
VPN Access Runbook


Page 1: VPN Access Runbook

Title: Grant User VPN Access

Description: A user requests VPN access from the Service Manager portal. After the concerned parties have approved the request, this runbook is run to give the user access to the VPN.

Status: Not yet tested (should work just fine). The account the runbook runs as needs rights to make changes in Active Directory. Since the only change the runbook makes is to the msNPAllowDialin attribute of the requesting user, write permission on that attribute is all that should be delegated to it, rather than broad account-modification rights.

Runbook

1. Initialize Data
Part of the Runbook Control IP (integration pack). Gets the data from the service portal form, in this case the User ID.

2. Run .Net Script (Extracting SAM account name)
This scripting activity is used in case the user enters the UPN suffix along with the ID. The script ensures that only a valid user ID is passed on to the next activity.


Assembly Link: C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.dll

Both the namespace and the assembly are added via the "ADD" button.
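The step 2 script itself is not reproduced on this page, only the assembly it references. The following is an added example and not the runbook's own .Net Script; it is written in PowerShell rather than the .NET language the activity was built with. It strips a UPN suffix (user@domain) or a down-level DOMAIN\ prefix from whatever the requester typed, then rejects anything that does not look like a SAM account name. The character whitelist is deliberately stricter than what Active Directory accepts (it also forbids spaces, quotes and the $ sign) and is an assumption of this example, as are the sample inputs, which are constructed.

```powershell
# Added example (not the runbook's own .Net Script): normalise the ID typed into the
# portal form to a bare SAM account name and reject anything that is not one.
function ConvertTo-SamAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$UserInput
    )

    $value = $UserInput.Trim()

    # "user@corp.example.com" (UPN form): keep only the part before the "@"
    if ($value.Contains('@')) {
        $value = $value.Split('@')[0]
    }
    # "CORP\user" (down-level logon name): keep only the part after the last "\"
    elseif ($value.Contains('\')) {
        $value = $value.Substring($value.LastIndexOf('\') + 1)
    }

    # A user's SAM account name is at most 20 characters and may not contain
    # " / \ [ ] : ; | = , + * ? < >. The whitelist below is stricter than that
    # (an assumption of this example) so the value is also safe to embed in a
    # script body, which is what the next activity does with it.
    if ($value.Length -eq 0 -or $value.Length -gt 20) {
        throw "Rejected user ID '$UserInput': empty or longer than 20 characters"
    }
    if ($value -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Rejected user ID '$UserInput': contains characters not allowed in a SAM account name"
    }
    return $value
}

# Constructed sample inputs, as a requester might type them into the portal form
$samples = @('jdoe', 'jdoe@corp.example.com', 'CORP\jdoe', '  jdoe  ', 'j"doe', 'jdoe; Set-ADUser x', '')
foreach ($s in $samples) {
    try   { "{0,-28} -> {1}" -f "'$s'", (ConvertTo-SamAccountName -UserInput $s) }
    catch { "{0,-28} -> REJECTED: {1}" -f "'$s'", $_.Exception.Message }
}
```

The first four samples all normalise to jdoe; the last three are rejected. Throwing on bad input is intentional: in an Orchestrator activity a thrown error fails the activity, so the runbook stops before the grant step instead of running it with a malformed value.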


3. Run .Net Script (Grant VPN Access)
This is the actual work: the script grants the user VPN access by setting the msNPAllowDialin attribute to true. The script is written in PowerShell.

Note that Orchestrator substitutes the subscribed SamAccountName into the script text (the \`d.T.~Ed/...\`d.T.~Ed/ token at the top of the snippet) before the script runs, so the value lands inside a double-quoted PowerShell string literal. That is why step 2 has to reject anything that is not a plain account name: a value containing a double quote or a $( ) sequence would be parsed as code rather than treated as data.

Code Snippet

# Set script parameters from runbook data bus and Orchestrator global variables
$DataBusInput1 = "\`d.T.~Ed/{160D8A4D-B838-45E3-81B5-D30C79069E7C}.SamAccountName\`d.T.~Ed/"
$DataBusInput2 = "Test value 2"
#-----------------------------------------------------------------------

# Initialize result and trace variables
# $ResultStatus provides basic success/failed indicator
# $ErrorMessage captures any error text generated by script
# $Trace is used to record a running log of actions
$ResultStatus = ""
$ErrorMessage = ""
$Trace = (Get-Date).ToString() + "`t" + "Runbook activity script started" + " `r`n"

# Create argument array for passing data bus inputs to the external script session
$argsArray = @()
$argsArray += $DataBusInput1
$argsArray += $DataBusInput2

# Establish an external session (to localhost) to ensure a 64-bit PowerShell runtime using the latest version of PowerShell installed on the runbook server
# Use this session to perform all work to ensure the latest PowerShell features and behavior are available
$Session = New-PSSession -ComputerName localhost

# Invoke-Command is used to start the script in the external session. Variables returned by the script are then stored in the $ReturnArray variable
$ReturnArray = Invoke-Command -Session $Session -ArgumentList $argsArray -ScriptBlock {
    # Define a parameter to accept each data bus input value. Recommend matching names of parameters and data bus input variables above
    Param(
        [ValidateNotNullOrEmpty()]
        [string]$DataBusInput1,

        [ValidateNotNullOrEmpty()]
        [string]$DataBusInput2
    )

    # Define function to add an entry to the trace log variable
    function AppendLog ([string]$Message)
    {
        $script:CurrentAction = $Message
        $script:TraceLog += ((Get-Date).ToString() + "`t" + $Message + " `r`n")
    }

    # Set external session trace and status variables to defaults
    $ResultStatus = ""
    $ErrorMessage = ""
    $script:CurrentAction = ""
    $script:TraceLog = ""

    try
    {
        # Add startup details to trace log
        AppendLog "Script now executing in external PowerShell version [$($PSVersionTable.PSVersion.ToString())] session in a [$([IntPtr]::Size * 8)] bit process"
        AppendLog "Running as user [$([Environment]::UserDomainName)\$([Environment]::UserName)] on host [$($env:COMPUTERNAME)]"
        AppendLog "Parameter values received: DataBusInput1=[$DataBusInput1]; DataBusInput2=[$DataBusInput2]"

        # The actual work the script does goes here
        AppendLog "Granting VPN access to [$DataBusInput1]"

        # The actual code which does the work. -ErrorAction Stop makes every AD failure
        # (user not found, access denied) a terminating error so the catch block below sees it.
        Import-Module ActiveDirectory

        # Value of the attribute before the change (null if it has never been set)
        $myCustomVariable = Get-ADUser $DataBusInput1 -Properties msNPAllowDialin -ErrorAction Stop |
            Select-Object -ExpandProperty msNPAllowDialin

        # Set the attribute to true; this is the "Allow access" dial-in setting
        Set-ADUser $DataBusInput1 -Replace @{msNPAllowDialin=$true} -ErrorAction Stop

        # Read the attribute back so the result can be verified rather than assumed
        $myCustomVariable2 = Get-ADUser $DataBusInput1 -Properties msNPAllowDialin -ErrorAction Stop |
            Select-Object -ExpandProperty msNPAllowDialin

        # Validate results and set return status: success only if the read-back value is true
        AppendLog "Finished work, determining result"
        $EverythingWorked = ($myCustomVariable2 -eq $true)
        if($EverythingWorked -eq $true)
        {
            $ResultStatus = "Success"
        }
        else
        {
            $ResultStatus = "Failed"
            $ErrorMessage = "msNPAllowDialin on [$DataBusInput1] is [$myCustomVariable2] after Set-ADUser, expected True"
        }
    }
    catch
    {
        # Catch any errors thrown above, setting the result status and recording the error message to return to the activity for data bus publishing
        $ResultStatus = "Failed"
        $ErrorMessage = $error[0].Exception.Message
        AppendLog "Exception caught during action [$script:CurrentAction]: $ErrorMessage"
    }
    finally
    {
        # Always do whatever is in the finally block. In this case, adding some additional detail about the outcome to the trace log for return
        if($ErrorMessage.Length -gt 0)
        {
            AppendLog "Exiting external session with result [$ResultStatus] and error message [$ErrorMessage]"
        }
        else
        {
            AppendLog "Exiting external session with result [$ResultStatus]"
        }
    }

    # Return an array of the results. Additional variables like "myCustomVariable" can be returned by adding them onto the array
    $resultArray = @()
    $resultArray += $ResultStatus
    $resultArray += $ErrorMessage
    $resultArray += $script:TraceLog
    $resultArray += $myCustomVariable
    $resultArray += $myCustomVariable2
    return $resultArray
} # End Invoke-Command

# Get the values returned from the script session for publishing to the data bus
$ResultStatus = $ReturnArray[0]
$ErrorMessage = $ReturnArray[1]
$Trace += $ReturnArray[2]
$MyCustomVariable = $ReturnArray[3]
$MyCustomVariable2 = $ReturnArray[4]

# Record end of activity script process
$Trace += (Get-Date).ToString() + "`t" + "Script finished" + " `r`n"

# Close the external session
Remove-PSSession $Session


4. Get User
Part of the Active Directory IP. This activity fetches the affected user's email address and manager, so that both can be notified of the decision that VPN access has been granted to the user.

Select the Name as "Active Directory" by pressing the ellipsis (...) button. In the Properties field, "Search Root" is added with the Optional Properties button.

The Search Root field is filled using a subscribed variable.


Now from the left tab select Filter and press "ADD".


The Value field is populated using published data.

5. Get User (Get Manager)
This second Get User activity fetches information about the user's direct manager.


Select the Filter tab, press "ADD" and populate the filter as follows.

The Value field is populated with published data placed between the first two inverted commas (quotation marks).


6. Append Line
Writes the results to a file. The text area includes the two addresses fetched by the Get User activities:

UserEmail:
ManagerEmail:

Before: (screenshot of the text area before the published data is inserted; not reproduced here)

After: (screenshot of the text area with the published data inserted; not reproduced here)

7. Create And Send Email (Notify user and Manager of VPN Access Allowed)
Part of the Exchange User IP.

To: filled using the published data technique, with the user's and the manager's email addresses from steps 4 and 5.

Body: includes the following fields, again from published data:

UserName:
Email:

Click OK, then Finish. Done.
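Steps 4 to 7 above are Orchestrator activities configured through Runbook Designer dialogs whose screenshots are not reproduced on this page. As an added example, and not part of the original runbook, here is the same sequence written in PowerShell with the ActiveDirectory module and Send-MailMessage. It also covers a case the Get Manager filter does not: a user whose manager attribute is empty, which would leave that filter's value blank. The log path, SMTP server, sender address and the account name 'jdoe' are placeholders and constructed sample values, not taken from the page.

```powershell
# Added example (not the runbook's own activities): steps 4 to 7 with the
# ActiveDirectory module and Send-MailMessage. Log path, SMTP server and sender
# address are placeholders; 'jdoe' at the bottom is a constructed sample.
Import-Module ActiveDirectory

function Get-VpnNotificationRecipients {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Step 4 (Get User): the mail address plus the manager attribute, which holds
    # the manager's distinguished name or is empty when no manager has been set.
    $user = Get-ADUser -Identity $SamAccountName -Properties mail, manager -ErrorAction Stop

    # Step 5 (Get Manager): the runbook filters a second Get User on that DN. An
    # empty manager attribute would leave the filter value blank, so treat it as
    # "no manager" here instead of letting the lookup fail.
    $managerEmail = $null
    if ($user.manager) {
        $managerEmail = (Get-ADUser -Identity $user.manager -Properties mail -ErrorAction Stop).mail
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        UserEmail      = $user.mail
        ManagerEmail   = $managerEmail
    }
}

function Write-VpnAccessLog {
    param(
        [Parameter(Mandatory)]$Recipients,
        [string]$LogPath = 'C:\RunbookLogs\vpn-access.log'   # placeholder path
    )
    # Step 6 (Append Line): one tab-separated record per grant, including who ran
    # it and when, so the file doubles as an audit trail of dial-in grants.
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null
    $fields = @(
        (Get-Date -Format 'o'),
        $Recipients.SamAccountName,
        $Recipients.UserEmail,
        $Recipients.ManagerEmail,
        "$([Environment]::UserDomainName)\$([Environment]::UserName)"
    )
    $line = "{0}`t{1}`tUserEmail: {2}`tManagerEmail: {3}`tGrantedBy: {4}" -f $fields
    Add-Content -Path $LogPath -Value $line
}

function Send-VpnGrantNotification {
    param(
        [Parameter(Mandatory)]$Recipients,
        [string]$SmtpServer = 'smtp.corp.example.com',        # placeholder
        [string]$From       = 'orchestrator@corp.example.com' # placeholder
    )
    # Step 7 (Create And Send Email): notify the user and, when one exists, the manager.
    $to = @(@($Recipients.UserEmail, $Recipients.ManagerEmail) | Where-Object { $_ })
    if ($to.Count -eq 0) {
        throw "No mail address found for $($Recipients.SamAccountName); nothing to notify"
    }
    $body = @"
VPN access has been granted.

UserName: $($Recipients.SamAccountName)
Email:    $($Recipients.UserEmail)
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
        -Subject 'VPN access granted' -Body $body
}

# Usage, in the order the runbook runs the activities
$recipients = Get-VpnNotificationRecipients -SamAccountName 'jdoe'
Write-VpnAccessLog -Recipients $recipients
Send-VpnGrantNotification -Recipients $recipients
```

The three functions map one-to-one onto activities 4/5, 6 and 7, which keeps the same failure points visible: an unknown account stops at the first lookup, a user with no manager still gets logged and notified, and a user with no mail address fails before anything is sent.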