I've decided to call this lab series "W16" - W for WFA (NetApp OnCommand Workflow Automation) and 16 for 2016. Since not every post in the series is necessarily going to have any/much WFA in it, it didn't make sense to call it the WFA Lab Series.
Firstly, we need some Active Directory user accounts and groups set up. I'm not going to automate this setup with WFA, as these are pretty much one-offs. Having said that, it might be useful to be able to add/remove users from the StorageUsers and StorageAdmins groups in the future, as storage admins come and go - one for a future post...
PowerShell Commands to Create Desired Users and Groups (on a Windows Server 2008 R2 Domain Controller)
Note: The commands come mostly from the post How to Create a Fat Token, which wasn't a well-viewed post, with just 75 pageviews so far for a November 2015 post - I guess knowing how to create fat Kerberos tokens for testing purposes is a very niche requirement... In fairness, many of my posts struggle to get 100 pageviews, and that doesn't matter one jot - if I was in the business of wanting lots of pageviews, I'd do a p*rno blog/site!
# The ActiveDirectory module is not auto-loaded in PowerShell 2.0 (the 2008 R2 default),
# so import it explicitly. It needs the AD DS tools / Active Directory Web Services on the DC.
Import-Module ActiveDirectory

# Domain root; all OUs below hang directly off it.
[String]$OUPATH = "DC=lab,DC=priv"

# Read the (shared lab) password once as a SecureString - it is never echoed or stored in clear text.
$Password = Read-Host -AsSecureString

# Containers for the lab accounts and groups, created under the domain root.
New-ADOrganizationalUnit -Name "~Users" -Path $OUPATH
New-ADOrganizationalUnit -Name "~Groups" -Path $OUPATH

# Service accounts (WFA, OCUM), named test admins/users, and numeric-login test admins/users.
New-ADUser -Name "WFA" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "OCUM" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "StorageAdmin" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "12345678-adm" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "StorageUser" -AccountPassword $Password -Path "OU=~Users,$OUPATH"
New-ADUser -Name "12345678" -AccountPassword $Password -Path "OU=~Users,$OUPATH"

# New-ADUser creates accounts disabled by default, so enable them.
Enable-ADAccount -Identity "WFA"
Enable-ADAccount -Identity "OCUM"
Enable-ADAccount -Identity "StorageAdmin"
Enable-ADAccount -Identity "12345678-adm"
Enable-ADAccount -Identity "StorageUser"
Enable-ADAccount -Identity "12345678"

# Only the service accounts and the two named test accounts get non-expiring passwords;
# the numeric-login accounts keep the domain password policy.
Set-ADUser -Identity "WFA" -PasswordNeverExpires $TRUE
Set-ADUser -Identity "OCUM" -PasswordNeverExpires $TRUE
Set-ADUser -Identity "StorageAdmin" -PasswordNeverExpires $TRUE
Set-ADUser -Identity "StorageUser" -PasswordNeverExpires $TRUE

# Global security groups for storage admins and storage users.
New-ADGroup -Name StorageAdmins -GroupScope Global -Path "OU=~Groups,$OUPATH"
New-ADGroup -Name StorageUsers -GroupScope Global -Path "OU=~Groups,$OUPATH"

Add-ADGroupMember -Identity "StorageAdmins" -Members "WFA"
Add-ADGroupMember -Identity "StorageAdmins" -Members "OCUM"
Add-ADGroupMember -Identity "StorageAdmins" -Members "StorageAdmin"
Add-ADGroupMember -Identity "StorageAdmins" -Members "12345678-adm"
Add-ADGroupMember -Identity "StorageUsers" -Members "StorageUser"
Add-ADGroupMember -Identity "StorageUsers" -Members "12345678"

# WFA also goes into the built-in DnsAdmins group (see the note below).
Add-ADGroupMember -Identity "DnsAdmins" -Members "WFA"
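Once the commands above have run, it is worth checking that AD actually ended up in the intended state rather than trusting that nothing errored out mid-way. The script below is an added verification example, not part of the original post: it assumes the same user, group and OU names as the setup above, and the expected memberships (the `$ExpectedMembers` and `$NeverExpires` tables) are my transcription of that setup. It sticks to PowerShell 2.0 syntax (no `[PSCustomObject]`, no `-notin`) so it runs on a stock 2008 R2 DC.

```powershell
# Added verification example (not from the original post): confirms the lab accounts
# and groups exist and are configured as the setup script intended, and flags
# membership of the privileged DnsAdmins group.
Import-Module ActiveDirectory

# Expected state, transcribed from the setup commands (assumption: nothing else was changed).
$AllUsers        = 'WFA','OCUM','StorageAdmin','12345678-adm','StorageUser','12345678'
$NeverExpires    = 'WFA','OCUM','StorageAdmin','StorageUser'
$ExpectedMembers = @{
    'StorageAdmins' = @('WFA','OCUM','StorageAdmin','12345678-adm')
    'StorageUsers'  = @('StorageUser','12345678')
}

# 1. Per-account state: enabled, password-expiry flag, and the OU it was created in.
$report = foreach ($name in $AllUsers) {
    $u = Get-ADUser -Identity $name -Properties PasswordNeverExpires, PasswordLastSet
    # Everything after the first "CN=...," component of the DN is the parent container.
    $parentOU = ($u.DistinguishedName -split ',', 2)[1]
    New-Object PSObject -Property @{
        Name                 = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        ExpectedNeverExpires = ($NeverExpires -contains $u.SamAccountName)
        PasswordLastSet      = $u.PasswordLastSet
        OU                   = $parentOU
    }
}
$report | Format-Table Name, Enabled, PasswordNeverExpires, ExpectedNeverExpires, PasswordLastSet, OU -AutoSize

# Anything disabled, or with a PasswordNeverExpires flag that differs from the plan, is a deviation.
foreach ($r in $report) {
    if (-not $r.Enabled) { Write-Warning "$($r.Name) is disabled" }
    if ($r.PasswordNeverExpires -ne $r.ExpectedNeverExpires) {
        Write-Warning "$($r.Name): PasswordNeverExpires is $($r.PasswordNeverExpires), expected $($r.ExpectedNeverExpires)"
    }
}

# 2. Group membership: report members missing from, or unexpectedly present in, each lab group.
foreach ($group in $ExpectedMembers.Keys) {
    $actual     = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SamAccountName })
    $expected   = $ExpectedMembers[$group]
    $missing    = @($expected | Where-Object { $actual   -notcontains $_ })
    $unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
    if ($missing.Count -eq 0 -and $unexpected.Count -eq 0) {
        Write-Host "$group : OK ($($actual.Count) members)"
    } else {
        Write-Warning "$group : missing [$($missing -join ', ')], unexpected [$($unexpected -join ', ')]"
    }
}

# 3. DnsAdmins is effectively privileged on a domain controller: its members can configure
#    the DNS service to load a plugin DLL that runs as SYSTEM on the DC. List who is in it
#    and warn about anyone other than the WFA service account the setup deliberately added.
$dnsAdmins = @(Get-ADGroupMember -Identity 'DnsAdmins' | ForEach-Object { $_.SamAccountName })
Write-Host "DnsAdmins members: $($dnsAdmins -join ', ')"
foreach ($member in $dnsAdmins) {
    if ($member -ne 'WFA') { Write-Warning "Unexpected DnsAdmins member: $member" }
}
```

Run it in the same elevated session as the setup (or any session with read access to AD). A clean run prints one row per account, "OK" for both lab groups and a single DnsAdmins member; every `Write-Warning` line is something that differs from the setup above and is worth investigating before moving on to installing WFA.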
Table: Users, their group, and their purpose
Regarding the user login being a number, I think this convention makes a lot of sense. For instance, you might have 100 John Smiths in your corporation, so a "first character of first name + surname" convention for login names doesn't really work. Some other user naming conventions, like CCCFFSS, where CCC is a company country code, FF is the first two characters of the first name, and SS is the first two characters of the surname, can produce unfortunate results (think what becomes of Anna Altwood or Cuba Ntini, for instance).
Note: Adding WFA to "DnsAdmins" will be explained more in the next post. Bear in mind that DnsAdmins is a privileged group on a domain controller - its members can configure the DNS service to load a plugin DLL that runs as SYSTEM on the DC - so the WFA service account's password and host should be protected accordingly.