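function Repair-AlkamiDeveloperLoginsAndStartServices {
    <#
    .SYNOPSIS
    Repair the developer environment to start services and cleanup other things

    .DESCRIPTION
    This command will do the following, in this order, unless a step is skipped with its switch:
    * Flush DNS cache via ipconfig
    * Update group policy definitions to ensure you aren't missing AD concerns
      * This can take a while to complete
    * Reset the Windows Performance Counter cache
    * Ensures ACL are properly set on certificates
    * Clears the ASP.NET Temp Folder (under C:\Windows\Microsoft.NET)
      * This will restart IIS, you may want to skip that step if you don't need to clear those files.
      * Clearing those files causes WebClient to take much longer to start back up
    * Grant logon as a service rights
    * Stops the Windows Services, resets their gMSA facility, and restarts them
    * Pings the WCF IIS services (such as BankService) to "warm the cache"

    Several steps change machine-wide state (performance counter registry, IIS, certificate
    ACLs, the "Log on as a service" right) and the native tools used (lodctr, iisreset,
    gpupdate) need an elevated session, so run this from an elevated PowerShell.

    Why does the "gMSA facility" need to be "reset"?
    - This is because gMSA accounts like corp\dev.dbms$ are actually passworded accounts,
      it's just a seamlessly shared password to your machine via Active Directory.
      Those accounts can't be used for interactive login, but the credentials
      can be used to communicate with AD governed resources, such as SQL Server, or
      the use of network ports typically reserved for OS level (80, 443, etc).
      Because it _does_ have a password, and because Alkami rotates passwords,
      sometimes the "password" "stored" on your machine is stale, so AD will not
      reauthenticate the service.
      The functionality to "reset" the "gMSA facility" is maintained by SRE, so it
      stays in line with the rest of Alkami's best-practices, and you should be able
      to rely on this script being updated if SRE makes changes.

    Identity handling: the identities come from Get-SDKUserMatrix. Whenever 'CORP\dev.dbms$'
    is present, 'CORP\dev.micro$' is added as well, for both the certificate ACLs and the
    logon-as-a-service grant.

    .PARAMETER SkipFlushDNS
    Skip flushing the DNS resolver cached entries and group-policy updates

    .PARAMETER SkipResetCounter
    Skip resetting the Windows Performance Counter cache

    .PARAMETER SkipCertificates
    Will not ensure ACLs on expected certificates

    .PARAMETER SkipClrAsp
    Skip flushing the ASP Temp cache

    .PARAMETER SkipResetServices
    Will not reset services (you probably wanted to do this exact function though)

    .PARAMETER SkipPingServices
    Will not ping services such as BankService to "warm the cache"

    .PARAMETER SkipGrantLogonRights
    Will not grant logon rights to the default services

    .OUTPUTS
    None. Progress is written to the host; non-fatal problems are written as warnings.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [switch]$SkipFlushDNS,
        [Parameter(Mandatory = $false)]
        [switch]$SkipResetCounter,
        [Parameter(Mandatory = $false)]
        [switch]$SkipCertificates,
        [Parameter(Mandatory = $false)]
        [Alias('SkipASPNetTemps')]
        [switch]$SkipClrAsp,
        [Parameter(Mandatory = $false)]
        [switch]$SkipResetServices,
        [Parameter(Mandatory = $false)]
        [switch]$SkipPingServices,
        [Parameter(Mandatory = $false)]
        [switch]$SkipGrantLogonRights
    )

    # Builds the identity list used for ACL and logon-right grants.
    # Returns the non-empty identities as an array; when 'CORP\dev.dbms$' is present,
    # 'CORP\dev.micro$' is appended because it shares that configuration.
    function Get-ImpliedIdentities {
        param($Identities)
        # @() forces an array: with a single-identity matrix, .DomainUsername is a scalar
        # string and `+=` would concatenate the names into one bogus identity.
        $result = @($Identities | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
        if ($result -contains 'CORP\dev.dbms$') {
            $result += 'CORP\dev.micro$'
        }
        return $result
    }

    # Runs `lodctr /r` once and reports whether it succeeded.
    # lodctr is a native executable: a failure surfaces through $LASTEXITCODE, not as a
    # PowerShell exception, so both are checked (the exception path also covers the tool
    # being missing from PATH).
    function Invoke-CounterReset {
        try {
            lodctr /r
            return ($LASTEXITCODE -eq 0)
        } catch {
            Write-Verbose "lodctr /r threw: $_"
            return $false
        }
    }

    if (-not $SkipFlushDNS) {
        Write-Host "Flushing DNS"
        ipconfig /flushdns
        Write-Host "Updating GroupPolicy"
        # Can take minutes; a non-zero exit is reported but does not abort the remaining steps
        gpupdate /force
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "gpupdate /force exited with code $LASTEXITCODE"
        }
    }

    if (-not $SkipResetCounter) {
        Write-Host "Resetting windows performance counters"
        if (-not (Invoke-CounterReset)) {
            Write-Host "Reattempting to reset windows performance counters from the C:\ directory"
            Push-Location -Path C:\
            try {
                if (-not (Invoke-CounterReset)) {
                    Write-Warning "lodctr /r failed from C:\ as well; performance counters were not reset"
                }
            } finally {
                # Always return to the caller's directory, even if the retry fails
                Pop-Location
            }
        }
    }

    if (-not $SkipCertificates) {
        # Only identities flagged RequiresCertAccess get private-key ACLs (least privilege)
        $certUsers = (Get-SDKUserMatrix).Where({ $_.RequiresCertAccess -eq $true }).DomainUsername
        $usernames = Get-ImpliedIdentities -Identities $certUsers
        Repair-SDKAlkamiDeveloperCertificatePermissions -PermittedIdentities $usernames
    }

    if (-not $SkipClrAsp) {
        iisreset /stop
        try {
            Write-Host "Clearing asp.net temp files"
            Remove-DotNetTemporaryFiles
        } finally {
            # Bring IIS back even if clearing the temp files failed, so the box is not left with IIS down
            iisreset /start
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "iisreset /start exited with code $LASTEXITCODE; IIS may still be stopped"
            }
        }
    }

    if (-not $SkipGrantLogonRights) {
        # Every matrix identity receives the "Log on as a service" right, not only cert users
        $usernames = Get-ImpliedIdentities -Identities (Get-SDKUserMatrix).DomainUsername
        foreach ($username in $usernames) {
            Grant-UserLogonAsServiceRights -Username $username
        }
    }

    if (-not $SkipResetServices) {
        Stop-ServicesOnly
        # Drops the locally cached gMSA credential so the next start re-fetches it from AD (see DESCRIPTION)
        Clear-GMSAPasswords
        # Redis is brought up first; the remaining services are started by Start-ServicesOnly
        $redisServices = Get-ServiceInfoByCIMFragment -Fragment "redis-"
        foreach ($redisService in $redisServices) {
            Start-AlkamiService $redisService.Name
        }
        Start-ServicesOnly
    }

    if (-not $SkipPingServices) {
        Write-Host "Pinging services"
        try {
            Ping-AlkamiServices -skipCheck
            #Ping-AlkamiWebSites
        } catch {
            # Best-effort warm-up: report why it failed instead of discarding the error, but do not fail the repair
            Write-Warning "Failed to ping services: $_"
        }
    }
}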
# Short alias for interactive use; the verb-noun function name stays the canonical entry point.
Set-Alias FixLogins Repair-AlkamiDeveloperLoginsAndStartServices