1 | | - | --- |
2 | | - | - name: Move SRV02 to Workstations OU |
3 | | - | win_shell: | |
4 | | - | try { |
5 | | - | Get-ADOrganizationalUnit -Identity "OU=Workstations,DC=north,DC=sevenkingdoms,DC=local" > $null |
6 | | - | Move-ADObject -Identity "CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local" -TargetPath "OU=Workstations,DC=north,DC=sevenkingdoms,DC=local" |
7 | | - | $true |
8 | | - | } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { |
9 | | - | $false |
10 | | - | } |
11 | | - | when: move_computer == 'dc02' |
12 | | - | |
13 | | - | - name: Move SRV03 to Workstations OU |
14 | | - | win_shell: | |
15 | | - | try { |
16 | | - | Get-ADOrganizationalUnit -Identity "OU=Workstations,DC=essos,DC=local" > $null |
17 | | - | Move-ADObject -Identity "CN=BRAAVOS,CN=Computers,DC=essos,DC=local" -TargetPath "OU=Workstations,DC=essos,DC=local" |
18 | | - | $true |
19 | | - | } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { |
20 | | - | $false |
21 | | - | } |
22 | | - | when: move_computer == 'dc03' |
23 | | - | |
24 | | - | - name: Install LAPS Package on Servers |
25 | | - | ansible.windows.win_package: |
26 | | - | arguments: "ADDLOCAL=Management.ADMX" |
27 | | - | path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi |
28 | | - | state: present |
29 | | - | creates_path: "%ProgramFiles%\\LAPS" |
30 | | - | register: pri_laps_install |
31 | | - | until: pri_laps_install is success |
32 | | - | retries: 3 # Try 3 times just in case it failed to download the URL |
33 | | - | delay: 1 |
34 | | - | when: prep_servers | bool |
35 | | - | |
36 | | - | - name: Reboot After Installing LAPS on Servers |
37 | | - | ansible.windows.win_reboot: |
38 | | - | when: prep_servers | bool and pri_laps_install.reboot_required |
39 | | - | |
40 | | - | - name: Configure Password Properties |
41 | | - | win_ad_object: |
42 | | - | name: ms-Mcs-AdmPwd |
43 | | - | attributes: |
44 | | - | adminDescription: LAPS Password Attribute |
45 | | - | lDAPDisplayName: ms-Mcs-AdmPwd |
46 | | - | adminDisplayName: ms-Mcs-AdmPwd |
47 | | - | attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1 |
48 | | - | attributeSyntax: '2.5.5.5' # String(IAS) |
49 | | - | omSyntax: 19 # String(Printable) |
50 | | - | isSingleValued: True |
51 | | - | systemOnly: False |
52 | | - | isMemberOfPartialAttributeSet: False |
53 | | - | searchFlags: 904 # RO,NV,CF,PR - http://www.frickelsoft.net/blog/?p=151 |
54 | | - | showInAdvancedViewOnly: False |
55 | | - | context: schema |
56 | | - | type: attribute |
57 | | - | update_schema: True |
58 | | - | # privileges required to update the schema attributes |
59 | | - | become: yes |
60 | | - | become_method: runas |
61 | | - | become_user: SYSTEM |
62 | | - | when: prep_servers | bool |
63 | | - | |
64 | | - | - name: Configure Password Expiry Time |
65 | | - | win_ad_object: |
66 | | - | name: ms-Mcs-AdmPwdExpirationTime |
67 | | - | attributes: |
68 | | - | adminDescription: LAPS Password Expiration Time Attribute |
69 | | - | lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime |
70 | | - | adminDisplayName: ms-Mcs-AdmPwdExpirationTime |
71 | | - | attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2 |
72 | | - | attributeSyntax: '2.5.5.16' # LargeInteger |
73 | | - | omSyntax: 65 # LargeInteger |
74 | | - | isSingleValued: True |
75 | | - | systemOnly: False |
76 | | - | isMemberOfPartialAttributeSet: False |
77 | | - | searchFlags: 0 |
78 | | - | showInAdvancedViewOnly: False |
79 | | - | context: schema |
80 | | - | type: attribute |
81 | | - | update_schema: True |
82 | | - | become: yes |
83 | | - | become_method: runas |
84 | | - | become_user: SYSTEM |
85 | | - | when: prep_servers | bool |
86 | | - | |
