ps/Modules/Alkami.PowerShell.SDK/Public/Repair-AlkamiDeveloperLoginsAndStartServices.ps1

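function Repair-AlkamiDeveloperLoginsAndStartServices {
    <#
    .SYNOPSIS
    Repair the developer environment to start services and clean up other things
    .DESCRIPTION
    This command will do the following unless overridden
    * Flush DNS cache via ipconfig
    * Update group policy definitions to ensure you aren't missing AD concerns
      * This can take a while to complete
    * Ensures ACLs are properly set on certificates
    * Reset the Windows Performance Counter cache
    * Clears the ASP.NET Temp Folder (under C:\Windows\Microsoft.NET)
      * This will restart IIS, you may want to skip that step if you don't need to clear those files.
      * Clearing those files causes WebClient to take much longer to start back up
    * Stops the Windows Services, resets their gMSA facility, and restarts them
    * Pings the WCF IIS services (such as BankService) to "warm the cache"
    * Grant logon as a service rights

    Why does the "gMSA facility" need to be "reset"?
    - This is because gMSA accounts like corp\dev.dbms$ are actually passworded accounts,
      it's just a seamlessly shared password to your machine via Active Directory.
      Those accounts can't be used for interactive login, but the credentials
      can be used to communicate with AD governed resources, such as SQL Server, or
      the use of network ports typically reserved for OS level (80, 443, etc).
      Because it _does_ have a password, and because Alkami rotates passwords,
      sometimes the "password" "stored" on your machine is stale, so AD will not
      reauthenticate the service.
      The functionality to "reset" the "gMSA facility" is maintained by SRE, so it
      stays in line with the rest of Alkami's best-practices, and you should be able
      to rely on this script being updated if SRE makes changes.
    .PARAMETER SkipFlushDNS
    Skip flushing the DNS resolver cached entries and group-policy updates
    .PARAMETER SkipResetCounter
    Skip resetting the Windows Performance Counter cache
    .PARAMETER SkipCertificates
    Will not ensure ACLs on expected certificates
    .PARAMETER SkipClrAsp
    Skip flushing the ASP Temp cache (alias: SkipASPNetTemps)
    .PARAMETER SkipResetServices
    Will not reset services (you probably wanted to do this exact function tho)
    .PARAMETER SkipPingServices
    Will not ping services such as BankService to "warm the cache"
    .PARAMETER SkipGrantLogonRights
    Will not grant logon rights to the default services
    .NOTES
    Each step is independent; a -Skip* switch omits only that step, the others still run.
    The certificate and logon-rights steps grant access to the accounts returned by
    Get-SDKUserMatrix (certificate ACLs only to those flagged RequiresCertAccess), and
    CORP\dev.micro$ is added to either list whenever CORP\dev.dbms$ is present.
    The steps change machine-wide state (DNS cache, group policy, performance counters,
    IIS, service accounts, user rights) and are presumably expected to run elevated.
    Native executables (ipconfig, gpupdate, lodctr, iisreset) report failure through
    $LASTEXITCODE, not through exceptions.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [switch]$SkipFlushDNS,
        [Parameter(Mandatory = $false)]
        [switch]$SkipResetCounter,
        [Parameter(Mandatory = $false)]
        [switch]$SkipCertificates,
        [Parameter(Mandatory = $false)]
        [Alias('SkipASPNetTemps')]
        [switch]$SkipClrAsp,
        [Parameter(Mandatory = $false)]
        [switch]$SkipResetServices,
        [Parameter(Mandatory = $false)]
        [switch]$SkipPingServices,
        [Parameter(Mandatory = $false)]
        [switch]$SkipGrantLogonRights
    )

    # Both the certificate and the logon-rights steps pair dev.micro$ with dev.dbms$;
    # keep that coupling in one place. Always returns an array (a single DomainUsername
    # value would otherwise make '+=' concatenate strings instead of appending).
    function Add-CompanionMicroAccount([object]$Usernames) {
        [string[]]$list = @($Usernames | Where-Object { -not [string]::IsNullOrEmpty($_) })
        if ($list -contains 'CORP\dev.dbms$') {
            $list += 'CORP\dev.micro$'
        }
        return $list
    }

    if (-not $SkipFlushDNS) {
        Write-Host "Flushing DNS"
        ipconfig /flushdns
        Write-Host "Updating GroupPolicy"
        gpupdate /force
    }

    if (-not $SkipResetCounter) {
        Write-Host "Resetting windows performance counters"
        # lodctr is a native executable: a failed run sets $LASTEXITCODE but does not throw,
        # so the retry has to key off the exit code rather than a catch block.
        lodctr /r
        if ($LASTEXITCODE -ne 0) {
            Write-Host "Reattempting to reset windows performance counters from the C:\ directory"
            Push-Location -Path 'C:\'
            try {
                lodctr /r
            } finally {
                # Restore the caller's working directory even if the retry fails.
                Pop-Location
            }
        }
    }

    if (-not $SkipCertificates) {
        # Only accounts flagged RequiresCertAccess in the SDK user matrix get certificate ACLs.
        $certIdentities = Add-CompanionMicroAccount ((Get-SDKUserMatrix).Where({ $_.RequiresCertAccess -eq $true }).DomainUsername)
        Repair-SDKAlkamiDeveloperCertificatePermissions -PermittedIdentities $certIdentities
    }

    if (-not $SkipClrAsp) {
        iisreset /stop
        try {
            Write-Host "Clearing asp.net temp files"
            Remove-DotNetTemporaryFiles
        } finally {
            # Bring IIS back up even if the cleanup throws, so a failed step
            # does not leave the developer with a stopped web server.
            iisreset /start
        }
    }

    if (-not $SkipGrantLogonRights) {
        # Every account in the SDK user matrix receives "log on as a service" rights.
        $serviceAccounts = Add-CompanionMicroAccount ((Get-SDKUserMatrix).DomainUsername)
        foreach ($username in $serviceAccounts) {
            Grant-UserLogonAsServiceRights -Username $username
        }
    }

    if (-not $SkipResetServices) {
        Stop-ServicesOnly
        Clear-GMSAPasswords
        # redis-* services are started before the rest; presumably the other
        # services depend on them being up - confirm with Start-ServicesOnly.
        $redisServices = Get-ServiceInfoByCIMFragment -Fragment "redis-"
        foreach ($redisService in $redisServices) {
            Start-AlkamiService $redisService.Name
        }
        Start-ServicesOnly
    }

    if (-not $SkipPingServices) {
        Write-Host "Pinging services"
        # Best-effort warm-up: a failed ping is reported but does not fail the repair.
        try {
            Ping-AlkamiServices -skipCheck
            #Ping-AlkamiWebSites
        } catch {
            Write-Host "Failed to ping services: $($_.Exception.Message)"
        }
    }
}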
# Short alias for interactive use; resolves to the repair command defined above.
Set-Alias FixLogins Repair-AlkamiDeveloperLoginsAndStartServices