private/New-RBACAdmin.ps1
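function New-RBACAdmin {
    <#
    .SYNOPSIS
        Creates a privileged "SA_" admin account for an existing user inside an RBAC org's PrivilegedAccounts OU.
    .DESCRIPTION
        Looks the parent user up below $settings.OUPaths.DefaultUsers, derives the admin account's Name,
        SamAccountName, UserPrincipalName and DisplayName from it, generates a random password and creates
        the account with New-ADUser. The generated password is written to the host exactly once so the
        operator can hand it over out of band; it is neither returned nor stored.
    .PARAMETER ParentUser
        SamAccountName of the existing (non-privileged) user the admin account is derived from.
        Must exist below $settings.OUPaths.DefaultUsers (enforced by ValidateScript).
    .PARAMETER Org
        RBAC org, as resolved by Get-RBACOrg, whose PrivilegedAccounts OU receives the new account.
    .PARAMETER Server
        Domain controller used for every directory read and for the creation. Defaults to a discovered
        writable DC.
    .OUTPUTS
        None. Progress and the generated password are written with Write-Host.
    .NOTES
        Honours -WhatIf/-Confirm through ShouldProcess: no password is generated and nothing is printed
        unless the account is actually created. Because the plaintext password goes through Write-Host,
        session transcripts and console logs will contain it.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param (
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidateScript({ Get-ADUser -SearchBase $settings.OUPaths.DefaultUsers -Filter "SamAccountName -eq '$_'" })]
        [String]$ParentUser,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidateScript({ [bool](Get-RBACOrg -Org $_) })]
        [ArgumentCompleter({
            param ($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
            (Get-RBACOrg -Org "$wordToComplete*").Org
        })]
        [String]$Org,

        [Microsoft.ActiveDirectory.Management.ADDirectoryServer]$Server = (Get-ADDomainController -Writable -Discover)
    )

    BEGIN {
        # OU (directly below the org OU) that holds the privileged accounts.
        $SA_OU_Name = 'PrivilegedAccounts'
        # UPN suffix, read from the same DC the account will be created on so both agree.
        $DNSDomain = (Get-ADDomain -Server $Server).DNSRoot
    }

    PROCESS {
        $orgObject = Get-RBACOrg -Org $Org

        # 'title' is not in Get-ADUser's default property set and was previously not requested,
        # which left the new account's Title empty.  The filter interpolates $ParentUser; the
        # value has already been constrained to an existing SamAccountName by ValidateScript,
        # so if that validation is ever loosened switch this lookup to -Identity.
        $ParentUserObject = Get-ADUser -Server $Server -SearchBase $settings.OUPaths.DefaultUsers `
            -Filter "SamAccountName -eq '$ParentUser'" `
            -Properties mail, telephoneNumber, displayName, title

        # ValidateScript ran without -Server; guard against the lookup on $Server coming back empty,
        # which would otherwise produce an account named just "SA_" with blank attributes.
        if (-not $ParentUserObject) {
            throw ("Parent user '{0}' was not found below '{1}' on '{2}'." -f $ParentUser, $settings.OUPaths.DefaultUsers, $Server)
        }

        $adminSam = 'SA_{0}' -f $ParentUserObject.SamAccountName
        # The pre-Windows 2000 logon name is limited to 20 characters; warn before AD rejects it.
        if ($adminSam.Length -gt 20) {
            Write-Warning ("SamAccountName '{0}' exceeds 20 characters and may be rejected by the directory." -f $adminSam)
        }

        $userParams = @{
            Name              = 'SA_{0}' -f $ParentUserObject.Name
            GivenName         = $ParentUserObject.GivenName
            Surname           = $ParentUserObject.Surname
            SamAccountName    = $adminSam
            DisplayName       = "⚠️{0} (Admin)⚠️" -f $ParentUserObject.DisplayName
            EmailAddress      = $ParentUserObject.Mail
            Path              = 'OU={0},{1}' -f $SA_OU_Name, $orgObject.DistinguishedName
            Title             = $ParentUserObject.Title
            Enabled           = $true
            UserPrincipalName = 'SA_{0}@{1}' -f $ParentUserObject.Name, $DNSDomain
        }
        # Only copy the phone number when the parent actually has one; an empty value in
        # -OtherAttributes may be rejected by New-ADUser (behaviour of the AD module, not verified here).
        if ($ParentUserObject.telephoneNumber) {
            $userParams.OtherAttributes = @{ telephoneNumber = $ParentUserObject.telephoneNumber }
        }

        # Without this gate -WhatIf suppressed New-ADUser but the "created" and PASSWORD lines were
        # still printed, reporting a creation that never happened.
        if (-not $PSCmdlet.ShouldProcess($userParams.UserPrincipalName, "Create privileged account in $($userParams.Path)")) {
            return
        }

        # Generate the password only once the account is really being created.
        $password = Get-RandomPassword
        $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force
        $userParams.AccountPassword = $securePassword

        try {
            $User = New-ADUser -Server $Server @userParams -PassThru
            Write-Host ("User '{0}' created at {1}." -f $User.UserPrincipalName, $userParams.Path)
            # Shown once for hand-over; never returned to the pipeline or persisted.
            Write-Host "PASSWORD: $password"
        }
        catch {
            # Surface the exception type for the operator, then rethrow the original record.
            Write-Warning $_.Exception.GetType().FullName
            throw $_
        }
    }
}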