87 | | - | - name: Add LAPS attributes to the Computer Attribute |
88 | | - | win_ad_object: |
89 | | - | name: Computer |
90 | | - | may_contain: |
91 | | - | - ms-Mcs-AdmPwd |
92 | | - | - ms-Mcs-AdmPwdExpirationTime |
93 | | - | context: schema |
94 | | - | update_schema: True |
95 | | - | become: yes |
96 | | - | become_method: runas |
97 | | - | become_user: SYSTEM |
98 | | - | when: prep_servers | bool |
99 | | - | |
100 | | - | - name: Apply DACL to OU Containers (north.sevenkingdoms.local) |
101 | | - | win_ad_dacl: |
102 | | - | path: 'OU=Workstations,DC=north,DC=sevenkingdoms,DC=local' |
103 | | - | state: present |
104 | | - | aces: |
105 | | - | - rights: |
106 | | - | - ReadProperty |
107 | | - | - WriteProperty |
108 | | - | inheritance_type: Descendents |
109 | | - | inherited_object_type: Computer |
110 | | - | object_type: ms-Mcs-AdmPwdExpirationTime |
111 | | - | access: allow |
112 | | - | account: S-1-5-10 # NT AUTHORITY\SELF |
113 | | - | - rights: WriteProperty |
114 | | - | inheritance_type: Descendents |
115 | | - | inherited_object_type: Computer |
116 | | - | object_type: ms-Mcs-AdmPwd |
117 | | - | access: allow |
118 | | - | account: S-1-5-10 |
119 | | - | when: apply_dacl == 'dc02' |
120 | | - | |
121 | | - | - name: Apply DACL to OU Containers (essos.local) |
122 | | - | win_ad_dacl: |
123 | | - | path: 'OU=Workstations,DC=essos,DC=local' |
124 | | - | state: present |
125 | | - | aces: |
126 | | - | - rights: |
127 | | - | - ReadProperty |
128 | | - | - WriteProperty |
129 | | - | inheritance_type: Descendents |
130 | | - | inherited_object_type: Computer |
131 | | - | object_type: ms-Mcs-AdmPwdExpirationTime |
132 | | - | access: allow |
133 | | - | account: S-1-5-10 # NT AUTHORITY\SELF |
134 | | - | - rights: WriteProperty |
135 | | - | inheritance_type: Descendents |
136 | | - | inherited_object_type: Computer |
137 | | - | object_type: ms-Mcs-AdmPwd |
138 | | - | access: allow |
139 | | - | account: S-1-5-10 |
140 | | - | when: apply_dacl == 'dc03' |
141 | | - | |
142 | | - | - name: Create LAPS GPO |
143 | | - | win_gpo: |
144 | | - | name: '{{ opt_laps_gpo_name }}' |
145 | | - | description: Setup by Ansible for LAPS |
146 | | - | state: present |
147 | | - | register: pri_laps_gpo |
148 | | - | when: create_gpo | bool |
149 | | - | |
150 | | - | - name: Add LAPS extension to GPO |
151 | | - | win_ad_object: |
152 | | - | name: '{{ pri_laps_gpo.path }}' |
153 | | - | attributes: |
154 | | - | # [Registry:Admin Tool][AdmPwd:Admin Tool] |
155 | | - | gPCMachineExtensionNames: "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]\ |
156 | | - | [{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]" |
157 | | - | when: create_gpo | bool |
158 | | - | |
159 | | - | - name: Configure Password Policy Settings on GPO |
160 | | - | win_gpo_reg: |
161 | | - | gpo: '{{ opt_laps_gpo_name }}' |
162 | | - | name: '{{ item.name }}' |
163 | | - | path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' |
164 | | - | state: present |
165 | | - | type: dword |
166 | | - | value: '{{ item.value }}' |
167 | | - | with_items: |
168 | | - | - name: PasswordComplexity |
169 | | - | value: 4 |
170 | | - | - name: PasswordLength |
171 | | - | value: 14 |
172 | | - | - name: PasswordAgeDays |
173 | | - | value: 30 |
174 | | - | when: create_gpo | bool |
175 | | - | |
176 | | - | - name: Configure Expiration Protection on GPO |
177 | | - | win_gpo_reg: |
178 | | - | gpo: '{{ opt_laps_gpo_name }}' |
179 | | - | name: PwdExpirationProtectionEnabled |
180 | | - | path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' |
181 | | - | state: present |
182 | | - | type: dword |
183 | | - | value: 1 |
184 | | - | when: create_gpo | bool |
