -05:00
bf8d6479a9
Fix: Icinga Managed User lookup time Fixes the lookup time if a user is managed by Icinga for Windows or not in large Active Directory environments, by using \`Get\-LocalUser\` instead. This Cmdlet is available starting with PowerShell 5.0 and later and only required in general for running Icinga for Windows in JEA context. As JEA is only supported starting with PowerShell 5.0 or later, this will not cause any problems. In case the command is executed on an older system without the \`Get\-LocalUser\` Cmdlet available, Icinga for Windows will handle all users tested with the new implementation as \`not\` managed by Icinga for Windows.
85 lines
3.1 KiB
PowerShell
85 lines
3.1 KiB
PowerShell
function New-IcingaWindowsUser()
|
|
{
|
|
param (
|
|
$IcingaUser = 'icinga'
|
|
);
|
|
|
|
if ((Test-AdministrativeShell) -eq $FALSE) {
|
|
Write-IcingaConsoleError 'For this command you require to run an Admin shell';
|
|
|
|
return @{
|
|
'User' = $null;
|
|
'SID' = $null;
|
|
};
|
|
}
|
|
|
|
# Max length for the user name
|
|
if ($IcingaUser.Length -gt 20) {
|
|
Write-IcingaConsoleError 'The specified user name "{0}" is too long. The maximum character limit is 20 digits.' -Objects $IcingaUser;
|
|
|
|
return @{
|
|
'User' = $null;
|
|
'SID' = $null;
|
|
};
|
|
}
|
|
|
|
$UserMetadata = Get-IcingaWindowsUserMetadata;
|
|
$UserConfig = Get-IcingaWindowsUserConfig -UserName $IcingaUser;
|
|
|
|
# In case the user exist, we can check if it is a managed user for modifying the login password
|
|
if ($UserConfig.UserExist) {
|
|
|
|
# User already exist -> override password - but only if the user is entirely managed by Icinga
|
|
if ($UserConfig.IcingaManagedUser) {
|
|
$Result = Start-IcingaProcess -Executable 'net' -Arguments ([string]::Format('user "{0}" "{1}"', $IcingaUser, (ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword))));
|
|
|
|
if ($Result.ExitCode -ne 0) {
|
|
Write-IcingaConsoleError 'Failed to update password for user "{0}": {1}' -Objects $IcingaUser, $Result.Error;
|
|
|
|
return @{
|
|
'User' = $UserConfig.Caption;
|
|
'SID' = $UserConfig.SID;
|
|
};
|
|
}
|
|
|
|
Write-IcingaConsoleNotice 'User updated successfully.';
|
|
} else {
|
|
Write-IcingaConsoleWarning 'User "{0}" is not managed by Icinga for Windows. No changes were made.' -Objects $IcingaUser;
|
|
}
|
|
|
|
return @{
|
|
'User' = $UserConfig.Caption;
|
|
'SID' = $UserConfig.SID;
|
|
};
|
|
}
|
|
|
|
# Access our local Account Database
|
|
$AccountDB = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer";
|
|
$IcingaUserObject = $AccountDB.Create("User", $IcingaUser);
|
|
$IcingaUserObject.SetPassword((ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword)));
|
|
$IcingaUserObject.SetInfo();
|
|
$IcingaUserObject.FullName = $UserMetadata.FullName;
|
|
$IcingaUserObject.SetInfo();
|
|
$IcingaUserObject.Description = $UserMetadata.Description;
|
|
$IcingaUserObject.SetInfo();
|
|
$IcingaUserObject.UserFlags = 65600;
|
|
$IcingaUserObject.SetInfo();
|
|
|
|
# Add to local user group
|
|
<# This is not required, but let's leave it here for possible later lookup on how this works
|
|
$SIDLocalGroup = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-32-545");
|
|
$LocalGroup = ($SIDLocalGroup.Translate([System.Security.Principal.NTAccount])).Value.Split('\')[1];
|
|
|
|
$LocalUserGroup = [ADSI]"WinNT://$Env:COMPUTERNAME/$LocalGroup,group";
|
|
$LocalUserGroup.Add("WinNT://$Env:COMPUTERNAME/$IcingaUser,user")
|
|
#>
|
|
|
|
$UserConfig = Get-IcingaWindowsUserConfig -UserName $IcingaUser;
|
|
|
|
Write-IcingaConsoleNotice 'User was successfully created.';
|
|
|
|
return @{
|
|
'User' = $UserConfig.Caption;
|
|
'SID' = $UserConfig.SID;
|
|
};
|
|
}
|