
Oracle Identity Manager to AD script

It takes the account created by OIM and passes two fields to my script; my script enables the mailbox, sets notes and such, then creates an O drive for the user. You might not need this exact functionality, but if you need any of these things, hopefully my script can help you.
 
###################################################################################################
#
# NAME: OIMScript.ps1
# DATE: 1/5/2011
# AUTHOR: Robert Martin
#
# COMMENT: Gets parameters from OIM call and then enables mailbox, updates AD information
# and creates network share.
#
# The script calls Exchange and AD commandline tools to gather and set information.
#
# Run the script interactively, or as a scheduled task.
#
# .\OIMScript.ps1 UserPrincipalName Location
# example .\OIMScript.ps1 otest@location1.local Location1
#
# The script was tested with Powershell v2 and Exchange 2007
#
# VERSION HISTORY:
# 1.0: Created and tested script
###################################################################################################
# Command-line arguments supplied by the OIM call (see usage in the header):
#   $Argument1 - UserPrincipalName of the new account
#   $Argument2 - Location name used to pick the site settings
param($Argument1, $Argument2)
 
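function Set-WindowsInfomation ($UserPrincipalName, $Location){
<#
.SYNOPSIS
  Takes parameters from OIM and enables the mailbox in Windows.
.DESCRIPTION
  Gets parameters from the OIM call and then enables the mailbox, updates AD
  information and creates the user's network share (O drive).
  Field users (Location matching FIELDLOC1*) get "Remote" in Custom Attribute 2
  and no O drive. An unrecognised Location falls back to LOCATION1 and a
  warning is written so silent mis-provisioning is visible in the task log.
  Steps that later steps depend on (mailbox creation, folder creation, share
  creation) stop the function on error instead of continuing with a
  half-provisioned account.
.PARAMETER UserPrincipalName
  UPN of the account OIM created, e.g. otest@location1.local.
.PARAMETER Location
  Site name passed by OIM: LOCATION1, LOCATION2 or FIELDLOC1*.
.NOTES
  Needs the Exchange 2007 management snap-in and the ActiveDirectory module.
  Calls set-Sharepermissions (defined later in this file), which reads $Date
  from this scope for the share description.
#>
    # Load the Exchange Management Tools
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    # Load AD module
    Import-Module ActiveDirectory

    # Date the script ran; recorded in the user's notes and the share description
    $Date = Get-Date

    # Per-site settings. Keys:
    #   Cluster                    - mailbox server cluster the mailbox is created on
    #   PSDrive / Root / DC        - AD provider drive mapped for the site
    #   Server                     - domain controller the AD cmdlets run against
    #   Group                      - AD group for the Kix scripts ("" = skip)
    #   Attribute / Attribute2     - Exchange CustomAttribute1 (Everyone list) / CustomAttribute2
    #   NetworkServer/Drive/Folder - where the O drive folder is created
    #   W2k                        - Windows 2000 (NetBIOS) domain name, e.g. LOCATION1
    #   DomainName                 - fully qualified domain name, e.g. location1.local
    #   Field                      - "On" for field users (no O drive)
    $location1 = @{
        Cluster = "LOC1MBCluster"
        PSDrive = "LOC1DOMAIN"
        Root = 'DC=location1,DC=local'
        DC = "DC1.location1.local"
        Server = "DC1"
        Group = "Location1 users"
        Attribute = "Location 1"
        Attribute2 = ""
        NetworkServer = "FILESERVER1"
        NetworkDrive = "D"
        NetworkFolder = "Users"
        W2k = "LOCATION1"
        DomainName = "location1.local"
        Field = ""
    }
    $location2 = @{
        Cluster = "LOC2MBCluster"
        PSDrive = "LOC2DOMAIN"
        Root = 'DC=location2,DC=local'
        DC = "DC2.location2.local"
        Server = "DC2"
        Group = "Location2 users"
        Attribute = "Location 2"
        Attribute2 = ""
        NetworkServer = "FILESERVER2"
        NetworkDrive = "D"
        NetworkFolder = "Users"
        W2k = "LOCATION2"
        DomainName = "location2.local"
        Field = ""
    }

    # Pick the site from the location OIM passed in
    $site = $null
    switch -wildcard ($Location)
    {
        "LOCATION1"  { $site = $location1; break }
        "LOCATION2"  { $site = $location2; break }
        # Field users use Location1 settings, get Remote in Custom Attribute 2 and no O drive
        "FIELDLOC1*" {
            $site = $location1.Clone()
            $site.Attribute2 = "Remote"
            $site.Field = "On"
            break
        }
        # If the call does not have a known location we default to LOCATION1, but say so
        Default {
            Write-Warning "Set-WindowsInfomation: unknown location '$Location' for $UserPrincipalName; defaulting to LOCATION1"
            $site = $location1
        }
    }
    # Add the site's AD directory drive
    New-PSDrive -Name $site.PSDrive -PSProvider ActiveDirectory -Root $site.Root -Server $site.DC

    # Mailbox store to create the mailbox in: the database on the cluster with
    # the fewest mailboxes, ignoring recovery storage groups (RSG)
    $LeastBusyDB = (Get-Mailbox -Server $site.Cluster -ResultSize Unlimited |
        Where-Object { $_.Database -notmatch 'RSG' } |
        Group-Object -Property Database |
        Sort-Object Count |
        Select-Object -First 1 -ExpandProperty Name)
    if (-not $LeastBusyDB) {
        throw "Set-WindowsInfomation: no mailbox database found on $($site.Cluster) for $UserPrincipalName"
    }

    ##############################################
    ### STEP 1: Enable Exchange Account for user (stop here if it fails; everything below needs the mailbox)
    Enable-Mailbox -Identity $UserPrincipalName -Database $LeastBusyDB -ManagedFolderMailboxPolicy CleanDeletedItems60Days -ManagedFolderMailboxPolicyAllowed -ErrorAction Stop
    # Pause for 30 seconds before we move on
    Start-Sleep -s 30
    ##############################################
    ### STEP 2: Update Exchange Information with custom attributes
    Set-Mailbox -Identity $UserPrincipalName -CustomAttribute1 $site.Attribute -CustomAttribute2 $site.Attribute2
    # Pause for 20 seconds before we move on
    Start-Sleep -s 20
    ##############################################
    ### STEP 3: Update User Information
    Set-User -Identity $UserPrincipalName -Notes "Account created on $Date by OIM" -Company "Your Corporate Name"
    # Alias (string) for use in later calls
    $rawalias = Get-Mailbox $UserPrincipalName | Select-Object -ExpandProperty Alias
    if (-not $rawalias) {
        throw "Set-WindowsInfomation: could not read the mailbox alias for $UserPrincipalName"
    }
    ##############################################
    ### STEP 4: Add user to group for Kixscript
    if ($site.Group -ne "")
    {
        Add-ADGroupMember -Identity $site.Group -Members $rawalias -Server $site.Server -Confirm:$false
    }
    ##############################################
    ### Check to see if they are field user, field users do not get an O drive
    if ($site.Field -ne "On") {
        ##############################################
        ### STEP 5: Create Network Share and set permissions
        # The alias becomes part of a file-system path below; refuse anything that
        # could step outside the Users folder even though Exchange normally would not allow it
        if ($rawalias -match '[\\/]' -or $rawalias -like '*..*') {
            throw "Set-WindowsInfomation: alias '$rawalias' is not safe to use as a folder name"
        }
        # Hidden share name ($ at the end)
        $sharename = $rawalias + "$"
        # Local path on the file server (used for the share) and the UNC path (used for folder + NTFS ACL)
        $userdrive = $site.NetworkDrive + ":\" + $site.NetworkFolder + "\" + $rawalias
        $uncpath = '\\{0}\{1}$\{2}\{3}' -f $site.NetworkServer, $site.NetworkDrive, $site.NetworkFolder, $rawalias
        # Create Folder for user
        New-Item -Path $uncpath -ItemType Directory -ErrorAction Stop | Out-Null
        # Create share out of that folder (Win32_Share.Create: Path, Name, Type 0 = disk, MaximumAllowed, Description)
        $shareClass = [wmiclass]"\\$($site.NetworkServer)\root\cimv2:Win32_Share"
        $created = $shareClass.Create($userdrive, $sharename, 0, 16777216, "Created by OIM")
        if ($created.ReturnValue -ne 0) {
            throw "Set-WindowsInfomation: Win32_Share.Create failed for $sharename on $($site.NetworkServer) (return value $($created.ReturnValue))"
        }
        # NTFS: grant the user Modify on the folder, inherited by files and sub-folders
        $acl = Get-Acl $uncpath
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]'None'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(($site.W2k + "\" + $rawalias), "Modify", $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -AclObject $acl -Path $uncpath
        # Pause for 30 seconds
        Start-Sleep -s 30
        # Share-level permissions: replace the default share DACL with Change for this user only
        set-Sharepermissions -share "$sharename" -server $site.NetworkServer -user "$rawalias" -Domain $site.DomainName -mode "Change"
        ##############################################
        ### STEP 6: Set Logon Script in AD (same DC as step 4 so the change is not racing replication)
        Set-ADUser -Identity $rawalias -ScriptPath "kix32.exe" -Server $site.Server
    }
}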
 
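Function set-Sharepermissions ($share,$server,$user,$Domain,$mode) {
<#
.SYNOPSIS
  Replaces the share-level DACL of a share with a single ACE for one user.
.DESCRIPTION
  Builds a Win32_SecurityDescriptor holding one Allow ACE for $user and writes
  it to the share with Win32_Share.SetShareInfo. Existing share permissions are
  replaced; NTFS permissions on the underlying folder are not touched.
.PARAMETER share
  Share name, e.g. "jsmith$".
.PARAMETER server
  Computer hosting the share.
.PARAMETER user
  Account name; used both to look up the SID and as the trustee name.
.PARAMETER Domain
  Domain recorded in the trustee.
.PARAMETER mode
  "Full", "Change" or "Read". Anything else throws rather than writing an
  ACE with an empty access mask.
.NOTES
  Reads $Date from the caller's scope for the share description and falls back
  to the current date when it is not set.
#>
    $sd      = (New-Object Management.ManagementClass Win32_SecurityDescriptor).CreateInstance()
    $ace     = (New-Object Management.ManagementClass Win32_Ace).CreateInstance()
    $trustee = (New-Object Management.ManagementClass Win32_Trustee).CreateInstance()

    # Resolve the account to a SID (throws if the account cannot be translated)
    $account = New-Object System.Security.Principal.NTAccount($user)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $trustee.Domain    = $Domain
    $trustee.Name      = $user
    $trustee.SIDString = $sid.Value

    # Share access masks
    switch ($mode)
    {
        "Full"   { $ace.AccessMask = 2032127 }   # 0x1F01FF
        "Change" { $ace.AccessMask = 1245631 }   # 0x1301BF
        "Read"   { $ace.AccessMask = 1179817 }   # 0x1200A9
        Default  { throw "set-Sharepermissions: unknown mode '$mode' (expected Full, Change or Read)" }
    }
    $ace.AceType  = 0   # ACCESS_ALLOWED_ACE_TYPE
    $ace.AceFlags = 3   # OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    $ace.Trustee  = $trustee
    $sd.DACL = @($ace.PSObject.BaseObject)

    # Look the share up by name. The name is interpolated into a WQL string
    # literal, so escape its delimiters instead of trusting the caller's value.
    $wqlName = "$share".Replace("\", "\\").Replace("'", "\'")
    $shareObj = Get-WmiObject -ComputerName $server -Class Win32_Share -Filter "Name='$wqlName'"
    if (-not $shareObj) {
        throw "set-Sharepermissions: share '$share' not found on $server"
    }

    $stamp = $Date
    if (-not $stamp) { $stamp = Get-Date }
    $inParams = $shareObj.GetMethodParameters("SetShareInfo")
    $inParams["Access"]      = $sd.PSObject.BaseObject
    $inParams["Description"] = "Created by OIM on $stamp"
    $result = $shareObj.InvokeMethod("SetShareInfo", $inParams, $null)
    if ($result.ReturnValue -ne 0) {
        throw "set-Sharepermissions: SetShareInfo failed for '$share' on $server (return value $($result.ReturnValue))"
    }
}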
# This is where we call the two functions above



Courtesy: http://www.robertwmartin.com/?p=158
