Once a while, you will have a need to setup a new environment with new service accounts for all your apps/services. We all know, over time, those accounts in the current environments are added gradually one at a time. It would be nice if we can have a script to populate them and have a way to know what they are even.
So here you go, I created these Power Shell scripts to read the settings from a XML file and then create them into the domain AD. So from this point on, you can just maintain these XML config files for you various environments/domains. Easy to maintain, audit, and create a new one.
First, this is the XML file looks like. You can sure add more nodes/attributes to it to fit your needs.
<Env id="UAT">
<LDAPServer>MyLDAPServerName</LDAPServer>
<OU>OU=Service Accounts,OU=MyOU,dc=uat,dc=MyDomain</OU>
<Accounts>
<Account id="ServiceAccount1">
<Description>Service Account for Service1</Description>
<sAMAccountName>ServiceAccount1</sAMAccountName>
<UserPrincipalName>ServiceAccount1@MyCompany.com</UserPrincipalName>
<Password>MyPassword1</Password>
</Account>
<Account id="ServiceAccount2">
<Description>Service Account for Service2</Description>
<sAMAccountName>ServiceAccount2</sAMAccountName>
<UserPrincipalName>ServiceAccount1@MyCompany.com</UserPrincipalName>
<Password>MyPassword2</Password>
</Account>
<Accounts>
</Env>
Second, let’s create a PS file to do the creation
function SetupAServiceAccount ($ldapServer, $ou, $accountName, $sAMAccountName, $userPrincipalName, $accountPassword, $accountDescription)
{
### There is a limitation of maximum length (20) of sAMAccountname. So we have to watch the error for it
$errorDeviceNotFunctioning = 'Exception calling "SetInfo" with "0" argument(s): "A device attached to the system is not functioning.'
### Error for object (account) already exist. We will ignore it and proceed to update the account
$errorObjectAlreadyExist = 'Exception calling "SetInfo" with "0" argument(s): "The object already exists.'
### Initialize variables
$errorString = ""
### Get the AD object
$objOU=[adsi]"LDAP://$ldapServer/$ou"
### Try to Create a new account
$objUser = $objOU.Create("user", "cn=$accountName")
$objUser.Put("sAMAccountName", $sAMAccountName)
try
{
$objUser.SetInfo()
$objUser=""
write-host "*** Account Creation Success: $accountName ***"
}
catch
{
[string] $errorString = $_
}
if ($errorString.Contains($errorDeviceNotFunctioning) -eq $True)
{
write-host "%%% Creation Unsuccess: $accountName - $errorString %%%"
write-host "%%% The length of sAMAccountName cannot be more than 20 %%%"
}
elseif ($errorString.Contains($errorObjectAlreadyExist) -eq $True -Or $errorString -eq "")
{
if ($errorString.Contains($errorObjectAlreadyExist) -eq $True)
{
write-host "*** Account Alreday Exist, will update it instead ***"
}
if ($errorString -eq "")
{
write-host "*** Prepare to update ***"
}
$objUser=[adsi]"LDAP://$ldapServer/cn=$accountName,$ou"
$objUser.SetPassword($accountPassword)
$objUser.Put("pwdLastSet", -1)
$objUser.Put("userPrincipalName", $userPrincipalName)
$objUser.Put("description", $accountDescription)
$objUser.Put("userAccountControl", 66048)
try
{
$objUser.SetInfo()
write-host "*** Update Success: $accountName ***"
$objUser = ""
& 'C:\Program Files (x86)\Windows Resource Kits\Tools\ntrights.exe' +r SeServiceLogonRight -u $userPrincipalName
}
catch
{
write-host "%%% Update Unsuccess: $accountName - $_ %%%"
}
}
else
{
write-host "%%% Creation Unsuccess : $accountName - $errorString %%%"
}
}
Note: Here I used a tool called notrights.exe to grant the LogonAsService permission to those newly created accounts. It is a Microsoft tool and you can get it from here
Finally, we need to loop through the config file to run by the script we just created.
. ".\SetupAServiceAccount.ps1"
### Read the config XML
$configFile = $args[0]
[xml]$thisEnv = Get-Content $configFile
### Create a service account for each element in the xml file (under accounts)
$ldapServer = $thisEnv.Env.LDAPServer
$ou = $thisEnv.Env.OU
$thisEnv.Env.Accounts.Account| foreach {SetupAServiceAccount $ldapServer $ou $_.id $_.sAMAccountName $_.UserPrincipalName $_.Password $_.Description}
Heal My SCM 