Skip to content

Commit

Permalink
feat: enhanced ad group sync in wsa
Browse files Browse the repository at this point in the history 
- Enhanced `Add-WorkspaceOneDirectory` cmdlet with -domainController parameter.
- Enhanced `Add-WorkspaceOneDirectoryGroup` cmdlet with -domainController parameter.
- Enhanced `Undo-WorkspaceOneDirectoryGroup` cmdlet with -domainController parameter.
- Enhanced `Get-ADPrincipalGuid` cmdlet with -domainController parameter.
- Enhanced `Invoke-IomDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectoryGroup`.
- Enhnced `Invoke-PcaDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectoryGroup`.
- Enhanced `Invoke-GlobalWsaDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectory`.
- Updated documentation.

Signed-off-by: Gary Blake <[email protected]>
  • Loading branch information
@GaryJBlake
GaryJBlake committed Oct 1, 2024
1 parent 6c102b8 commit c7610b6
Show file tree
Hide file tree
Showing 7 changed files with 126 additions and 103 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,13 @@
- Enhanced `Add-vCenterGlobalPermission` cmdlet to force synchronization of global permissions.
- Enhanced `Set-WorkspaceOneNtpConfig` cmdlet to handle a single NTP server.
- Enhanced `Invoke-DriDeployment` cmdlet to handle single NTP and DNS servers.
- Enhanced `Add-WorkspaceOneDirectory` cmdlet with -domainController parameter.
- Enhanced `Add-WorkspaceOneDirectoryGroup` cmdlet with -domainController parameter.
- Enhanced `Undo-WorkspaceOneDirectoryGroup` cmdlet with -domainController parameter.
- Enhanced `Get-ADPrincipalGuid` cmdlet with -domainController parameter.
- Enhanced `Invoke-IomDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectoryGroup`.
- Enhanced `Invoke-PcaDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectoryGroup`.
- Enhanced `Invoke-GlobalWsaDeployment` cmdlet with -domainController parameter for `Add-WorkspaceOneDirectory`.
- Removed Alias `Request-NsxToken` from `Request-NsxtToken` cmdlet.

## v2.11.1
Expand Down
2 changes: 1 addition & 1 deletion PowerValidatedSolutions.psd1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
RootModule = 'PowerValidatedSolutions.psm1'

# Version number of this module.
ModuleVersion = '2.12.0.1046'
ModuleVersion = '2.12.0.1047'

# ID used to uniquely identify this module
GUID = 'a6dfed7b-65d2-4da2-bdcc-7f3d3df9b75d'
Expand Down
44 changes: 30 additions & 14 deletions PowerValidatedSolutions.psm1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1602,7 +1602,7 @@ Function Add-WorkspaceOneDirectory {
- Creates an identity provider within Workspace ONE Access

.EXAMPLE
Add-WorkspaceOneDirectory -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -domain sfo.rainpole.io -baseDnUser "OU=Security Users,DC=sfo,DC=rainpole,DC=io" -baseDnGroup "OU=Security Groups,DC=sfo,DC=rainpole,DC=io" -bindUserDn "CN=svc-wsa-ad,OU=Security Users,DC=sfo,DC=rainpole,DC=io" -bindUserPass VMw@re1! -adGroups "gg-nsx-enterprise-admins","gg-nsx-network-admins","gg-nsx-auditors","gg-wsa-admins","gg-wsa-directory-admins","gg-wsa-read-only" -protocol "ldaps" -certificate "F:\platformtools-l1-dev\certificates\Root64.pem"
Add-WorkspaceOneDirectory -server xint-idm01.rainpole.io -user admin -pass VMw@re1! -domainController sfo-ad01.sfo.rainpole.io -domain sfo.rainpole.io -baseDnUser "OU=Security Users,DC=sfo,DC=rainpole,DC=io" -baseDnGroup "OU=Security Groups,DC=sfo,DC=rainpole,DC=io" -bindUserDn "CN=svc-idm-ad,OU=Security Users,DC=sfo,DC=rainpole,DC=io" -bindUserPass VMw@re1! -adGroups "gg-idm-admins", "gg-idm-directory-admins", "gg-idm-read-only", "gg-lcm-admins", "gg-lcm-release-managers", "gg-lcm-content-developers" -protocol "ldaps" -certificate ".\Root64.pem"
This example configures the domain sfo.rainpole.io as a directory source in Workspace ONE Access Virtual Appliance and syncronises the groups provided

.PARAMETER server
Expand All @@ -1614,6 +1614,9 @@ Function Add-WorkspaceOneDirectory {
.PARAMETER pass
The admin password of the Workspace ONE Access Virtual Appliance.

