Scenarios - AGPM Lab 1
INSERT TEXT HERE
#Lab for working with the Advanced Group Policy Manaement Console (AGMP)
#The following files are required:
# - agpm_403_server_amd64.exe
# - agpm_403_client_amd64.exe
# - agpm4.0-Server-KB3127165-x64.exe
New-LabDefinition -Name AgpmLab10 -DefaultVirtualizationEngine HyperV #Azure
#Add-LabAzureSubscription -SubscriptionName AL1 -DefaultLocationName 'West Europe'
Add-LabMachineDefinition -Name a1DC -Memory 1GB -OperatingSystem 'Windows Server 2016 Datacenter (Desktop Experience)' -Roles RootDC -DomainName contoso.com
Add-LabMachineDefinition -Name a1Server -Memory 1GB -OperatingSystem 'Windows Server 2016 Datacenter (Desktop Experience)' -DomainName contoso.com
Add-LabMachineDefinition -Name a1AgpmServer -Memory 1GB -OperatingSystem 'Windows Server 2016 Datacenter (Desktop Experience)' -DomainName contoso.com
Install-Lab
$agpmServer = Get-LabVM -ComputerName a1AgpmServer
$agpmClient = Get-LabVM -ComputerName a1Server
Install-LabWindowsFeature -ComputerName $agpmServer -FeatureName NET-Framework-Core, NET-Non-HTTP-Activ, GPMC, RSAT-AD-Tools
Install-LabWindowsFeature -ComputerName $agpmClient -FeatureName NET-Non-HTTP-Activ, GPMC, RSAT-AD-Tools
$machines = Get-LabVM
Install-LabSoftwarePackage -ComputerName $machines -Path $labSources\SoftwarePackages\Notepad++.exe -CommandLine /S -AsJob
Install-LabSoftwarePackage -ComputerName $machines -Path $labSources\SoftwarePackages\winrar.exe -CommandLine /S -AsJob
Get-Job -Name 'Installation of*' | Wait-Job | Out-Null
Checkpoint-LabVM -All -SnapshotName 1
if ((Get-Lab).DefaultVirtualizationEngine -eq 'Azure')
{
Write-ScreenInfo 'Waiting 15 minutes to make sure the VMs are ready after having created a snapshot...' -NoNewLine
Start-Sleep -Seconds 1000
Write-ScreenInfo 'done.'
}
$agpmSettings = @{
InstallationLog = 'C:\AGPM-Install.log'
OwnerGroupName = 'AgpmOwners'
ServiceAccountName = 'AgpmService'
UsersGroupName = 'AgpmUsers'
DomainName = $agpmServer.DomainName.Split('.')[0] #NetBIOS name is required
PasswordPlain = 'Password1'
Password = 'Password1' | ConvertTo-SecureString -AsPlainText -Force
}
Invoke-LabCommand -ComputerName (Get-LabVM -Role RootDC) -ScriptBlock {
$ou = New-ADOrganizationalUnit -Name AGPM -ProtectedFromAccidentalDeletion $false -PassThru
$service = New-ADUser -Name AgpmService -Path $ou -AccountPassword $agpmSettings.Password -Enabled $true -PassThru
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $service
New-ADGroup -Name $agpmSettings.OwnerGroupName -GroupScope Global -Path $ou -PassThru | Add-ADGroupMember -Members (Get-ADUser -Identity $env:USERNAME)
$users = @()
$users += New-ADUser -Name AgpmUser1 -Path $ou -AccountPassword $agpmSettings.Password -Enabled $true -PassThru
$users += New-ADUser -Name AgpmUser2 -Path $ou -AccountPassword $agpmSettings.Password -Enabled $true -PassThru
$group = New-ADGroup -Name $agpmSettings.UsersGroupName -Path $ou -GroupScope Global -PassThru | Add-ADGroupMember -Members $users
} -Variable (Get-Variable -Name agpmSettings)
#Installation of AGPM Server
$agpmCommandLineArgs = '/quiet /log {0} /msicl "VAULT_OWNER={1} SVC_USERNAME={2} SVC_PASSWORD={3} USERRUNASSERVICE={2} DSN={1} ADD_PORT_EXCEPTION=0 BRAZILIAN_PT=0 CHINESE_S=0 CHINESE_T=0 ENGLISH=1 FRENCH=0 GERMAN=0 ITALIAN=0 JAPANESE=0 KOREAN=0 RUSSIAN=0 SPANISH=0"' -f
$agpmSettings.InstallationLog,
('{0}\{1}' -f $agpmSettings.DomainName, $agpmSettings.OwnerGroupName),
('{0}\{1}' -f $agpmSettings.DomainName, $agpmSettings.ServiceAccountName),
$agpmSettings.PasswordPlain
Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\agpm_403_server_amd64.exe -CommandLine $agpmCommandLineArgs -ComputerName $agpmServer -AsScheduledJob -UseExplicitCredentialsForScheduledJob
#Installation of AGPM Client
$agpmCommandLineArgs = '/quiet /msicl "PORT=4600 ARCHIVELOCATION={0} ADD_PORT_EXCEPTION=1 BRAZILIAN_PT=0 CHINESE_S=0 CHINESE_T=0 ENGLISH=1 FRENCH=0 GERMAN=0 ITALIAN=0 JAPANESE=0 KOREAN=0 RUSSIAN=0 SPANISH=0"' -f $agpmServer.FQDN
Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\agpm_403_client_amd64.exe -CommandLine $agpmCommandLineArgs -ComputerName $agpmServer, $agpmClient
Install-LabSoftwarePackage -Path $labSources\SoftwarePackages\agpm4.0-Server-KB3127165-x64.exe -CommandLine /quiet -ComputerName $agpmServer
Invoke-LabCommand -ActivityName 'Correcting ACL' -ComputerName $agpmServer -ScriptBlock {
Get-Acl -Path (Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\AGPM') | ForEach-Object {
$sid = (Get-ADUser -Identity $agpmSettings.ServiceAccountName -Properties SID).SID
$_.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(($sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))))
Set-Acl -Path (Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\AGPM') -AclObject $_
}
} -Variable (Get-Variable -Name agpmSettings)
Invoke-LabCommand -ActivityName 'Give the AgpmUsers local admin rights on the AgpmClient' -ScriptBlock {
Add-LocalGroupMember -Group Administrators -Member "contoso\$($agpmSettings.UsersGroupName)"
} -ComputerName $agpmClient -Variable (Get-Variable -Name agpmSettings)
Checkpoint-LabVM -All -SnapshotName 2
Show-LabDeploymentSummary -Detailed