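/// <summary>
/// Resolves the SYSVOL file system path of the computer or user section of an existing domain GPO.
/// </summary>
/// <param name="gpoGuid">GUID of the group policy object to open in the current domain.</param>
/// <param name="computer">True for the computer (machine) section, false for the user section.</param>
/// <returns>
/// The file system path of the requested section, or <see cref="String.Empty"/> when no GPO with
/// <paramref name="gpoGuid"/> exists in the current domain.
/// </returns>
private static string GetExistingGPOPath(Guid gpoGuid, bool computer)
{
    // Domain is IDisposable (ActiveDirectoryPartition); release it together with the GPO wrapper.
    using (Domain domain = Domain.GetCurrentDomain())
    using (GroupPolicyObject existGPO = new GroupPolicyObject())
    {
        try
        {
            // The two trailing flags are passed as in the original call; their meaning is not visible here.
            existGPO.OpenDSGpo(domain, gpoGuid, false, false);
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            // A missing GPO is an expected outcome for the caller, not an error.
            return String.Empty;
        }

        GpoSection section = computer ? GpoSection.Computer : GpoSection.User;
        return existGPO.GetFileSystemPath(section);
    }
}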
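/// <summary>
/// Constructor. Opens the local machine GPO, or the GPO of a remote machine, and loads its registry section.
/// </summary>
/// <param name="remoteMachineName">Target machine name to operate group policy; null or empty opens the local machine GPO.</param>
/// <exception cref="System.Runtime.InteropServices.COMException">Throw when com execution throws exceptions</exception>
public GroupPolicyObjectHandler(String remoteMachineName)
{
    groupPolicyObject = new GroupPolicyObject();
    iGroupPolicyObject = (IGroupPolicyObject)groupPolicyObject;

    // A COMException raised by the open call is left to propagate as-is. The previous
    // "catch (COMException e) { throw e; }" added nothing and reset the stack trace.
    if (String.IsNullOrEmpty(remoteMachineName))
    {
        iGroupPolicyObject.OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY);
    }
    else
    {
        iGroupPolicyObject.OpenRemoteMachineGPO(remoteMachineName, GPO_OPEN_LOAD_REGISTRY);
    }
}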
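/// <summary>
/// Performs the execution of the command.
/// </summary>
/// <remarks>
/// Three steps in order: resolve the tenant identifier and Azure AD domain (from the parameters or the
/// signed-in session), create or update the device registration service connection point (SCP) in the
/// configuration partition so its keywords carry those values, then create the group policy that enables
/// MDM auto-enrollment. The policy is created but not linked; linking is left to the operator.
/// Rewriting the SCP keywords changes which tenant every domain-joined device registers with, so the
/// tenant and domain values are only as trustworthy as what the caller supplied.
/// </remarks>
/// <exception cref="PSInvalidOperationException">
/// Thrown when <see cref="Domain"/> or <see cref="TenantId"/> is missing and there is no active session to fall back on.
/// </exception>
public override void ExecuteCmdlet()
{
    if (!ShouldProcess("Creates the group policy and service connection point required to have domain joined devices automatically enroll into MDM."))
    {
        return;
    }

    // Either value may fall back to the signed-in session, so a session is only required when one is missing.
    if (string.IsNullOrEmpty(Domain) || string.IsNullOrEmpty(TenantId))
    {
        if (MgmtSession.Instance.Context == null)
        {
            throw new PSInvalidOperationException(Resources.RunConnectSecMgmtAccount);
        }
    }

    string tenantId = string.IsNullOrEmpty(TenantId) ? MgmtSession.Instance.Context.Account.Tenant : TenantId;

    // Cmdlets run synchronously, so the async lookup is blocked on here; ConfigureAwait(false) keeps it off the sync context.
    string aadDomain = string.IsNullOrEmpty(Domain)
        ? GetDomainValue(tenantId).ConfigureAwait(false).GetAwaiter().GetResult()
        : Domain;

    WriteDebug($"Using {aadDomain} for the domain value and {tenantId} for the tenant identifier value");

    using (DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE"))
    {
        EnsureServiceConnectionPoint(rootDSE, $"azureADName:{aadDomain}", $"azureADId:{tenantId}");

        string domainName = $"LDAP://{rootDSE.Properties["defaultNamingContext"].Value}";
        CreateAutoEnrollmentPolicy(domainName);

        WriteObject($"Domain has been prepared and the {GroupPolicyDisplayName} group policy has been created. You will need to link the group policy for the settings to apply.");
    }
}

/// <summary>
/// Creates the "Device Registration Configuration" container and its service connection point if they are
/// missing, then replaces the SCP keywords with the supplied tenant values.
/// </summary>
/// <param name="rootDSE">Open RootDSE entry used to read the configuration naming context.</param>
/// <param name="azureADName">Keyword of the form "azureADName:&lt;domain&gt;".</param>
/// <param name="azureADId">Keyword of the form "azureADId:&lt;tenant id&gt;".</param>
private void EnsureServiceConnectionPoint(DirectoryEntry rootDSE, string azureADName, string azureADId)
{
    string configCN = rootDSE.Properties["configurationNamingContext"][0].ToString();
    string servicesCN = $"CN=Services,{configCN}";
    string drcCN = $"CN=Device Registration Configuration,{servicesCN}";
    string scpCN = $"CN=62a0ff2e-97b9-4513-943f-0d221bd30080,{drcCN}";

    // Every DirectoryEntry wraps a COM object; all three are released in the finally block below.
    DirectoryEntry servicesEntry = null;
    DirectoryEntry deDRC = null;
    DirectoryEntry deSCP = null;

    try
    {
        if (DirectoryEntry.Exists($"LDAP://{drcCN}"))
        {
            WriteDebug($"Device registration configuration container already exists at LDAP://{drcCN}");
            deDRC = new DirectoryEntry($"LDAP://{drcCN}");
        }
        else
        {
            WriteDebug($"Creating the device registration configuration container in LDAP://{servicesCN}");
            servicesEntry = new DirectoryEntry($"LDAP://{servicesCN}");
            deDRC = servicesEntry.Children.Add("CN=Device Registration Configuration", "container");
            deDRC.CommitChanges();
        }

        if (DirectoryEntry.Exists($"LDAP://{scpCN}"))
        {
            deSCP = new DirectoryEntry($"LDAP://{scpCN}");
            WriteDebug($"Service connection point LDAP://{scpCN} already exists, so clearing the keywords property");
            // Replace rather than append so stale tenant values from an earlier run do not linger.
            deSCP.Properties["keywords"].Clear();
            WriteDebug($"Updating the keywords propoerty on the service connection point LDAP://{scpCN}");
        }
        else
        {
            WriteDebug($"The service connection point LDAP://{scpCN} does not exists, so it will be created");
            deSCP = deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint");
        }

        deSCP.Properties["keywords"].Add(azureADName);
        deSCP.Properties["keywords"].Add(azureADId);
        deSCP.CommitChanges();
    }
    finally
    {
        deSCP?.Dispose();
        deDRC?.Dispose();
        servicesEntry?.Dispose();
    }
}

/// <summary>
/// Creates the group policy object named <see cref="GroupPolicyDisplayName"/> in the given domain and writes
/// the MDM auto-enrollment registry policy values into its computer section.
/// </summary>
/// <param name="domainName">LDAP path of the domain naming context the GPO is created in.</param>
private void CreateAutoEnrollmentPolicy(string domainName)
{
    WriteDebug($"Creating {GroupPolicyDisplayName} group policy");

    // A direct cast fails immediately if the COM server does not expose IGroupPolicyObject2,
    // instead of the "as" cast yielding null and failing on the first call.
    IGroupPolicyObject2 groupPolicyObject = (IGroupPolicyObject2)new GroupPolicyObject();

    IntPtr sectionKeyHandle = IntPtr.Zero;
    IntPtr key = IntPtr.Zero;

    try
    {
        // 0x1 is GPO_OPEN_LOAD_REGISTRY; 0x2 is GPO_SECTION_MACHINE (the computer side of the GPO).
        groupPolicyObject.New(domainName, GroupPolicyDisplayName, 0x1);
        sectionKeyHandle = groupPolicyObject.GetRegistryKey(0x2);

        // NOTE(review): the return value of RegistryCreateKey is not visible here and is not checked;
        // a failed create leaves key as IntPtr.Zero and the value writes below would fail.
        RegistryOperations.RegistryCreateKey(
            sectionKeyHandle,
            @"Software\Policies\Microsoft\Windows\CurrentVersion\MDM",
            0,
            null,
            0,
            RegSAM.Write,
            null,
            out key,
            out RegResult disposition);

        SetRegistryDWordValue(key, "AutoEnrollMDM", 1);
        SetRegistryDWordValue(key, "UseAADCredentialType", 1);

        // Save(machine, add, extension, tool) marks the machine side as changed for the given client-side
        // extension; 35378EAC-… appears to be the registry policy extension. The GUIDs are as in the original call.
        groupPolicyObject.Save(true, true, new Guid("7909AD9E-09EE-4247-BAB9-7029D5F0A278"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
        groupPolicyObject.Save(true, true, new Guid("35378EAC-683F-11D2-A89A-00C04FBBCFA2"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
    }
    finally
    {
        // Previously the handles were closed only on the success path and leaked on any exception.
        if (key != IntPtr.Zero)
        {
            RegistryOperations.RegistryCloseKey(ref key);
        }

        if (sectionKeyHandle != IntPtr.Zero)
        {
            RegistryOperations.RegistryCloseKey(ref sectionKeyHandle);
        }
    }
}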
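/// <summary>
/// Resolves the SYSVOL file system path of the computer or user section of an existing domain GPO.
/// </summary>
/// <param name="gpoGuid">GUID of the group policy object to open in the current domain.</param>
/// <param name="computer">True for the computer (machine) section, false for the user section.</param>
/// <returns>
/// The file system path of the requested section, or <see cref="String.Empty"/> when no GPO with
/// <paramref name="gpoGuid"/> exists in the current domain.
/// </returns>
private static string GetExistingGPOPath(Guid gpoGuid, bool computer)
{
    // Domain is IDisposable (ActiveDirectoryPartition); release it together with the GPO wrapper.
    using (Domain domain = Domain.GetCurrentDomain())
    using (GroupPolicyObject existGPO = new GroupPolicyObject())
    {
        try
        {
            // The two trailing flags are passed as in the original call; their meaning is not visible here.
            existGPO.OpenDSGpo(domain, gpoGuid, false, false);
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            // A missing GPO is an expected outcome for the caller, not an error.
            return String.Empty;
        }

        GpoSection section = computer ? GpoSection.Computer : GpoSection.User;
        return existGPO.GetFileSystemPath(section);
    }
}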