.PARAMETER domainController
The FQDN of the Domain Controller.

.PARAMETER domain
The domain name of the Active Directory Domain.

Expand Down Expand Up @@ -1643,6 +1646,7 @@ Function Add-WorkspaceOneDirectory {
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainController,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseDnUser,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseDnGroup,
Expand Down Expand Up @@ -1685,7 +1689,7 @@ Function Add-WorkspaceOneDirectory {
$adUserJson = '{ "identityUserInfo": { "' + $bindUserDn + '": { "selected": true }, "' + $baseDnUser + '": { "selected": true }}}'
$mappedGroupObject = @()
foreach ($group in $adGroups) {
$adGroupDetails = Get-ADPrincipalGuid -domain $domain -user ($bindUserDn.Split(',')[0]).Split('=')[1] -pass $bindUserPass -principal $group
$adGroupDetails = Get-ADPrincipalGuid -domainController $domainController -domain $domain -user ($bindUserDn.Split(',')[0]).Split('=')[1] -pass $bindUserPass -principal $group
if ($adGroupDetails) {
$groupsObject = @()
$groupsObject += [pscustomobject]@{
Expand Down Expand Up @@ -17783,7 +17787,7 @@ Function Invoke-IomDeployment {

if (!$failureDetected) {
Show-PowerValidatedSolutionsOutput -message "Synchronizing the Active Directory Groups for $operationsProductName in Workspace ONE Access"
$StatusMsg = Add-WorkspaceOneDirectoryGroup -server (Get-VCFWSA).loadbalancerfqdn -user $jsonInput.wsaUser -pass $jsonInput.wsaPass -domain $jsonInput.domainFqdn -bindUser $jsonInput.wsaBindUser -bindPass $jsonInput.wsaBindPass -baseDnGroup $jsonInput.baseDnGroup -adGroups $jsonInput.adGroups -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
$StatusMsg = Add-WorkspaceOneDirectoryGroup -server (Get-VCFWSA).loadbalancerfqdn -user $jsonInput.wsaUser -pass $jsonInput.wsaPass -domainController ($jsonInput.domainControllerMachineName + "." + $jsonInput.domainFqdn) -domain $jsonInput.domainFqdn -bindUser $jsonInput.wsaBindUser -bindPass $jsonInput.wsaBindPass -baseDnGroup $jsonInput.baseDnGroup -adGroups $jsonInput.adGroups -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg; if ($ErrorMsg) { $failureDetected = $true }
}

Expand Down Expand Up @@ -24066,7 +24070,7 @@ Function Invoke-PcaDeployment {

if (!$failureDetected) {
Show-PowerValidatedSolutionsOutput -message "Synchronizing the Active Directory Groups for $automationProductName in Workspace ONE Access"
$StatusMsg = Add-WorkspaceOneDirectoryGroup -server (Get-VCFWSA).loadbalancerfqdn -user $jsonInput.wsaUser -pass $jsonInput.wsaPass -domain $jsonInput.domainFqdn -bindUser $jsonInput.domainBindUserWsa -bindPass $jsonInput.domainBindPassWsa -baseDnGroup $jsonInput.baseDnGroup -adGroups $jsonInput.adGroups -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
$StatusMsg = Add-WorkspaceOneDirectoryGroup -server (Get-VCFWSA).loadbalancerfqdn -user $jsonInput.wsaUser -pass $jsonInput.wsaPass -domainController ($jsonInput.domainControllerMachineName + "." + $jsonInput.domainFqdn) -domain $jsonInput.domainFqdn -bindUser $jsonInput.domainBindUserWsa -bindPass $jsonInput.domainBindPassWsa -baseDnGroup $jsonInput.baseDnGroup -adGroups $jsonInput.adGroups -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg; if ($ErrorMsg) { $failureDetected = $true }
}

