Ejemplo n.º 1
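        /// <summary>
        /// Resolves the file system path of one section of an existing domain GPO.
        /// </summary>
        /// <param name="gpoGuid">GUID of the group policy object to open in the current domain.</param>
        /// <param name="computer">True for the Computer section path, false for the User section path.</param>
        /// <returns>The section's file system path, or <see cref="String.Empty"/> when no GPO with that GUID exists.</returns>
        private static string GetExistingGPOPath(Guid gpoGuid, bool computer)
        {
            Domain domain = Domain.GetCurrentDomain();

            using (GroupPolicyObject existGPO = new GroupPolicyObject())
            {
                try
                {
                    // NOTE(review): the meaning of the two boolean flags is not visible here; confirm against OpenDSGpo.
                    existGPO.OpenDSGpo(domain, gpoGuid, false, false);
                }
                catch (ActiveDirectoryObjectNotFoundException)
                {
                    // A missing GPO is an expected outcome and is reported as an empty path, not an error.
                    return String.Empty;
                }

                return existGPO.GetFileSystemPath(computer ? GpoSection.Computer : GpoSection.User);
            }
        }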
Ejemplo n.º 2
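 /// <summary>
 /// Constructor. Opens the local machine GPO, or the GPO of <paramref name="remoteMachineName"/>
 /// when a name is supplied, loading its registry hive (GPO_OPEN_LOAD_REGISTRY).
 /// </summary>
 /// <param name="remoteMachineName">Target machine name to operate group policy; null or empty selects the local machine.</param>
 /// <exception cref="System.Runtime.InteropServices.COMException">Throw when com execution throws exceptions</exception>
 public GroupPolicyObjectHandler(String remoteMachineName)
 {
     groupPolicyObject  = new GroupPolicyObject();
     iGroupPolicyObject = (IGroupPolicyObject)groupPolicyObject;

     // A COMException from the open call propagates unchanged; the former catch-and-rethrow
     // (`throw e;`) only discarded the original stack trace.
     // The machine name is handed to the COM call as given, so callers should validate it first.
     if (String.IsNullOrEmpty(remoteMachineName))
     {
         iGroupPolicyObject.OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY);
     }
     else
     {
         iGroupPolicyObject.OpenRemoteMachineGPO(remoteMachineName, GPO_OPEN_LOAD_REGISTRY);
     }
 }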
Ejemplo n.º 3
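        /// <summary>
        /// Performs the execution of the command: ensures the device registration configuration
        /// container and its service connection point (SCP) exist in the configuration naming context,
        /// then creates the MDM auto-enrollment group policy in the default naming context.
        /// </summary>
        /// <exception cref="PSInvalidOperationException">
        /// Thrown when <see cref="Domain"/> or <see cref="TenantId"/> must be resolved from the session
        /// and no session context is available.
        /// </exception>
        public override void ExecuteCmdlet()
        {
            if (!ShouldProcess("Creates the group policy and service connection point required to have domain joined devices automatically enroll into MDM."))
            {
                return;
            }

            // Either value may be filled in from the connected session, which requires a context.
            if ((string.IsNullOrEmpty(Domain) || string.IsNullOrEmpty(TenantId)) && MgmtSession.Instance.Context == null)
            {
                throw new PSInvalidOperationException(Resources.RunConnectSecMgmtAccount);
            }

            string tenantId  = string.IsNullOrEmpty(TenantId) ? MgmtSession.Instance.Context.Account.Tenant : TenantId;
            // Cmdlet execution is synchronous, so the async domain lookup is blocked on here.
            string aadDomain = string.IsNullOrEmpty(Domain) ? GetDomainValue(tenantId).ConfigureAwait(false).GetAwaiter().GetResult() : Domain;

            WriteDebug($"Using {aadDomain} for the domain value and {tenantId} for the tenant identifier value");

            using (DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE"))
            {
                string configCN   = rootDSE.Properties["configurationNamingContext"][0].ToString();
                string servicesCN = $"CN=Services,{configCN}";
                string drcCN      = $"CN=Device Registration Configuration,{servicesCN}";
                string domainName = $"LDAP://{rootDSE.Properties["defaultNamingContext"].Value}";

                // DirectoryEntry wraps a COM object; dispose it rather than leaving it to the finalizer.
                using (DirectoryEntry deDRC = OpenOrCreateDeviceRegistrationContainer(servicesCN, drcCN))
                {
                    WriteServiceConnectionPoint(deDRC, drcCN, tenantId, aadDomain);
                }

                CreateAutoEnrollmentPolicy(domainName);

                WriteObject($"Domain has been prepared and the {GroupPolicyDisplayName} group policy has been created. You will need to link the group policy for the settings to apply.");
            }
        }

        /// <summary>
        /// Returns the "Device Registration Configuration" container, creating it under CN=Services when absent.
        /// </summary>
        /// <param name="servicesCN">Distinguished name of the CN=Services container.</param>
        /// <param name="drcCN">Distinguished name the device registration container has or will have.</param>
        /// <returns>An open <see cref="DirectoryEntry"/> for the container; the caller disposes it.</returns>
        private DirectoryEntry OpenOrCreateDeviceRegistrationContainer(string servicesCN, string drcCN)
        {
            if (DirectoryEntry.Exists($"LDAP://{drcCN}"))
            {
                WriteDebug($"Device registration configuration container already exists at LDAP://{drcCN}");
                return new DirectoryEntry($"LDAP://{drcCN}");
            }

            WriteDebug($"Creating the device registration configuration container in LDAP://{servicesCN}");
            using (DirectoryEntry services = new DirectoryEntry($"LDAP://{servicesCN}"))
            {
                DirectoryEntry container = services.Children.Add("CN=Device Registration Configuration", "container");
                container.CommitChanges();
                return container;
            }
        }

        /// <summary>
        /// Creates the service connection point or replaces its keywords so they name the given tenant and domain.
        /// </summary>
        /// <param name="deDRC">The device registration configuration container that owns the SCP.</param>
        /// <param name="drcCN">Distinguished name of <paramref name="deDRC"/>.</param>
        /// <param name="tenantId">Tenant identifier written as the azureADId keyword.</param>
        /// <param name="aadDomain">Domain written as the azureADName keyword.</param>
        private void WriteServiceConnectionPoint(DirectoryEntry deDRC, string drcCN, string tenantId, string aadDomain)
        {
            const string scpRdn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080";
            string scpCN       = $"{scpRdn},{drcCN}";
            string azureADId   = $"azureADId:{tenantId}";
            string azureADName = $"azureADName:{aadDomain}";

            DirectoryEntry deSCP;
            if (DirectoryEntry.Exists($"LDAP://{scpCN}"))
            {
                deSCP = new DirectoryEntry($"LDAP://{scpCN}");

                WriteDebug($"Service connection point LDAP://{scpCN} already exists, so clearing the keywords property");
                // Existing keywords are discarded: an SCP that pointed at another tenant is re-pointed here,
                // which is why the cmdlet is gated by ShouldProcess.
                deSCP.Properties["keywords"].Clear();

                WriteDebug($"Updating the keywords property on the service connection point LDAP://{scpCN}");
            }
            else
            {
                WriteDebug($"The service connection point LDAP://{scpCN} does not exist, so it will be created");
                deSCP = deDRC.Children.Add(scpRdn, "serviceConnectionPoint");
            }

            using (deSCP)
            {
                deSCP.Properties["keywords"].Add(azureADName);
                deSCP.Properties["keywords"].Add(azureADId);
                deSCP.CommitChanges();
            }
        }

        /// <summary>
        /// Creates the group policy and writes the MDM auto-enrollment values into its machine registry section.
        /// </summary>
        /// <param name="domainName">LDAP path of the default naming context the GPO is created in.</param>
        private void CreateAutoEnrollmentPolicy(string domainName)
        {
            // gpedit.h constants: GPO_OPEN_LOAD_REGISTRY and GPO_SECTION_MACHINE.
            const int gpoOpenLoadRegistry = 0x1;
            const int gpoSectionMachine   = 0x2;

            // Direct cast: a failed cast surfaces as InvalidCastException instead of a later null dereference.
            IGroupPolicyObject2 groupPolicyObject = (IGroupPolicyObject2)new GroupPolicyObject();

            WriteDebug($"Creating {GroupPolicyDisplayName} group policy");

            groupPolicyObject.New(domainName, GroupPolicyDisplayName, gpoOpenLoadRegistry);

            IntPtr sectionKeyHandle = IntPtr.Zero;
            IntPtr key              = IntPtr.Zero;
            try
            {
                sectionKeyHandle = groupPolicyObject.GetRegistryKey(gpoSectionMachine);

                RegistryOperations.RegistryCreateKey(
                    sectionKeyHandle,
                    @"Software\Policies\Microsoft\Windows\CurrentVersion\MDM",
                    0,
                    null,
                    0,
                    RegSAM.Write,
                    null,
                    out key,
                    out RegResult _);

                SetRegistryDWordValue(key, "AutoEnrollMDM", 1);
                SetRegistryDWordValue(key, "UseAADCredentialType", 1);

                // 35378EAC-... is the Registry client-side extension; the other GUIDs are the extension/snap-in
                // identifiers the original author registered — NOTE(review): confirm against the CSE list.
                groupPolicyObject.Save(true, true, new Guid("7909AD9E-09EE-4247-BAB9-7029D5F0A278"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
                groupPolicyObject.Save(true, true, new Guid("35378EAC-683F-11D2-A89A-00C04FBBCFA2"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
            }
            finally
            {
                // Release the registry handles even when the key creation or Save throws.
                if (key != IntPtr.Zero)
                {
                    RegistryOperations.RegistryCloseKey(ref key);
                }

                if (sectionKeyHandle != IntPtr.Zero)
                {
                    RegistryOperations.RegistryCloseKey(ref sectionKeyHandle);
                }
            }
        }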
Ejemplo n.º 4
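        /// <summary>
        /// Looks up the file system path of the Computer or User section of an existing domain GPO.
        /// </summary>
        /// <param name="gpoGuid">GUID of the group policy object, opened in the current domain.</param>
        /// <param name="computer">True selects the Computer section, false the User section.</param>
        /// <returns>The section path, or <see cref="String.Empty"/> when the GPO cannot be found.</returns>
        private static string GetExistingGPOPath(Guid gpoGuid, bool computer)
        {
            Domain domain = Domain.GetCurrentDomain();
            using (GroupPolicyObject existGPO = new GroupPolicyObject())
            {
                try
                {
                    // NOTE(review): the two boolean flags are passed as false; their meaning is not visible here — confirm against OpenDSGpo.
                    existGPO.OpenDSGpo(domain, gpoGuid, false, false);
                }
                catch (ActiveDirectoryObjectNotFoundException)
                {
                    // Not-found is a normal result for this lookup and maps to an empty path.
                    return String.Empty;
                }

                GpoSection section = computer ? GpoSection.Computer : GpoSection.User;
                return existGPO.GetFileSystemPath(section);
            }
        }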