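function Clear-GMSAPasswords {
    <#
    .SYNOPSIS
    Sets an empty password on all Chocolatey services running as GMSA Accounts. Accepts an optional string array as a filter parameter

    .DESCRIPTION
    Due to bugs in the way our microservice services are created, GMSA Password rotations may result in services failing to start with logon errors (see: SDK-773)
    This function is occasionally run to clear out the passwords and allow them to start. All Windows services running out of the Chocolatey folder and running as
    GMSA accounts will be acted on (including NAG and Radium), unless a filter list of full Service Names is specified

    For every selected service the function re-issues the service's logon account through sc.exe ("config <name> obj=<account>",
    no password= argument) and then hands the account to LSA via Set-ServiceAccountManagedState. Changing a service's logon
    configuration requires an elevated session. Each service acted on, and the account it runs as, is written to the host output
    so that the change is auditable; services that are not running as a GMSA account (name not ending in '$') are skipped with a warning.

    .PARAMETER serviceFilter
    [string[]] Optional Array of Service Names (not display names) to execute against. Matching is case-insensitive and exact (no wildcards)

    .OUTPUTS
    None. Progress is reported through Write-Host, Write-Verbose and Write-Warning only

    .EXAMPLE
    Clear-GMSAPasswords

    [Get-ChocolateyServices] : Finding services installed out of the chocolatey path.
    [Get-ChocolateyServices] : Found 3 chocolatey services.
    [Clear-GMSAPasswords] : Clearing GMSA Password for Service Alkami.Services.Subscriptions.Host running as user FH\stage.micro$
    [SC] ChangeServiceConfig SUCCESS
    [Clear-GMSAPasswords] : Setting Alkami.Services.Subscriptions.Host to managed by LSA
    [Clear-GMSAPasswords] : Clearing GMSA Password for Service Alkami.MicroServices.Broker.Host running as user FH\stage.micro$
    [SC] ChangeServiceConfig SUCCESS
    [Clear-GMSAPasswords] : Setting Alkami.MicroServices.Broker.Host to managed by LSA
    [Clear-GMSAPasswords] : Clearing GMSA Password for Service Alkami.MicroServices.Features.Beacon.Host running as user FH\stage.micro$
    [SC] ChangeServiceConfig SUCCESS
    [Clear-GMSAPasswords] : Setting Alkami.MicroServices.Features.Beacon.Host to managed by LSA
    [Clear-GMSAPasswords] : Updated 3 GMSA Services

    .EXAMPLE
    Clear-GMSAPasswords @("Alkami.Services.Subscriptions.Host", "Alkami.MicroServices.Broker.Host") -Verbose

    [Get-ChocolateyServices] : Finding services installed out of the chocolatey path.
    [Get-ChocolateyServices] : Found 3 chocolatey services.
    [Clear-GMSAPasswords] : Filtering for Services:
    Alkami.Services.Subscriptions.Host
    Alkami.MicroServices.Broker.Host
    [Clear-GMSAPasswords] : Clearing GMSA Password for Service Alkami.Services.Subscriptions.Host running as user FH\stage.micro$
    [SC] ChangeServiceConfig SUCCESS
    [Clear-GMSAPasswords] : Setting Alkami.Services.Subscriptions.Host to managed by LSA
    [Clear-GMSAPasswords] : Clearing GMSA Password for Service Alkami.MicroServices.Broker.Host running as user FH\stage.micro$
    [SC] ChangeServiceConfig SUCCESS
    [Clear-GMSAPasswords] : Setting Alkami.MicroServices.Broker.Host to managed by LSA
    VERBOSE: [Clear-GMSAPasswords] : Skipping Service Alkami.MicroServices.Features.Beacon.Host as it is not in the Filter List
    [Clear-GMSAPasswords] : Updated 2 GMSA Services
    #>
    # CmdletBinding belongs on the function (before param), not inside the parameter list; it is what
    # makes -Verbose reach the Write-Verbose calls below.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [string[]]$serviceFilter
    )

    $logLead = Get-LogLeadName
    $filterParamSpecified = -not (Test-IsCollectionNullOrEmpty $serviceFilter)

    [array]$services = Get-ChocolateyServices

    # NOTE(review): -match is a case-insensitive regex/substring match, so any Alkami service whose name merely
    # contains "nag" (e.g. "...Manager...") or "radium" is also selected here. Such hits are only filtered out
    # later by the GMSA account check; tighten the pattern once the real NAG/Radium service names are confirmed.
    [array]$nagAndRadium = Get-AlkamiServices | Where-Object { $_.Name -match "Nag|Radium" }
    if (Test-IsCollectionNullOrEmpty $nagAndRadium) {
        Write-Verbose "$logLead : No Nag/Radium services running on host."
    } else {
        $services += $nagAndRadium
    }

    if (Test-IsCollectionNullOrEmpty $services) {
        Write-Warning "$logLead : Found no Services! Execution cannot continue"
        return
    }

    if ($filterParamSpecified) {
        Write-Host "$logLead : Filtering for Services:"
        Write-Host $serviceFilter -Separator `n
    }

    $clearedCount = 0
    # A service may be returned by both Get-ChocolateyServices and the Nag/Radium query; -Unique makes sure
    # sc.exe is invoked at most once per service name.
    foreach ($serviceName in ($services | Select-Object -ExpandProperty Name -Unique)) {
        if ($filterParamSpecified -and -not ($serviceFilter -icontains $serviceName)) {
            Write-Verbose "$logLead : Skipping Service $serviceName as it is not in the Filter List"
            continue
        }

        $userName = Get-WindowsServiceUser $serviceName

        # GMSA account names end in '$'. The null/empty guard comes first so that a service whose logon
        # account could not be read is skipped with a warning instead of throwing on .EndsWith.
        if ([string]::IsNullOrEmpty($userName) -or -not $userName.EndsWith('$')) {
            Write-Warning "$logLead : Skipping Service $serviceName as it is Not Running as a GMSA Account"
            continue
        }

        Write-Host "$logLead : Clearing GMSA Password for Service $serviceName running as user $userName"
        # Per the SYNOPSIS, re-issuing obj= with no password= argument is what clears the stored password.
        $params = @("config", $serviceName, "obj=$userName")
        Invoke-SCExe $params
        # NOTE(review): the count is incremented whether or not sc.exe reported SUCCESS; confirm that
        # Invoke-SCExe throws on a non-zero exit code, otherwise the final summary can over-report.
        $clearedCount++

        Write-Host "$logLead : Setting $serviceName to managed by LSA"
        Set-ServiceAccountManagedState -ServiceName $serviceName
    }

    # $services is known to be non-empty here (early return above), so only the filter/cleared checks are needed.
    if ($filterParamSpecified -and $clearedCount -eq 0) {
        Write-Warning "$logLead : Found no matching services based on the supplied parameters"
    }

    Write-Host "$logLead : Updated $clearedCount GMSA Services"
}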