AzStackHciExternalActiveDirectory/AzStackHci.ExternalActiveDirectory.Tests.psm1
Import-LocalizedData -BindingVariable lcAdTxt -FileName AzStackHci.ExternalActiveDirectory.Strings.psd1 class HealthModel { # Attributes for Azure Monitor schema [string]$Name #Name of the individual test/rule/alert that was executed. Unique, not exposed to the customer. [string]$Title #User-facing name; one or more sentences indicating the direct issue. [string]$Severity #Severity of the result (Critical, Warning, Informational, Hidden) – this answers how important the result is. Critical is the only update-blocking severity. [string]$Description #Detailed overview of the issue and what impact the issue has on the stamp. [psobject]$Tags #Key-value pairs that allow grouping/filtering individual tests. For example, "Group": "ReadinessChecks", "UpdateType": "ClusterAware" [string]$Status #The status of the check running (i.e. Failed, Succeeded, In Progress) – this answers whether the check ran, and passed or failed. [string]$Remediation #Set of steps that can be taken to resolve the issue found. [string]$TargetResourceID #The unique identifier for the affected resource (such as a node or drive). [string]$TargetResourceName #The name of the affected resource. [string]$TargetResourceType #The type of resource being referred to (well-known set of nouns in infrastructure, aligning with Monitoring). [datetime]$Timestamp #The Time in which the HealthCheck was called. [psobject[]]$AdditionalData #Property bag of key value pairs for additional information. [string]$HealthCheckSource #The name of the services called for the HealthCheck (I.E. Test-AzureStack, Test-Cluster). } class OrganizationalUnitTestResult : HealthModel {} class ExternalADTest { [string]$TestName [scriptblock]$ExecutionBlock } $ExternalAdTestInitializors = @( (New-Object -Type ExternalADTest -Property @{ TestName = "InitializePhysicalHosts" ExecutionBlock = { param ( [Parameter()] [hashtable]$TestContext ) $clusterName = $TestContext["ClusterName"] $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $stoSG = "$($TestContext["NamingPrefix"])-Sto-SG" # This is a bit messed up, but I don't see another way to get this list $computerObjects = $null try { $groupObject = Get-ADGroup -Filter {Name -eq $stoSG} @serverParams if ($groupObject) { $computerObjects = Get-ADGroupMember -Identity $groupObject.DistinguishedName @serverParams | Where-Object {$_.objectClass -eq 'computer'} } } catch {} # exclude: # * Anything that matches the cluster name (eg, s-cluster) # * SU1FileServer $physicalHosts = ($computerObjects | Where-Object { $_.Name -notin @("$clusterName", "SU1FileServer") }).DistinguishedName return @{PhysicalHosts = $physicalHosts} } }) ) $ExternalAdTests = @( <# Can't execute this test during deployment as Get-KdsRootKey will try to access the DVM KDS and come up with an empty value (New-Object -Type ExternalADTest -Property @{ TestName = "KdsRootKeyExists" ExecutionBlock = { Param ([hashtable]$testContext) $dcName = $null $KdsRootKey = $null $accessDenied = $false try { # Must use the server name and credentials that are passed in if they exist $getDomainControllerParams = @{} if ($testContext["AdServer"] -and $testContext["AdCredentials"]) { $getDomainControllerParams += @{Server = $testContext["AdServer"]} $getDomainControllerParams += @{Credential = $testContext["AdCredentials"]} } else { $getDomainControllerParams += @{DomainName = $testContext["DomainFQDN"]} $getDomainControllerParams += @{MinimumDirectoryServiceVersion = "Windows2012"} $getDomainControllerParams += @{NextClosestSite = $true} $getDomainControllerParams += @{Discover = $true} } $adDomainController = Get-ADDomainController @getDomainControllerParams $dcName = "$($adDomainController.Name).