DryActiveDirectory

1.1.1

ScriptBlocks/DryAD_SB_User_Set.ps1

# DryActiveDirectory is an AD config module for use with DryDeploy, or by itself.
#
# Copyright (C) 2021 Bjørn Henrik Formo (bjornhenrikformo@gmail.com)
# LICENSE: https://raw.githubusercontent.com/bjoernf73/DryActiveDirectory/main/LICENSE
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ScriptBlock]$DryAD_SB_User_Set = { 
    Param (
        $UserSpec,
        $ExecutionType,
        $Server,
        $Secret
    ) 
    
    Try {
        # The function that finds certificate, decrypts, converts to secure string
        Function Convert-DryADEncryptedBase64ToSecureString {
            [CmdletBinding()]
            [OutputType([System.Security.SecureString])]
            Param(
                [Parameter(Mandatory)]
                [ValidateNotNullOrEmpty()]
                [String] $EncryptedBase64String
            )
            Try {
                # Try to find a certificate in the LocalMachine\My (Personal) Store with
                # - a private key accessible
                # - of type SHA256 RSA (ECDH does not work)
                # - 'Server Authentiaction' as part of the Enhanced Key Usage
                $Cert = Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction Stop | 
                Where-Object { 
                    ($_.HasPrivateKey -eq $True) -and 
                    ($_.SignatureAlgorithm.FriendlyName -eq 'SHA256RSA') -and
                    (@(($_.EnhancedKeyUsageList).FriendlyName) -contains 'Server Authentication')  
                }
        
                # If multiple, use first
                If ($Cert -is [Array]) {
                    $Cert = $Cert[0]
                }
                
                If ($Cert) {
                    $EncryptedByteArray = [Convert]::FromBase64String($EncryptedBase64String)
                    $ClearText = [System.Text.Encoding]::UTF8.GetString($Cert.PrivateKey.Decrypt($EncryptedByteArray,$True))
                }
                Else {
                    Throw "Server Authentication Certificate with Private Key not found!"
                }
                Return (ConvertTo-SecureString -String $ClearText -AsPlainText -Force)
            }
            Catch {
                $PSCmdlet.ThrowTerminatingError($_)
            }
            Finally {
                Remove-Variable -Name ClearText -ErrorAction Continue
            }
        }

         # Define variables
        $ADRootDSE = Get-ADRootDSE 
        $DomainDN = $ADRootDSE.DefaultNamingContext
        
        # Add DomainDN to path if not already added
        If ($UserSpec['Path'] -notmatch "$DomainDN$") {
            $UserSpec['Path'] = $UserSpec['Path'] + ",$DomainDN"
        }
        Switch ($ExecutionType) {
            'Remote' {
                # Decrypt the encypted password, and create a SecureString
                [System.Security.SecureString]$SecureStringPassword = Convert-DryADEncryptedBase64ToSecureString -EncryptedBase64String $Secret
            }
            'Local' {
                [System.Security.SecureString]$SecureStringPassword = $Secret
            }
        }
        # Add SecureString as 'AccountPassword'
        $UserSpec+=@{'AccountPassword'=$SecureStringPassword}

        New-ADUser @UserSpec -Server $Server -ErrorAction Stop
        $True,''
    }
    Catch {
        $False,"$($_.ToString())"
    }
}