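function Set-MachineAccountAttribute
{
<#
.SYNOPSIS
This function can populate an attribute for an account that was added through New-MachineAccount. Write
access to the attribute is required. This function should be used with the same user that created the
machine account.

.DESCRIPTION
The user account that creates a machine account is granted write access to some attributes. These attributes
can be leveraged to help an added machine account blend in better or change values that were restricted by
validation when the account was created.

Here is a list of some of the usual write access enabled attributes:

AccountDisabled
description
displayName
DnsHostName
ServicePrincipalName
userParameters
userAccountControl
msDS-AdditionalDnsHostName
msDS-AllowedToActOnBehalfOfOtherIdentity
SamAccountName

The write is an ordinary LDAP modify (DirectoryEntry.InvokeSet followed by SetInfo) performed with the
caller's current credentials, so it succeeds only where the caller's effective permissions allow it and is
recorded by directory service change auditing when that audit subcategory is enabled on the domain controller.

Author: Kevin Robertson (@kevin_robertson)
License: BSD 3-Clause

.PARAMETER DistinguishedName
Distinguished name of the machine account object itself, not of its container. The value is bound to
directly as the LDAP path, so passing only an OU or container DN would target that container instead of the
account. When omitted, the path is built as CN=<MachineAccount>,CN=Computers,<DC components of Domain>.

.PARAMETER Domain
The targeted domain. Defaults to the current domain. Only used to build the default distinguished name and
ignored when DistinguishedName is supplied.

.PARAMETER MachineAccount
The username of the machine account that will be modified. A trailing '$' is accepted and stripped.

.PARAMETER Attribute
The machine account attribute.

.PARAMETER Value
The machine account attribute value.

.EXAMPLE
Set-MachineAccountAttribute -MachineAccount payroll -Attribute description -Value "Payroll app server"

.LINK
https://github.com/Kevin-Robertson/Powermad
#>
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory=$false)][String]$DistinguishedName,
        [parameter(Mandatory=$false)][String]$Domain,
        [parameter(Mandatory=$true)][String]$MachineAccount,
        [parameter(Mandatory=$true)][String]$Attribute,
        [parameter(Mandatory=$true)]$Value
    )

    # Accept either "name" or "name$"; the CN of the computer object carries no trailing '$'
    if($MachineAccount.EndsWith('$'))
    {
        $machine_account = $MachineAccount.SubString(0,$MachineAccount.Length - 1)
    }
    else
    {
        $machine_account = $MachineAccount
    }

    if(!$Domain)
    {
        $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }

    if(!$DistinguishedName)
    {
        # Default container for new computer objects; "a.b.c" becomes "DC=a,DC=b,DC=c"
        $domain_components = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
        $distinguished_name = "CN=$machine_account,CN=Computers,$domain_components"
    }
    else
    {
        # Used verbatim as the object path (see .PARAMETER DistinguishedName)
        $distinguished_name = "$DistinguishedName"
    }

    $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name"

    try
    {
        # InvokeSet stages the value locally; SetInfo commits the modify to the directory
        $account.InvokeSet($Attribute,$Value)
        $account.SetInfo()
        Write-Output "[+] $Attribute updated"
    }
    catch
    {
        # Surface the ADSI/LDAP failure on a single line rather than terminating the caller
        $error_message = $_.Exception.Message -replace "`n",""
        Write-Output "[-] $error_message"
    }
}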