$($adDomainController.Domain)" # This cmdlet doesn't take a server name or credentials, so it may fail when not run from a domain-joined machine $KdsRootKey = $null try { $KdsRootKey = Get-KdsRootKey } catch { $accessDenied = $true } if($KdsRootKey) { # make sure it is effective at least 10 hours ago if(((Get-Date) - $KdsRootKey.EffectiveTime).TotalHours -lt 10) { $KdsRootKey = $null } } } catch {} $rootKeyStatus = if ($dcName -and $KdsRootKey) { 'Succeeded' } else { 'Failed' } if ($accessDenied) { $rootKeyStatus = 'Skipped' } return New-Object PSObject -Property @{ Resource = "KdsRootKey" Status = $rootKeyStatus TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = $testContext["LcAdTxt"].KdsRootKeyMissingRemediation } } }), #> (New-Object -Type ExternalADTest -Property @{ TestName = "RequiredOrgUnitsExist" ExecutionBlock = { Param ([hashtable]$testContext) $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $requiredOUs = @($testContext["ADOUPath"], $testContext["ComputersADOUPath"], $testContext["UsersADOUPath"]) $results = $requiredOUs | ForEach-Object { $resultingOU = $null try { $resultingOU = Get-ADOrganizationalUnit -Identity $_ -ErrorAction SilentlyContinue @serverParams } catch { } return New-Object PSObject -Property @{ Resource = $_ Status = if ($resultingOU) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].MissingOURemediation -f $_) } } return $results } }), (New-Object -Type ExternalADTest -Property @{ TestName = "DeploymentUserExists" ExecutionBlock = { Param ([hashtable]$testContext) # TODO: I'm not totally sure this is required, need to confirm return $null } }), (New-Object -Type ExternalADTest -Property @{ TestName = "PhysicalMachineObjectsExist" ExecutionBlock = { Param ([hashtable]$testContext) $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $computerAdOuPath = $testContext["ComputersADOUPath"] $domainFQDN = $testContext["DomainFQDN"] $physicalHostsSetting = @($testContext["PhysicalHosts"] | Where-Object { -not [string]::IsNullOrEmpty($_) }) [array]$physicalHosts = $physicalHostsSetting | ForEach-Object { Get-ADComputer -Identity $_ @serverParams } $physicalHostsWithBadDnsName = $physicalHosts | Where-Object { $_.DNSHostName -ne "$($_.Name).$domainFQDN" } $physicalHostsWithBadSAMAcct = $physicalHosts | Where-Object { $_.SAMAccountName -ne "$($_.Name)$" } $results = @() $hasComputerEntries = ($physicalHosts -and $physicalHosts.Count -gt 0) $allEntriesHaveCorrectDnsNames = (-not $physicalHostsWithBadDnsName -or $physicalHostsWithBadDnsName.Count -eq 0) $allEntriesHaveCorrectSamAcct = (-not $physicalHostsWithBadSAMAcct -or $physicalHostsWithBadSAMAcct.Count -eq 0) $results += New-Object PSObject -Property @{ Resource = "PhysicalHostAdComputerEntries" Status = if ($hasComputerEntries) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].HostsMissingRemediation -f $computerAdOuPath) } $results += New-Object PSObject -Property @{ Resource = "PhysicalHostAdComputerDnsNames" Status = if ($hasComputerEntries -and $allEntriesHaveCorrectDnsNames) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = $testContext["LcAdTxt"].HostsWithIncorrectDnsNameRemediation } $results += New-Object PSObject -Property @{ Resource = "PhysicalHostAdComputerSamAccounts" Status = if ($hasComputerEntries -and $allEntriesHaveCorrectSamAcct) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = $testContext["LcAdTxt"].HostsWithIncorrectSamAcctRemediation } return $results } }), (New-Object -Type ExternalADTest -Property @{ TestName = "ClusterExistsWithRequiredAcl" ExecutionBlock = { Param ([hashtable]$testContext) $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $createChildAce = $null $readPropertyAce = $null $computersAdOuPath = $testContext["ComputersADOUPath"] $clusterName = $testContext["ClusterName"] $clusterComputerEntry = Get-ADComputer -SearchBase $computersAdOuPath -Filter "Name -eq '$clusterName'" @serverParams if ($clusterComputerEntry) { $clusterSID = $clusterComputerEntry.SID # The AD module SHOULD install a drive that we can use to get ACLs. However, sometimes it isn't properly registered # especially if we just installed it. So verify that it's usable $adDriveName = "AD" $tempDriveName = "hciad" $adDriveObject = $null $adProvider = Get-PSProvider -PSProvider ActiveDirectory if ($adProvider.Drives.Count -gt 0) { $adDriveObject = $adProvider.Drives | Where-Object {$_.Name -eq $adDriveName -or $_.Name -eq $tempDriveName} } if (-not $adDriveObject) { # Add a new drive $adDriveObject = New-PSDrive -Name $tempDriveName -PSProvider ActiveDirectory -Root '' @serverParams } $adDriveName = $adDriveObject.Name try { $ouPath = ("{0}:\{1}" -f $adDriveName,$computersAdOuPath) $ouAcl = Get-Acl $ouPath } catch { throw ("Can't get acls from {0}. Inner exception: {1}" -f $ouPath,$_) } finally { # best effort cleanup if we had added the temp drive try { if ($adDriveName -eq $tempDriveName) { $adDriveObject | Remove-PSDrive } } catch {} } # must specify the type to retrieve -- need to get something comparable to the clusterSID $accessRules = $ouAcl.GetAccessRules($true, $true, $clusterSID.GetType()) # Check that the CreateChild ACE has been added $createChildAce = $accessRules | Where-Object { ` $_.IdentityReference -eq $clusterSID -and ` $_.ActiveDirectoryRights -bor [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -and ` $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and ` $_.ObjectType -eq ([System.Guid]::New('bf967a86-0de6-11d0-a285-00aa003049e2')) -and $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All } $readPropertyAce = $accessRules | Where-Object { ` $_.IdentityReference -eq $clusterSID -and ` $_.ActiveDirectoryRights -bor [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -and ` $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and ` $_.ObjectType -eq [System.Guid]::Empty -and $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All } } return New-Object PSObject -Property @{ Resource = "ClusterAcls" Status = if ($createChildAce -and $readPropertyAce) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].ClusterAclsMissingRemediation -f $computersAdOuPath) } } }), (New-Object -Type ExternalADTest -Property @{ TestName = "SecurityGroupsExist" ExecutionBlock = { Param ([hashtable]$testContext) $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $securityGroups = @( "$($testContext["NamingPrefix"])-Sto-SG", "$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-FsAcl-AcsSG", "$($testContext["NamingPrefix"])-FsAcl-SqlSG", "$($testContext["NamingPrefix"])-Fab-SrvSG", "$($testContext["NamingPrefix"])-HA-SrvSG", "$($testContext["NamingPrefix"])-EceSG", "$($testContext["NamingPrefix"])-BM-ECESG", "$($testContext["NamingPrefix"])-HA-R-SrvSG", "$($testContext["NamingPrefix"])-SB-Jea-LC-VmSG", "$($testContext["NamingPrefix"])-Hc-Rs-SrvSG", "$($testContext["NamingPrefix"])-Agw-SrvSG", "$($testContext["NamingPrefix"])-Hrp-HssSG", "$($testContext["NamingPrefix"])-IH-HsSG", "$($testContext["NamingPrefix"])-OpsAdmin", "$($testContext["NamingPrefix"])-SB-Jea-MG-VmSG", "$($testContext["NamingPrefix"])-FsAcl-PublicSG", "$($testContext["NamingPrefix"])-IH-MsSG" ) $usersOuPath = $testContext["UsersADOUPath"] $missingSecurityGroups = @() try { # Look up all the required security groups and identify any that are missing foreach ($securityGroup in $securityGroups) { $adGroup = Get-AdGroup -SearchBase $usersOuPath -Filter { Name -eq $securityGroup } @serverParams if (-not $adGroup) { $missingSecurityGroups += $securityGroup } } } catch {} $physicalHosts = $() try { # get the list of physical hosts foreach ($host in $testContext["PhysicalHosts"]) { $physicalHosts += ${Name=$host; Object=(Get-ADComputer -Identity $_ @serverParams); MissingSGs=@()} } # Now check that the physical machines have been added to the required SGs $physicalMachineSecurityGroups = @("$($testContext["NamingPrefix"])-Sto-SG") foreach ($physicalHost in $physicalHosts) { foreach ($physicalMachineSecurityGroup in $physicalMachineSecurityGroups) { $isMember = $false try { $groupObject = Get-ADGroup -SearchBase $usersOuPath -Filter {Name -eq $physicalMachineSecurityGroup} @serverParams if ($groupObject) { $isMember = Get-ADGroupMember -Identity $groupObject @serverParams | Where-Object {$_.SID -eq $($physicalHost.Object.SID)} } } catch {} if (-not $isMember) { $physicalHost.MissingSGs += $physicalMachineSecurityGroup } } } } catch { } # Do we need to check for the deployment user $results = @() $results += New-Object PSObject -Property @{ Resource = "SecurityGroups" Status = if ($missingSecurityGroups.Count -eq 0) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].SecurityGroupsMissingRemediation -f ($missingSecurityGroups -join ', ')) } foreach ($physicalHost in $physicalHosts) { $missingSecurityGroupMemberships = $physicalHost.MissingSGs $results += New-Object PSObject -Property @{ Resource = "SecurityGroupMembership_$($physicalHost.Name)" Status = if ($missingSecurityGroupMemberships.Count -eq 0) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].HostSecurityGroupsMissingRemediation -f $physcialHost.Name,($missingSecurityGroupMemberships -join ', ')) } } return $results } }), (New-Object -Type ExternalADTest -Property @{ TestName = "gMSAsExist" ExecutionBlock = { Param ([hashtable]$testContext) $usersOuPath = $testContext["UsersADOUPath"] $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $gmsaAccounts = @( [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-ECE"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/ae3299a9-3e87-4186-bd99-c43c9ae6a571"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-SqlSG", "$($testContext["NamingPrefix"])-Fab-SrvSG", "$($testContext["NamingPrefix"])-HA-SrvSG", "$($testContext["NamingPrefix"])-EceSG", "$($testContext["NamingPrefix"])-BM-ECESG", "$($testContext["NamingPrefix"])-FsAcl-InfraSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-ALM"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-FCA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-FRA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-TCA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-HA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/PhysicalNode/1b4dde6b-7ea8-407a-8c9e-f86e8b97fd1c"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-HA-R-SrvSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-SB-LC"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG", "$($testContext["NamingPrefix"])-SB-Jea-LC-VmSG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/754dbc04-8f91-4cb6-a10f-899dac573fa0"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-SB-Jea-LC-VmSG", "$($testContext["NamingPrefix"])-Sto-SG" ) }, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-SB-Jea"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-Sto-SG" ) }, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-SB-MG"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG", "$($testContext["NamingPrefix"])-SB-Jea-MG-VmSG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/ea126685-c89e-4294-959f-bba6bf75b4aa"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-SB-Jea-MG-VmSG", "$($testContext["NamingPrefix"])-Sto-SG" ) }, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-SBJeaM"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@(); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-Sto-SG" ) }, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-EceSA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/4dde37cc-6ee0-4d75-9444-7061e156507f"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-FsAcl-sqlSG", "$($testContext["NamingPrefix"])-Fab-SrvSG", "$($testContext["NamingPrefix"])-HA-SrvSG", "$($testContext["NamingPrefix"])-EceSG", "$($testContext["NamingPrefix"])-BM-EceSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-Urp-SA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/110bac92-1879-47ae-9611-e40f8abf4fc0"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-PublicSG", "$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-BM-ECESG", "$($testContext["NamingPrefix"])-Fab-SrvSG", "$($testContext["NamingPrefix"])-EceSG")}, [pscustomobject]@{ GmsaName="$($testContext["NamingPrefix"])-BM-MSA"; PrincipalsAllowedToRetrieveManagedPassword= @("$($testContext["NamingPrefix"])-Sto-SG"); ServicePrincipalName=@("$($testContext["NamingPrefix"])/PhysicalNode/d8c180f6-7290-458e-90f0-96894f45e981"); MemberOf=@("$($testContext["NamingPrefix"])-FsAcl-InfraSG", "$($testContext["NamingPrefix"])-IH-MsSG", "$($testContext["NamingPrefix"])-HA-R-SrvSG")} ) $missingGmsaAccounts = @() foreach ($gmsaAccount in $gmsaAccounts) { $accountMissing = $true try { $gmsaName = $gmsaAccount.GmsaName $adGmsaAccount = Get-ADServiceAccount -SearchBase $usersOuPath -Filter {Name -eq $gmsaName} @serverParams if ($adGmsaAccount) { # TODO, identify SPNs and make sure they match # TODO, identify PrincipasAllowedToRetrieveManagedPassword and check $isMember = $true try { foreach ($memberOfGroup in $gmsaAccount.MemberOf) { $groupObject = Get-ADGroup -SearchBase $usersOuPath -Filter {Name -eq $gmsaAccount} @serverParams if ($groupObject) { $isMemberOfThisGroup = Get-ADGroupMember -Identity $groupObject @serverParams | Where-Object {$_.SID -eq $($adGmsaAccount.SID)} if (-not $isMemberOfThisGroup) { $isMember = $false } } } } catch {} $accountMissing = -not $isMember } } catch {} if ($accountMissing) { $missingGmsaAccounts += $gmsaAccount.GmsaName } } return New-Object PSObject -Property @{ Resource = "GmsaAccounts" Status = if ($missingGmsaAccounts.Count -eq 0) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].GmsaAccountsMissingRemediation -f ($missingGmsaAccounts -join ', ')) } } }), (New-Object -Type ExternalADTest -Property @{ TestName = "GroupMembershipsExist" ExecutionBlock = { Param ([hashtable]$testContext) $usersOuPath = $testContext["UsersADOUPath"] $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } if ($TestContext["AdCredentials"]) { $serverParams += @{Credential = $TestContext["AdCredentials"]} } $SecurityGroupMemberships = @( [pscustomobject]@{ Name="$($testContext["NamingPrefix"])-HA-R-SrvSG"; MemberOf=@("$($testContext["NamingPrefix"])-Hc-Rs-SrvSG", "$($testContext["NamingPrefix"])-Agw-SrvSG", "$($testContext["NamingPrefix"])-Hrp-HssSG", "$($testContext["NamingPrefix"])-IH-HsSG", "$($testContext["NamingPrefix"])-IH-MsSG", "$($testContext["NamingPrefix"])-FsAcl-InfraSG"); MissingMemberships=@()} ) $results = @() foreach ($securityGroupMembership in $SecurityGroupMemberships) { $sgName = $securityGroupMembership.Name $sgMemberList = $securityGroupMembership.MemberOf $groupObject = $null try { $groupObject = Get-ADGroup -SearchBase $usersOuPath -Filter {Name -eq $sgName} @serverParams } catch {} if ($groupObject) { foreach ($securityGroupName in $sgMemberList) { $isMember = $false try { $parentGroupObject = Get-ADGroup -SearchBase $usersOuPath -Filter {Name -eq $securityGroupName} @serverParams if ($groupObject) { $isMember = Get-ADGroupMember -Identity $parentGroupObject @serverParams | Where-Object {$_.SID -eq $($groupObject.SID)} } } catch {} if (-not $isMember) { $securityGroupMembership.MissingMemberships += $securityGroupName } } } else { $securityGroupMembership.MissingMemberships = $sgMemberList } $results += New-Object PSObject -Property @{ Resource = "NestedSecurityGroups_$sgName" Status = if ($securityGroupMembership.MissingMemberships.Count -eq 0) { 'Succeeded' } else { 'Failed' } TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = ($testContext["LcAdTxt"].NestedSecurityGroupsMissingRemediation -f $sgName,($securityGroupMembership.MissingMemberships -join ', ')) } } return $results } }), (New-Object -Type ExternalADTest -Property @{ TestName = "GpoInheritanceIsBlocked" ExecutionBlock = { Param ([hashtable]$testContext) $serverParams = @{} if ($TestContext["AdServer"]) { $serverParams += @{Server = $TestContext["AdServer"]} } $ouList = @($testContext["ADOUPath"],$testContext["ComputersADOUPath"],$testContext["UsersADOUPath"]) $ousWithoutGpoInheritanceBlocked = @() $accessWasDenied = $false try { foreach ($ouItem in $ouList) { try { $gpInheritance = Get-GPInheritance -Target $ouItem @serverParams } catch { if ($_.Exception -is [System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException]) { throw } } if ((-not $gpInheritance) -or (-not $gpInheritance.GpoInheritanceBlocked)) { $ousWithoutGpoInheritanceBlocked += $ouItem } } } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException] { $accessWasDenied = $true } $statusValue = 'Succeeded' if ($ousWithoutGpoInheritanceBlocked.Count -ne 0) { $statusValue = 'Failed' } if ($accessWasDenied) { $statusValue = 'Skipped' } return New-Object PSObject -Property @{ Resource = "OuGpoInheritance" Status = $statusValue TimeStamp = [datetime]::UtcNow Source = $ENV:COMPUTERNAME Detail = $testContext["LcAdTxt"].OuInheritanceBlockedMissingRemediation } } }) ) function Test-OrganizationalUnitOnSession { [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [string] $ADOUPath, [Parameter(Mandatory=$true)] [string] $DomainFQDN, [Parameter(Mandatory=$true)] [string] $NamingPrefix, [Parameter(Mandatory=$true)] [string] $ClusterName, [Parameter(Mandatory=$false)] [System.Management.Automation.Runspaces.PSSession] $Session, [Parameter(Mandatory=$false)] [string] $ActiveDirectoryServer, [Parameter(Mandatory=$false)] [pscredential] $ActiveDirectoryCredentials ) $testContext = @{ ADOUPath = $ADOUPath ComputersADOUPath = "OU=Computers,$ADOUPath" UsersADOUPath = "OU=Users,$ADOUPath" DomainFQDN = $DomainFQDN NamingPrefix = $NamingPrefix ClusterName = $ClusterName LcAdTxt = $lcAdTxt AdServer = $ActiveDirectoryServer AdCredentials = $ActiveDirectoryCredentials } $computerName = if ($Session) { $Session.ComputerName } else { $ENV:COMPUTERNAME } Log-Info -Message "Executing test on $computerName" -Type Info # Reuse the parameters for Invoke-Command so that