From f45f8cf2dc5672cff3e03a01bc2d056d60addf86 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Thu, 5 Dec 2024 14:36:32 -0600
Subject: [PATCH] Update AD creation scripts so that AD user passwords never expire

---
 AD-SETUP.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/AD-SETUP.md b/AD-SETUP.md
index 2957f076c..a59e63b7d 100644
--- a/AD-SETUP.md
+++ b/AD-SETUP.md
@@ -37,13 +37,14 @@ gcloud compute networks subnets create domain-controllers \
 --enable-private-ip-google-access
 
 # Create a firewall rule to allow RDP. Find out what your public IP address is by going to https://whatismyipaddress.com.
-# Copy/paste your IPv4 address into this rule. Replace the X.X.X.X placeholder address shown here with your real IP.
+# Replace the X.X.X.X placeholder address shown here with your real IPv4 address.
+my_ip=X.X.X.X
 gcloud compute firewall-rules create allow-rdp-ingress-to-addc \
 --project ${project} \
 --direction INGRESS \
 --action allow \
 --rules tcp:3389 \
- --source-ranges "X.X.X.X/32" \
+ --source-ranges "${my_ip}/32" \
 --target-tags ad-domaincontroller \
 --network ${vpc_name} \
 --priority 10000
@@ -100,7 +101,7 @@ gcloud secrets add-iam-policy-binding active-directory-dc1-password \
 --role=roles/secretmanager.secretAccessor \
 --condition="title=Expires after 1h,expression=request.time < timestamp('$one_hour_from_now')"
 
-# Optional: list all bindings to see the binding that you just created.
+# Optional: list all bindings to see the binding that you just created.
 gcloud secrets get-iam-policy active-directory-dc1-password \
 --project ${project}
 
@@ -256,7 +257,7 @@ New-ADUser -Name "Bind User" -SamAccountName "bind-user" -GivenName "Bind" -Surn
 -UserPrincipalName "bind-user@activedirectory.test.pinniped.dev" `
 -Path "OU=Users,OU=pinniped-ad,DC=activedirectory,DC=test,DC=pinniped,DC=dev" `
 -AccountPassword (ConvertTo-SecureString "REDACTED_BIND_USER_PASSWORD" -AsPlainText -Force) `
- -Enabled $true
+ -Enabled $true -PasswordNeverExpires $true
 
 # Note that the value of EmailAddress is not a real email address, but that's okay.
 New-ADUser -Name "Pinny Seal" -SamAccountName "pinny" -GivenName "Pinny" -Surname "Seal" -DisplayName "Pinny Seal" `
@@ -264,13 +265,13 @@ New-ADUser -Name "Pinny Seal" -SamAccountName "pinny" -GivenName "Pinny" -Surnam
 -Path "OU=Users,OU=pinniped-ad,DC=activedirectory,DC=test,DC=pinniped,DC=dev" `
 -EmailAddress "tanzu-user-authentication@groups.vmware.com" `
 -AccountPassword (ConvertTo-SecureString "REDACTED_PINNY_USER_PASSWORD" -AsPlainText -Force) `
- -Enabled $true
+ -Enabled $true -PasswordNeverExpires $true
 
 New-ADUser -Name "Deactivated User" -SamAccountName "deactivated-user" -GivenName "Deactivated" -Surname "User" -DisplayName "Deactivated User" `
 -UserPrincipalName "deactivated-user@activedirectory.test.pinniped.dev" `
 -Path "OU=Users,OU=pinniped-ad,DC=activedirectory,DC=test,DC=pinniped,DC=dev" `
 -AccountPassword (ConvertTo-SecureString "REDACTED_DEACTIVATED_USER_PASSWORD" -AsPlainText -Force) `
- -Enabled $false
+ -Enabled $false -PasswordNeverExpires $true
 
 # Take note of the pinny account's ObjectGUID. You will need to edit the concourse-secrets secret later to update this GUID value.
 # This value should look something like "288188dd-ab76-4f61-b6e4-c72e081502c5".
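Review bot: `-Enabled $true -PasswordNeverExpires $true` switches off password expiry for the bind-user account with no stated reason, and the hunk at @@ -264 does the same for pinny and deactivated-user; since these accounts carry fixed REDACTED_*_PASSWORD values that the rest of this runbook appears to depend on, a one-line rationale stops the next maintainer from reverting it as a hardening fix. Suggest a comment above the first New-ADUser call, e.g. `# Test-fixture accounts: PasswordNeverExpires keeps the domain's password-age policy from silently breaking the integration environment; rotate these passwords deliberately rather than relying on expiry.` The New-ADUser call for Bind User starts above the hunk, so that comment would sit outside the lines shown here. That the integration tests rely on these exact passwords is inferred from the placeholders and the concourse-secrets reference, not shown in the hunk itself.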