Sunday, October 7, 2018

Configuring MSA and gMSA

Configuring a Managed Service Account:
Import-Module ActiveDirectory
$AccountName='Network1cAccount'
$domain='example.com'
$fqdn=$AccountName+'.'+$domain
$computer='s1c-1'
# -RestrictToSingleComputer creates a standalone MSA; without it, on Windows Server 2012 and later New-ADServiceAccount creates a gMSA and requires -DNSHostName
New-ADServiceAccount -Name $AccountName -RestrictToSingleComputer -Enabled $true
# Bind the account to the one computer that is allowed to retrieve its password
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $AccountName
# The AD PowerShell RSAT feature is needed on the target host to run Install-ADServiceAccount there
Invoke-Command -ComputerName $computer {if ((Get-WindowsFeature rsat-ad-powershell).InstallState -ne [Microsoft.Windows.ServerManager.Commands.InstallState]::Installed) {Install-WindowsFeature rsat-ad-powershell}}
# $using: passes the local variable into the remote session; a bare $AccountName would be empty there
Invoke-Command -ComputerName $computer {Import-Module ActiveDirectory; Install-ADServiceAccount -Identity $using:AccountName}
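After the account is installed on the host, the step the post does not show is checking that the host can actually retrieve the password and then switching the service to the account. The script below is an added example, not code from the original post; $computer, $AccountName and $domain follow the post, while $serviceName is a hypothetical service name that you would replace with your own.

```powershell
# Added example (not from the original post): verify the MSA on the target host and
# assign a service to it. $serviceName is an assumption; the other names follow the post.
Import-Module ActiveDirectory
$AccountName = 'Network1cAccount'
$computer    = 's1c-1'
$serviceName = 'Service1C'                    # hypothetical service name
$netbios     = (Get-ADDomain).NetBIOSName     # e.g. EXAMPLE for example.com

Invoke-Command -ComputerName $computer -ScriptBlock {
    Import-Module ActiveDirectory
    # Test-ADServiceAccount returns $true only if this host is allowed to retrieve
    # the account's password; if it fails, Add-ADComputerServiceAccount or the
    # Install-ADServiceAccount step did not take effect on this machine.
    if (-not (Test-ADServiceAccount -Identity $using:AccountName)) {
        throw "MSA $($using:AccountName) is not usable on $env:COMPUTERNAME"
    }
    # A managed account is referenced as DOMAIN\name$ with an empty password;
    # the service control manager fetches the real password from AD itself.
    $logon = "$($using:netbios)\$($using:AccountName)`$"
    sc.exe config $using:serviceName obj= $logon password= ""
    Restart-Service -Name $using:serviceName
    # Report the effective logon account so the change can be confirmed
    (Get-CimInstance Win32_Service -Filter "Name='$($using:serviceName)'").StartName
}
```

Unlike services.msc, sc.exe does not grant the "Log on as a service" right when it changes the logon account, so grant it to the MSA through local security policy or a GPO before restarting the service, otherwise the restart fails with a logon failure.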

Source
Configuring a group Managed Service Account:
Import-Module ActiveDirectory
while (!(Get-KDSRootKey)) {
     Add-KDSRootKey -EffectiveImmediately
     Start-Sleep -Seconds 86400 # wait for the key to be created in AD; a key added with -EffectiveImmediately only becomes usable about 10 hours later, after it has replicated
}
$AccountName='Network1cAccount'
$domain='example.com'
$fqdn=$AccountName+'.'+$domain
$ADGroupName='servers1c'
# Members of $ADGroupName are the only principals allowed to retrieve the managed password
New-ADServiceAccount -Name $AccountName -DNSHostName $fqdn -PrincipalsAllowedToRetrieveManagedPassword $ADGroupName
$AccountADPath= ('ad:'+(Get-ADServiceAccount $AccountName).DistinguishedName)
<# Optional: grant the group an explicit Read ACE on the account object
$acl=Get-Acl $AccountADPath
$group=Get-ADGroup $ADGroupName
$sid=[System.Security.Principal.SecurityIdentifier]$group.SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "Read"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
# the rule is built from $sid (the original referenced an undefined $identity)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,$adRights,$type,$inheritanceType
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl $AccountADPath #>
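The list in PrincipalsAllowedToRetrieveManagedPassword is the real trust boundary of a gMSA: every member of those principals can obtain the account's password, so it is worth auditing after creation, together with the KDS root key state the loop above waits on. The script below is an added example, not code from the original post; $AccountName and $ADGroupName follow the post, and it assumes a host with the ActiveDirectory module and WinRM access to the group members.

```powershell
# Added example (not from the original post): audit a gMSA after creation.
# Names follow the post; assumes the ActiveDirectory module and WinRM to the members.
Import-Module ActiveDirectory
$AccountName = 'Network1cAccount'
$ADGroupName = 'servers1c'

# 1. A KDS root key must already be effective, otherwise no host can retrieve the
#    password yet. Checking EffectiveTime replaces the blind 24-hour sleep.
$effective = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effective) {
    $pending = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
    Write-Warning "No effective KDS root key yet (next effective at: $($pending.EffectiveTime))"
}

# 2. Expand every principal allowed to retrieve the password down to individual
#    accounts; anything that is not a server running the service should not be here.
$acct = Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $p = Get-ADObject -Identity $dn
    if ($p.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
            "{0,-30} via group {1}" -f $_.SamAccountName, $p.Name
        }
    } else {
        "{0,-30} (direct)" -f $p.Name
    }
}
"Managed password rotates every $($acct.ManagedPasswordIntervalInDays) days"

# 3. Ask the member hosts themselves. A computer added to the group only carries the
#    new membership after a reboot, so Test-ADServiceAccount fails there until then.
$hosts = Get-ADGroupMember -Identity $ADGroupName | Where-Object { $_.objectClass -eq 'computer' }
Invoke-Command -ComputerName $hosts.Name -ScriptBlock {
    Import-Module ActiveDirectory
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Usable = (Test-ADServiceAccount -Identity $using:AccountName)
    }
}
```

Step 2 is the part to keep in a periodic check: a gMSA whose retrieval group quietly gains an administrator's workstation or a broad group is a plain credential exposure, and the password interval tells you how long a retrieved password stays valid.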

Source

