retrieve PowerShell command in web interface

I have a script in a workflow to check the LAPS password from ms-Mcs-AdmPwd and send it to the initiator's mail.
The workflow is in a WI task. Is it possible to retrieve the password into the Web Interface and not to mail?

  • Hi  

    Yes, there are a couple of ways of doing this, but the easiest for POC would be to use a policy script

    The example below has two functions, 

     * Get-LAPS would be the function where you write the code to retrieve the LAPS password

     * OnGetEffectivePolicy is an event handler in Active Roles; it's used in a couple of places, and can be used to do some very complex things.

    In this example the OnGetEffectivePolicy function does the following

    1) Define the value of $AttributeName to be "edsvaLAPS" which is a virtual attribute in my lab

    2) Check if the current request is for anything other than a computer object; if it's not a computer, the script stops, otherwise if it is a computer, it continues

    3) Write the "Is a computer object" to the event log

    4) It sets an effective policy of the $AttributeName property saying it is server side generated

    5) It sets an effective policy of the $AttributeName property saying it is automatically generated

    6) It calls the Get-LAPS function to retrieve the value

    7) It sets an effective policy of the $AttributeName property, passing it the password value retrieved in the previous step

    8) Write to the event log it has been set

    function Get-LAPS($Request)
    {
        # Placeholder: replace with the code that reads ms-Mcs-AdmPwd for the requested computer
        return "Some value"
    }

    function onGetEffectivePolicy($Request)
    {
        $AttributeName = "edsvaLAPS"

        # If the object class is not a computer object, stop
        if ($Request.Class -ne "computer")
        {
            return
        }

        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Is a $($Request.Class) object")

        # Mark the attribute as server-side generated and as auto-generated
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)

        # Retrieve the password and hand it to the Web Interface as the generated value
        $Password = Get-LAPS $Request

        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $Password)
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "Attribute set")
    }

    If I then add the edsvaLAPS to the WI, in this case in the computer's properties page, under a custom tab called "LAPS", it will display the LAPS field, but empty

    If I click the generate (lightning bolt) button, the value will be displayed

    One note is that if you click SAVE it will be written and stored in the VA (IF it is a stored VA), but even if not, it would be written in the history

    So you would need to remove the value of edsvaLAPS from any modification. This could be done in the script within the "OnPreCreate" or "OnPreModify" method, or within a workflow where, using a "Modify Requested Changes" activity, you remove edsvaLAPS from the request
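The following is an added example, not the poster's script, filling in the two parts the reply leaves to the reader: a Get-LAPS that reads ms-Mcs-AdmPwd from the computer object, and OnPreCreate/OnPreModify handlers that drop edsvaLAPS from the change set so a SAVE never writes the password to the VA or the history. It assumes the Active Roles policy-script globals $DirObj, $Constants and $EventLog, that the Active Roles service account may read ms-Mcs-AdmPwd, and that $Request.IsAttributeRequested and $Request.PutEx with ADS_PROPERTY_CLEAR remove the attribute from the request (both are assumptions about the request API, not taken from the thread).

```powershell
# Added example (not from the original reply). Assumed script globals:
# $DirObj (object being viewed/modified), $Constants, $EventLog.
$AttributeName = "edsvaLAPS"   # virtual attribute named in the thread

function Get-LAPS($Request)
{
    # Read the LAPS password from the computer object itself ($DirObj), not from
    # the request, so only the password of the object being viewed is returned.
    # Returns $null (and logs) if the attribute cannot be read.
    try
    {
        return $DirObj.Get("ms-Mcs-AdmPwd")
    }
    catch
    {
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,
            "Could not read ms-Mcs-AdmPwd for $($Request.Name): $($_.Exception.Message)")
        return $null
    }
}

function onGetEffectivePolicy($Request)
{
    if ($Request.Class -ne "computer") { return }

    # Same effective-policy flags as in the reply: server-side and auto generated
    $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_SERVER_SIDE_GENERATED, $true)
    $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_AUTO_GENERATED, $true)

    $Password = Get-LAPS $Request
    if ($Password)
    {
        $Request.SetEffectivePolicyInfo($AttributeName, $Constants.EDS_EPI_UI_GENERATED_VALUE, $Password)
        # Audit trail: record which object had its LAPS value displayed
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "LAPS value shown for $($Request.Name)")
    }
}

function Remove-LAPSFromRequest($Request)
{
    # Strip edsvaLAPS from the change set so SAVE cannot persist the password
    # to the VA or to the change history. IsAttributeRequested/PutEx usage is assumed.
    if ($Request.IsAttributeRequested($AttributeName))
    {
        $Request.PutEx($Constants.ADS_PROPERTY_CLEAR, $AttributeName, $null)
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE, "$AttributeName removed from request")
    }
}

function onPreCreate($Request) { Remove-LAPSFromRequest $Request }
function onPreModify($Request) { Remove-LAPSFromRequest $Request }
```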
