Creating And Configuring The PSO For DSRM Placeholder Accounts
# SOURCE: https://gist.github.com/zjorz/83523ecb5cdffa974e959f280ab3469b/
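Invoke-Command -ScriptBlock {
    # Creates the Password Settings Object (PSO) "PSO-DSRM-PlaceHolder-Accounts" in the
    # Password Settings Container of the computer's domain and then links it to the two
    # DSRM placeholder accounts "dsrm.RWDCs" and "dsrm.RODCs" when those accounts exist.
    # Every directory write is sent to the PDC emulator so that the create step and the
    # later msDS-PSOAppliesTo update hit the same DC (no replication lag between them).
    # NOTE(review): the placeholder accounts are presumably the domain accounts whose
    # password is synced into the DCs' DSRM password; confirm against the surrounding
    # process before changing the policy values below.
    # The script assumes a first run: re-running it against an existing PSO is expected
    # to fail on the create step (and on appending an account DN that is already linked).
    Clear-Host
    # Provider selection: "ADSIorSDSP" uses System.DirectoryServices only (no AD module
    # needed); "ADPoSH" uses the ActiveDirectory module cmdlets.
    $scriptMode = "ADSIorSDSP" # "ADSIorSDSP" Or "ADPoSH"
    Write-Host ""
    Write-Host "###############################################################################" -Foregroundcolor Yellow
    Write-Host "### CREATING AND CONFIGURING PASSWORD SETTINGS OBJECT FOR DSRM ACCOUNTS ###" -Foregroundcolor Yellow
    Write-Host "###############################################################################" -Foregroundcolor Yellow
    Write-Host ""
    Write-Host " > Script Mode...........: $scriptMode" -Foregroundcolor Yellow
    Write-Host ""

    # Resolve the domain DN and the FQDN of the PDC emulator (the RWDC all writes target).
    If ($scriptMode -eq "ADSIorSDSP") {
        $adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $adDomainDN = $adDomain.GetDirectoryEntry().Properties["DistinguishedName"].Value
        $rwdcPDCFSMOFQDN = $adDomain.PdcRoleOwner.Name
    }
    If ($scriptMode -eq "ADPoSH") {
        Import-Module ActiveDirectory
        $adDomain = Get-ADDomain -Current LocalComputer
        $adDomainDN = $adDomain.DistinguishedName
        $rwdcPDCFSMOFQDN = $adDomain.PDCEmulator
    }

    # Creating And Defining The PSO For DSRM PlaceHolder Accounts
    $psoName = "PSO-DSRM-PlaceHolder-Accounts"
    $psoDescription = "PSO To Manage Password And Lockout Settings For DSRM PlaceHolder Accounts"
    Write-Host " > Creating The PSO For DSRM PlaceHolder Accounts" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        # ADSI expects the age/duration attributes as negative large integers in 100ns ticks,
        # hence the "TicksPer* * -N" expressions below.
        $psoContainerObject = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/CN=Password Settings Container,CN=System,$adDomainDN"
        $psoObject = $psoContainerObject.Create("msDS-PasswordSettings", "CN=$psoName")
        $psoObject.Put("adminDisplayName", $psoName)
        $psoObject.Put("displayName", $psoName)
        $psoObject.Put("description", $psoDescription)
        $psoObject.Put("msDS-MinimumPasswordAge", "0") # Min Password Age = 0 Days
        $psoObject.Put("msDS-MaximumPasswordAge", "$([TimeSpan]::TicksPerDay*-1440)") # Max Password Age = 1440 Days
        $psoObject.Put("msDS-MinimumPasswordLength", "32") # Min Password Length = 32
        $psoObject.Put("msDS-PasswordComplexityEnabled", "TRUE") # Password Complexity Is Enabled
        $psoObject.Put("msDS-PasswordReversibleEncryptionEnabled", "FALSE") # Password With Reversible Encryption Is Disabled
        $psoObject.Put("msDS-PasswordHistoryLength", "0") # Password History Length = 0 (IMPORTANT - So That The Account DOES NOT Have Any Hashes In The History!!!)
        $psoObject.Put("msDS-LockoutThreshold", "100") # Number Of Attempts = 100
        $psoObject.Put("msDS-LockoutDuration", "$([TimeSpan]::TicksPerHour*-12)") # Lockout Duration = 12 Hours
        $psoObject.Put("msDS-LockoutObservationWindow", "$([TimeSpan]::TicksPerMinute*-5)") # Lockout Observation Window = 5 Minutes
        $psoObject.Put("msDS-PasswordSettingsPrecedence", "1") # Password Settings Object Precedence
        $psoObject.SetInfo()
        $psoObject.RefreshCache()
        # Re-bind to the committed entry so the later PutEx/SetInfo calls operate on the stored object.
        $psoObject = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/CN=$psoName,CN=Password Settings Container,CN=System,$adDomainDN"
    }
    If ($scriptMode -eq "ADPoSH") {
        # Same settings as the ADSI branch; the age/duration values are explicit TimeSpans
        # so the units (days/hours/minutes) are unambiguous and match the ADSI branch
        # instead of relying on integer-to-TimeSpan conversion.
        $fgppParams = @{
            Name                        = $psoName
            DisplayName                 = $psoName
            Description                 = $psoDescription
            MinPasswordAge              = [TimeSpan]::Zero            # Min Password Age = 0 Days
            MaxPasswordAge              = New-TimeSpan -Days 1440     # Max Password Age = 1440 Days
            MinPasswordLength           = 32
            ComplexityEnabled           = $true
            ReversibleEncryptionEnabled = $false
            PasswordHistoryCount        = 0                           # Important So That The Account DOES NOT Have Any Hashes In The History
            LockoutThreshold            = 100
            LockoutDuration             = New-TimeSpan -Hours 12      # Lockout Duration = 12 Hours
            LockoutObservationWindow    = New-TimeSpan -Minutes 5     # Lockout Observation Window = 5 Minutes
            Precedence                  = 1
            OtherAttributes             = @{ "adminDisplayName" = $psoName }
            Server                      = $rwdcPDCFSMOFQDN
        }
        New-ADFineGrainedPasswordPolicy @fgppParams
    }

    #######################################
    # Links the PSO to one DSRM placeholder account, looked up by sAMAccountName under the
    # domain root on the PDC emulator. An account that is not found is reported with a
    # warning and skipped; nothing is created on its behalf.
    # Reads (parent scope): $scriptMode, $psoObject, $psoName, $rwdcPDCFSMOFQDN, $adDomainDN
    # Arguments: -sAMAccountName  the account to link
    #######################################
    function Add-DsrmAccountToPso {
        param (
            [Parameter(Mandatory = $true)]
            [string]$sAMAccountName
        )
        If ($scriptMode -eq "ADSIorSDSP") {
            $adsiSearcher = New-Object DirectoryServices.DirectorySearcher
            $adsiSearcher.SearchRoot = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$adDomainDN"
            $adsiSearcher.Filter = "(sAMAccountName=$sAMAccountName)"
            $accountObject = $adsiSearcher.FindOne()
            If ($null -ne $accountObject) {
                [int]$ADS_PROPERTY_APPEND = 3 # Add To Existing Values With Whatever Is Being Set
                Write-Host " > Configuring The PSO '$psoName' To Apply To '$sAMAccountName'" -Foregroundcolor Yellow
                Write-Host ""
                $psoObject.PutEx($ADS_PROPERTY_APPEND, "msDS-PSOAppliesTo", @($($accountObject.Properties.distinguishedname[0]))) # Password Settings Object Applies To Specified Objects
                $psoObject.SetInfo()
                $psoObject.RefreshCache()
            } Else {
                Write-Warning "Account '$sAMAccountName' Was Not Found Under '$adDomainDN'; The PSO Was Not Linked To It"
            }
        }
        If ($scriptMode -eq "ADPoSH") {
            $account = Get-ADUser -SearchBase $adDomainDN -LDAPFilter "(sAMAccountName=$sAMAccountName)" -Server $rwdcPDCFSMOFQDN
            If ($null -ne $account) {
                Write-Host " > Configuring The PSO '$psoName' To Apply To '$sAMAccountName'" -Foregroundcolor Yellow
                Write-Host ""
                Add-ADFineGrainedPasswordPolicySubject $psoName -Subjects $sAMAccountName -Server $rwdcPDCFSMOFQDN
            } Else {
                Write-Warning "Account '$sAMAccountName' Was Not Found Under '$adDomainDN'; The PSO Was Not Linked To It"
            }
        }
    }

    # DSRM Admin Account For RWDCs
    $sAMAccountNameRWDCs = "dsrm.RWDCs"
    Add-DsrmAccountToPso -sAMAccountName $sAMAccountNameRWDCs

    # DSRM Admin Account For RODCs
    $sAMAccountNameRODCs = "dsrm.RODCs"
    Add-DsrmAccountToPso -sAMAccountName $sAMAccountNameRODCs

    Write-Host ""
}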