Expand Down Expand Up @@ -30535,10 +30539,10 @@ Function Invoke-GlobalWsaDeployment {
if (!$failureDetected) {
Show-PowerValidatedSolutionsOutput -message "Configuring an Identity Source for $wsaProductName"
if ($PsBoundParameters.ContainsKey("standard")) {
$StatusMsg = Add-WorkspaceOneDirectory -server $jsonInput.clusterFqdn -user $jsonInput.adminUserName -pass $jsonInput.adminPassword -domain $jsonInput.domainFqdn -baseDnUser $jsonInput.baseUserDn -baseDnGroup $jsonInput.baseGroupDN -bindUserDn $jsonInput.domainBindDn -bindUserPass $jsonInput.domainBindPass -adGroups $jsonInput.adGroups -protocol ldaps -certificate $rootPem -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
$StatusMsg = Add-WorkspaceOneDirectory -server $jsonInput.clusterFqdn -user $jsonInput.adminUserName -pass $jsonInput.adminPassword -domainController ($jsonInput.domainControllerMachineName + "." + $jsonInput.domainFqdn) -domain $jsonInput.domainFqdn -baseDnUser $jsonInput.baseUserDn -baseDnGroup $jsonInput.baseGroupDN -bindUserDn $jsonInput.domainBindDn -bindUserPass $jsonInput.domainBindPass -adGroups $jsonInput.adGroups -protocol ldaps -certificate $rootPem -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg; if ($ErrorMsg) { $failureDetected = $true }
} else {
$StatusMsg = Add-WorkspaceOneDirectory -server $jsonInput.hostNameNodeA -user $jsonInput.adminUserName -pass $jsonInput.adminPassword -domain $jsonInput.domainFqdn -baseDnUser $jsonInput.baseUserDn -baseDnGroup $jsonInput.baseGroupDN -bindUserDn $jsonInput.domainBindDn -bindUserPass $jsonInput.domainBindPass -adGroups $jsonInput.adGroups -protocol ldaps -certificate $rootPem -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
$StatusMsg = Add-WorkspaceOneDirectory -server $jsonInput.hostNameNodeA -user $jsonInput.adminUserName -pass $jsonInput.adminPassword -domainController ($jsonInput.domainControllerMachineName + "." + $jsonInput.domainFqdn) -domain $jsonInput.domainFqdn -baseDnUser $jsonInput.baseUserDn -baseDnGroup $jsonInput.baseGroupDN -bindUserDn $jsonInput.domainBindDn -bindUserPass $jsonInput.domainBindPass -adGroups $jsonInput.adGroups -protocol ldaps -certificate $rootPem -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg
messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg; if ($ErrorMsg) { $failureDetected = $true }
}
}
Expand Down Expand Up @@ -36694,7 +36698,7 @@ Function Add-WorkspaceOneDirectoryGroup {
- Adds Active Directory Groups to Workspace ONE Access

.EXAMPLE
Add-WorkspaceOneDirectoryGroup -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -domain sfo.rainpole.io -bindUser svc-vsphere-ad -bindPass VMw@re1! -baseDnGroup "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -adGroups "gg-vrli-admins","gg-vrli-users","gg-vrli-viewers"
Add-WorkspaceOneDirectoryGroup -server xint-idm01.rainpole.io -user admin -pass VMw@re1! -domainController sfo-ad01.sfo.rainpole.io -domain sfo.rainpole.io -bindUser svc-idm-ad -bindPass VMw@re1! -baseDnGroup "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -adGroups "gg-ops-admins", "gg-ops-content-admins", "gg-ops-read-only"
This example adds Active Directory groups to Workspace ONE Access directory.

.PARAMETER server
Expand All @@ -36706,6 +36710,9 @@ Function Add-WorkspaceOneDirectoryGroup {
.PARAMETER pass
The Workspace ONE Access Appliance admin password.

.PARAMETER domainController
The FQDN of the Domain Controller.

.PARAMETER domain
The Active Directory Domain name.

