I just though I’d share

Edit: I’m not sure if this actually works. All else fails fall back to Ansible

  • cheet@infosec.pub
    link
    fedilink
    arrow-up
    1
    ·
    6 months ago

    sorry I don’t have any real documentation but I have a snippet of powershell that explains it pretty well here this comes from a user creation script I wrote back when they removed the unix UI.

    I was using Get-AdUser and discovered that the properties still existed but you have to manually shove those in, when an sssd “domain bound” linux machine has a user with these props login, they get the defined UID and GID and homefolder etc.

    $otherAttributes = @{}
    Write-Host -ForegroundColor Yellow "Adding Linux Attributes"
    
    # get the next numeric uid number from AD
    $uidNumber=((get-aduser -Filter * -Properties * | where-object {$_.uidNumber} | select uidNumber | sort uidNumber | select -Last 1).uidNumber)+1
    
    $otherAttributes.Add("unixHomeDirectory","/homefolder/path/$($samAccountName)")
    $otherAttributes.Add("uid","$($samAccountName)")
    $otherAttributes.Add("gidNumber","$($gidNumber)")
    $otherAttributes.Add("uidNumber","$($uidNumber)")
    $otherAttributes.Add("loginShell","$($loginShell)")
    
    $UserArgs = @{
        Credential = $creds
        Enabled = $true
        ChangePasswordAtLogon = $true
        Path = $usersOU
        HomeDirectory = "$homeDirPath\$samAccountName"
        HomeDrive = $homeDriveLetter
        GivenName = $firstName
        Surname = $lastName
        DisplayName = $displayName
        SamAccountName = $samAccountName
        Name = $displayName
        AccountPassword = $securePW
        UserPrincipalName = "$($aliasName)@DOMAIN.COM"
        OtherAttributes = $otherAttributes
    }
    
    $newUser = New-ADUser @UserArgs
    

    basically the “OtherAttributes” on the ADUser object is a hashtable that holds all the special additional LDAP attributes, so in this example we use $otherAttributes to add all the fields we need, you can do the same with “Set-Aduser” if you just wanna edit an existing user and add these props

    the @thing on New-ADuser is called a splat, very useful if you’re not familiar, it turns a hashtable into arguments

    lemme know if you have any questions

    • cheet@infosec.pub
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      6 months ago

      I think you could boil it down to something like Set-ADUser bob -otherattributes {uidNumber=1005, gidNumber=1005}