GH-62

CHANGELOG.Examples.md

@@ -4,6 +4,7 @@
 
 - GH-58: Configure RequireSSL attribute for ISHCM and ISHSTS web applications. After installing the web applications are configured for the **RequireSSL**.
 - GH-57: Load-ISHBootstrapperContext.ps1 fails to load json file when using Name parameter set.
+- GH-62: Use ISHServer cmdlets that manage the user profile
 
 ## pre-release v0.8
 

CHANGELOG.md

@@ -7,6 +7,7 @@
 - GH-53: Add support for docker container images.
 - GH-58: Configure RequireSSL attribute for ISHCM and ISHSTS web applications. Script `Set-IISRequireSSL.ps1` is added.
 - GH-50: Import ISHTemplate repository as a Builders folder. ISHBootstrap provides builder scripts for use with AWS EC2 AMI, Docker containers, Packer and Vagrant.
+- GH-62: Use ISHServer cmdlets that manage the user profile
 
 ## pre-release v0.8
 

Examples/Initialize-ISHServer.ps1

@@ -81,23 +81,23 @@ if($computerName)
         if($useFQDNWithCredSSP)
         {
             $fqdn=[System.Net.Dns]::GetHostByName($computerName)| FL HostName | Out-String | %{ "{0}" -f $_.Split(':')[1].Trim() };
-             & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $fqdn -Credential $credential -ISHServerVersion $ishServerVersion -OSUser ($osUserCredential.UserName) -CredSSP
+             & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $fqdn -Credential $credential -ISHServerVersion $ishServerVersion -OSUserCredential $osUserCredential -CredSSP
         }
         else
         {
             $sessionOptionsWithCredSSP=Get-ISHBootstrapperContextValue -ValuePath "SessionOptionsWithCredSSPExpression" -Invoke
-             & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $computerName -Credential $credential -ISHServerVersion $ishServerVersion -SessionOptions $sessionOptionsWithCredSSP -OSUser ($osUserCredential.UserName) -CredSSP
+             & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $computerName -Credential $credential -ISHServerVersion $ishServerVersion -SessionOptions $sessionOptionsWithCredSSP -OSUserCredential $osUserCredential -CredSSP
         }
     }
     else
     {
-         & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $computerName -Credential $credential -ISHServerVersion $ishServerVersion -OSUser ($osUserCredential.UserName)
+         & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -Computer $computerName -Credential $credential -ISHServerVersion $ishServerVersion -OSUserCredential $osUserCredential
     }
      & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUserRegion.ps1 -Computer $computerName -OSUserCredential $osUserCredential -ISHServerVersion $ishServerVersion
 }
 else
 {
-   & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -ISHServerVersion $ishServerVersion -OSUser ($osUserCredential.UserName)
+   & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUser.ps1 -ISHServerVersion $ishServerVersion -OSUserCredential $osUserCredential
    & $serverScriptsPaths\ISHServer\Initialize-ISHServerOSUserRegion.ps1 -OSUserCredential $osUserCredential -ISHServerVersion $ishServerVersion
 }
 

Source/Builders/Initialize-ISH.Instance.ps1

@@ -53,37 +53,9 @@ Write-Host $blockName
 $softwareVersion=Get-ISHDeployment |Select-Object -First 1 -ExpandProperty SoftwareVersion
 $ishVersion="$($softwareVersion.Major).0.$($softwareVersion.Revision)"
 $ishServerVersion=($ishVersion -split "\.")[0]
-
-if($OsUserCredentials.UserName.StartsWith("$($env:computername)\"))
-{
-    $createLocalUser=$true
-}
-elseif($OsUserCredentials.UserName.StartsWith(".\"))
-{
-    Write-Host "Credentials normalization.Replaced .\ with $env:COMPUTERNAME"
-    $OsUserCredentials=New-Object System.Management.Automation.PSCredential($OsUserCredentials.UserName.Replace(".",$env:COMPUTERNAME),$OsUserCredentials.Password)
-    $createLocalUser=$true
-}
-elseif($OsUserCredentials.UserName.indexOf("\") -lt 0)
-{
-    Write-Host "Credentials normalization.Prefixed with $env:COMPUTERNAME"
-    $OsUserCredentials=New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$($OsUserCredentials.UserName)",$OsUserCredentials.Password)
-    $createLocalUser=$true
-}
-else
-{
-    $createLocalUser=$false
-}
-
-
+$OsUserCredentials=Get-ISHNormalizedCredential -Credentials $OsUserCredentials
 $osUserName=$OsUserCredentials.UserName
 Write-Host "osUserName=$osUserName"
-Write-Host "createLocalUser=$createLocalUser"
-if($createLocalUser)
-{
-    $localUserNameToAdd=$osUserName.Substring($osUserName.IndexOf('\')+1)
-    Write-Host "localUserNameToAdd=$localUserNameToAdd"
-}
 $osUserPassword=$OsUserCredentials.GetNetworkCredential().Password
 
 #endregion
@@ -126,73 +98,10 @@ $blockName="Initializing osuser"
 Write-Progress @scriptProgress -Status $blockName
 Write-Host $blockName
 
