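function Get-SDKUserMatrix {
    <#
    .SYNOPSIS
    Get the matrix of SDK Users, AppPoolIdentity, DomainUsername if on the domain, tenant DbRole, global database ServerRole, if it's a gMSA Account, and if it affects the AlkamiMaster table

    .DESCRIPTION
    gMSA account = Group Managed Service Account, a Microsoft AD component
    DbRole = Tenant database role as assigned (and for IsMaster, those on AlkamiMaster as well)
    ServerRole = SQL Server/instance role assigned if created

    Each entry of the returned array is a hashtable with the keys Username, DomainUsername,
    DbRole, ServerRole, RequiresCertAccess, IsGmsaAccount, IsMaster and AppPoolName (the part
    of Username after "IIS APPPOOL\", or '' for non-app-pool identities).

    The result is cached in $global:sqlUserAccountList because the gMSA lookup queries
    Active Directory; the cached hashtables are returned by reference, so callers that
    modify an entry modify the cache. Pass -Force to discard the cache and re-query.

    .PARAMETER Force
    Alias -Refresh
    Used to refetch the list of accounts to validate domain membership

    .OUTPUTS
    System.Collections.Hashtable[] - one hashtable per SDK account, in table order.

    .NOTES
    When an account cannot be resolved with Get-ADServiceAccount, its DomainUsername is
    replaced by its local Username, so a failed lookup and a genuinely local identity are
    indistinguishable in the result. Because this matrix decides which principal receives
    DbRole/ServerRole, a warning is written (once) if the cmdlet itself is unavailable,
    e.g. when the ActiveDirectory module is not loaded; per-account lookup failures are
    reported on the verbose stream.
    #>
    param(
        [Parameter()]
        [Alias('Refresh')]
        [switch]$Force
    )

    if ($Force) {
        # Clear it so we reprocess
        $global:sqlUserAccountList = $null
    }

    if ($null -ne $global:sqlUserAccountList) {
        # We calculate the AD group membership here, so don't spend the time or network resources re-querying for that
        return $global:sqlUserAccountList
    }

    # NOTE(review): every entry carries ServerRole "sysadmin" and DbRole "db_owner"; confirm against
    # least privilege for the tenant databases. MessageCenterService and NotificationService both map
    # to CORP\dev.notify$ - confirm that sharing is intended.
    $accountList = @(
        @{ Username="IIS APPPOOL\AuditService"; DomainUsername="CORP\dev.audit$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\BankService"; DomainUsername="CORP\dev.bank$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$true; },
        @{ Username="IIS APPPOOL\ContentService"; DomainUsername="CORP\dev.content$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\CoreService"; DomainUsername="CORP\dev.core$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\MessageCenterService"; DomainUsername="CORP\dev.notify$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\NagConfigurationService"; DomainUsername="CORP\dev.nag$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $true; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\NotificationService"; DomainUsername="CORP\dev.notify$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\RP-STS"; DomainUsername="CORP\dev.dbms$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $true; IsGmsaAccount = $false; IsMaster=$true; },
        @{ Username="IIS APPPOOL\STSConfiguration"; DomainUsername="CORP\dev.stsconfig$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$true; },
        @{ Username="IIS APPPOOL\SchedulerService"; DomainUsername="CORP\dev.radium$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $true; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="IIS APPPOOL\SecurityManagementService"; DomainUsername="CORP\dev.securitymgr$"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$false; },
        @{ Username="NT AUTHORITY\LOCAL SERVICE"; DomainUsername="NT AUTHORITY\LOCAL SERVICE"; DbRole="db_owner"; ServerRole="sysadmin"; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster=$true; }
    )

    # because shenanigans involving modified collections
    $returnList = @()

    # A missing Get-ADServiceAccount (ActiveDirectory module not loaded) would otherwise be silently
    # swallowed and every account would be reported as a local, non-gMSA identity. Warn once.
    $adCmdletMissingWarned = $false

    foreach ($account in $accountList) {
        if ($account.Username -match 'LOCAL SERVICE') {
            # Don't try to see if Local Service is on the domain, it's _local_ for a reason
        } else {
            $serviceAccount = $null
            # sAMAccountName part of "DOMAIN\name$"
            $samAccountName = ($account.DomainUsername -split '\\')[1]
            try {
                $serviceAccount = (Get-ADServiceAccount -Identity $samAccountName -ErrorAction SilentlyContinue)
            } catch [System.Management.Automation.CommandNotFoundException] {
                if (-not $adCmdletMissingWarned) {
                    Write-Warning "Get-ADServiceAccount is not available (ActiveDirectory module not loaded?); treating all SDK accounts as local, non-gMSA identities"
                    $adCmdletMissingWarned = $true
                }
            } catch {
                # Identity not found or AD unreachable: we cannot prove it is a gMSA, so fall back to the local identity below.
                Write-Verbose "gMSA lookup for '$samAccountName' failed: $($_.Exception.Message)"
            }

            if ($null -ne $serviceAccount) {
                # found an AD account that matches, use that as a group managed service account (it's a service account, per above)
                $account.IsGmsaAccount = $true
            } else {
                $account.DomainUsername = $account.Username
            }
        }

        if ($account.Username -match "IIS APPPOOL") {
            $account.AppPoolName = ($account.Username -split '\\')[1]
        } else {
            $account.AppPoolName = ''
        }

        $returnList += $account
    }

    # save time recalculating
    $global:sqlUserAccountList = $returnList

    return $returnList
}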