1+ # region Prep work
2+ $PswaServerName = ' PSWA'
3+ $DomainControllerName = ' LABDC'
4+ $JeaRoleName = ' ADUserManager'
5+ $AdGroupName = ' ADUserManagers'
6+ $DomainName = ' lab.local'
7+
8+ # # Run this on $DomainControllerName
9+
10+ New-ADGroup - Name ADUserManagers - GroupScope DomainLocal
11+
12+ # # Add any applicable users to the group
13+ # Add-ADGroupMember -Identity ADUserManagers -Members XXXXX
14+
15+ # endregion
16+
17+ # region JEA Setup
18+
19+ # region Create the script that users will run to create new AD users
20+ $functionText = " @
21+ #requires -Module ActiveDirectory
22+
23+ function New-User {
24+ [CmdletBinding()]
25+ param (
26+ [Parameter(Mandatory)]
27+ [ValidateNotNullOrEmpty()]
28+ [string]`$ FirstName,
29+
30+ [Parameter(Mandatory)]
31+ [ValidateNotNullOrEmpty()]
32+ [string]`$ LastName,
33+
34+ [Parameter(Mandatory)]
35+ [ValidateNotNullOrEmpty()]
36+ [ValidateScript({
37+ `$ deps = 'Accounting', 'Information Services'
38+ if (`$ _ -notin `$ deps) {
39+ throw `" You have used an invalid department name. Choose from the following: `$ (`$ deps -join ', ').`"
40+ } else {
41+ `$ true
42+ }
43+ })]
44+ [string]`$ Department,
45+
46+ [Parameter()]
47+ [ValidateNotNullOrEmpty()]
48+ [string]`$ DomainName = 'lab.local'
49+ )
50+
51+ `$ userName = '{0}{1}' -f `$ FirstName.Substring(0,1),`$ LastName
52+ if (Get-AdUser -Filter `" samAccountName -eq '`$ userName'`" ) {
53+ Write-Host `" The username [`$ (`$ userName)] already exists.`" -ForegroundColor Red
54+ } elseif (-not (Get-ADOrganizationalUnit -Filter `" Name -eq '`$ Department'`" )) {
55+ Write-Host `" The Active Directory OU for department [`$ (`$ Department)] could not be found.`" -ForegroundColor Red
56+ } else {
57+ `$ password = [System.Web.Security.Membership]::GeneratePassword((Get-Random -Minimum 20 -Maximum 32), 3)
58+ `$ secPw = ConvertTo-SecureString -String `$ password -AsPlainText -Force
59+
60+ `$ ouPath = 'OU={0}, DC={1}, DC={2}' -f `$ Department,`$ DomainName.Split('.')[0],`$ DomainName.Split('.')[1]
61+ `$ newUserParams = @{
62+ GivenName = `$ FirstName
63+ Surname = `$ LastName
64+ Name = `$ userName
65+ AccountPassword = `$ secPw
66+ ChangePasswordAtLogon = `$ true
67+ Enabled = `$ true
68+ Department = `$ Department
69+ Path = `$ ouPath
70+ }
71+
72+ New-AdUser @newUserParams
73+ }
74+ }
75+ @"
76+
77+ Set-Content - Path C:\AdUserInitScript.ps1 - Value $functionText
78+ # endregion
79+
80+ # Create a folder for the module
81+ $modulePath = Join-Path $env: ProgramFiles " WindowsPowerShell\Modules\$JeaRoleName "
82+ $null = New-Item - ItemType Directory - Path $modulePath
83+
84+ # Create an empty script module and module manifest. At least one file in the module folder must have the same name as the folder itself.
85+ $null = New-Item - ItemType File - Path (Join-Path $modulePath " $JeaRoleName .psm1"
86+ New-ModuleManifest - Path (Join-Path $modulePath " $JeaRoleName .psd1" - RootModule " $JeaRoleName .psm1"
87+
88+ # Create the RoleCapabilities folder and copy in the PSRC file
89+ $rcFolder = Join-Path $modulePath " RoleCapabilities"
90+ $null = New-Item - ItemType Directory $rcFolder
91+
92+ $rcCapFilePath = Join-Path - Path $rcFolder - ChildPath " $JeaRoleName .psrc"
93+ $roleCapParams = @ {
94+ Path = $rcCapFilePath
95+ VisibleFunctions = ' New-User'
96+ ModulesToImport = ' ActiveDirectory'
97+ AssembliesToLoad = ' System.Web'
98+ VisibleCmdlets = ' ConvertTo-SecureString' , @ {
99+ Name = ' New-Aduser'
100+ Parameters = @ { Name = ' GivenName' ,
101+ @ { Name = ' SurName' ,
102+ @ { Name = ' Name' ,
103+ @ { Name = ' AccountPassword' ,
104+ @ { Name = ' ChangePasswordAtLogon' ,
105+ @ { Name = ' Enabled' ,
106+ @ { Name = ' Department' ,
107+ @ { Name = ' Path'
108+ },
109+ @ {
110+ Name = ' Get-AdUser'
111+ Parameters = @ {
112+ Name = ' Filter'
113+ }
114+ },
115+ @ {
116+ Name = ' Set-Aduser'
117+ Parameters = @ { Name = ' GivenName' ,
118+ @ { Name = ' SurName' ,
119+ @ { Name = ' Name' ,
120+ @ { Name = ' ChangePasswordAtLogon' ,
121+ @ { Name = ' Department'
122+ }
123+ }
124+ New-PSRoleCapabilityFile @roleCapParams
125+
126+ $sessionFilePath = Join-Path - Path $rcFolder - ChildPath " $JeaRoleName .pssc"
127+ $params = @ {
128+ SessionType = ' RestrictedRemoteServer'
129+ Path = $sessionFilePath
130+ RunAsVirtualAccount = $true
131+ ScriptsToProcess = ' C:\AdUserInitScript.ps1'
132+ RoleDefinitions = @ { ' LAB\ADUserManagers' = @ { RoleCapabilities = $JeaRoleName } }
133+ }
134+
135+ New-PSSessionConfigurationFile @params
136+
137+ if (-not (Test-PSSessionConfigurationFile - Path $sessionFilePath )) {
138+ throw ' Failed session configuration file test.'
139+ }
140+
141+ Register-PSSessionConfiguration - Path $sessionFilePath - Name $JeaRoleName - Force
142+
143+
144+ # # Test JEA
145+ $nonAdminCred = Get-Credential - Message ' Input user credential to test JEA.'
146+ Invoke-Command - ComputerName $DomainControllerName - ScriptBlock { New-User - FirstName ' Adam' - LastName ' Bertram' - Department ' Information Services'
147+
148+ # endregion
149+
150+ # region PowerShell Web Access Setup
151+ Add-WindowsFeature - Name WindowsPowerShellWebAccess
152+ Install-PswaWebApplication –UseTestCertificate
153+ Add-PswaAuthorizationRule –ComputerName $DomainControllerName –UserGroupName " $DomainName \$AdGroupName " $JeaRoleName
154+ # endregion
0 commit comments