we only have to set up context and session data once $invokeParams = @{ ScriptBlock = $null ArgumentList = $testContext } if ($Session) { $invokeParams += @{Session = $Session} } # Initialize the array of detailed results $detailedResults = @() # Test preparation -- fill in more of the test context that needs to be executed remotely $ExternalAdTestInitializors | ForEach-Object { $invokeParams.ScriptBlock = $_.ExecutionBlock $testName = $_.TestName Log-Info -Message "Executing test initializer $testName" -Type Info try { $results = Invoke-Command @invokeParams if ($results) { $testContext += $results } } catch { throw ("Unable to execute test {0} on {1}. Inner exception: {2}" -f $testName,$computerName,$_) } } Log-Info -Message "Executing tests with parameters: " -Type Info foreach ($key in $testContext.Keys) { if ($key -ne "LcAdTxt") { Log-Info -Message " $key : $($testContext[$key])" -Type Info } } # Update InvokeParams with the full context $invokeParams.ArgumentList = $testContext # For each test, call the test execution block and append the results $ExternalAdTests | ForEach-Object { # override ScriptBlock with the particular test execution block $invokeParams.ScriptBlock = $_.ExecutionBlock $testName = $_.TestName Log-Info -Message "Executing test $testName" -Type Info try { $results = Invoke-Command @invokeParams Log-Info -Message ("Test $testName completed with: {0}" -f $results) -Type Info $detailedResults += $results } catch { Log-Info -Message ("Test $testName FAILED. Inner exception: {0}" -f $_) -Type Info throw ("Unable to execute test {0} on {1}. Inner exception: {2}" -f $testName,$computerName,$_) } } return $detailedResults } function Test-OrganizationalUnit { [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [string] $ADOUPath, [Parameter(Mandatory=$true)] [string] $DomainFQDN, [Parameter(Mandatory=$true)] [string] $NamingPrefix, [Parameter(Mandatory=$true)] [string] $ClusterName, [Parameter(Mandatory=$false)] [System.Management.Automation.Runspaces.PSSession] $PsSession, [Parameter(Mandatory=$false)] [string] $ActiveDirectoryServer = $null, [Parameter(Mandatory=$false)] [pscredential] $ActiveDirectoryCredentials = $null ) $ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop Log-Info -Message "Executing Test-OrganizationalUnit" $fullTestResults = Test-OrganizationalUnitOnSession -ADOUPath $ADOUPath -DomainFQDN $DomainFQDN -NamingPrefix $NamingPrefix -ClusterName $ClusterName -Session $PsSession -ActiveDirectoryServer $ActiveDirectoryServer -ActiveDirectoryCredentials $ActiveDirectoryCredentials # Build the results $now = [datetime]::UtcNow $TargetComputerName = if ($PsSession.PSComputerName) { $PsSession.PSComputerName } else { $ENV:COMPUTERNAME } $aggregateStatus = if ($fullTestResults.Status -notcontains 'Failed') { 'Succeeded' } else { 'Failed' } $remediationValues = $fullTestResults | Where-Object -Property Status -NE 'Succeeded' | Select-Object $Remediation $remediationValues = $remediationValues -join "`r`n" if (-not $remediationValues) { $remediationValues = '' } $testOuResult = New-Object -Type OrganizationalUnitTestResult -Property @{ Name = 'AzStackHci_ExternalActiveDirectory_Test_OrganizationalUnit' Title = 'Test AD Organizational Unit' Severity = 'Critical' Description = 'Tests that the specified organizational unit exists and contains the proper sub-OUs' Tags = $null Remediation = 'https://learn.microsoft.com/en-us/azure-stack/hci/deploy/deployment-tool-active-directory' TargetResourceID = "Test_AD_OU_$TargetComputerName" TargetResourceName = "Test_AD_OU_$TargetComputerName" TargetResourceType = 'ActiveDirectory' Timestamp = $now Status = $aggregateStatus AdditionalData = $fullTestResults HealthCheckSource = ((Get-PSCallStack)[-1].Command) } return $testOuResult } # SIG # Begin signature block # MIInkwYJKoZIhvcNAQcCoIInhDCCJ4ACAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAnhgWcHlfUSDEw # OpWRv2T25wvybZyoEA2wtmHIeRQ/NaCCDXYwggX0MIID3KADAgECAhMzAAACy7d1 # OfsCcUI2AAAAAALLMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjIwNTEyMjA0NTU5WhcNMjMwNTExMjA0NTU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQC3sN0WcdGpGXPZIb5iNfFB0xZ8rnJvYnxD6Uf2BHXglpbTEfoe+mO//oLWkRxA # wppditsSVOD0oglKbtnh9Wp2DARLcxbGaW4YanOWSB1LyLRpHnnQ5POlh2U5trg4 # 3gQjvlNZlQB3lL+zrPtbNvMA7E0Wkmo+Z6YFnsf7aek+KGzaGboAeFO4uKZjQXY5 # RmMzE70Bwaz7hvA05jDURdRKH0i/1yK96TDuP7JyRFLOvA3UXNWz00R9w7ppMDcN # lXtrmbPigv3xE9FfpfmJRtiOZQKd73K72Wujmj6/Su3+DBTpOq7NgdntW2lJfX3X # a6oe4F9Pk9xRhkwHsk7Ju9E/AgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUrg/nt/gj+BBLd1jZWYhok7v5/w4w # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzQ3MDUyODAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAJL5t6pVjIRlQ8j4dAFJ # ZnMke3rRHeQDOPFxswM47HRvgQa2E1jea2aYiMk1WmdqWnYw1bal4IzRlSVf4czf # zx2vjOIOiaGllW2ByHkfKApngOzJmAQ8F15xSHPRvNMmvpC3PFLvKMf3y5SyPJxh # 922TTq0q5epJv1SgZDWlUlHL/Ex1nX8kzBRhHvc6D6F5la+oAO4A3o/ZC05OOgm4 # EJxZP9MqUi5iid2dw4Jg/HvtDpCcLj1GLIhCDaebKegajCJlMhhxnDXrGFLJfX8j # 7k7LUvrZDsQniJZ3D66K+3SZTLhvwK7dMGVFuUUJUfDifrlCTjKG9mxsPDllfyck # 4zGnRZv8Jw9RgE1zAghnU14L0vVUNOzi/4bE7wIsiRyIcCcVoXRneBA3n/frLXvd # jDsbb2lpGu78+s1zbO5N0bhHWq4j5WMutrspBxEhqG2PSBjC5Ypi+jhtfu3+x76N # mBvsyKuxx9+Hm/ALnlzKxr4KyMR3/z4IRMzA1QyppNk65Ui+jB14g+w4vole33M1 # pVqVckrmSebUkmjnCshCiH12IFgHZF7gRwE4YZrJ7QjxZeoZqHaKsQLRMp653beB # fHfeva9zJPhBSdVcCW7x9q0c2HVPLJHX9YCUU714I+qtLpDGrdbZxD9mikPqL/To # /1lDZ0ch8FtePhME7houuoPcMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAALLt3U5+wJxQjYAAAAAAsswDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIF3VZ17TRkkBkp5OAVZU+UH3 # JA5+RgmhLzqL52G4ZYxJMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAP6GpnjzYtUhrYv8ht3SsXO7K1NQ0LTnDmsHFIxWVyTwmvdWTyx7QrcfS # 8Qi0jvtSO582t5qe4zsnPzu4QcxIRcbQYwiKwneHONPyYsOnEHRtpyb2orz2MEbc # FUn5zejCuq2P46+mk+P7Y+v6XdLHQMkSvJ6KLDp23BqEG6+7cMFsjOrwtzPqkfXd # jP38pjd7cgQaQf6I7Z+4XSJk72WZ3bZS/1DSXaxFK/KmgT8VY4i6HPA6qVx509f/ # 3hThUZgnXxGipzi/S+18RjdimRQsKc5FdFqUR0E9CvIGvX/xFB7KuwoOXSfORVQd # 0aA51VoVUCavPXQmVwKuhuDx3emGS6GCFv0wghb5BgorBgEEAYI3AwMBMYIW6TCC # FuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsq # hkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCBCyl7lqQS2IT/plhEHiglU95JVO1gq+SUmgfSlI0b7GgIGZBMBXrsJ # GBMyMDIzMDMyMTEwMDcxNC43ODNaMASAAgH0oIHQpIHNMIHKMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpERDhDLUUz # MzctMkZBRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCC # EVQwggcMMIIE9KADAgECAhMzAAABxQPNzSGh9O85AAEAAAHFMA0GCSqGSIb3DQEB # CwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIyMTEwNDE5MDEz # MloXDTI0MDIwMjE5MDEzMlowgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMx # JjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkREOEMtRTMzNy0yRkFFMSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEAq0hds70eX23J7pappaKXRhz+TT7JJ3OvVf3+N8fNpxRs # 5jY4hEv3BV/w5EWXbZdO4m3xj01lTI/xDkq+ytjuiPe8xGXsZxDntv7L1EzMd5jI # SqJ+eYu8kgV056mqs8dBo55xZPPPcxf5u19zn04aMQF5PXV/C4ZLSjFa9IFNcrib # dOm3lGW1rQRFa2jUsup6gv634q5UwH09WGGu0z89RbtbyM55vmBgWV8ed6bZCZrc # oYIjML8FRTvGlznqm6HtwZdXMwKHT3a/kLUSPiGAsrIgEzz7NpBpeOsgs9TrwyWT # ZBNbBwyIACmQ34j+uR4et2hZk+NH49KhEJyYD2+dOIaDGB2EUNFSYcy1MkgtZt1e # RqBB0m+YPYz7HjocPykKYNQZ7Tv+zglOffCiax1jOb0u6IYC5X1Jr8AwTcsaDyu3 # qAhx8cFQN9DDgiVZw+URFZ8oyoDk6sIV1nx5zZLy+hNtakePX9S7Y8n1qWfAjoXP # E6K0/dbTw87EOJL/BlJGcKoFTytr0zPg/MNJSb6f2a/wDkXoGCGWJiQrGTxjOP+R # 96/nIIG05eE1Lpky2FOdYMPB4DhW7tBdZautepTTuShmgn+GKER8AoA1gSSk1EC5 # ZX4cppVngJpblMBu8r/tChfHVdXviY6hDShHwQCmZqZebgSYHnHl4urE+4K6ZC8C # AwEAAaOCATYwggEyMB0GA1UdDgQWBBRU6rs4v1mxNYG/rtpLwrVwek0FazAfBgNV # HSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5o # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBU # aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG # CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz # L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNV # HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IC # AQCMqN58frMHOScciK+Cdnr6dK8fTsgQDeZ9bvQjCuxNIJZJ92+xpeKRCf3Xq47q # dRykkKUnZC6dHhLwt1fhwyiy/LfdVQ9yf1hYZ/RpTS+z0hnaoK+P/IDAiUNm32NX # LhDBu0P4Sb/uCV4jOuNUcmJhppBQgQVhFx/57JYk1LCdjIee//GrcfbkQtiYob9O # a93DSjbsD1jqaicEnkclUN/mEm9ZsnCnA1+/OQDp/8Q4cPfH94LM4J6X0NtNBeVy # wvWH0wuMaOJzHgDLCeJUkFE9HE8sBDVedmj6zPJAI+7ozLjYqw7i4RFbiStfWZSG # jwt+lLJQZRWUCcT3aHYvTo1YWDZskohWg77w9fF2QbiO9DfnqoZ7QozHi7RiPpbj # gkJMAhrhpeTf/at2e9+HYkKObUmgPArH1Wjivwm1d7PYWsarL7u5qZuk36Gb1mET # S1oA2XX3+C3rgtzRohP89qZVf79lVvjmg34NtICK/pMk99SButghtipFSMQdbXUn # S2oeLt9cKuv1MJu+gJ83qXTNkQ2QqhxtNRvbE9QqmqJQw5VW/4SZze1pPXxyOTO5 # yDq+iRIUubqeQzmUcCkiyNuCLHWh8OLCI5mIOC1iLtVDf2lw9eWropwu5SDJtT/Z # wqIU1qb2U+NjkNcj1hbODBRELaTTWd91RJiUI9ncJkGg/jCCB3EwggVZoAMCAQIC # EzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBS # b290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoX # DTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC # 0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VG # Iwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP # 2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/P # XfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361 # VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwB # Sru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9 # X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269e # wvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDw # wvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr # 9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+e # FnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAj # BgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+n # FV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEw # PwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9j # cy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3 # FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAf # BgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBH # hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNS # b29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF # BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0Nl # ckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4Swf # ZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTC # j/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu # 2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/ # GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3D # YXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbO # xnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqO # Cb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I # 6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0 # zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaM # mdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNT # TY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIBATCB+KGB0KSBzTCByjEL # MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v # bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWlj # cm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBF # U046REQ4Qy1FMzM3LTJGQUUxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1w # IFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVACEAGvYXZJK7cUo62+LvEYQEx7/noIGD # MIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV # BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG # A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEF # BQACBQDnwsTVMCIYDzIwMjMwMzIwMTk0MTA5WhgPMjAyMzAzMjExOTQxMDlaMHQw # OgYKKwYBBAGEWQoEATEsMCowCgIFAOfCxNUCAQAwBwIBAAICL78wBwIBAAICEbcw # CgIFAOfEFlUCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgC # AQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQCHK8R5Ra5a9VPr # LlF+cYaR2R3JJgIJpM4fnNQFmRTOdiBZVeIQq25+YQGnzasRIb2SG/c2FhQwt9iR # RvIAHId7WU3Ip+q7NzvEAVkSHoFRUO3tyGzaXli7LIr4Zd+fWIzHnyMTD5gi1EAP # xqcSsAKWiNxm+qyJatsRAQC2qymIRjGCBA0wggQJAgEBMIGTMHwxCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU # aW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABxQPNzSGh9O85AAEAAAHFMA0GCWCGSAFl # AwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcN # AQkEMSIEIHq8PiS29K+gWDY/G7MvNBFLxTURA3iYDxq+2Bu4XsBoMIH6BgsqhkiG # 9w0BCRACLzGB6jCB5zCB5DCBvQQgGQGxkfYkd0wK+V09wO0sO+sm8gAMyj5EuKPq # vNQ/fLEwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAA # AcUDzc0hofTvOQABAAABxTAiBCCMLJz3orD9awBj+zywNeYy5HRyuj7eHJW3mARx # RjX6MzANBgkqhkiG9w0BAQsFAASCAgAc3pZ9rla6elYUoMHaaWT/Uqvq0aaewjUT # czHfFS9bEpNz9yG1+gj0JlwAhZG8maty/7pVaVrQRNTMHYCcMY5GaO2Yh19nh5+w # WuPyDMcgB9AcOn9SXHAfENRWggW8eQl3c9yRjgP8YAxiI1/mZREZ3QSJq0QMeP+Y # cef9j5rFP55cLP8u6GssSyPaSk4KgQihPZf6vhIihTrqkKwL8gw1ANHNh+g8O5f8 # qu3qKarGQP4T30WwaI68fL90tsyjcclUcRu1SeXO/obOkikEd7FHZozmggCfXT2j # 4IMbnnDlOfAWkvA5GigJd4hB/kjP5eQSU5ERi5V8h5mwtgCk0Bf9bXxtP8uHcbaM # QaT5BK2oGFqFVa1e92nDQXuI00aLJ4z380/F+G0zhPDASoW5R9U00btF/VwQk78G # imiPKA8rQRENgp2+3ZxdaqwzJO+55Op9fSkpSlxwaplshauovtqfVoNMR9w7gajK # n7TIUvOXWKt0KZiLSjaBakwuZiaoPHY89xOfXRe9LR17YbRb1anDLJiJ8xKRMbne # 0w2P+6yk15dV4XGfRgz47zCIBV9x42A6RPFqI42vvC79Q06ddzb+pxwOXTjvbdWK # USts6ja7I64KK9UymMNoRbpHEMD9WvbVO9zChziuD+mB9LK8NZMqIFEHOzjWNCVI # F9G6MB2O3A== # SIG # End signature block |