
Managing an Application’s ADLDS through PowerShell

Sometimes, an application requires an Authentication provider that both uses an Enterprise’s Active Directory and at the same time stores application scope accounts for external users. Microsoft recommends using Active Directory Lightweight Directory Services, or ADLDS, to accomplish this.

We have a scenario with a WPF application that authenticates against an ADLDS instance through a WCF web service. The application has a specific set of groups and requires the ADLDS to be configured accordingly.

To accomplish this, yesterday I had to create two PowerShell scripts: one to set up the entire ADLDS with the default groups and a default user per group for the test team to use during testing, and a second one to add a single user to a specific group.

1. Setting up our entire ADLDS

This script creates a set of defined application groups and populates each of them with a test user. It also creates a general admin user. I’m using the ` line escape to make the script readable in the blog.

Import-Module ActiveDirectory

##############################################################################################
# Array with groups for AD LDS
$ADGroups = @("GROUP1", "GROUP2", "GROUP3",
              "GROUP4", "GROUP5", "GROUP6",
              "GROUP7", "GROUP8", "GROUP9",
              "GROUP10", "GROUP11", "GROUP12")
##############################################################################################

##############################################################################################
# Username, Password of an admin account for the AD LDS and the location of the AD LDS
$credUsername = 'MyDomain\MyUser'
$credPassword = 'MyPassword'
$server = 'Myserver'
##############################################################################################

$cred = New-Object System.Management.Automation.PSCredential -ArgumentList `
        @($credUsername,(ConvertTo-SecureString -String $credPassword -AsPlainText -Force))

Write-Host
Write-Host "Creating User Groups ..."

foreach ($element in $ADGroups)
{
    New-ADGroup -Name $element -SamAccountName $element -DisplayName $element `
        -GroupCategory Distribution -GroupScope DomainLocal -Path "CN=Roles,CN=MyCN,DC=PT" `
        -OtherAttributes @{isCriticalSystemObject='TRUE'} -Server $server -Credential $cred
}

Write-Host "Creating the user my_admin ..."

$userName = "my_admin"
New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
    -Path "CN=Users,CN=MyCN,DC=PT" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true `
    -PasswordNeverExpires $true -Server $server -Credential $cred

$user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred

# The ADMINISTRADOR group is not created above, so it must already exist in CN=Roles.
# Windows PowerShell does not accept a line that starts with |, so the pipe ends the line.
Get-ADGroup -Filter {cn -eq "ADMINISTRADOR"} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred |
    Add-ADGroupMember -Members $user -Server $server -Credential $cred

Write-Host "Creating test users ..."

foreach ($element in $ADGroups)
{
    $userName = "mytest_" + $element.ToLower()
    New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
        -Path "CN=Users,CN=MyCN,DC=PT" `
        -AccountPassword (ConvertTo-SecureString -AsPlainText "testuserpwd" -Force) `
        -Enabled $true -PasswordNeverExpires $true -Server $server -Credential $cred

    $user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
        -Server $server -Credential $cred

    # The pipe must end the line; a line starting with | is a parse error in Windows PowerShell
    Get-ADGroup -Filter {cn -eq $element} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
        -Server $server -Credential $cred |
        Add-ADGroupMember -Members $user -Server $server -Credential $cred
}

Write-Host
Write-Host "ADLDS successfully configured" -ForegroundColor Green

2. Script to create a specific ADLDS user and assign it to a group

This script prompts for the user group, the user name and the user password, creates the user and assigns it to the group. I’m using the ` line escape to make the script readable in the blog.

Import-Module ActiveDirectory

##############################################################################################
# Array with groups for AD LDS
$ADGroups = @("GROUP1", "GROUP2", "GROUP3",
              "GROUP4", "GROUP5", "GROUP6",
              "GROUP7", "GROUP8", "GROUP9",
              "GROUP10", "GROUP11", "GROUP12")
##############################################################################################

##############################################################################################
# Username, Password of an admin account for the AD LDS and the location of the AD LDS
$credUsername = 'MyDomain\MyUser'
$credPassword = 'MyPassword'
$server = 'Myserver'
##############################################################################################

$cred = New-Object System.Management.Automation.PSCredential -ArgumentList `
        @($credUsername,(ConvertTo-SecureString -String $credPassword -AsPlainText -Force))

Clear-Host
Write-Host "=================";
Write-Host "= Chose a group =";
Write-Host "=================";

[char]$startNumber = 'A'
[char]$lastNumber = [char]([int]$startNumber + $ADGroups.Count - 1)   # 'L' for the 12 groups above
[char]$groupNumber = $startNumber

foreach ($element in $ADGroups)
{
    Write-Host "$groupNumber : $element"
    $groupNumber = [char]([int]$groupNumber + 1)
}

# $input is a reserved automatic variable in PowerShell, so the answer goes in $choice
$choice = Read-Host "Enter the Group Letter ($startNumber-$lastNumber)"
if ([string]::IsNullOrWhiteSpace($choice)) { throw "No group letter entered" }

$groupPosition = [int][char]$choice.ToUpper()[0] - [int]$startNumber
if ($groupPosition -lt 0 -or $groupPosition -ge $ADGroups.Count) {
    throw "'$choice' is not a valid group letter"
}
$ADGroup = $ADGroups[$groupPosition]

Write-Host
Write-Host "Creating user in group", $ADGroups[$groupPosition]

$userName = Read-Host "User Name (without spaces)"
# Read the password as a SecureString so it never sits in a plain-text variable
$userPassword = Read-Host "User Password" -AsSecureString

New-ADUser -Name $userName -SamAccountName $userName -DisplayName $userName `
    -Path "CN=Users,CN=MyCN,DC=PT" `
    -AccountPassword $userPassword -Enabled $true `
    -PasswordNeverExpires $true -Server $server -Credential $cred

$user = Get-ADUser -Filter {cn -eq $userName} -SearchBase "CN=Users,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred

# The pipe must end the line; a line starting with | is a parse error in Windows PowerShell
Get-ADGroup -Filter {cn -eq $ADGroup} -SearchBase "CN=Roles,CN=MyCN,DC=PT" `
    -Server $server -Credential $cred |
    Add-ADGroupMember -Members $user -Server $server -Credential $cred

Write-Host
Write-Host "User created successfully" -ForegroundColor Green
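As an added check that is not part of the original scripts, the function below audits an ADLDS instance set up by script 1: it verifies that every group exists under CN=Roles and contains its test user, and it flags the shared-password test accounts and any account with PasswordNeverExpires, since neither should survive into production. It assumes the same $ADGroups, $server and $cred variables and container DNs as the scripts above; the function name and the client-side evaluation of PasswordNeverExpires are my assumptions.

```powershell
# Added audit helper, not from the original post. It reuses $ADGroups, $server and $cred
# and the container DNs from the scripts above; nothing is created or changed.
function Test-AdldsRoleSetup {
    param(
        [Parameter(Mandatory)][string[]]$Groups,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$RolesPath = "CN=Roles,CN=MyCN,DC=PT",
        [string]$UsersPath = "CN=Users,CN=MyCN,DC=PT",
        [string]$TestUserPrefix = "mytest_"
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($g in $Groups) {
        # Same lookup pattern as the setup script: filter on cn under the Roles container
        $group = Get-ADGroup -Filter "cn -eq '$g'" -SearchBase $RolesPath -Properties member `
                     -Server $Server -Credential $Credential
        if (-not $group) { $findings.Add("Group '$g' is missing under $RolesPath"); continue }

        $expectedDn = "CN=$TestUserPrefix$($g.ToLower()),$UsersPath"
        if (@($group.member) -notcontains $expectedDn) {
            $findings.Add("Group '$g' lacks its test user $expectedDn")
        }
    }

    # Account-level checks. PasswordNeverExpires is evaluated client-side rather than in
    # -Filter, so the check does not depend on how that property maps in ADLDS (assumption).
    $users = Get-ADUser -Filter * -SearchBase $UsersPath -Properties PasswordNeverExpires `
                 -Server $Server -Credential $Credential
    foreach ($u in $users) {
        if ($u.Name -like "$TestUserPrefix*") {
            $findings.Add("Test account '$($u.Name)' exists (shared password; remove outside test)")
        }
        if ($u.PasswordNeverExpires) {
            $findings.Add("Account '$($u.Name)' has PasswordNeverExpires set")
        }
    }
    return $findings
}

$report = Test-AdldsRoleSetup -Groups $ADGroups -Server $server -Credential $cred
if ($report.Count -eq 0) { Write-Host "ADLDS matches the expected layout" -ForegroundColor Green }
else { $report | ForEach-Object { Write-Host $_ -ForegroundColor Yellow } }
```

Run it after script 1 on the test environment, and again before the instance is promoted, when the only acceptable output is the green line.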