185 | | - | |
186 | | - | - name: Remove Configuration for Expiration Protection on GPO |
187 | | - | win_gpo_reg: |
188 | | - | gpo: '{{ opt_laps_gpo_name }}' |
189 | | - | name: PwdExpirationProtectionEnabled |
190 | | - | path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' |
191 | | - | state: absent |
192 | | - | when: create_gpo | bool |
193 | | - | |
194 | | - | - name: Configure Custom Admin Username Policy on GPO |
195 | | - | win_gpo_reg: |
196 | | - | gpo: '{{ opt_laps_gpo_name }}' |
197 | | - | name: AdminAccountName |
198 | | - | path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' |
199 | | - | state: present |
200 | | - | type: string |
201 | | - | when: create_gpo | bool |
202 | | - | |
203 | | - | - name: Enable the GPO |
204 | | - | win_gpo_reg: |
205 | | - | gpo: '{{ opt_laps_gpo_name }}' |
206 | | - | name: AdmPwdEnabled |
207 | | - | path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' |
208 | | - | state: present |
209 | | - | type: dword |
210 | | - | value: 1 |
211 | | - | when: create_gpo | bool |
212 | | - | |
213 | | - | - name: Create Comment File for GPO |
214 | | - | ansible.windows.win_copy: |
215 | | - | src: ../files/comment.cmtx |
216 | | - | dest: C:\Windows\SYSVOL\domain\Policies\{{ '{' }}{{ pri_laps_gpo.id }}{{ '}' }}\Machine\comment.cmtx |
217 | | - | when: create_gpo | bool |
218 | | - | |
219 | | - | - name: Ensure GPO is Linked |
220 | | - | win_gpo_link: |
221 | | - | name: '{{ opt_laps_gpo_name }}' |
222 | | - | target: 'OU=Workstations,DC=north,DC=sevenkingdoms,DC=local' |
223 | | - | state: present |
224 | | - | enforced: True |
225 | | - | enabled: True |
226 | | - | when: gpo_linked == 'dc02' |
227 | | - | |
228 | | - | - name: Ensure GPO is Linked |
229 | | - | win_gpo_link: |
230 | | - | name: '{{ opt_laps_gpo_name }}' |
231 | | - | target: 'OU=Workstations,DC=essos,DC=local' |
232 | | - | state: present |
233 | | - | enforced: True |
234 | | - | enabled: True |
235 | | - | when: gpo_linked == 'dc03' |
236 | | - | |
237 | | - | - name: Install to Servers |
238 | | - | ansible.windows.win_package: |
239 | | - | arguments: "ADDLOCAL=CSE" |
240 | | - | path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi |
241 | | - | state: present |
242 | | - | creates_path: "%ProgramFiles%\\LAPS" |
243 | | - | register: pri_laps_install |
244 | | - | until: pri_laps_install is success |
245 | | - | retries: 3 # Try 3 times just in case it failed to download the URL |
246 | | - | delay: 1 |
247 | | - | when: install_servers | bool |
248 | | - | |
249 | | - | - name: reboot after installing LAPS if required |
250 | | - | ansible.windows.win_reboot: |
251 | | - | when: install_servers | bool and pri_laps_install.reboot_required |
252 | | - | |
253 | | - | - name: Refresh GPO on the Clients |
254 | | - | ansible.windows.win_command: gpupdate /force |
255 | | - | when: install_servers | bool |
256 | | - | |
257 | | - | - name: Retrieve LAPS Password on DC02 |
258 | | - | win_shell: | |
259 | | - | $obj = Get-ADObject -Identity "CN=CASTELBLACK,OU=Workstations,DC=north,DC=sevenkingdoms,DC=local" -Properties ms-Mcs-AdmPwd |
260 | | - | Write-Output -InputObject $obj."ms-Mcs-AdmPwd" |
261 | | - | register: powershell_password |
262 | | - | changed_when: False |
263 | | - | when: test_deployment == 'dc02' |
264 | | - | |
265 | | - | - name: Retrieve LAPS Password on DC03 |
266 | | - | win_shell: | |
267 | | - | $obj = Get-ADObject -Identity "CN=BRAAVOS,OU=Workstations,DC=essos,DC=local" -Properties ms-Mcs-AdmPwd |
268 | | - | Write-Output -InputObject $obj."ms-Mcs-AdmPwd" |
269 | | - | register: powershell_password |
270 | | - | changed_when: False |
271 | | - | when: test_deployment == 'dc03' |