From c659ba601eefe05ed821330a73f10838d450c40b Mon Sep 17 00:00:00 2001 From: Michael Grafnetter Date: Sat, 25 Feb 2023 08:05:38 +0100 Subject: [PATCH] Added Force parameter to the Set-ADDBBootKey cmdlet --- .../New-ADDBRestoreFromMediaScript.md | 4 +-- Documentation/PowerShell/Set-ADDBBootKey.md | 17 +++++++++++- .../ADDBRestoreFromMediaScriptTemplate.ps1 | 9 +++---- .../Datastore/RestoreADDBAttributeCommand.cs | 18 ++++++++++++- .../Datastore/SetADDBBootKeyCommand.cs | 17 ++++++++++++ .../en-US/DSInternals.PowerShell.dll-Help.xml | 27 +++++++++++++++++-- 6 files changed, 81 insertions(+), 11 deletions(-) diff --git a/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md b/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md index f5a522f..fd2abc0 100644 --- a/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md +++ b/Documentation/PowerShell/New-ADDBRestoreFromMediaScript.md 
@@ -170,14 +170,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock # Re-encrypt the DB with the new boot key. $currentBootKey = Get-BootKey -Online - Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey + Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force # Clone the DC account password. $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters InlineScript { # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey - Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey + Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force } # Replace the database and transaction logs. diff --git a/Documentation/PowerShell/Set-ADDBBootKey.md b/Documentation/PowerShell/Set-ADDBBootKey.md index 026a8a2..af2c708 100644 --- a/Documentation/PowerShell/Set-ADDBBootKey.md +++ b/Documentation/PowerShell/Set-ADDBBootKey.md 
@@ -13,7 +13,7 @@ Re-encrypts a ntds.dit file with a new BootKey/SysKey. ## SYNTAX ``` -Set-ADDBBootKey -OldBootKey [-NewBootKey ] -DatabasePath [-LogPath ] +Set-ADDBBootKey -OldBootKey [-NewBootKey ] [-Force] -DatabasePath [-LogPath ] [] ``` @@ -49,6 +49,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Force +Forces the cmdlet to perform the desired operation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -LogPath Specifies the path to a directory where the transaction log files are located. For instance, C:\Windows\NTDS. The default log directory is the one that contains the database file itself. diff --git a/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1 b/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1 index 92f547f..d201f93 100644 --- a/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1 +++ b/Src/DSInternals.PowerShell/ADDBRestoreFromMediaScriptTemplate.ps1 @@ -1,12 +1,11 @@ <# .SYNOPSIS -Restores the {DCName} domain controller from ntds.dit. +Restores the {DCName} domain controller from its ntds.dit file. .REMARKS This script should only be executed on a freshly installed {OSName}. Use at your own risk. The DSInternals PowerShell module must be installed for all users on the target server. - Author: Michael Grafnetter #> 
@@ -20,7 +19,7 @@ $vssResult = ([wmiclass] 'Win32_ShadowCopy').Create("$env:SystemDrive\", 'Client Write-Host 'Installing the Active Directory module for Windows PowerShell...' Add-WindowsFeature -Name RSAT-AD-PowerShell -ErrorAction Stop -# All the other operations will be executed by a restartable workflow running in SYSTEM context. +# All the other operations will be executed by a restartable workflow running in the SYSTEM context. Write-Host 'Registering restartable workflows...' # Delete any pre-existing scheduled jobs with the same names before registering new ones. 
@@ -73,14 +72,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock # Re-encrypt the DB with the new boot key. $currentBootKey = Get-BootKey -Online - Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey + Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey -Force # Clone the DC account password. $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters InlineScript { # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. $dcAccount = Get-ADDBAccount -SamAccountName '{DCName}$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey - Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey + Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey -Force } # Replace the database and transaction logs. diff --git a/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs b/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs index 2073f1d..8b5a451 100644 --- a/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs +++ b/Src/DSInternals.PowerShell/Commands/Datastore/RestoreADDBAttributeCommand.cs @@ -1,5 +1,6 @@ using System; using System.Management.Automation; +using DSInternals.PowerShell.Properties; namespace DSInternals.PowerShell.Commands { 
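Review bot: The template now also passes `-Force` to Set-ADDBAccountPasswordHash, but this patch only adds a Force parameter to Set-ADDBBootKey (and Restore-ADDBAttribute); unless that cmdlet already declares the switch, which the diff does not show, the generated script will stop at that line with a parameter-binding error inside the SYSTEM scheduled job, after the preceding Set-ADDBBootKey call has already re-encrypted the database. Worth confirming before merge. Since the hard-coded `-Force` here deliberately bypasses the guard the C# change introduces, a one-line comment would help whoever reads the generated script: `# -Force is required: the cmdlet refuses to modify the database without it, and this runs unattended as SYSTEM.` The scheduled-job script block this hunk belongs to begins and ends outside the hunk.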
@@ -25,6 +26,13 @@ namespace DSInternals.PowerShell.Commands set; } + [Parameter] + public SwitchParameter Force + { + get; + set; + } + protected override bool ReadOnly { get @@ -36,6 +44,14 @@ namespace DSInternals.PowerShell.Commands protected override void ProcessRecord() { throw new NotImplementedException(); + + if (!Force.IsPresent) + { + // Do not continue with operation until the user enforces it. + var exception = new ArgumentException(Resources.WarningMessage); + var error = new ErrorRecord(exception, "RestoreADDBAttribute_ForceRequired", ErrorCategory.InvalidArgument, null); + this.ThrowTerminatingError(error); + } } } -} \ No newline at end of file +} diff --git a/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs b/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs index 454e622..6bd87bc 100644 --- a/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs +++ b/Src/DSInternals.PowerShell/Commands/Datastore/SetADDBBootKeyCommand.cs @@ -1,7 +1,9 @@ namespace DSInternals.PowerShell.Commands { + using System; using System.Management.Automation; using DSInternals.DataStore; + using DSInternals.PowerShell.Properties; [Cmdlet(VerbsCommon.Set, "ADDBBootKey")] [OutputType("None")] @@ -29,8 +31,23 @@ set; } + [Parameter] + public SwitchParameter Force + { + get; + set; + } + protected override void BeginProcessing() { + if (!Force.IsPresent) + { + // Do not continue with operation until the user enforces it. + var exception = new ArgumentException(Resources.WarningMessage); + var error = new ErrorRecord(exception, "SetADDBBootKey_ForceRequired", ErrorCategory.InvalidArgument, null); + this.ThrowTerminatingError(error); + } + base.BeginProcessing(); using(var directoryAgent = new DirectoryAgent(this.DirectoryContext)) { diff --git a/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml b/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml index 3de0e73..d9b8648 100644 
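Review bot: The new Force check in RestoreADDBAttributeCommand.ProcessRecord is placed after `throw new NotImplementedException();`, so it is unreachable (the compiler will report CS0162) and a caller who omits -Force gets a NotImplementedException rather than the RestoreADDBAttribute_ForceRequired error that the matching SetADDBBootKeyCommand change produces. Move the guard above the throw, i.e. end the method with `throw new NotImplementedException();` after the `if (!Force.IsPresent) { ... }` block, so the gate is already exercised when the body is filled in. It would also be worth a short comment on the throw stating that the cmdlet is intentionally not implemented yet, since the Force parameter and help text now make it look usable.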
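Review bot: The new Force property on SetADDBBootKeyCommand carries no documentation, and the accompanying help text only says it "forces the cmdlet to perform the desired operation", while BeginProcessing shows the switch is in fact mandatory: without it the cmdlet terminates with SetADDBBootKey_ForceRequired before the DirectoryAgent is ever created. Suggest `/// <summary>Must be specified for the cmdlet to re-encrypt the database; without it a SetADDBBootKey_ForceRequired terminating error is raised and ntds.dit is left untouched.</summary>` on the property, and the same sentence in the .md parameter description. The seven-line guard is duplicated verbatim in RestoreADDBAttributeCommand with only the error ID differing, so a small shared helper (on a common base class, if the two commands share one) would keep the two in step. As a point of style, the PowerShell-native model for a destructive operation is `SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.High` with ShouldContinue, so that -Confirm/-WhatIf work and -Force suppresses the prompt; the hard InvalidArgument error is a defensible choice but deserves a comment explaining why it was preferred. The using block that opens the DirectoryAgent runs past the end of the hunk.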
--- a/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml +++ b/Src/DSInternals.PowerShell/en-US/DSInternals.PowerShell.dll-Help.xml @@ -7101,14 +7101,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock # Re-encrypt the DB with the new boot key. $currentBootKey = Get-BootKey -Online - Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey + Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force # Clone the DC account password. $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters InlineScript { # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey - Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey + Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force } # Replace the database and transaction logs. @@ -8978,6 +8978,17 @@ PS C:\> Set-ADDBAccountPasswordHash -SamAccountName john ` None + + Force + + Forces the cmdlet to perform the desired operation. + + + SwitchParameter + + + False + LogPath 
@@ -9029,6 +9040,18 @@ PS C:\> Set-ADDBAccountPasswordHash -SamAccountName john ` None + + Force + + Forces the cmdlet to perform the desired operation. + + SwitchParameter + + SwitchParameter + + + False + LogPath