retrieve PowerShell command in web interface

Question

I have script in workflow to check LAPS password from ms-Mcs-AdmPwd and send it to initiator mail, The workflow in WI task. it's possible to retrieve the password to Web Interface and not to mail?

Stu.Pollock · Accepted Answer

Hi yosefc 
 
 Yes, there are a couple of ways of doing this, but the easiest for POC would be to use a policy script 
 
 The example below has two functions, 
 * Get-LAPS would be the function where you write the code to retrieve the LAPS password 
 * OnGetEffectivePolicy is an event handler in Active Role, its used in a couple of places, and can be used to do some very complex things. 
 In this example the OnEffecitvePolicy function does the following 
 1) Define the value of $AttributeName to be "edsvaLAPS" which is a virtual attribute in my lab 
 2) Check if the current request is for anything other than a computer object, if its not a computer, the script stops, otherwise if it is a computer, it continues 
 3) Write the "Is a compuer object" to the event log 
 4) It sets an effective policy of the $AttributeName property saying it is server side generated 
 5) It sets an effective policy of the $AttributeName property saying it is automatically generated 
 6) It calls the Get-LAPS function to retrieve the value 
 7) It sets an effective policy of the $AttributeName property parsing it the password value retrived in the previous set 
 8) Write to the event log it has been set 
 function Get-LAPS($Request)
{
 return "Some value"
}

function onGetEffectivePolicy($Request)
{
 $AttributeName = "edsvaLAPS"
 
 # If the object class is not a computer object, stop
 if ($Request.Class -ne "computer")
 {
 return
 }

 $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Is a $($Request.class) object")
 
 # Mark Attribute as server-side generated,
 $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
 $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)

 $Password = Get-LAPS $Request

 $Request.SetEffectivePolicyInfo($AttributeName,$Constants.EDS_EPI_UI_GENERATED_VALUE,$Password)
 $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Attribute set")

} 
 If I then add the edsvaLAPS to the WI, in this case in the computers properties page, under a custom tab called "LAPS" it will displayed the LAPS field, but empty 
 
 If I check the generate (lightening bolt) button, the value will be displayed 
 
 One note, is that if you click SAVE it will be written and store in the VA (IF it is a stored VA), but even if not, it would be written in the history 
 
 So you would need to remove the value of edsvaLAPS from any modification. This could be done in the script within the "OnPreCreate" or "OnPreModify" method, or within a workflow where using a "Modiofy Requested Changes" you remove edsvaLAPS from the request

Endpoint Privilege Management

retrieve PowerShell command in web interface

Top Replies