Expand All @@ -36726,6 +36733,7 @@ Function Add-WorkspaceOneDirectoryGroup {
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainController,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindUser,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindPass,
Expand Down Expand Up @@ -36754,7 +36762,7 @@ Function Add-WorkspaceOneDirectoryGroup {

$mappedGroupObject = @()
foreach ($group in $allGroups) {
$adGroupDetails = Get-ADPrincipalGuid -domain $domain -user $bindUser -pass $bindPass -principal $group
$adGroupDetails = Get-ADPrincipalGuid -domainController $domainController -domain $domain -user $bindUser -pass $bindPass -principal $group
if ($adGroupDetails) {
$groupsObject = @()
$groupsObject += [pscustomobject]@{
Expand Down Expand Up @@ -36819,7 +36827,7 @@ Function Undo-WorkspaceOneDirectoryGroup {
- Remove Active Directory Groups from Workspace ONE Access

.EXAMPLE
Undo-WorkspaceOneDirectoryGroup -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -domain sfo.rainpole.io -bindUser svc-vsphere-ad -bindPass VMw@re1! -baseDnGroup "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -adGroups "gg-vrli-admins","gg-vrli-users","gg-vrli-viewers"
Undo-WorkspaceOneDirectoryGroup -server xint-idm01.rainpole.io -user admin -pass VMw@re1! -domainController sfo-ad01.sfo.rainpole.io -domain sfo.rainpole.io -bindUser svc-idm-ad -bindPass VMw@re1! -baseDnGroup "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -adGroups "gg-ops-admins", "gg-ops-content-admins", "gg-ops-read-only"
This example removes Active Directory groups from Workspace ONE Access directory.

.PARAMETER server
Expand All @@ -36831,6 +36839,9 @@ Function Undo-WorkspaceOneDirectoryGroup {
.PARAMETER pass
The Workspace ONE Access Appliance administrator password.

.PARAMETER domainController
The FQDN of the Domain Controller.

.PARAMETER domain
The Active Directory Domain name.

Expand All @@ -36851,6 +36862,7 @@ Function Undo-WorkspaceOneDirectoryGroup {
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainController,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindUser,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindPass,
Expand All @@ -36877,7 +36889,7 @@ Function Undo-WorkspaceOneDirectoryGroup {
$allGroups.ToArray() | Out-Null
$mappedGroupObject = @()
foreach ($group in $allGroups) {
$adGroupDetails = Get-ADPrincipalGuid -domain $domain -user $bindUser -pass $bindPass -principal $group
$adGroupDetails = Get-ADPrincipalGuid -domainController $domainController -domain $domain -user $bindUser -pass $bindPass -principal $group
if ($adGroupDetails) {
$groupsObject = @()
$groupsObject += [pscustomobject]@{
Expand Down Expand Up @@ -37447,8 +37459,11 @@ Function Get-ADPrincipalGuid {
The Get-ADPrincipalGuid cmdlet retrieves the GUID details for an Active Directory user or group from a domain.

.EXAMPLE
Get-ADPrincipalGuid -domain sfo.rainpole.io -user svc-vsphere-ad -pass VMw@re1! -principal gg-sso-admin
This example retrieves the details for the group gg-sso-admin from the domain.
Get-ADPrincipalGuid -domainController sfo-ad01.sfo.rainpole.io -domain sfo.rainpole.io -user svc-vsphere-ad -pass VMw@re1! -principal gg-vc-admins
This example retrieves the details for the group gg-vc-admins from the domain.

.PARAMETER domainController
The FQDN of the Domain Controller.

.PARAMETER domain
The Active Directory Domain name.
Expand All @@ -37464,18 +37479,19 @@ Function Get-ADPrincipalGuid {
#>

Param (
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainController,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
[Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal
)

Try {
$checkAdAuthentication = Test-ADAuthentication -user $user -pass $pass -server $domain -domain $domain
$checkAdAuthentication = Test-ADAuthentication -user $user -pass $pass -server $domainController -domain $domain
if ($checkAdAuthentication[1] -match "AD Authentication Successful") {
$securePassword = ConvertTo-SecureString -String $pass -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($user, $securePassword)
$nsxAdminGroupObject = (Get-ADGroup -Server $domain -Credential $creds -Filter { SamAccountName -eq $principal })
$nsxAdminGroupObject = (Get-ADGroup -Server $domainController -Credential $creds -Filter { SamAccountName -eq $principal})
$nsxAdminGroupObject
} else {
Write-Error "Domain User $user Authentication Failed"
Expand Down
Loading

0 comments on commit c7610b6

Please sign in to comment.