B. AD PowerShell Script
Below is a complete PowerShell script that creates a new Active Directory service account, registers its Service Principal Names (SPNs), and generates a keytab.
Only the variables at the top of the script should be changed. Save this file with a .ps1 extension and run it with powershell.exe (from an elevated session on a machine with the ActiveDirectory module and ktpass.exe available).
```powershell
# Replace these variables
$recorderUser      = "NLRecorder"
$recorderPassword  = "1qazXSW2!@"
$recorderGivenName = "Eventide"
$recorderSurname   = "NexLogDX"
$recorderOU        = "CN=Users,DC=contoso,DC=net"
$fullDomain        = "contoso.net"
$outputLocation    = "C:\${recorderUser}\"

########## DO NOT EDIT BELOW THIS LINE ##########

# DO NOT edit these variables
# Method calls inside a string need the $( ) subexpression form; the form
# "${var.Method()}" is parsed as a variable literally named "var.Method()".
$recorderFQDN  = "$($recorderUser.ToLower()).$($fullDomain.ToLower())"
$kerberosRealm = $fullDomain.ToUpper()
# NetBIOS-style domain name used by ktpass -mapUser (first DNS label, e.g. "contoso")
$netbiosDomain = ($fullDomain -split '\.')[0]

Import-Module ActiveDirectory

# Create AD User
# -KerberosEncryptionType takes the cmdlet's enum value (AES256), not the ktpass
# crypto name "AES256-SHA1". -TrustedForDelegation $true enables unconstrained
# Kerberos delegation for this account.
New-ADUser -Name "${recorderGivenName} ${recorderSurname}" `
    -GivenName "${recorderGivenName}" `
    -Surname "${recorderSurname}" `
    -SamAccountName "${recorderUser}" `
    -UserPrincipalName "${recorderUser}@${fullDomain}" `
    -Path "${recorderOU}" `
    -Enabled $true `
    -KerberosEncryptionType AES256 `
    -TrustedForDelegation $true `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -AccountPassword (ConvertTo-SecureString -String $recorderPassword -AsPlainText -Force) `
    -PassThru

# Create Service Principal Names (SPN)
Set-ADUser -Identity $recorderUser -PassThru `
    -ServicePrincipalNames @{ Add = @("HTTP/$recorderFQDN@$kerberosRealm", "POSTGRES/$recorderFQDN@$kerberosRealm") } `
    -TrustedForDelegation $true

# Check if the output directory exists, if not, create it
if (-not (Test-Path -Path $outputLocation)) {
    New-Item -ItemType Directory -Path $outputLocation
}

# Creates the initial keytab for the HTTP SPN
# -mapOp set replaces the account's SPN mapping and (by default) sets the UPN
# and password to the values given here.
Ktpass -out "${outputLocation}NexLog_initial.keytab" `
    -princ "HTTP/$recorderFQDN@$kerberosRealm" `
    -mapUser "${netbiosDomain}\${recorderUser}" `
    -mapOp set `
    -pass $recorderPassword `
    -crypto AES256-SHA1 `
    -pType KRB5_NT_PRINCIPAL

# Adds the POSTGRES SPN to the HTTP keytab
# -setUpn and -setPass (leading minus) keep ktpass from rewriting the UPN and
# resetting the password a second time; -pass is still needed to derive the key.
Ktpass -in "${outputLocation}NexLog_initial.keytab" `
    -out "${outputLocation}NexLog_final.keytab" `
    -princ "POSTGRES/$recorderFQDN@$kerberosRealm" `
    -mapUser "${netbiosDomain}\${recorderUser}" `
    -mapOp add `
    -setUpn `
    -setPass `
    -pass $recorderPassword `
    -crypto AES256-SHA1 `
    -pType KRB5_NT_PRINCIPAL
```
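After the script has run, the following verification script checks that the account ended up in the state the procedure above intends. It is an added example, not part of the original Eventide script: it assumes the ActiveDirectory module is available, reuses the same `$recorderUser` and `$fullDomain` values, and assumes the default keytab location `C:\<recorderUser>\NexLog_final.keytab` from the script above.

```powershell
# Added verification script (not part of the original NexLog setup script).
# Assumes the same variable values as the setup script above.
$recorderUser  = "NLRecorder"
$fullDomain    = "contoso.net"
$recorderFQDN  = "$($recorderUser.ToLower()).$($fullDomain.ToLower())"
$kerberosRealm = $fullDomain.ToUpper()
$expectedSpns  = @("HTTP/$recorderFQDN@$kerberosRealm", "POSTGRES/$recorderFQDN@$kerberosRealm")
$keytab        = "C:\${recorderUser}\NexLog_final.keytab"   # assumed output path

Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $recorderUser -Properties ServicePrincipalNames, UserPrincipalName, `
    'msDS-SupportedEncryptionTypes', TrustedForDelegation, PasswordNeverExpires

$problems = @()

# 1. Every expected SPN must be registered, and nothing else should be on the account.
$actualSpns = @($acct.ServicePrincipalNames)
foreach ($spn in $expectedSpns) {
    if ($actualSpns -notcontains $spn) { $problems += "missing SPN: $spn" }
}
foreach ($spn in $actualSpns) {
    if ($expectedSpns -notcontains $spn) { $problems += "unexpected SPN on account: $spn" }
}

# 2. Each SPN must be unique in the directory; a duplicate SPN breaks Kerberos
#    authentication for both accounts that carry it.
foreach ($spn in $expectedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        $problems += "SPN $spn is registered on $($owners.Count) objects: $($owners.DistinguishedName -join '; ')"
    }
}

# 3. msDS-SupportedEncryptionTypes is a bit field: 0x10 = AES256, 0x08 = AES128, 0x04 = RC4-HMAC.
#    The setup script requested AES256 only, so AES256 must be set and RC4 must be clear.
$encTypes = [int]$acct.'msDS-SupportedEncryptionTypes'
if (-not ($encTypes -band 0x10)) { $problems += "AES256 not enabled (msDS-SupportedEncryptionTypes=$encTypes)" }
if ($encTypes -band 0x04)        { $problems += "RC4 still enabled (msDS-SupportedEncryptionTypes=$encTypes)" }

# 4. ktpass -mapOp set rewrites the UPN to the first principal; report what it is now.
"UserPrincipalName is now: $($acct.UserPrincipalName)"

# 5. Unconstrained delegation is a high-privilege setting; make it visible in the output.
if ($acct.TrustedForDelegation) {
    Write-Warning "$recorderUser is trusted for unconstrained delegation; restrict who can read its keytab and password."
}

# 6. The keytab holds the account's long-term key; it must exist and must not be
#    readable by broad groups such as Users, Authenticated Users or Everyone.
if (-not (Test-Path -Path $keytab)) {
    $problems += "keytab not found: $keytab"
} else {
    $acl = Get-Acl -Path $keytab
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference -match 'Users$|Everyone$') {
            $problems += "keytab $keytab is readable by $($ace.IdentityReference)"
        }
    }
}

if ($problems.Count -eq 0) {
    "OK: $recorderUser is configured as expected"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from the same elevated session; any warning it prints points at the step of the setup script to re-run, and the SPN uniqueness check is the one most often missed when a service account is recreated.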