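#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Creates a group Managed Service Account (gMSA) for the Quickpass Server Agent
    and re-points the QuickpassServerAgent service at it.

.DESCRIPTION
    Quickpass MSA Creation - Updated 7.26.2022

    Steps, in order:
      1. Pick the gMSA name: -msamanual if supplied, else "QPass" + a timestamp.
      2. Ensure an effective KDS root key exists (a gMSA cannot be created without one).
      3. Create the gMSA under "CN=Managed Service Accounts" (falls back to CN=Users),
         allowing only this host's computer account to retrieve the managed password.
      4. Add the gMSA to Domain Admins (required by the agent per the original
         script; see the SECURITY note at that step).
      5. Record the MSA name in the agent's registry keys.
      6. Stop the agent service, change its logon account to the gMSA, and start it.

    Registry keys are written only after the gMSA exists, so a failed AD step does
    not leave the agent configured (UseCustomMSA=1) for an account that was never
    created. AD and registry cmdlets run with -ErrorAction Stop so a failure aborts
    the script instead of silently continuing to the next step.

.PARAMETER msamanual
    Optional gMSA name, 8-15 characters. (An MSA's sAMAccountName is limited to
    15 characters before the trailing '$'.) When omitted a name is generated.

.NOTES
    Run on the domain-joined server that will host the agent, elevated, as an
    account allowed to create KDS root keys / service accounts and modify
    Domain Admins, with the ActiveDirectory RSAT module installed.
#>
param (
    [Parameter(HelpMessage = "Enter a name between 8 and 15 characters")]
    [ValidateLength(8, 15)]
    [string]${msamanual}
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- Host identity --------------------------------------------------------------
# Short name (NetBIOS-style) and FQDN of this server. Resolved before anything
# that uses them.
$dcshort = hostname
$dcn     = [System.Net.Dns]::GetHostEntry([string]$env:computername).HostName

# --- Choose the gMSA name -------------------------------------------------------
if (${msamanual}) {
    $qpmsa = ${msamanual}
} else {
    # "QPass" (5) + yyMMddHHmm (10) = exactly 15 characters, the MSA name limit.
    # The original used 'yyMMddhmss' (unpadded 12-hour hour/minute), which produced
    # a variable-length, ambiguous stamp that was then truncated at 15 characters;
    # it also appended $dcshort, which could never fit inside the limit.
    $qpmsacalc = 'QPass' + (Get-Date -Format 'yyMMddHHmm')
    $qpmsa = $qpmsacalc.Substring(0, [System.Math]::Min(15, $qpmsacalc.Length))
}
Write-Host "The MSA Account will be created with the value $qpmsa"

# MSA Account Description
$MSADes = "Manually Created Quickpass MSA Account for $dcshort"

# --- Domain root and target container -------------------------------------------
$Root   = [ADSI]"LDAP://RootDSE"
$Domain = $Root.Get("rootDomainNamingContext")

# Use the built-in Managed Service Accounts container when present, else CN=Users.
$newou = "Managed Service Accounts"
Write-Host -ForegroundColor Green "Checking if OU exist in $Domain"
# [adsi]::Exists returns [bool]; test it directly. The original compared it with the
# string "True", which (bool on the left) would also match "False".
if ([adsi]::Exists("LDAP://CN=$newou,$Domain")) {
    $text = "The Managed Service Accounts Container Exists in Active Directory"
    Write-Host -ForegroundColor Red $text.ToUpper()
    $dmn = "CN=$newou,$Domain"
} else {
    $dmn = "CN=Users,$Domain"
}

$dcshortcon = $dcshort + '$'   # this host's computer account (HOST$)
$QPmsaAcct  = $qpmsa + '$'     # the gMSA's sAMAccountName (NAME$)

# --- KDS root key ---------------------------------------------------------------
# A gMSA cannot be created until an effective KDS root key exists. Only add one when
# none is effective yet; the original added a new key on every run.
# The -10h EffectiveTime is the documented shortcut to skip the normal 10-hour wait.
# It is only safe once the key has replicated to every DC that may answer the
# password request (single-DC / lab environments). In a multi-DC domain, prefer a
# plain Add-KdsRootKey and wait for replication before creating the gMSA.
$effectiveKeys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effectiveKeys) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) -ErrorAction Stop | Out-Null
}

# --- Create the gMSA --------------------------------------------------------------
New-ADServiceAccount -Name $qpmsa -Path $dmn -DNSHostName $dcn -Description $MSADes -ErrorAction Stop
# Restrict password retrieval to this host's computer account only.
Set-ADServiceAccount -Identity $qpmsa -PrincipalsAllowedToRetrieveManagedPassword $dcshortcon -ErrorAction Stop

# --- Domain Admins membership -----------------------------------------------------
# SECURITY: this makes the agent's service account a Domain Admin. Anyone who can
# control the QuickpassServerAgent service, its binary, or this host can therefore
# act as a Domain Admin. Kept because the original script requires it for the
# agent; confirm with the vendor whether narrower delegated rights would suffice,
# and treat this server as a Tier-0 asset.
Add-ADGroupMember -Identity "Domain Admins" -Members $QPmsaAcct -ErrorAction Stop

# NOTE(review): the original script never ran Install-ADServiceAccount /
# Test-ADServiceAccount on this host; confirm the service can actually retrieve
# the gMSA password (it may need AD replication time) before relying on it.

# --- Agent registry -------------------------------------------------------------
# Written only now that the gMSA exists.
$regPath = 'HKLM:\SOFTWARE\Quickpass Software\Quickpass Server Agent'
Set-ItemProperty -Path $regPath -Name 'MSAName'      -Value $qpmsa -ErrorAction Stop
Set-ItemProperty -Path $regPath -Name 'UseCustomMSA' -Value 1      -ErrorAction Stop
Set-ItemProperty -Path $regPath -Name 'UsingMSA'     -Value 1      -ErrorAction Stop

# --- Change service logon account: stop, change, start --------------------------
$UserName = $env:userdomain + '\' + $QPmsaAcct
$Service  = 'QuickpassServerAgent'
$svc_Obj  = Get-WmiObject Win32_Service -Filter "name='$Service'"
if (-not $svc_Obj) {
    # The original would have failed with a null-method error here; say what state
    # the domain is in so the operator can finish by hand.
    throw "Service '$Service' not found on $dcshort. gMSA '$qpmsa' was created and registry updated, but the service logon account was NOT changed."
}

$StopStatus = $svc_Obj.StopService()
if ($StopStatus.ReturnValue -eq 0) {
    Write-Host "The service '$Service' Stopped successfully" -ForegroundColor Green
} else {
    Write-Host "Failed to Stop the service '$Service'. Error code: $($StopStatus.ReturnValue)" -ForegroundColor Red
}
# StopService() is asynchronous; give the service time to reach Stopped.
Start-Sleep -Seconds 10

# Win32_Service.Change positional arguments: DisplayName, PathName, ServiceType,
# ErrorControl, StartMode, DesktopInteract, StartName, StartPassword,
# LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies.
# Only StartName is set; a gMSA has no static password (the LSA fetches it from AD),
# so StartPassword stays $null.
$ChangeStatus = $svc_Obj.Change($null, $null, $null, $null, $null, $null, $UserName, $null, $null, $null, $null)
if ($ChangeStatus.ReturnValue -eq 0) {
    Write-Host "Log on account updated sucessfully for the service '$Service'" -ForegroundColor Green
} else {
    Write-Host "Failed to update Log on account in the service '$Service'. Error code: $($ChangeStatus.ReturnValue)" -ForegroundColor Red
}

$StartStatus = $svc_Obj.StartService()
if ($StartStatus.ReturnValue -eq 0) {
    Write-Host "The service '$Service' Started successfully" -ForegroundColor Green
} else {
    Write-Host "Failed to Start the service '$Service'. Error code: $($StartStatus.ReturnValue)" -ForegroundColor Red
}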