Tuesday, May 20, 2014

SCCM Lab Setup Laziness with PowerShell and Duct Tape

I've been dusting off my pointy little head with another round of "let's play set up with Configuration Manager!" and, well, I hate using GUI tools or command line stuff if a script will save me time.  The time invested in smacking the keyboard and making grunting noises and laughing hysterically is recouped later with spare change and coffee spilling, so it pays off.

Disclaimer:  I really don't have any duct tape right now, so you'll have to go without on this one.

Anyhow, I've been following along with a template procedure compiled by my buddy, trusted ass-kicking colleague and uber-technowunderkind Chris DeCarlo.  One part of this procedure has me creating a bunch of AD user accounts to tie to various things.  Some are for SQL services, others for AD tasks, and obviously some are for SCCM itself.  (btw- Chris, you did an outstanding job on this document. Kudos!)

Here are the accounts (sorry man, but I modified a few names out of brain-damaged habit).  The short names on the left are the sAMAccountName values, and to the right are their descriptions / explanations.

  • SCCMRS - SQL Reporting Services publishing account
  • SCCMNA - SCCM network access account
  • SCCMInstall - SCCM site server install account
  • SCCMDomJoin - SCCM domain joining account
  • SCCMClient - SCCM client push account
  • SCCMSQLSvc - SCCM SQL Server service account
  • SCCMSQLAgent - SCCM SQL Agent service account
  • SCCMOSD - SCCM OSD deploy and capture account
You may or may not need (or want) to create all of these, but I have the keyboard so this plane is going into the mountain and I'm the captain... so hold on.

In addition to this, I'm lazy.  Yes, I know that's a shock.  I'll wait as you pick your jaw off the floor.  (tap tap tap tap - eyes on phone,...) ok.  Rather than doing this the "right way", I do it (for lab purposes only) the "easy unrecommended way", which is to stuff all of these accounts into the "Domain Admins" group and then laugh as loud as possible.

You need two files (okay, you don't really NEED two files, but for this example it works):
  • A Comma-Separated Values file (.csv)
  • A PowerShell script (v3 or v4)

This example also assumes:
  1. Domain is "fubar.local"
  2. OU is created at root of the domain as "ServiceAccounts"
  3. You are logged onto the server/desktop in the LAB as a Domain Admin user
  4. You have faith in what I'm telling you (rotfl! okay, just kidding)
I built and tested this cardboard thing using Windows Server 2012 R2 with PowerShell v4 and some coffee, chewing gum and a few chicken drumsticks my wife just cooked (damn good too).


Import-Module ActiveDirectory   # auto-loads on PowerShell v3+, but being explicit doesn't hurt

$inputFile = Import-CSV "useraccounts.csv"
$strPwd = "Tarfu123"
$ouPath = "OU=ServiceAccounts,DC=fubar,DC=local"

foreach($strLine in $inputFile) {
    $cn = $strLine.cn
    $samid = $strLine.sAMAccountName
    $ln = $strLine.sn            # blank in the sample CSV below
    $fn = $strLine.givenname     # blank in the sample CSV below
    $dn = $strLine.displayname
    $desc = $strLine.description
    $upn = $strLine.UserPrincipalName

    New-ADUser -SamAccountName $samid -Name "$cn" -DisplayName "$dn" -UserPrincipalName $upn -AccountPassword (ConvertTo-SecureString -AsPlainText "$strPwd" -Force) -Enabled $true -PasswordNeverExpires $true -Path "$ouPath" -Description "$desc"
}

# Lab only: pipe the same CSV rows into Add-ADGroupMember to make every new account a Domain Admin
$inputFile | % {Add-ADGroupMember -Identity "Domain Admins" -Member $_.sAMAccountName }

If you're not familiar with PowerShell, or scripting in general, you don't need to copy the [CrappyCode] and [/CrappyCode] end tags.  Those are just for entertainment.  You will want to edit the domain names to protect the innocent, and whatever else you feel like modifying to suit your environmental needs.  The values assigned at the top of the script (the CSV file name, the password, and the OU path) are likely the items you will want to change for your needs.  

Also, the last line pipes the CSV rows into Add-ADGroupMember to stuff the new accounts into the Domain Admins group.  So easy, and cheap too.  Be careful of the line-wrapping headaches that come with copying from web browser windows. :)

The next piece is the CSV file (below).  Note that the first line contains the logical column headings (they must match the property names the script reads: cn, sn, givenname, sAMAccountName, displayname, UserPrincipalName, description), while the remaining lines are the actual data.  As long as the values are in the same relative order from left-to-right, it should work fine.  If you have values that contain apostrophes or commas, be careful to "escape" them properly (wrap the field in double quotes) so they don't choke out the code like a backyard wrestling match gone wrong.

cn,sn,givenname,sAMAccountName,displayname,UserPrincipalName,description
SCCMRS,,,sccmrs,SCCM Reporting Services,sccmrs@fubar.local,SCCM SQL Reporting Services Account
SCCMNA,,,sccmna,SCCM Network Access,sccmna@fubar.local,SCCM Network Access Account
SCCM Install,,,sccminstall,SCCM Install,sccminstall@fubar.local,SCCM Server Installation Account
SCCMDomJoin,,,sccmdomjoin,SCCM Dom Join,sccmdomjoin@fubar.local,SCCM Domain Join Account
SCCMClient,,,sccmclient,SCCM Client Push,sccmclient@fubar.local,SCCM Client Push Account
SCCMSqlSvc,,,sccmsqlsvc,SCCM SQL Service,sccmsqlsvc@fubar.local,SCCM SQL Server Account
SCCMSqlAgent,,,sccmsqlagent,SCCM SQL Agent,sccmsqlagent@fubar.local,SCCM SQL Agent Account
SCCMOSD,,,sccmosd,SCCM OSD,sccmosd@fubar.local,SCCM OSD Deploy and Capture Account
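For anyone who wants the "right way" counterpart to the lab script, here is an added example (mine, not from the original post or from Chris's procedure) that consumes the same CSV and OU but gives each account its own random password, leaves Domain Admins alone, and then checks whether any of the CSV accounts ended up in Domain Admins anyway. It assumes the RSAT ActiveDirectory module, the fubar.local / ServiceAccounts layout above, and a CSV header line of cn,sn,givenname,sAMAccountName,displayname,UserPrincipalName,description.

```powershell
# Added example, not the original post's code. Same CSV and OU as the lab
# script, but: one random password per account, no Domain Admins membership,
# and an audit function that reports any CSV account found in Domain Admins.
Import-Module ActiveDirectory

$csvPath  = "useraccounts.csv"
$ouPath   = "OU=ServiceAccounts,DC=fubar,DC=local"
$accounts = Import-Csv $csvPath

function New-RandomPassword {
    # 24 characters drawn (with replacement) from a mixed set; ambiguous
    # glyphs like l/1 and O/0 are left out to make reading it back easier.
    $chars = [char[]]('abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+')
    -join (1..24 | ForEach-Object { $chars | Get-Random })
}

foreach ($row in $accounts) {
    $pwd = New-RandomPassword
    New-ADUser -SamAccountName $row.sAMAccountName -Name $row.cn `
        -DisplayName $row.displayname -UserPrincipalName $row.UserPrincipalName `
        -Description $row.description -Path $ouPath `
        -AccountPassword (ConvertTo-SecureString -AsPlainText $pwd -Force) `
        -Enabled $true -AccountNotDelegated $true -KerberosEncryptionType AES256
    # PasswordNeverExpires is left at its default (expires per domain policy),
    # so plan a rotation, or use gMSAs where the service supports them.
    # Shown once so you can configure the service; record it in a vault.
    Write-Host ("{0}: {1}" -f $row.sAMAccountName, $pwd)
}

function Get-ServiceAccountsInDomainAdmins {
    param([string]$CsvPath = "useraccounts.csv")
    $wanted = (Import-Csv $CsvPath).sAMAccountName | ForEach-Object { $_.ToLower() }
    # -Recursive also catches nesting, e.g. a group that is itself a member
    Get-ADGroupMember -Identity "Domain Admins" -Recursive |
        Where-Object { $wanted -contains $_.SamAccountName.ToLower() } |
        Select-Object SamAccountName, distinguishedName
}

# Returns nothing after running this version; lists the offending accounts if
# the lab script above (or a well-meaning colleague) put them in Domain Admins.
Get-ServiceAccountsInDomainAdmins -CsvPath $csvPath
```

The audit function is also handy for cleaning up after the lab script: anything it lists is a candidate for Remove-ADGroupMember.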

Then, in your LAB environment (do not do this in production unless you like spending a lot of time in a courtroom with ugly people in suits), log on as a Domain Admin user, open the PowerShell console (right-click and select "Run as administrator"), and CD (change directory) to the path where you saved both of these files.

Then type in "powershell.exe -ExecutionPolicy Unrestricted -File <yourscript>.ps1", substituting whatever name you saved the script under (the -File argument is the PowerShell script, not the CSV; the script reads the CSV itself).

If you see a bunch of red text, you screwed up (probably as a result of believing what I tell you), but don't freak; go into the code and verify everything is neat and clean, the quotes are matched, the braces are balanced, etc.  Standard scripting/programming drudgery stuff.

When you're done, and assuming it works as intended (it did for me), you should see those accounts in the designated OU and each is a member of the "Domain Admins" group.
