Added Force parameter to the Set-ADDBBootKey cmdlet

2025-03-30 07:07:11 +00:00 · 2023-02-25 08:05:38 +01:00 · 2023-02-25 08:05:38 +01:00 · c659ba601e
commit c659ba601e
parent f56b3df4c6
6 changed files with 81 additions and 11 deletions
--- a/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md
+++ b/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md
@ -170,14 +170,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock

        # Re-encrypt the DB with the new boot key.
        $currentBootKey = Get-BootKey -Online
-        Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey
+        Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force

        # Clone the DC account password.
        $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
        InlineScript {
            # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
            $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
-            Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey
+            Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force
        }

        # Replace the database and transaction logs.
--- a/Documentation/PowerShell/Set-ADDBBootKey.md
+++ b/Documentation/PowerShell/Set-ADDBBootKey.md
@ -13,7 +13,7 @@ Re-encrypts a ntds.dit file with a new BootKey/SysKey.
 ## SYNTAX

 ```
-Set-ADDBBootKey -OldBootKey <Byte[]> [-NewBootKey <Byte[]>] -DatabasePath <String> [-LogPath <String>]
+Set-ADDBBootKey -OldBootKey <Byte[]> [-NewBootKey <Byte[]>] [-Force] -DatabasePath <String> [-LogPath <String>]
 [<CommonParameters>]
 ```

@ -49,6 +49,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```

+### -Force
+Forces the cmdlet to perform the desired operation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -LogPath
 Specifies the path to a directory where the transaction log files are located. For instance, C:\Windows\NTDS. The default log directory is the one that contains the database file itself.

--- a/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1
+++ b/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1
@ -1,12 +1,11 @@
 <#
 .SYNOPSIS
-Restores the {DCName} domain controller from ntds.dit.
+Restores the {DCName} domain controller from its ntds.dit file.

 .REMARKS
 This script should only be executed on a freshly installed {OSName}. Use at your own risk.
 The DSInternals PowerShell module must be installed for all users on the target server.

-
 Author: Michael Grafnetter

 #>
@ -20,7 +19,7 @@ $vssResult = ([wmiclass] 'Win32_ShadowCopy').Create("$env:SystemDrive\", 'Client
 Write-Host 'Installing the Active Directory module for Windows PowerShell...'
 Add-WindowsFeature -Name RSAT-AD-PowerShell -ErrorAction Stop 

-# All the other operations will be executed by a restartable workflow running in SYSTEM context.
+# All the other operations will be executed by a restartable workflow running in the SYSTEM context.
 Write-Host 'Registering restartable workflows...'

 # Delete any pre-existing scheduled jobs with the same names before registering new ones.
@ -73,14 +72,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock

        # Re-encrypt the DB with the new boot key.
        $currentBootKey = Get-BootKey -Online
-        Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey
+        Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey -Force

        # Clone the DC account password.
        $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
        InlineScript {
            # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
            $dcAccount = Get-ADDBAccount -SamAccountName '{DCName}$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
-            Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey
+            Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey -Force
        }

        # Replace the database and transaction logs.
--- a/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs
+++ b/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs
@ -1,5 +1,6 @@
 using System;
 using System.Management.Automation;
+using DSInternals.PowerShell.Properties;

 namespace DSInternals.PowerShell.Commands
 {
@ -25,6 +26,13 @@ namespace DSInternals.PowerShell.Commands
            set;
        }

+        [Parameter]
+        public SwitchParameter Force
+        {
+            get;
+            set;
+        }
+
        protected override bool ReadOnly
        {
            get
@ -36,6 +44,14 @@ namespace DSInternals.PowerShell.Commands
        protected override void ProcessRecord()
        {
            throw new NotImplementedException();
+
+            if (!Force.IsPresent)
+            {
+                // Do not continue with operation until the user enforces it.
+                var exception = new ArgumentException(Resources.WarningMessage);
+                var error = new ErrorRecord(exception, "RestoreADDBAttribute_ForceRequired", ErrorCategory.InvalidArgument, null);
+                this.ThrowTerminatingError(error);
+            }
        }
    }
-}
+}
--- a/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs
+++ b/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs
@ -1,7 +1,9 @@
 namespace DSInternals.PowerShell.Commands
 {
+    using System;
    using System.Management.Automation;
    using DSInternals.DataStore;
+    using DSInternals.PowerShell.Properties;

    [Cmdlet(VerbsCommon.Set, "ADDBBootKey")]
    [OutputType("None")]
@ -29,8 +31,23 @@
            set;
        }

+        [Parameter]
+        public SwitchParameter Force
+        {
+            get;
+            set;
+        }
+
        protected override void BeginProcessing()
        {
+            if (!Force.IsPresent)
+            {
+                // Do not continue with operation until the user enforces it.
+                var exception = new ArgumentException(Resources.WarningMessage);
+                var error = new ErrorRecord(exception, "SetADDBBootKey_ForceRequired", ErrorCategory.InvalidArgument, null);
+                this.ThrowTerminatingError(error);
+            }
+
            base.BeginProcessing();
            using(var directoryAgent = new DirectoryAgent(this.DirectoryContext))
            {
--- a/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml
+++ b/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml
@ -7101,14 +7101,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock

        # Re-encrypt the DB with the new boot key.
        $currentBootKey = Get-BootKey -Online
-        Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey
+        Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force

        # Clone the DC account password.
        $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
        InlineScript {
            # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
            $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
-            Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey
+            Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force
        }

        # Replace the database and transaction logs.
@ -8978,6 +8978,17 @@ PS C:\&gt; Set-ADDBAccountPasswordHash -SamAccountName john `
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
+        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+          <maml:name>Force</maml:name>
+          <maml:Description>
+            <maml:para>Forces the cmdlet to perform the desired operation.</maml:para>
+          </maml:Description>
+          <dev:type>
+            <maml:name>SwitchParameter</maml:name>
+            <maml:uri />
+          </dev:type>
+          <dev:defaultValue>False</dev:defaultValue>
+        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath">
          <maml:name>LogPath</maml:name>
          <maml:Description>
@ -9029,6 +9040,18 @@ PS C:\&gt; Set-ADDBAccountPasswordHash -SamAccountName john `
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
+      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
+        <maml:name>Force</maml:name>
+        <maml:Description>
+          <maml:para>Forces the cmdlet to perform the desired operation.</maml:para>
+        </maml:Description>
+        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
+        <dev:type>
+          <maml:name>SwitchParameter</maml:name>
+          <maml:uri />
+        </dev:type>
+        <dev:defaultValue>False</dev:defaultValue>
+      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath">
        <maml:name>LogPath</maml:name>
        <maml:Description>