ad.ps1 (106 lines of code) (raw):

param( $userName, $password, $authType, $adouPath, $ip, $port, $domainFqdn, $ifdeleteadou, $deploymentUser, $deploymentUserPassword ) if ($authType -eq "CredSSP") { try { echo "set trusted hosts" Set-Item wsman:localhost\client\trustedhosts -value * -Force echo "enable client CredSSP" Enable-WSManCredSSP -Role Client -DelegateComputer * -Force echo "Allow fresh credentials" $key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' if (!(Test-Path $key)) { md $key } New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force $allowFreshCredentialsKey = Join-Path $key 'AllowFreshCredentials' if (!(Test-Path $allowFreshCredentialsKey)) { md $allowFreshCredentialsKey } if (!(Get-ItemProperty -Path $allowFreshCredentialsKey -Name 'AzureArcIaCAutomation' -ErrorAction SilentlyContinue)) { New-ItemProperty -Path $allowFreshCredentialsKey -Name 'AzureArcIaCAutomation' -Value 'WSMAN/*' -PropertyType String -Force } echo "Allow fresh credentials when NTLM only" New-ItemProperty -Path $key -Name AllowFreshCredentialsWhenNTLMOnly -Value 1 -PropertyType Dword -Force $allowFreshCredentialsWhenNTLMOnlyKey = Join-Path $key 'AllowFreshCredentialsWhenNTLMOnly' if (!(Test-Path $allowFreshCredentialsWhenNTLMOnlyKey)) { md $allowFreshCredentialsWhenNTLMOnlyKey } if (!(Get-ItemProperty -Path $allowFreshCredentialsWhenNTLMOnlyKey -Name 1 -ErrorAction SilentlyContinue)) { New-ItemProperty -Path $allowFreshCredentialsWhenNTLMOnlyKey -Name 1 -Value 'WSMAN/*' -PropertyType String -Force } } catch { echo "Enable-WSManCredSSP failed: $_" } } $script:ErrorActionPreference = 'Stop' $count = 0 for ($count = 0; $count -lt 3; $count++) { try { $secpasswd = ConvertTo-SecureString $password -AsPlainText -Force $domainShort = $domainFqdn.Split(".")[0] $cred = New-Object System.Management.Automation.PSCredential -ArgumentList "$domainShort\$userName", $secpasswd if ($authType -eq "CredSSP") { try { Enable-WSManCredSSP -Role Client -DelegateComputer $ip -Force } catch { echo "Enable-WSManCredSSP failed" } } $session = New-PSSession -ComputerName $ip -Port $port -Authentication $authType -Credential $cred if ($ifdeleteadou) { Invoke-Command -Session $session -ScriptBlock { $OUPrefixList = @("OU=Computers,", "OU=Users,", "") foreach ($prefix in $OUPrefixList) { $ouname = "$prefix$Using:adouPath" echo "try to get OU: $ouname" Try { $ou = Get-ADOrganizationalUnit -Identity $ouname } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $ou = $null } if ($ou) { Set-ADOrganizationalUnit -Identity $ouname -ProtectedFromAccidentalDeletion $false $ou | Remove-ADOrganizationalUnit -Recursive -Confirm:$False echo "Deleted adou: $ouname" } } } } $deploymentSecPasswd = ConvertTo-SecureString $deploymentUserPassword -AsPlainText -Force $lcmCred = New-Object System.Management.Automation.PSCredential -ArgumentList $deploymentUser, $deploymentSecPasswd Invoke-Command -Session $session -ScriptBlock { echo "Install Nuget Provider" Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Confirm:$false echo "Install AsHciADArtifactsPreCreationTool" Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force -Confirm:$false echo "Add KdsRootKey" Add-KdsRootKey -EffectiveTime ((Get-Date).addhours(-10)) echo "New HciAdObjectsPreCreation" New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $Using:lcmCred -AsHciOUName $Using:adouPath } break } catch { echo "Error in retry ${count}:`n$_" } finally { if ($session) { Remove-PSSession -Session $session } } } if ($count -ge 3) { throw "Failed to provision AD after 3 retries." }