Added Force parameter to the Set-ADDBBootKey cmdlet

This commit is contained in:
Michael Grafnetter 2023-02-25 08:05:38 +01:00
parent f56b3df4c6
commit c659ba601e
6 changed files with 81 additions and 11 deletions


@ -170,14 +170,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock
# Re-encrypt the DB with the new boot key. # Re-encrypt the DB with the new boot key.
$currentBootKey = Get-BootKey -Online $currentBootKey = Get-BootKey -Online
Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force
# Clone the DC account password. # Clone the DC account password.
$ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
InlineScript { InlineScript {
# Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
$dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force
} }
# Replace the database and transaction logs. # Replace the database and transaction logs.


@ -13,7 +13,7 @@ Re-encrypts a ntds.dit file with a new BootKey/SysKey.
## SYNTAX ## SYNTAX
``` ```
Set-ADDBBootKey -OldBootKey <Byte[]> [-NewBootKey <Byte[]>] -DatabasePath <String> [-LogPath <String>] Set-ADDBBootKey -OldBootKey <Byte[]> [-NewBootKey <Byte[]>] [-Force] -DatabasePath <String> [-LogPath <String>]
[<CommonParameters>] [<CommonParameters>]
``` ```
@ -49,6 +49,21 @@ Accept pipeline input: False
Accept wildcard characters: False Accept wildcard characters: False
``` ```
### -Force
Forces the cmdlet to perform the desired operation.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -LogPath ### -LogPath
Specifies the path to a directory where the transaction log files are located. For instance, C:\Windows\NTDS. The default log directory is the one that contains the database file itself. Specifies the path to a directory where the transaction log files are located. For instance, C:\Windows\NTDS. The default log directory is the one that contains the database file itself.


@ -1,12 +1,11 @@
<# <#
.SYNOPSIS .SYNOPSIS
Restores the {DCName} domain controller from ntds.dit. Restores the {DCName} domain controller from its ntds.dit file.
.REMARKS .REMARKS
This script should only be executed on a freshly installed {OSName}. Use at your own risk. This script should only be executed on a freshly installed {OSName}. Use at your own risk.
The DSInternals PowerShell module must be installed for all users on the target server. The DSInternals PowerShell module must be installed for all users on the target server.
Author: Michael Grafnetter Author: Michael Grafnetter
#> #>
@ -20,7 +19,7 @@ $vssResult = ([wmiclass] 'Win32_ShadowCopy').Create("$env:SystemDrive\", 'Client
Write-Host 'Installing the Active Directory module for Windows PowerShell...' Write-Host 'Installing the Active Directory module for Windows PowerShell...'
Add-WindowsFeature -Name RSAT-AD-PowerShell -ErrorAction Stop Add-WindowsFeature -Name RSAT-AD-PowerShell -ErrorAction Stop
# All the other operations will be executed by a restartable workflow running in SYSTEM context. # All the other operations will be executed by a restartable workflow running in the SYSTEM context.
Write-Host 'Registering restartable workflows...' Write-Host 'Registering restartable workflows...'
# Delete any pre-existing scheduled jobs with the same names before registering new ones. # Delete any pre-existing scheduled jobs with the same names before registering new ones.
@ -73,14 +72,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock
# Re-encrypt the DB with the new boot key. # Re-encrypt the DB with the new boot key.
$currentBootKey = Get-BootKey -Online $currentBootKey = Get-BootKey -Online
Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey Set-ADDBBootKey -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -OldBootKey {OldBootKey} -NewBootKey $currentBootKey -Force
# Clone the DC account password. # Clone the DC account password.
$ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
InlineScript { InlineScript {
# Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
$dcAccount = Get-ADDBAccount -SamAccountName '{DCName}$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey $dcAccount = Get-ADDBAccount -SamAccountName '{DCName}$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey Set-ADDBAccountPasswordHash -ObjectGuid {DCGuid} -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath '{SourceDBPath}' -LogPath '{SourceLogDirPath}' -BootKey $using:currentBootKey -Force
} }
# Replace the database and transaction logs. # Replace the database and transaction logs.
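Review bot: Both cmdlet calls in this hunk now pass `-Force` unconditionally, so the confirmation guard this commit introduces never fires in the generated restore script; that is reasonable for an unattended workflow, but the template gives the reader no hint that the switch is what suppresses a terminating error. A one-line comment above the Set-ADDBBootKey call would make the opt-in explicit, e.g. `# -Force: these cmdlets refuse to modify the database unless the caller explicitly opts in; this generated script is that opt-in.` The same applies to the identical example changes in the two documentation sections of this commit. The scheduled-job script block that encloses these lines starts and ends outside the hunk.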


@ -1,5 +1,6 @@
using System; using System;
using System.Management.Automation; using System.Management.Automation;
using DSInternals.PowerShell.Properties;
namespace DSInternals.PowerShell.Commands namespace DSInternals.PowerShell.Commands
{ {
@ -25,6 +26,13 @@ namespace DSInternals.PowerShell.Commands
set; set;
} }
[Parameter]
public SwitchParameter Force
{
get;
set;
}
protected override bool ReadOnly protected override bool ReadOnly
{ {
get get
@ -36,6 +44,14 @@ namespace DSInternals.PowerShell.Commands
protected override void ProcessRecord() protected override void ProcessRecord()
{ {
throw new NotImplementedException(); throw new NotImplementedException();
if (!Force.IsPresent)
{
// Do not continue with operation until the user enforces it.
var exception = new ArgumentException(Resources.WarningMessage);
var error = new ErrorRecord(exception, "RestoreADDBAttribute_ForceRequired", ErrorCategory.InvalidArgument, null);
this.ThrowTerminatingError(error);
}
} }
} }
} }
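Review bot: The new `if (!Force.IsPresent)` block in ProcessRecord sits after the existing `throw new NotImplementedException();`, so it can never execute and the compiler will report it as unreachable (CS0162); the guard should precede the throw, `if (!Force.IsPresent) { … } throw new NotImplementedException();`, so the opt-in check is already in place when the cmdlet body is implemented. The error id `RestoreADDBAttribute_ForceRequired` suggests this is the Restore-ADDBAttribute cmdlet, though the class declaration is outside the hunk. A minor inconsistency: this file adds `using DSInternals.PowerShell.Properties;` outside the namespace while the Set-ADDBBootKey file adds it inside the namespace; either works, but the two new cmdlet files should agree.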


@ -1,7 +1,9 @@
namespace DSInternals.PowerShell.Commands namespace DSInternals.PowerShell.Commands
{ {
using System;
using System.Management.Automation; using System.Management.Automation;
using DSInternals.DataStore; using DSInternals.DataStore;
using DSInternals.PowerShell.Properties;
[Cmdlet(VerbsCommon.Set, "ADDBBootKey")] [Cmdlet(VerbsCommon.Set, "ADDBBootKey")]
[OutputType("None")] [OutputType("None")]
@ -29,8 +31,23 @@
set; set;
} }
[Parameter]
public SwitchParameter Force
{
get;
set;
}
protected override void BeginProcessing() protected override void BeginProcessing()
{ {
if (!Force.IsPresent)
{
// Do not continue with operation until the user enforces it.
var exception = new ArgumentException(Resources.WarningMessage);
var error = new ErrorRecord(exception, "SetADDBBootKey_ForceRequired", ErrorCategory.InvalidArgument, null);
this.ThrowTerminatingError(error);
}
base.BeginProcessing(); base.BeginProcessing();
using(var directoryAgent = new DirectoryAgent(this.DirectoryContext)) using(var directoryAgent = new DirectoryAgent(this.DirectoryContext))
{ {
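Review bot: Requiring `-Force` and otherwise throwing an ArgumentException is a non-standard way to gate a destructive cmdlet; PowerShell's built-in mechanism is `SupportsShouldProcess = true` with `ConfirmImpact = ConfirmImpact.High` on the `[Cmdlet]` attribute, which prompts by default, honours `-WhatIf` and `-Confirm:$false` in scripts, and still lets `-Force` bypass the prompt, so the check would become `if (!Force.IsPresent && !ShouldProcess(Resources.WarningMessage)) return;`. If the current design is kept, the check is at least placed before `base.BeginProcessing()` and the DirectoryAgent construction, so nothing touches the database when the caller has not opted in. The `using (var directoryAgent …)` block continues past the end of the hunk.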


@ -7101,14 +7101,14 @@ $initTask = Register-ScheduledJob -Name DSInternals-RFM-Initializer -ScriptBlock
# Re-encrypt the DB with the new boot key. # Re-encrypt the DB with the new boot key.
$currentBootKey = Get-BootKey -Online $currentBootKey = Get-BootKey -Online
Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 -NewBootKey $currentBootKey -Force
# Clone the DC account password. # Clone the DC account password.
$ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters $ntdsParams = Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
InlineScript { InlineScript {
# Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity. # Note: SupplementalCredentials do not get serialized properly without using the InlineScript activity.
$dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey $dcAccount = Get-ADDBAccount -SamAccountName 'LON-DC1$' -DatabasePath $using:ntdsParams.'DSA Database file' -LogPath $using:ntdsParams.'Database log files path' -BootKey $using:currentBootKey
Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey Set-ADDBAccountPasswordHash -ObjectGuid 9bb4d6f4-060a-4585-9f18-625774e7c088 -NTHash $dcAccount.NTHash -SupplementalCredentials $dcAccount.SupplementalCredentials -DatabasePath 'C:\Backup\Active Directory\ntds.dit' -LogPath 'C:\Backup\Active Directory' -BootKey $using:currentBootKey -Force
} }
# Replace the database and transaction logs. # Replace the database and transaction logs.
@ -8978,6 +8978,17 @@ PS C:\&gt; Set-ADDBAccountPasswordHash -SamAccountName john `
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>Force</maml:name>
<maml:Description>
<maml:para>Forces the cmdlet to perform the desired operation.</maml:para>
</maml:Description>
<dev:type>
<maml:name>SwitchParameter</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>False</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath">
<maml:name>LogPath</maml:name> <maml:name>LogPath</maml:name>
<maml:Description> <maml:Description>
@ -9029,6 +9040,18 @@ PS C:\&gt; Set-ADDBAccountPasswordHash -SamAccountName john `
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>Force</maml:name>
<maml:Description>
<maml:para>Forces the cmdlet to perform the desired operation.</maml:para>
</maml:Description>
<command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
<dev:type>
<maml:name>SwitchParameter</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>False</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Log, TransactionLogPath">
<maml:name>LogPath</maml:name> <maml:name>LogPath</maml:name>
<maml:Description> <maml:Description>