retrieve PowerShell command in web interface

I have a script in a workflow that checks the LAPS password from ms-Mcs-AdmPwd and sends it to the initiator's mail.
The workflow is in a WI task. Is it possible to retrieve the password to the Web Interface and not to mail?

Top Replies


  • Hi  

    A good starting point might be the Policy Script below. It is using the "OnGetEffectivePolicy" event handler to populate a virtual attribute (in my case) with the value retrieved from another function (which you could replace with a function to retrieve your actual LAPS password). In my case it always returns "Some Value".

    The script checks that the request is for a computer object, before setting the effective policy on the object's $AttributeName to be server-side generated, automatically generated, then finally setting the value of the column.

    function Get-LAPS($Request)
    {
        # Placeholder: replace with the code that reads the LAPS password
        # (ms-Mcs-AdmPwd) for the computer the request targets
        return "Some value"
    }
    
    function onGetEffectivePolicy($Request)
    {
        # Virtual attribute that will carry the generated value in the WI
        $AttributeName = "edsvaLAPS"
        
        # If the object class is not a computer object, stop
        if ($Request.Class -ne "computer")
        {
            return
        }
    
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Is a $($Request.Class) object")
        
        # Mark the attribute as server-side generated and automatically generated,
        # so the WI offers the generate (lightning bolt) button for it
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)
    
        # Retrieve the value to display
        $Password = Get-LAPS $Request
    
        # Hand the value to the WI as the generated value of the attribute
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $Password)
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Attribute set")
    }

    Clicking the generate (or lightning bolt) button will then display whatever the script returns.

    However, if you don't want the retrieved value to get written back to the VA permanently, you'll either need to remove it from the request via workflow, or in the script (onPreModify/onPreCreate etc.).

  • Hi  

    Yes, there are a couple of ways of doing this, but the easiest for POC would be to use a policy script

    The example below has two functions, 

     * Get-LAPS would be the function where you write the code to retrieve the LAPS password

     * OnGetEffectivePolicy is an event handler in Active Roles; it's used in a couple of places, and can be used to do some very complex things.

    In this example the OnGetEffectivePolicy function does the following:

    1) Define the value of $AttributeName to be "edsvaLAPS", which is a virtual attribute in my lab

    2) Check if the current request is for anything other than a computer object; if it's not a computer, the script stops, otherwise if it is a computer, it continues

    3) Write "Is a computer object" to the event log

    4) It sets an effective policy on the $AttributeName property saying it is server-side generated

    5) It sets an effective policy on the $AttributeName property saying it is automatically generated

    6) It calls the Get-LAPS function to retrieve the value

    7) It sets an effective policy on the $AttributeName property, passing it the password value retrieved in the previous step

    8) Write to the event log that it has been set

    function Get-LAPS($Request)
    {
        # Placeholder: replace with the code that reads the LAPS password
        # (ms-Mcs-AdmPwd) for the computer the request targets
        return "Some value"
    }
    
    function onGetEffectivePolicy($Request)
    {
        # Virtual attribute that will carry the generated value in the WI
        $AttributeName = "edsvaLAPS"
        
        # If the object class is not a computer object, stop
        if ($Request.Class -ne "computer")
        {
            return
        }
    
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Is a $($Request.Class) object")
        
        # Mark the attribute as server-side generated and automatically generated,
        # so the WI offers the generate (lightning bolt) button for it
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)
    
        # Retrieve the value to display
        $Password = Get-LAPS $Request
    
        # Hand the value to the WI as the generated value of the attribute
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $Password)
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Attribute set")
    }

    If I then add edsvaLAPS to the WI, in this case in the computer's properties page, under a custom tab called "LAPS", it will display the LAPS field, but empty.

    If I click the generate (lightning bolt) button, the value will be displayed.

    One note is that if you click SAVE it will be written and stored in the VA (IF it is a stored VA), but even if not, it would be written in the history.

    So you would need to remove the value of edsvaLAPS from any modification. This could be done in the script within the "OnPreCreate" or "OnPreModify" method, or within a workflow where, using a "Modify Requested Changes" activity, you remove edsvaLAPS from the request.

  • Also make sure you limit permissions to read that attribute to only the people you want to know the password, and/or put a check in your script to ensure that the person requesting the password is authorised to retrieve it.
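Putting the two answers above together (the OnGetEffectivePolicy approach, the advice to strip edsvaLAPS from create/modify requests, and the last reply's authorisation check), here is an added example of a complete policy script. It is not code from the thread or from One Identity. It assumes, without confirmation from the thread, that $DirObj is the IADs object of the request target and the Active Roles service account can read ms-Mcs-AdmPwd on it, that the Request object exposes IADsPropertyList (PropertyCount, Item, Remove), that the authorised group's DN is supplied through a script parameter named AuthorisedGroupDN, and that Get-RequestInitiatorDN (including the attribute name it reads) is a hypothetical adapter you replace with the initiator lookup your Active Roles version supports.

```powershell
# Added example (not from the original thread): a complete Active Roles policy
# script that
#   1. fills the virtual attribute edsvaLAPS with ms-Mcs-AdmPwd on demand in
#      onGetEffectivePolicy, as the answers above describe,
#   2. only does so when the request initiator is in an authorised group, and
#   3. strips edsvaLAPS from create/modify requests so the password is never
#      stored in the VA or recorded in change history.
# Assumptions (not confirmed by the thread; check the Active Roles SDK for your
# version): $DirObj is the IADs object of the request target and the service
# account can read ms-Mcs-AdmPwd; $Request exposes IADsPropertyList
# (PropertyCount, Item, Remove); Get-RequestInitiatorDN is a hypothetical
# adapter; the group DN arrives in a script parameter named AuthorisedGroupDN.

$script:LapsAttribute = "edsvaLAPS"

function Get-RequestInitiatorDN($Request)
{
    # HYPOTHETICAL adapter: replace the body with the call your Active Roles
    # version supports for identifying the initiator. The rest of the script
    # only needs the initiator's distinguishedName back from this function.
    return [string]$Request.Get("edsvaInitiatorDN")   # placeholder attribute name, assumption
}

function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot alter the filter.
    $escaped = $Value.Replace('\', '\5c').Replace('*', '\2a')
    return $escaped.Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Test-InitiatorAuthorised([string]$InitiatorDN, [string]$GroupDN)
{
    if ([string]::IsNullOrEmpty($InitiatorDN) -or [string]::IsNullOrEmpty($GroupDN)) { return $false }
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership in one query.
    $filter = "(&(distinguishedName=$(ConvertTo-LdapFilterValue $InitiatorDN))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDN)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $filter
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    return ($null -ne $searcher.FindOne())
}

function Get-LAPS($Request)
{
    # Read ms-Mcs-AdmPwd from the target computer. Returns $null when the
    # attribute is absent (no LAPS yet), unreadable, or $DirObj is not set
    # (new object). The exception text is deliberately not logged.
    try
    {
        $DirObj.GetInfoEx(@("ms-Mcs-AdmPwd"), 0)
        return [string]$DirObj.Get("ms-Mcs-AdmPwd")
    }
    catch { return $null }
}

function onGetEffectivePolicy($Request)
{
    if ($Request.Class -ne "computer") { return }

    # Advertise edsvaLAPS as server-side/auto generated so the WI shows the generate button.
    $Request.SetEffectivePolicyInfo($script:LapsAttribute, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
    $Request.SetEffectivePolicyInfo($script:LapsAttribute, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)

    $initiator = Get-RequestInitiatorDN $Request
    $groupDN   = $Request.Parameter("AuthorisedGroupDN")
    if (-not (Test-InitiatorAuthorised $initiator $groupDN))
    {
        # Leave the field blank; log who asked, never the password itself.
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "edsvaLAPS refused for initiator $initiator")
        return
    }

    $password = Get-LAPS $Request
    if ($null -eq $password) { return }
    $Request.SetEffectivePolicyInfo($script:LapsAttribute, $Constants.EDS_EPI_UI_GENERATED_VALUE, $password)
    $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "edsvaLAPS disclosed to initiator $initiator")
}

function Remove-LapsFromRequest($Request)
{
    # Drop edsvaLAPS from the requested changes so SAVE neither stores it in
    # the VA nor records it in change history. Returns $true if it was present.
    for ($i = 0; $i -lt $Request.PropertyCount; $i++)
    {
        if ($Request.Item($i).Name -eq $script:LapsAttribute)
        {
            $Request.Remove($script:LapsAttribute)   # assumption: IADsPropertyList::Remove
            return $true
        }
    }
    return $false
}

function onPreCreate($Request) { [void](Remove-LapsFromRequest $Request) }
function onPreModify($Request) { [void](Remove-LapsFromRequest $Request) }
```

The script is meant to be attached as a Script Policy to the container holding the computer objects, with AuthorisedGroupDN configured as a script parameter. The in-script check is a second line of defence only: the Access Templates that grant read on edsvaLAPS still decide who sees the field at all, and the audit lines record the initiator but never the password, so the event log does not become another copy of it.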