
Commit 16e2f95

authored
add helper script to generate enrollment tokens (#653)
1 parent de8efb0 commit 16e2f95

1 file changed

Lines changed: 231 additions & 0 deletions


Lines changed: 231 additions & 0 deletions
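@@ -0,0 +1,231 @@
+param(
+[Parameter(Mandatory=$true)]
+[string]$Url,
+
+[Parameter(Mandatory=$true)]
+[string]$ApiToken,
+
+[Parameter(Mandatory=$true)]
+[string]$GroupName,
+
+[Parameter(Mandatory=$true)]
+[string]$ADAttribute,
+
+[Parameter(Mandatory=$false)]
+[string]$ADUsername,
+
+[Parameter(Mandatory=$false)]
+[string]$DomainController
+)
+
+# Function to make authenticated API calls
+function Invoke-AuthenticatedRestMethod {
+param(
+[string]$Method,
+[string]$Endpoint,
+[object]$Body = $null
+)
+
+$headers = @{
+"Authorization" = "Bearer $ApiToken"
+"Content-Type" = "application/json"
+"Accept" = "application/json"
+}
+
+$uri = "$Url/$Endpoint"
+
+try {
+if ($Body) {
+$jsonBody = $Body | ConvertTo-Json
+$response = Invoke-RestMethod -Uri $uri -Method $Method -Headers $headers -Body $jsonBody
+} else {
+$response = Invoke-RestMethod -Uri $uri -Method $Method -Headers $headers
+}
+return $response
+}
+catch {
+Write-Error "API call failed: $($_.Exception.Message)"
+return $null
+}
+}
+
+# Function to update Active Directory user attribute
+function Set-ADUserEnrollmentToken {
+param(
+[string]$Username,
+[string]$EnrollmentToken,
+[string]$EnrollmentUrl,
+[string]$AttributeName,
+[System.Management.Automation.PSCredential]$Credential
+)
+
+try {
+# Build parameters for AD cmdlets
+$adParams = @{
+Identity = $Username
+Properties = $AttributeName
+ErrorAction = "Stop"
+}
+
+# Add credential if provided
+if ($Credential) {
+$adParams["Credential"] = $Credential
+}
+
+# Add domain controller if provided
+if ($DomainController) {
+$adParams["Server"] = $DomainController
+}
+
+# Verify user exists in Active Directory (result not stored, just checking for errors)
+Get-ADUser @adParams | Out-Null
+
+# Create JSON object to store in AD attribute
+$enrollmentData = @{
+enrollmentToken = $EnrollmentToken
+enrollmentUrl = $EnrollmentUrl
+}
+
+$jsonData = $enrollmentData | ConvertTo-Json -Compress
+
+# Update AD user attribute
+$setParams = @{
+Identity = $Username
+Replace = @{$AttributeName = $jsonData}
+ErrorAction = "Stop"
+}
+
+# Add credential if provided
+if ($Credential) {
+$setParams["Credential"] = $Credential
+}
+
+# Add domain controller if provided
+if ($DomainController) {
+$setParams["Server"] = $DomainController
+}
+
+Set-ADUser @setParams
+
+Write-Host " Successfully updated AD attribute for $Username" -ForegroundColor Green
+return $true
+}
+catch {
+Write-Host " Failed to update AD attribute for $Username : $($_.Exception.Message)" -ForegroundColor Red
+return $false
+}
+}
+
+# Main script execution
+Write-Host "Fetching group members for group: $GroupName" -ForegroundColor Green
+
+# Handle AD authentication
+$ADCredential = $null
+if ($ADUsername) {
+Write-Host "Using provided AD credentials for authentication" -ForegroundColor Yellow
+$ADPassword = Read-Host -Prompt "Enter AD password for $ADUsername" -AsSecureString
+$ADCredential = New-Object System.Management.Automation.PSCredential($ADUsername, $ADPassword)
+} else {
+Write-Host "Using current user context for AD authentication" -ForegroundColor Yellow
+}
+
+# Get group members
+$groupEndpoint = "api/v1/group/$GroupName"
+$groupResponse = Invoke-AuthenticatedRestMethod -Method "GET" -Endpoint $groupEndpoint
+
+if (-not $groupResponse) {
+Write-Error "Failed to fetch group members"
+exit 1
+}
+
+# Extract usernames from the response
+$usernames = $groupResponse.members
+
+if (-not $usernames -or $usernames.Count -eq 0) {
+Write-Host "No members found in group: $GroupName" -ForegroundColor Yellow
+exit 0
+}
+
+Write-Host "Found $($usernames.Count) members in the group" -ForegroundColor Green
+
+# Import Active Directory module
+try {
+Import-Module ActiveDirectory -ErrorAction Stop
+Write-Host "Active Directory module loaded successfully" -ForegroundColor Green
+}
+catch {
+Write-Error "Failed to load Active Directory module: $($_.Exception.Message)"
+exit 1
+}
+
+# Test AD connectivity
+try {
+$testParams = @{ Filter = "Name -like '*'" }
+if ($ADCredential) {
+$testParams["Credential"] = $ADCredential
+Write-Host "Testing AD connectivity with provided credentials..." -ForegroundColor Yellow
+} else {
+Write-Host "Testing AD connectivity with current user context..." -ForegroundColor Yellow
+}
+if ($DomainController) { $testParams["Server"] = $DomainController }
+
+Get-ADUser @testParams -ResultSetSize 1 | Out-Null
+Write-Host "Active Directory connectivity test successful" -ForegroundColor Green
+}
+catch {
+Write-Error "Active Directory connectivity test failed: $($_.Exception.Message)"
+Write-Host "Please check your credentials, domain controller, and network connectivity" -ForegroundColor Red
+exit 1
+}
+
+# Array to store enrollment tokens
+$enrollmentTokens = @()
+$adUpdateResults = @()
+
+# Loop through each user and generate enrollment token
+foreach ($username in $usernames) {
+Write-Host "Processing user: $username" -ForegroundColor Cyan
+
+$enrollmentEndpoint = "api/v1/user/$username/start_enrollment"
+$requestBody = @{
+email = $null
+send_enrollment_notification = $false
+}
+
+$enrollmentResponse = Invoke-AuthenticatedRestMethod -Method "POST" -Endpoint $enrollmentEndpoint -Body $requestBody
+
+if ($enrollmentResponse) {
+$tokenInfo = @{
+username = $username
+enrollment_token = $enrollmentResponse.enrollment_token
+enrollment_url = $enrollmentResponse.enrollment_url
+}
+$enrollmentTokens += $tokenInfo
+
+Write-Host " Enrollment token generated for $username" -ForegroundColor Green
+
+# Update Active Directory
+$adResult = Set-ADUserEnrollmentToken -Username $username -EnrollmentToken $enrollmentResponse.enrollment_token -EnrollmentUrl $enrollmentResponse.enrollment_url -AttributeName $ADAttribute -Credential $ADCredential
+
+$adUpdateResults += @{
+username = $username
+success = $adResult
+enrollment_token = $enrollmentResponse.enrollment_token
+enrollment_url = $enrollmentResponse.enrollment_url
+}
+}
+else {
+Write-Host " Failed to generate enrollment token for $username" -ForegroundColor Red
+$adUpdateResults += @{
+username = $username
+success = $false
+enrollment_token = $null
+enrollment_url = $null
+}
+}
+}
+
+# Output summary
+Write-Host "Enrollment token generation and AD update completed!" -ForegroundColor Green
+$successfulADUpdates = ($adUpdateResults | Where-Object { $_.success }).Count
+Write-Host "Successfully updated AD attributes: $successfulADUpdates/$($usernames.Count)" -ForegroundColor $(if ($successfulADUpdates -eq $usernames.Count) { "Green" } else { "Yellow" })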
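Review bot: `$ApiToken` is taken as a plain `[string]` parameter and sent as a Bearer header to whatever `$Url` the caller supplies, so the token sits in the process command line, PowerShell history and any transcript, and travels in clear text if `$Url` is `http://`; the script should refuse non-HTTPS URLs before the first request, e.g. `if ($Url -notmatch '^https://') { Write-Error 'Url must use https://'; exit 1 }`, and accept the token the way the AD password already is (`Read-Host -AsSecureString`) or from an environment variable. The `$username` values returned by the group endpoint are interpolated unescaped into `api/v1/user/$username/start_enrollment`; building that path with `[uri]::EscapeDataString($username)` keeps a name containing `/`, `?` or `#` from addressing a different endpoint. Writing the enrollment token into `$ADAttribute` is only as safe as that attribute's ACL — most user attributes are readable by Authenticated Users by default, in which case any domain account could read every member's token — so a header comment stating that the chosen attribute must be read-restricted (or a confidential attribute) would be worth adding. `$enrollmentTokens` is appended to on every success but never read afterwards and can be dropped.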
