private/New-RBACAdmin.ps1
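function ConvertTo-LdapFilterValue {
    <#
    .SYNOPSIS
    Escapes a string for safe interpolation into an LDAP search filter (RFC 4515).

    .DESCRIPTION
    Replaces the LDAP filter metacharacters  \  *  (  )  and NUL with their
    \xx hex escapes so a caller-supplied value can never change the shape of the
    filter it is embedded in. Private helper used by New-RBACAdmin.

    .PARAMETER Value
    The raw attribute value to escape. An empty string is returned unchanged.

    .OUTPUTS
    System.String - the escaped value.
    #>
    [CmdletBinding()]
    [OutputType([string])]
    param (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]$Value
    )

    # Backslash is escaped first so the escape sequences added below are not re-escaped.
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function New-RBACAdmin {
    <#
    .SYNOPSIS
    Creates a privileged "SA_" admin account for an existing user inside an RBAC org.

    .DESCRIPTION
    Looks up the parent (non-privileged) user below the module's user search base,
    then creates an enabled "SA_<parent>" account in the org's PrivilegedAccounts OU
    with a freshly generated random password. Identity attributes (given name, surname,
    display name, mail, title, telephone number) are copied from the parent.

    Honours -WhatIf / -Confirm: nothing is generated or created unless ShouldProcess
    approves.

    .PARAMETER ParentUser
    SamAccountName of the existing user the admin account is derived from. Must exist
    below the module's user search base (validated at bind time).

    .PARAMETER Org
    Name of the RBAC org (as returned by Get-RbacOrg) whose PrivilegedAccounts OU
    receives the new account.

    .OUTPUTS
    None to the pipeline. A creation message and the initial cleartext password are
    written to the host stream (see the SECURITY note in the body).

    .NOTES
    Relies on module-scope state: $UsersOU, $GlobalOUStruct, Get-RbacOrg,
    Get-RandomPassword and ConvertTo-LdapFilterValue. The ValidateScript blocks
    reference module-scope names too, so they only work when the parameter binder
    evaluates them in the module's session state (the original code already
    assumed this for $UsersOU / $GlobalOUStruct).
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [ValidateScript({
            $searchBase = "OU={0},OU={1},{2}" -f $UsersOU, $GlobalOUStruct.Name, $GlobalOUStruct.Path
            # Escape the caller value: a quote or LDAP metacharacter in it must not
            # be able to rewrite the filter.
            $ldapValue = ConvertTo-LdapFilterValue -Value $_
            [bool](Get-ADUser -SearchBase $searchBase -LDAPFilter "(sAMAccountName=$ldapValue)")
        })]
        [String]$ParentUser,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 1)]
        [ValidateScript({ [bool](Get-RbacOrg -Org $_) })]
        [ArgumentCompleter({ (Get-RbacOrg).Org })]
        [String]$Org
    )

    begin {
        # OU (relative to the org's DN) that holds the privileged accounts.
        $SA_OU_Name = "PrivilegedAccounts"
        # Parent users are only looked up below the module's designated user OU.
        $UserSearchBase = "OU={0},OU={1},{2}" -f $UsersOU, $GlobalOUStruct.Name, $GlobalOUStruct.Path
        # UPN suffix for the new account.
        $DNSDomain = (Get-ADDomain).DnsRoot
    }

    process {
        $orgObject = Get-RbacOrg -Org $Org

        # Re-fetch the parent with the attributes we copy. 'title' is requested
        # explicitly: it is not a default Get-ADUser property, so without it the
        # Title of the new account would always be empty.
        $ldapValue = ConvertTo-LdapFilterValue -Value $ParentUser
        $parent = Get-ADUser -SearchBase $UserSearchBase `
                             -LDAPFilter "(sAMAccountName=$ldapValue)" `
                             -Properties mail, telephoneNumber, displayName, title

        # Validation already saw the account, but the second lookup can still come
        # back empty (e.g. it was deleted in between). Never build "SA_" names from $null.
        if (-not $parent) {
            throw "Parent user '$ParentUser' was not found below '$UserSearchBase'."
        }

        # NOTE(review): neither the SamAccountName nor the UPN includes $Org, so a
        # parent that gets an admin account in two orgs would collide on the same
        # name (only DisplayName and Path differ) — confirm this is intended.
        # The UPN is derived from Name while the SamAccountName is derived from
        # SamAccountName, mirroring the original behaviour; the two can differ.
        $newSam  = "SA_{0}" -f $parent.SamAccountName
        $newUpn  = "SA_{0}@{1}" -f $parent.Name, $DNSDomain
        $newPath = "OU={0},{1}" -f $SA_OU_Name, $orgObject.DistinguishedName

        # Honour -WhatIf/-Confirm before generating a password or touching AD; the
        # original relied on New-ADUser's own WhatIf and still printed "created".
        if (-not $PSCmdlet.ShouldProcess($newUpn, "Create privileged account in $newPath")) {
            return
        }

        # The password's strength is whatever Get-RandomPassword produces — TODO confirm
        # it meets the domain's privileged-account policy (length/complexity).
        $password       = Get-RandomPassword
        $securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

        $userParams = @{
            Name              = "SA_{0}" -f $parent.Name
            SamAccountName    = $newSam
            UserPrincipalName = $newUpn
            DisplayName       = "{1} (Admin / {0})" -f $Org, $parent.DisplayName
            GivenName         = $parent.GivenName
            Surname           = $parent.Surname
            EmailAddress      = $parent.Mail
            Title             = $parent.Title
            Path              = $newPath
            Enabled           = $true
            AccountPassword   = $securePassword
        }
        # New-ADUser rejects $null values inside -OtherAttributes, so only pass the
        # telephone number when the parent actually has one.
        if ($parent.telephoneNumber) {
            $userParams.OtherAttributes = @{ telephoneNumber = $parent.telephoneNumber }
        }

        # -ErrorAction Stop: New-ADUser reports failures as non-terminating errors,
        # which the original try/catch never saw — it then printed "User '' created"
        # and a password for an account that does not exist. Let the error propagate.
        $newUser = New-ADUser @userParams -PassThru -ErrorAction Stop

        Write-Host ("User '{0}' created at {1}." -f $newUser.UserPrincipalName, $newPath)
        # SECURITY: the initial password is echoed in cleartext on the host stream.
        # Anything capturing the console (Start-Transcript, CI/job logs, screen
        # recording) retains it, and Write-Host output cannot be suppressed or
        # redirected by the caller. Kept for compatibility — consider handing the
        # password back via a SecureString/credential object instead, and consider
        # forcing a change at first logon (ChangePasswordAtLogon is not set here).
        Write-Host "PASSWORD: $password"
    }
}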