-if($createLocalUser)
-{
-    Write-Debug "Adding $localUserNameToAdd local user"
-    if(Get-Module Microsoft.PowerShell.LocalAccounts -ListAvailable)
-    {
-        if(-not (Get-LocalUser -Name $localUserNameToAdd -ErrorAction SilentlyContinue))
-        {
-            New-LocalUser -Name $localUserNameToAdd -Password $OsUserCredentials.Password -AccountNeverExpires -PasswordNeverExpires
-        }
-    }
-    else
-    {
-        NET USER $localUserNameToAdd $osUserPassword /ADD
-        $user = [adsi]"WinNT://$env:computername/$localUserNameToAdd"
-        $user.UserFlags.value = $user.UserFlags.value -bor 0x10000
-        $user.CommitChanges()    
-    }
-    Write-Verbose "Added $localUserNameToAdd local user"
-}
-
-$arguments=@(
-    "-Command"
-    "' { Initialize-ISHRegional } '"
-)
-Initialize-ISHUser -OSUser $osUserName
-$powerShellPath=& C:\Windows\System32\where.exe powershell
+Set-ISHUserLocal -OSUserCredentials $OSUserCredential
+Set-ISHUserAdministrator -OSUser $osUserName
+Initialize-ISHUserLocalProfile -OSUserCredentials $OSUserCredential
 
-if(Test-Path -Path Variable:\PSSenderInfo)
-{
-    $useScheduledTask=$true
-}
-elseif($env:USERNAME -eq "NT AUTHORITY\SYSTEM")
-{
-    $useScheduledTask=$true
-}
-elseif($env:USERNAME -eq "$($env:computername)`$")
-{
-    $useScheduledTask=$true
-}
-else
-{
-    $useScheduledTask=$false
-}
-
-if($useScheduledTask)
-{
-    Write-Warning "Using a scheduled task to initialize $osUserName"
-    Add-Privilege -AccountName $osUserName -Privilege SeBatchLogonRight
-    $argumentList=$arguments -join ' '
-    $command="Start-Process -FilePath powershell -LoadUserProfile -Wait -ArgumentList ""$argumentList"""
-    $action = New-ScheduledTaskAction -Execute $powerShellPath -Argument "-Command '& { $command }'"
-    $task = Register-ScheduledTask "Install Alex" -Action $action -User $osUserName -Password $osUserPassword
-    Start-ScheduledTask -InputObject $task
-
-    $state=($task|Get-ScheduledTask).State
-    while($state -eq "Ready")
-    {
-        Start-Sleep -Milliseconds 500
-        $state=($task|Get-ScheduledTask).State
-    }
-    $task|Unregister-ScheduledTask -Confirm:$false
-    Remove-Privilege -AccountName $osUserName -Privilege SeBatchLogonRight
-}
-else
-{
-    Start-Process -FilePath $powerShellPath -ArgumentList $arguments -Credential $OsUserCredentials -LoadUserProfile -NoNewWindow  -Wait
-}
 
 #endregion
 

Source/Builders/Initialize-ISHImage.ps1

@@ -142,7 +142,7 @@ else
     $user.UserFlags.value = $user.UserFlags.value -bor 0x10000
     $user.CommitChanges()    
 }
-& $serverScriptsPath\ISHServer\Initialize-ISHServerOSUser.ps1 -ISHServerVersion $ishServerVersion -OSUser ($mockOSUserCredential.UserName)
+& $serverScriptsPath\ISHServer\Initialize-ISHServerOSUser.ps1 -ISHServerVersion $ishServerVersion -OSUserCredential $mockOSUserCredential
 
 #endregion
 

Source/Server/ISHServer/Initialize-ISHServerOSUser.ps1

@@ -24,8 +24,8 @@ param (
     [Parameter(Mandatory=$false,ParameterSetName="Remote")]
     [switch]$CredSSP,
     [Parameter(Mandatory=$true,ParameterSetName="Local")]
-    [Parameter(ParameterSetName="Remote")]
-    [string]$OSUser,
+    [Parameter(Mandatory=$true,ParameterSetName="Remote")]
+    [PSCredential]$OSUserCredential,
     [Parameter(Mandatory=$true,ParameterSetName="Local")]
     [Parameter(ParameterSetName="Remote")]
     [ValidateSet("12","13")]
@@ -70,8 +70,13 @@ try
         $session=$null
     }
 
-    Write-Progress @scriptProgress -Status "Initializing $OSUser"
-    Initialize-ISHUser -OSUser $OSUser
+
+    $OSUserCredential=Get-ISHNormalizedCredential -Credentials $OSUserCredential
+    Write-Progress @scriptProgress -Status "Initializing $($OSUserCredential.UserName)"
+
+    Set-ISHUserLocal -OSUserCredentials $OSUserCredential
+    Set-ISHUserAdministrator -OSUser $OSUserCredential.Username
+    Initialize-ISHUserLocalProfile -OSUserCredentials $OSUserCredential
 }
 
 finally

Source/Server/ISHServer/Install-ISHServerPrerequisites.ps1

@@ -104,6 +104,8 @@ try
     {
         Write-Warning "Windows Firewall service is not running"
     }
+
+    Initialize-ISHRegistry
 }
 
 finally

Tutorials/How to use the repository (Examples).md

@@ -182,7 +182,7 @@ The values of `CredentialForCredSSPExpression` and `OSUserCredentialExpression`
 Behind the scenes the `Invoke-Expression` is used to execute the specified cmdlet. In my profile scripts I've made sure that cmdlets `New-MyCredential` and `New-InfoShareServiceUserCredential` are always available.
 
 Behind the scenes the scripts in folder `Source\Server\ISHServer` are executed. 
-The `Initialize-ISHServerOSUser.ps1` is the most tricky one because it needs to add the `osuser` to the local administrator group. 
+The `Initialize-ISHServerOSUser.ps1` is the most tricky one because it needs to add the `osuser` to the local user repository, set it as local administrator group and fully create it's local user profile. 
 To do that the remote call needs to access the active directory and this is where the double hop issue appears. Read more on [About CredSSP authentication for PSSession](About CredSSP authentication for PSSession.md). 
 CredSSP requires secure SSL. That means that a session must be created using the Fully Qualified Domain Name of the computer because the certificate should have as Common Name (CN) the same. 
 As an example if the server is `server` and the FQDN is `server.x1.x2.x3` the code that imports implicitly a module looks like