Sometimes an application needs an authentication provider that both uses an enterprise's Active Directory and, at the same time, stores application-scoped accounts for external users. Microsoft recommends using Active Directory Lightweight Directory Services (AD LDS) to accomplish this.
We have a scenario where a WPF application authenticates against an AD LDS instance through a WCF web service; the application has a specific set of groups and requires the AD LDS to be configured accordingly.
To accomplish this, yesterday I had to create 2 PowerShell scripts: one to set up the entire AD LDS with the default groups and a default user per group for the test team to use during testing, and a second one to add a single user to a specific group.
1. Setting up our entire ADLDS
This script creates a set of defined application groups and populates each one of them with a test user. It also creates a general admin user. I'm using the ` line continuation character to keep the script readable in the blog.

Import-Module ActiveDirectory

##############################################################################################
# Array with groups for AD LDS
$ADGroups = @("GROUP1", "GROUP2", "GROUP3", "GROUP4", "GROUP5", "GROUP6",
              "GROUP7", "GROUP8", "GROUP9", "GROUP10", "GROUP11", "GROUP12")
##############################################################################################

##############################################################################################
# Username, Password of an admin account for the AD LDS and the location of the AD LDS
# (hard-coded for the test lab only: a plaintext admin password in a script must not be
#  committed to source control or reused outside the test environment)
$credUsername = 'MyDomain\MyUser'
$credPassword = 'MyPassword'
$server = 'Myserver'
##############################################################################################

$cred = New-Object System.Management.Automation.PSCredential -ArgumentList `
    @($credUsername,(ConvertTo-SecureString -String $credPassword -AsPlainText -Force))

Write-Host
Write-Host "Creating User Groups ..."
foreach ($element in $ADGroups) {
    New-ADGroup -Name $element -SamAccountName $element -DisplayName $element `
        -GroupCategory Distribution -GroupScope DomainLocal -Path "CN=Roles,CN=MyCN,DC=PT" `
        -OtherAttributes @{isCriticalSystemObject='TRUE'} -Server $server -Credential $cred
}

Write-Host "Creating the user my_admin ..."
$userName = "my_admin"
New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
    -Path "CN=Users,CN=MyCN,DC=PT" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true `
    -PasswordNeverExpires $true -Server $server -Credential $cred
$user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred
# The admin role group ADMINISTRADOR is not created above; the script assumes it already
# exists under CN=Roles (it is not part of $ADGroups)
Get-ADGroup -Filter {cn -eq "ADMINISTRADOR"} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred |
    Add-ADGroupMember -Members $user -Server $server -Credential $cred

Write-Host "Creating test users ..."
foreach ($element in $ADGroups) {
    # One test account per group, e.g. mytest_group1, all sharing the same test password
    $userName = "mytest_" + $element.ToLower()
    New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
        -Path "CN=Users,CN=MyCN,DC=PT" `
        -AccountPassword (ConvertTo-SecureString -AsPlainText "testuserpwd" -Force) `
        -Enabled $true -PasswordNeverExpires $true -Server $server -Credential $cred
    $user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
        -Server $server -Credential $cred
    Get-ADGroup -Filter {cn -eq $element} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
        -Server $server -Credential $cred |
        Add-ADGroupMember -Members $user -Server $server -Credential $cred
}

Write-Host
Write-Host "AD LDS successfully configured" -ForegroundColor green
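As an added example (not part of the original post), the following script checks what the setup script above should have produced: for every group in $ADGroups it confirms the group exists under CN=Roles, that the matching mytest_<group> account exists under CN=Users and is enabled, and that the account is actually listed in the group's member attribute. It assumes the same container layout and naming as the post; the function name Test-AdldsGroupSetup is my own. The admin credential is prompted for with Get-Credential rather than embedded in the script, and membership is read from the group's member attribute, which is plain LDAP and does not depend on Get-ADGroupMember behaviour against an AD LDS instance. Because the report lists every test account that shares the known test password, it also serves as the inventory to remove before the instance is promoted beyond the test lab.

```powershell
# Added example, not from the original post. Assumes the post's AD LDS layout:
# roles under CN=Roles,CN=MyCN,DC=PT, accounts under CN=Users,CN=MyCN,DC=PT,
# test users named mytest_<group in lower case>.
Import-Module ActiveDirectory

$ADGroups = @("GROUP1", "GROUP2", "GROUP3", "GROUP4", "GROUP5", "GROUP6",
              "GROUP7", "GROUP8", "GROUP9", "GROUP10", "GROUP11", "GROUP12")
$server   = 'Myserver'
$rolesDN  = "CN=Roles,CN=MyCN,DC=PT"
$usersDN  = "CN=Users,CN=MyCN,DC=PT"

# Prompt for the AD LDS admin account instead of keeping its password in the script
$cred = Get-Credential -Message "AD LDS admin account"

# Hypothetical helper: returns one result object per group describing what was found
function Test-AdldsGroupSetup {
    param([Parameter(Mandatory)][string]$GroupName)

    $result = [pscustomobject]@{
        Group       = $GroupName
        GroupExists = $false
        TestUser    = "mytest_" + $GroupName.ToLower()
        UserExists  = $false
        UserEnabled = $false
        IsMember    = $false
    }

    # Read the member attribute directly so membership can be compared by DN
    $group = Get-ADGroup -Filter "cn -eq '$GroupName'" -SearchBase $rolesDN `
                 -Properties member -Server $server -Credential $cred
    if ($group) {
        $result.GroupExists = $true
        $user = Get-ADUser -Filter "cn -eq '$($result.TestUser)'" -SearchBase $usersDN `
                    -Server $server -Credential $cred
        if ($user) {
            $result.UserExists  = $true
            $result.UserEnabled = [bool]$user.Enabled
            $result.IsMember    = ($group.member -contains $user.DistinguishedName)
        }
    }
    return $result
}

$report = foreach ($g in $ADGroups) { Test-AdldsGroupSetup -GroupName $g }
$report | Format-Table -AutoSize

# Exit non-zero when anything is missing so the check can run unattended
$problems = $report | Where-Object {
    -not ($_.GroupExists -and $_.UserExists -and $_.UserEnabled -and $_.IsMember)
}
if ($problems) {
    Write-Host "AD LDS setup incomplete for: $($problems.Group -join ', ')" -ForegroundColor red
    exit 1
}
Write-Host "All groups and test users present" -ForegroundColor green
```

Run it with the same account used by the setup script; a row with GroupExists true but IsMember false usually means the Add-ADGroupMember step failed silently for that group, which is worth checking before handing the instance to the test team.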
2. Script to create a specific ADLDS user and assign it to a group
This script prompts for the user group, the user name and the user password, creates the user and assigns it to the group. I'm using the ` line continuation character to keep the script readable in the blog.

Import-Module ActiveDirectory

##############################################################################################
# Array with groups for AD LDS
$ADGroups = @("GROUP1", "GROUP2", "GROUP3", "GROUP4", "GROUP5", "GROUP6",
              "GROUP7", "GROUP8", "GROUP9", "GROUP10", "GROUP11", "GROUP12")
##############################################################################################

##############################################################################################
# Username, Password of an admin account for the AD LDS and the location of the AD LDS
# (hard-coded for the test lab only; see the note in the first script)
$credUsername = 'MyDomain\MyUser'
$credPassword = 'MyPassword'
$server = 'Myserver'
##############################################################################################

$cred = New-Object System.Management.Automation.PSCredential -ArgumentList `
    @($credUsername,(ConvertTo-SecureString -String $credPassword -AsPlainText -Force))

Clear-Host
Write-Host "=================="
Write-Host "= Choose a group ="
Write-Host "=================="
[char]$startNumber = 'A'
[char]$lastNumber = 'L'
[char]$groupNumber = $startNumber
foreach ($element in $ADGroups) {
    Write-Host $groupNumber : $element
    $groupNumber = [char]([int]$groupNumber + 1)
}

# $choice is used instead of $input: $input is a PowerShell automatic variable and
# must not be assigned to
$choice = Read-Host "Enter the Group Letter"
$groupPosition = ([int]($choice.ToUpper().ToCharArray())[0]) - [int]$startNumber
# Reject anything outside A..L: a negative index would otherwise silently select a
# group from the end of the array, and an index past the end returns $null
if ($groupPosition -lt 0 -or $groupPosition -ge $ADGroups.Count) {
    Write-Host "Invalid group letter" -ForegroundColor red
    exit 1
}
$ADGroup = $ADGroups[$groupPosition]

Write-Host
Write-Host "Creating user in group", $ADGroup
$userName = Read-Host "User Name (without spaces)"
# -AsSecureString keeps the password from being echoed on screen and returns a
# SecureString that -AccountPassword accepts directly
$userPassword = Read-Host "User Password" -AsSecureString
New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
    -Path "CN=Users,CN=MyCN,DC=PT" `
    -AccountPassword $userPassword -Enabled $true `
    -PasswordNeverExpires $true -Server $server -Credential $cred
$user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred
Get-ADGroup -Filter {cn -eq $ADGroup} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred |
    Add-ADGroupMember -Members $user -Server $server -Credential $cred

Write-Host
Write-Host "User created successfully" -ForegroundColor green