From bc474f7d4eff999a3758b575979a1e9c53e2900f Mon Sep 17 00:00:00 2001
From: Ed Chalstrey
Date: Thu, 20 Jul 2023 14:54:20 +0100
Subject: [PATCH 01/33] draft script
---
 .../SRE_delete_unassigned_users.ps1 | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 deployment/administration/SRE_delete_unassigned_users.ps1
diff --git a/deployment/administration/SRE_delete_unassigned_users.ps1 b/deployment/administration/SRE_delete_unassigned_users.ps1
new file mode 100644
index 0000000000..4ed9c69056
--- /dev/null
+++ b/deployment/administration/SRE_delete_unassigned_users.ps1
@@ -0,0 +1,47 @@
+param(
+ [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
+ [string]$shmId
+)
+
+Import-Module Az.Accounts -ErrorAction Stop
+Import-Module $PSScriptRoot/common/AzureCompute -Force -ErrorAction Stop
+Import-Module $PSScriptRoot/common/Configuration -Force -ErrorAction Stop
+Import-Module $PSScriptRoot/common/Logging -Force -ErrorAction Stop
+
+# Get config and original context
+# -------------------------------
+$config = Get-ShmConfig -shmId $oldShmId
+$originalContext = Get-AzContext
+
+# Extract list of users
+# ---------------------
+$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop
+Add-LogMessage -Level Info "Exporting user list for $($config.shm.id) from $($config.dc.vmName)..."
+# Run remote script
+$script = @"
+`$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName
+`$users = Get-ADUser -Filter * -SearchBase "`$userOuPath" -Properties *
+foreach (`$user in `$users) {
+ `$groupName = (`$user | Select-Object -ExpandProperty MemberOf | ForEach-Object { ((`$_ -Split ",")[0] -Split "=")[1] }) -join "|"
+ `$user | Add-Member -NotePropertyName GroupName -NotePropertyValue `$groupName -Force
+}
+`$users | Select-Object SamAccountName,GivenName,Surname,Mobile,GroupName | `
+ ConvertTo-Csv | Where-Object { `$_ -notmatch '^#' } | `
+ ForEach-Object { `$_.replace('"','') }
+"@
+$result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg
+$null = Set-AzContext -Context $originalContext -ErrorAction Stop
+
+Write-Output $result
+
+# Construct list of groups
+# ------------------------
+Add-LogMessage -Level Info "Constructing list of user groups from $($config.shm.id)..."
+$users = $result.Value[0].Message | ConvertFrom-Csv
+$securityGroups = @()
+foreach ($user in $users) {
+ $securityGroups += @($user.GroupName.Split("|"))
+}
+$securityGroups = $securityGroups | Sort-Object | Get-Unique
+
+Write-Output $securityGroups
\ No newline at end of file
From 3ed34b35f541adfc3c2bd81297dc5e49834aabb5 Mon Sep 17 00:00:00 2001
From: Ed Chalstrey
Date: Thu, 20 Jul 2023 16:38:23 +0100
Subject: [PATCH 02/33] use correct var
---
 deployment/administration/SRE_delete_unassigned_users.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/administration/SRE_delete_unassigned_users.ps1 b/deployment/administration/SRE_delete_unassigned_users.ps1
index 4ed9c69056..a8477f4987 100644
--- a/deployment/administration/SRE_delete_unassigned_users.ps1
+++ b/deployment/administration/SRE_delete_unassigned_users.ps1
@@ -10,7 +10,7 @@ Import-Module $PSScriptRoot/common/Logging -Force -ErrorAction Stop
 # Get config and original context
 # -------------------------------
-$config = Get-ShmConfig -shmId $oldShmId
+$config = Get-ShmConfig -shmId $shmId
 $originalContext = Get-AzContext
 # Extract list of users
From f2bdc385072e7fe8baf3dbaf427d8824890ba890 Mon Sep 17 00:00:00 2001
From: Ed Chalstrey
Date: Thu, 20 Jul 2023 16:54:04 +0100
Subject: [PATCH 03/33] correct path
---
 deployment/administration/SRE_delete_unassigned_users.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/deployment/administration/SRE_delete_unassigned_users.ps1 b/deployment/administration/SRE_delete_unassigned_users.ps1
index a8477f4987..7e5e167aee 100644
--- a/deployment/administration/SRE_delete_unassigned_users.ps1
+++ b/deployment/administration/SRE_delete_unassigned_users.ps1
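Review bot: The remote script's CSV is corrupted by `ForEach-Object { `$_.replace('"','') }`: ConvertTo-Csv quotes every field, and stripping all quotes means a GivenName, Surname or Mobile value that contains a comma shifts the columns that `ConvertFrom-Csv` reads in the "Construct list of groups" block, so GroupName can end up holding a different field and the wrong accounts are classed as unassigned. Emit `ConvertTo-Csv -NoTypeInformation` and leave the quoting in place — ConvertFrom-Csv unquotes correctly, and the `-notmatch '^#'` filter that removes the type header becomes unnecessary. `-Properties *` fetches every attribute of every user when only MemberOf is read; `-Properties MemberOf` is enough and far cheaper on the DC.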
@@ -4,9 +4,9 @@ param( ) Import-Module Az.Accounts -ErrorAction Stop -Import-Module $PSScriptRoot/common/AzureCompute -Force -ErrorAction Stop -Import-Module $PSScriptRoot/common/Configuration -Force -ErrorAction Stop -Import-Module $PSScriptRoot/common/Logging -Force -ErrorAction Stop +Import-Module $PSScriptRoot/../common/AzureCompute -Force -ErrorAction Stop +Import-Module $PSScriptRoot/../common/Configuration -Force -ErrorAction Stop +Import-Module $PSScriptRoot/../common/Logging -Force -ErrorAction Stop # Get config and original context # ------------------------------- From c4b7688403a9a501ded4700383714c2c3f8aa66f Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 09:45:54 +0100 Subject: [PATCH 04/33] rename file --- ...elete_unassigned_users.ps1 => SRE_Delete_Unassigned_Users.ps1} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployment/administration/{SRE_delete_unassigned_users.ps1 => SRE_Delete_Unassigned_Users.ps1} (100%) diff --git a/deployment/administration/SRE_delete_unassigned_users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 similarity index 100% rename from deployment/administration/SRE_delete_unassigned_users.ps1 rename to deployment/administration/SRE_Delete_Unassigned_Users.ps1 From 9a6c2a45992f1891c21946d251f69a619efadb41 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 10:41:55 +0100 Subject: [PATCH 05/33] loop users --- .../SRE_Delete_Unassigned_Users.ps1 | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index 7e5e167aee..1449a8c7fc 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
@@ -32,16 +32,12 @@ foreach (`$user in `$users) { $result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg $null = Set-AzContext -Context $originalContext -ErrorAction Stop -Write-Output $result -# Construct list of groups -# ------------------------ -Add-LogMessage -Level Info "Constructing list of user groups from $($config.shm.id)..." +# Delete users not found in any group (with exception for named SG e.g. "Sandbox") +# -------------------------------------------------------------------------------- +Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." $users = $result.Value[0].Message | ConvertFrom-Csv -$securityGroups = @() foreach ($user in $users) { - $securityGroups += @($user.GroupName.Split("|")) -} -$securityGroups = $securityGroups | Sort-Object | Get-Unique - -Write-Output $securityGroups \ No newline at end of file + Write-Output $user.GroupName + Write-Output $user.SamAccountName +} \ No newline at end of file From ae00262f4187a81ab65e0d687de334163d15897f Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 10:50:13 +0100 Subject: [PATCH 06/33] unassignedUsers SamAccountName list --- .../administration/SRE_Delete_Unassigned_Users.ps1 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index 1449a8c7fc..9574ecb927 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
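Review bot: The new heading promises "exception for named SG e.g. "Sandbox"", but nothing in the loop implements an exception list — the body only writes GroupName and SamAccountName — so the comment documents behaviour the code does not have. For a script that is about to delete accounts, the protected groups should be a visible variable near the top (e.g. `$protectedGroups = @("Sandbox")`) that the loop checks before an account is treated as unassigned, or the clause should be dropped from the comment until that exists.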
@@ -37,7 +37,10 @@ $null = Set-AzContext -Context $originalContext -ErrorAction Stop # -------------------------------------------------------------------------------- Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." $users = $result.Value[0].Message | ConvertFrom-Csv +$unassignedUsers = @() foreach ($user in $users) { - Write-Output $user.GroupName - Write-Output $user.SamAccountName -} \ No newline at end of file + if ( $user.GroupName ) { + $unassignedUsers += @($user.SamAccountName) + } +} +Write-Output $unassignedUsers \ No newline at end of file From 84eb88f073e2971ac2a1b8b72db56e642515e737 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 10:52:38 +0100 Subject: [PATCH 07/33] negate --- deployment/administration/SRE_Delete_Unassigned_Users.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index 9574ecb927..d22dc53b68 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 @@ -39,7 +39,7 @@ Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any sec $users = $result.Value[0].Message | ConvertFrom-Csv $unassignedUsers = @() foreach ($user in $users) { - if ( $user.GroupName ) { + if (!($user.GroupName)) { $unassignedUsers += @($user.SamAccountName) } } From 3e3904ba866fc4a53396b94e38ea0558e3fd09b6 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 11:03:56 +0100 Subject: [PATCH 08/33] delete user --- deployment/administration/SRE_Delete_Unassigned_Users.ps1 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index d22dc53b68..d62a1e0654 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
+++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 @@ -40,7 +40,6 @@ $users = $result.Value[0].Message | ConvertFrom-Csv $unassignedUsers = @() foreach ($user in $users) { if (!($user.GroupName)) { - $unassignedUsers += @($user.SamAccountName) + Remove-ADUser -Identity $user.SamAccountName } -} -Write-Output $unassignedUsers \ No newline at end of file +} \ No newline at end of file From 34254bcb0f4752fa9fbdcb37430ade0ab5af5769 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 11:32:31 +0100 Subject: [PATCH 09/33] delete the user --- .../administration/SRE_Delete_Unassigned_Users.ps1 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index d62a1e0654..b6181c965d 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
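Review bot: `Remove-ADUser -Identity $user.SamAccountName` now runs in the caller's own session, whereas the user list was obtained from the DC through Invoke-RemoteScript; the ActiveDirectory module is never imported here and the calling machine is not necessarily joined to the SHM domain, so the deletion either fails or, if the caller is joined to some other domain, targets the wrong directory. The commit also removes `Write-Output $unassignedUsers`, the only output naming the affected accounts, so a run leaves no record of what it removed. At minimum log each account before removal, `Add-LogMessage -Level Info "Removing unassigned user $($user.SamAccountName)"`, and keep the list so the outcome can be checked against the directory afterwards.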
@@ -30,16 +30,17 @@ foreach (`$user in `$users) { ForEach-Object { `$_.replace('"','') } "@ $result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -$null = Set-AzContext -Context $originalContext -ErrorAction Stop - # Delete users not found in any group (with exception for named SG e.g. "Sandbox") # -------------------------------------------------------------------------------- Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." $users = $result.Value[0].Message | ConvertFrom-Csv -$unassignedUsers = @() foreach ($user in $users) { if (!($user.GroupName)) { - Remove-ADUser -Identity $user.SamAccountName + $name = $user.SamAccountName + $script = "Remove-ADUser -Identity $name" + Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg } -} \ No newline at end of file +} + +$null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From 2aa274a44c4148f3f607a8478b6dc8efd7c935cc Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 14:14:48 +0100 Subject: [PATCH 10/33] DC1 script --- .../dc1Artifacts/Delete_Unassigned_Users.ps1 | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 new file mode 100644 index 0000000000..958dabe689 --- /dev/null +++ b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 
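Review bot: `$script = "Remove-ADUser -Identity $name"` builds the remote command by string interpolation with no quoting, so a SamAccountName containing a space, `$` or `&` is re-parsed on the DC as something other than a single identity argument. Single-quote the interpolated value, `$script = "Remove-ADUser -Identity '$($name -replace "'", "''")'"`, or better identify the account by a DistinguishedName or ObjectGUID column added to the CSV rather than by a free-text name. Moving `$null = Set-AzContext -Context $originalContext` to the end also means any error inside the loop leaves the caller's Az context pointing at the SHM subscription; wrap the loop in try/finally so the restore always runs. One Invoke-RemoteScript call per user will be slow for more than a handful of accounts; batching the names into a single remote invocation would avoid that.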
@@ -0,0 +1,20 @@
+# Extract list of users
+# ---------------------
+Write-Output "Exporting user list..."
+$userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName
+$users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties *
+foreach ($user in $users) {
+ $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|"
+ $user | Add-Member -NotePropertyName GroupName -NotePropertyValue $groupName -Force
+}
+
+# Delete users not found in any group (with exception for named SG e.g. "Sandbox")
+# --------------------------------------------------------------------------------
+Write-Output "Deleting users not in any security group..."
+foreach ($user in $users) {
+ if (!($user.GroupName)) {
+ $name = $user.SamAccountName
+ Remove-ADUser -Identity $name
+ Write-Out "Deleted $name"
+ }
+}
\ No newline at end of file
From d051ac624df73862af3ed8f42d1cc0ef2d484565 Mon Sep 17 00:00:00 2001
From: Ed Chalstrey
Date: Fri, 21 Jul 2023 14:20:36 +0100
Subject: [PATCH 11/33] remove write-out
---
 .../dc1Artifacts/Delete_Unassigned_Users.ps1 | 2 --
 1 file changed, 2 deletions(-)
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1
index 958dabe689..a49956d513 100644
--- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1
+++ b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1
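Review bot: `$userOuPath` comes from a client-side filter over every object in the directory and is never validated; if no object named "Safe Haven Research Users" is found it is `$null`, and `Get-ADUser -Filter * -SearchBase ""` is then either rejected or no longer scoped to the research-users OU, so the delete loop below can run against accounts outside it (if two objects share that name, DistinguishedName becomes an array and -SearchBase fails in a different way). Guard the lookup before anything destructive: `$userOuPath = (Get-ADOrganizationalUnit -Filter "Name -eq 'Safe Haven Research Users'").DistinguishedName` followed by `if (-not $userOuPath) { throw "Research users OU not found" }`. `-Properties *` pulls every attribute for every user where only MemberOf is read; `-Properties MemberOf` is sufficient.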
@@ -1,6 +1,5 @@ # Extract list of users # --------------------- -Write-Output "Exporting user list..." $userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName $users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties * foreach ($user in $users) { @@ -10,7 +9,6 @@ foreach ($user in $users) { # Delete users not found in any group (with exception for named SG e.g. "Sandbox") # -------------------------------------------------------------------------------- -Write-Output "Deleting users not in any security group..." foreach ($user in $users) { if (!($user.GroupName)) { $name = $user.SamAccountName From a7e201ba688a9ab65d3dd655168a2a1c2ecd29b3 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 14:20:58 +0100 Subject: [PATCH 12/33] fin prev commit --- .../dc1Artifacts/Delete_Unassigned_Users.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 index a49956d513..46da90efac 100644 --- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 +++ b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 @@ -13,6 +13,5 @@ foreach ($user in $users) { if (!($user.GroupName)) { $name = $user.SamAccountName Remove-ADUser -Identity $name - Write-Out "Deleted $name" } } \ No newline at end of file From e8f9cef209666968d20c03f6cf7e5031565972a3 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 21 Jul 2023 14:22:39 +0100 Subject: [PATCH 13/33] perform adsync after --- .../dc1Artifacts/Delete_Unassigned_Users.ps1 | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 index 46da90efac..46dfe1a920 100644 --- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 +++ b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 @@ -1,5 +1,4 @@ # Extract list of users -# --------------------- $userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName $users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties * foreach ($user in $users) { @@ -8,10 +7,22 @@ foreach ($user in $users) { } # Delete users not found in any group (with exception for named SG e.g. "Sandbox") -# -------------------------------------------------------------------------------- foreach ($user in $users) { if (!($user.GroupName)) { $name = $user.SamAccountName Remove-ADUser -Identity $name } +} + +# Force sync with AzureAD. It will still take around 5 minutes for changes to propagate +Write-Output "Synchronising locally Active Directory with Azure" +try { + Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop + Start-ADSyncSyncCycle -PolicyType Delta +} +catch [System.IO.FileNotFoundException] { + Write-Output "Skipping as Azure AD Sync is not installed" +} +catch { + Write-Output "Unable to run Azure Active Directory synchronisation!" } \ No newline at end of file From ed1c2811ae80fdba7ec3870b22fcc7c5640ec2eb Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 22 Aug 2023 10:53:33 +0100 Subject: [PATCH 14/33] copy DC1 script into remote script --- .../SRE_Delete_Unassigned_Users.ps1 | 70 ++++++++++++++----- 1 file changed, 51 insertions(+), 19 deletions(-) 
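Review bot: The generic `catch` in the new sync block reports "Unable to run Azure Active Directory synchronisation!" without the exception text and lets the script end successfully, so the caller cannot tell that accounts deleted just above have not been propagated to Azure AD; include `$($_.Exception.Message)` in the message and emit it with Write-Error (or rethrow) so the remote run reports failure. The typed `catch [System.IO.FileNotFoundException]` appears to rely on Import-Module raising that type for a missing module path, which is worth stating in a comment so the fallthrough to the generic catch is not mistaken for dead code. "Synchronising locally Active Directory" should read "local Active Directory".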
diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index b6181c965d..90a909d40b 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
@@ -8,16 +8,29 @@ Import-Module $PSScriptRoot/../common/AzureCompute -Force -ErrorAction Stop Import-Module $PSScriptRoot/../common/Configuration -Force -ErrorAction Stop Import-Module $PSScriptRoot/../common/Logging -Force -ErrorAction Stop -# Get config and original context +# Get config # ------------------------------- $config = Get-ShmConfig -shmId $shmId -$originalContext = Get-AzContext +# $originalContext = Get-AzContext # Extract list of users # --------------------- -$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop -Add-LogMessage -Level Info "Exporting user list for $($config.shm.id) from $($config.dc.vmName)..." +# $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop +# Add-LogMessage -Level Info "Exporting user list for $($config.shm.id) from $($config.dc.vmName)..." # Run remote script +# $script = @" +# `$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName +# `$users = Get-ADUser -Filter * -SearchBase "`$userOuPath" -Properties * +# foreach (`$user in `$users) { +# `$groupName = (`$user | Select-Object -ExpandProperty MemberOf | ForEach-Object { ((`$_ -Split ",")[0] -Split "=")[1] }) -join "|" +# `$user | Add-Member -NotePropertyName GroupName -NotePropertyValue `$groupName -Force +# } +# `$users | Select-Object SamAccountName,GivenName,Surname,Mobile,GroupName | ` +# ConvertTo-Csv | Where-Object { `$_ -notmatch '^#' } | ` +# ForEach-Object { `$_.replace('"','') } +# "@ + + $script = @" `$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName `$users = Get-ADUser -Filter * -SearchBase "`$userOuPath" -Properties * 
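Review bot: Commenting out `$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop` (and `$originalContext = Get-AzContext`) means the Invoke-RemoteScript call later in the file runs in whatever subscription the caller's session happens to hold, so the deletion script can be sent to a DC in a different SHM than the one `$shmId` names; the subscription switch should stay in for a destructive script. The disabled here-string that follows is then re-added verbatim below it — the commented-out copies should be removed rather than kept. The here-string continues past the end of this hunk.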
@@ -25,22 +38,41 @@ foreach (`$user in `$users) { `$groupName = (`$user | Select-Object -ExpandProperty MemberOf | ForEach-Object { ((`$_ -Split ",")[0] -Split "=")[1] }) -join "|" `$user | Add-Member -NotePropertyName GroupName -NotePropertyValue `$groupName -Force } -`$users | Select-Object SamAccountName,GivenName,Surname,Mobile,GroupName | ` - ConvertTo-Csv | Where-Object { `$_ -notmatch '^#' } | ` - ForEach-Object { `$_.replace('"','') } -"@ -$result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -# Delete users not found in any group (with exception for named SG e.g. "Sandbox") -# -------------------------------------------------------------------------------- -Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." -$users = $result.Value[0].Message | ConvertFrom-Csv -foreach ($user in $users) { - if (!($user.GroupName)) { - $name = $user.SamAccountName - $script = "Remove-ADUser -Identity $name" - Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg +# Delete users not found in any group +foreach (`$user in `$users) { + if (!(`$user.GroupName)) { + `$name = `$user.SamAccountName + Remove-ADUser -Identity `$name } } -$null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file +# Force sync with AzureAD. It will still take around 5 minutes for changes to propagate +Write-Output "Synchronising locally Active Directory with Azure" +try { + Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop + Start-ADSyncSyncCycle -PolicyType Delta +} +catch [System.IO.FileNotFoundException] { + Write-Output "Skipping as Azure AD Sync is not installed" +} +catch { + Write-Output "Unable to run Azure Active Directory synchronisation!" 
+} +"@ + +$result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg + +# # Delete users not found in any group (with exception for named SG e.g. "Sandbox") +# # -------------------------------------------------------------------------------- +# Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." +# $users = $result.Value[0].Message | ConvertFrom-Csv +# foreach ($user in $users) { +# if (!($user.GroupName)) { +# $name = $user.SamAccountName +# $script = "Remove-ADUser -Identity $name" +# Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg +# } +# } + +# $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From df8435b4f3c1f696db828aba60aa71455e932c62 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 22 Aug 2023 11:15:29 +0100 Subject: [PATCH 15/33] remove commented --- .../SRE_Delete_Unassigned_Users.ps1 | 31 ++----------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index 90a909d40b..0b8d048cbc 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
@@ -15,21 +15,8 @@ $config = Get-ShmConfig -shmId $shmId # Extract list of users # --------------------- -# $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop -# Add-LogMessage -Level Info "Exporting user list for $($config.shm.id) from $($config.dc.vmName)..." -# Run remote script -# $script = @" -# `$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName -# `$users = Get-ADUser -Filter * -SearchBase "`$userOuPath" -Properties * -# foreach (`$user in `$users) { -# `$groupName = (`$user | Select-Object -ExpandProperty MemberOf | ForEach-Object { ((`$_ -Split ",")[0] -Split "=")[1] }) -join "|" -# `$user | Add-Member -NotePropertyName GroupName -NotePropertyValue `$groupName -Force -# } -# `$users | Select-Object SamAccountName,GivenName,Surname,Mobile,GroupName | ` -# ConvertTo-Csv | Where-Object { `$_ -notmatch '^#' } | ` -# ForEach-Object { `$_.replace('"','') } -# "@ - +$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop +Add-LogMessage -Level Info "Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." $script = @" `$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName 
@@ -63,16 +50,4 @@ catch { $result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -# # Delete users not found in any group (with exception for named SG e.g. "Sandbox") -# # -------------------------------------------------------------------------------- -# Add-LogMessage -Level Info "Deleting users from $($config.shm.id) not in any security group..." -# $users = $result.Value[0].Message | ConvertFrom-Csv -# foreach ($user in $users) { -# if (!($user.GroupName)) { -# $name = $user.SamAccountName -# $script = "Remove-ADUser -Identity $name" -# Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -# } -# } - -# $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file +$null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From 3b9c1c10aa59076d08c44d3e413f1cdf9fb3988b Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 22 Aug 2023 11:16:50 +0100 Subject: [PATCH 16/33] move script --- .../dc1Artifacts => administration}/Delete_Unassigned_Users.ps1 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployment/{safe_haven_management_environment/desired_state_configuration/dc1Artifacts => administration}/Delete_Unassigned_Users.ps1 (100%) diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 b/deployment/administration/Delete_Unassigned_Users.ps1 similarity index 100% rename from deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/Delete_Unassigned_Users.ps1 rename to deployment/administration/Delete_Unassigned_Users.ps1 From e24c15d1a553fd0c5792de4ac1d7ef9b76d0df41 Mon Sep 17 00:00:00 2001 
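Review bot: `$null = Set-AzContext -Context $originalContext -ErrorAction Stop` is reinstated, but `$originalContext = Get-AzContext` is still commented out earlier in the file at this commit (it is outside both hunks of this patch), so `$originalContext` is unset and this line fails with -ErrorAction Stop after the deletions have already run. Restore the Get-AzContext assignment together with this line, and put the Invoke-RemoteScript call in a try/finally so the context is restored on the error path as well.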
From: Ed Chalstrey Date: Tue, 22 Aug 2023 11:37:21 +0100 Subject: [PATCH 17/33] invoke remote script from file --- .../Delete_Unassigned_Users.ps1 | 2 +- .../SRE_Delete_Unassigned_Users.ps1 | 38 +++---------------- 2 files changed, 6 insertions(+), 34 deletions(-) diff --git a/deployment/administration/Delete_Unassigned_Users.ps1 b/deployment/administration/Delete_Unassigned_Users.ps1 index 46dfe1a920..8bc3b35115 100644 --- a/deployment/administration/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/Delete_Unassigned_Users.ps1 @@ -6,7 +6,7 @@ foreach ($user in $users) { $user | Add-Member -NotePropertyName GroupName -NotePropertyValue $groupName -Force } -# Delete users not found in any group (with exception for named SG e.g. "Sandbox") +# Delete users not found in any group foreach ($user in $users) { if (!($user.GroupName)) { $name = $user.SamAccountName diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 index 0b8d048cbc..d59d9ed9b5 100644 --- a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SRE_Delete_Unassigned_Users.ps1 
@@ -11,43 +11,15 @@ Import-Module $PSScriptRoot/../common/Logging -Force -ErrorAction Stop # Get config # ------------------------------- $config = Get-ShmConfig -shmId $shmId -# $originalContext = Get-AzContext +$originalContext = Get-AzContext -# Extract list of users -# --------------------- +# Delete users not currently in a security group +# ---------------------------------------------- $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop Add-LogMessage -Level Info "Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." -$script = @" -`$userOuPath = (Get-ADObject -Filter * | Where-Object { `$_.Name -eq "Safe Haven Research Users" }).DistinguishedName -`$users = Get-ADUser -Filter * -SearchBase "`$userOuPath" -Properties * -foreach (`$user in `$users) { - `$groupName = (`$user | Select-Object -ExpandProperty MemberOf | ForEach-Object { ((`$_ -Split ",")[0] -Split "=")[1] }) -join "|" - `$user | Add-Member -NotePropertyName GroupName -NotePropertyValue `$groupName -Force -} +$script = "Delete_Unassigned_Users.ps1" -# Delete users not found in any group -foreach (`$user in `$users) { - if (!(`$user.GroupName)) { - `$name = `$user.SamAccountName - Remove-ADUser -Identity `$name - } -} - -# Force sync with AzureAD. It will still take around 5 minutes for changes to propagate -Write-Output "Synchronising locally Active Directory with Azure" -try { - Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop - Start-ADSyncSyncCycle -PolicyType Delta -} -catch [System.IO.FileNotFoundException] { - Write-Output "Skipping as Azure AD Sync is not installed" -} -catch { - Write-Output "Unable to run Azure Active Directory synchronisation!" 
-} -"@ - -$result = Invoke-RemoteScript -Shell "PowerShell" -Script $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg +$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From 65b2da95411816dd4c76e07c6439720b3d7e9912 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 25 Aug 2023 10:41:55 +0100 Subject: [PATCH 18/33] rename --- ...elete_Unassigned_Users.ps1 => SHM_Delete_Unassigned_Users.ps1} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename deployment/administration/{SRE_Delete_Unassigned_Users.ps1 => SHM_Delete_Unassigned_Users.ps1} (100%) diff --git a/deployment/administration/SRE_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 similarity index 100% rename from deployment/administration/SRE_Delete_Unassigned_Users.ps1 rename to deployment/administration/SHM_Delete_Unassigned_Users.ps1 From 502678d7c8d9cdb5d51abed70b920ee493e76de5 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 25 Aug 2023 10:44:02 +0100 Subject: [PATCH 19/33] move to remote subdir --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 2 +- .../administration/{ => remote}/Delete_Unassigned_Users.ps1 | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename deployment/administration/{ => remote}/Delete_Unassigned_Users.ps1 (100%) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index d59d9ed9b5..cfaddec63a 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 
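Review bot: `$script = "Delete_Unassigned_Users.ps1"` is a path relative to the caller's working directory rather than to the script's own location, so running the administration script from anywhere else passes a non-existent -ScriptPath (the `remote/` prefix added in patch 19 has the same problem); anchor it with `$script = Join-Path $PSScriptRoot "Delete_Unassigned_Users.ps1"` unless Invoke-RemoteScript is documented to resolve paths relative to the caller. `$result` is assigned but never reported, so the operator sees nothing about which accounts the remote script removed or whether the AD sync ran; surface it (e.g. `Write-Output $result.Value[0].Message`) unless Invoke-RemoteScript already echoes the remote output.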
@@ -18,7 +18,7 @@ $originalContext = Get-AzContext $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop Add-LogMessage -Level Info "Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." -$script = "Delete_Unassigned_Users.ps1" +$script = "remote/Delete_Unassigned_Users.ps1" $result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg diff --git a/deployment/administration/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 similarity index 100% rename from deployment/administration/Delete_Unassigned_Users.ps1 rename to deployment/administration/remote/Delete_Unassigned_Users.ps1 From 04a19125eeb6cc847943fed05b654420ea5a8085 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 25 Aug 2023 10:58:00 +0100 Subject: [PATCH 20/33] force deletion --- deployment/administration/remote/Delete_Unassigned_Users.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index 8bc3b35115..948c614c56 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -10,7 +10,7 @@ foreach ($user in $users) { foreach ($user in $users) { if (!($user.GroupName)) { $name = $user.SamAccountName - Remove-ADUser -Identity $name + Remove-ADUser -Identity $name -Confirm:$false } } From 4e347e2708636349177ef6efcdf547439bf08275 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Fri, 25 Aug 2023 11:03:26 +0100 Subject: [PATCH 21/33] single foreach loop --- .../administration/remote/Delete_Unassigned_Users.ps1 | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index 948c614c56..be71b3bd52 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -3,12 +3,7 @@ $userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven R $users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties * foreach ($user in $users) { $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|" - $user | Add-Member -NotePropertyName GroupName -NotePropertyValue $groupName -Force -} - -# Delete users not found in any group -foreach ($user in $users) { - if (!($user.GroupName)) { + if (!($groupName)) { $name = $user.SamAccountName Remove-ADUser -Identity $name -Confirm:$false } From 8d548fdf8a1391558b442293868f4d1aa4f151e1 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 11:37:47 +0100 Subject: [PATCH 22/33] add dryRun option --- .../remote/Delete_Unassigned_Users.ps1 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index be71b3bd52..cc492eef49 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -1,3 +1,8 @@ +param( + [Parameter(Mandatory = $false, HelpMessage = "Shows the users to be deleted without performing deletion")] + [bool]$dryRun +) + # Extract list of users $userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName $users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties * 
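Review bot: `$users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties *` does not check that the OU lookup on the preceding line (visible only in the hunk header) actually found "Safe Haven Research Users", and with the two loops merged the enumeration now deletes as it goes. If that lookup returns nothing the search base becomes an empty string, and I would not rely on what `Get-ADUser` does with that; a guard such as `if (-not $userOuPath) { throw "Research users OU not found" }` placed before the loop turns a lookup failure into an error rather than a deletion pass. Merging the loops is otherwise fine.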
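Review bot: `[bool]$dryRun` with `Mandatory = $false` defaults to `$false`, so invoking the script with no arguments performs the deletions and the preview is opt-in; patches 27 and 28 change the type to `[Switch]` and patch 29 to a yes/no string, but the destructive path stays the default throughout. For a bulk account-removal script the safer convention is to preview by default and require an explicit opt-in (for example a `-Force` switch) before anything is removed. At minimum the `HelpMessage` should state that omitting the parameter deletes.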
@@ -5,7 +10,12 @@ foreach ($user in $users) { $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|" if (!($groupName)) { $name = $user.SamAccountName - Remove-ADUser -Identity $name -Confirm:$false + if ($dryRun) { + Write-Output "User $name would be deleted by this action" + } else { + Write-Output "Deleting $name" + Remove-ADUser -Identity $name -Confirm:$false + } } } From 49ad7a00c266e86d9cc78118aca8b63c7c7e7cfa Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 11:40:48 +0100 Subject: [PATCH 23/33] dont sync aad dryrun --- .../remote/Delete_Unassigned_Users.ps1 | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index cc492eef49..6c1d6599c3 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 
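Review bot: `Write-Output "Deleting $name"` is emitted before `Remove-ADUser` runs, so the output claims a deletion even when the cmdlet fails, and since `Remove-ADUser` errors are non-terminating by default the loop simply moves on to the next account. Logging after the call, or using `-ErrorAction Stop` inside a try/catch that writes the failed `SamAccountName`, would make the output an accurate record of which accounts actually changed. The enclosing `foreach` starts before the hunk.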
@@ -20,14 +20,16 @@ foreach ($user in $users) { } # Force sync with AzureAD. It will still take around 5 minutes for changes to propagate -Write-Output "Synchronising locally Active Directory with Azure" -try { - Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop - Start-ADSyncSyncCycle -PolicyType Delta -} -catch [System.IO.FileNotFoundException] { - Write-Output "Skipping as Azure AD Sync is not installed" -} -catch { - Write-Output "Unable to run Azure Active Directory synchronisation!" +if (!$dryRun){ + Write-Output "Synchronising locally Active Directory with Azure" + try { + Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop + Start-ADSyncSyncCycle -PolicyType Delta + } + catch [System.IO.FileNotFoundException] { + Write-Output "Skipping as Azure AD Sync is not installed" + } + catch { + Write-Output "Unable to run Azure Active Directory synchronisation!" + } } \ No newline at end of file From b76b52abc2e6d4c0296bb1151eb2259b19687752 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 11:41:52 +0100 Subject: [PATCH 24/33] finish prev commit --- deployment/administration/remote/Delete_Unassigned_Users.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index 6c1d6599c3..bd57dc198c 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -20,7 +20,7 @@ foreach ($user in $users) { } # Force sync with AzureAD. It will still take around 5 minutes for changes to propagate -if (!$dryRun){ +if (!($dryRun)){ Write-Output "Synchronising locally Active Directory with Azure" try { Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop From b9258dd31e60dd18da0da9baa0a099a1c5e7e5d8 Mon Sep 17 00:00:00 2001 
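Review bot: The moved `catch { Write-Output "Unable to run Azure Active Directory synchronisation!" }` discards the exception, so when the delta sync fails after real deletions the operator gets no reason and, as far as this hunk shows, no failure status. Appending `: $($_.Exception.Message)` to that message, or re-throwing, would preserve the cause. Gating the sync on `!$dryRun` is right, since a preview should not trigger a directory sync; per the comment above the block a failed forced sync only delays propagation to the next scheduled cycle, but that delay is worth surfacing for a change that removes accounts.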
From: Ed Chalstrey Date: Tue, 29 Aug 2023 11:52:46 +0100 Subject: [PATCH 25/33] add dryrun param to local script --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index cfaddec63a..5d4e2b049a 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 @@ -1,6 +1,8 @@ param( [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")] - [string]$shmId + [string]$shmId, + [Parameter(Mandatory = $false, HelpMessage = "Shows the users to be deleted without performing deletion")] + [bool]$dryRun ) Import-Module Az.Accounts -ErrorAction Stop @@ -16,10 +18,10 @@ $originalContext = Get-AzContext # Delete users not currently in a security group # ---------------------------------------------- $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop -Add-LogMessage -Level Info "Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." +Add-LogMessage -Level Info "EDIT ME: Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." $script = "remote/Delete_Unassigned_Users.ps1" -$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg +$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter @{"dryRun" = "$dryRun"} $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From e4288fe2abe8355bd5cdfa63978d024b12cc4196 Mon Sep 17 00:00:00 2001 
From: Ed Chalstrey Date: Tue, 29 Aug 2023 12:06:15 +0100 Subject: [PATCH 26/33] param isnt string --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index 5d4e2b049a..7045d20ab4 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 @@ -22,6 +22,10 @@ Add-LogMessage -Level Info "EDIT ME: Deleting users not assigned to any security $script = "remote/Delete_Unassigned_Users.ps1" -$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter @{"dryRun" = "$dryRun"} +$params = @{ + dryRun = $dryRun +} + +$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter $params $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file From fdf93142ae6788c2ef957e372ecdbbf8d0f607c9 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 12:10:57 +0100 Subject: [PATCH 27/33] use dryRun switch --- .../administration/remote/Delete_Unassigned_Users.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index bd57dc198c..730935ef63 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -1,6 +1,6 @@ param( - [Parameter(Mandatory = $false, HelpMessage = "Shows the users to be deleted without performing deletion")] - [bool]$dryRun + [Parameter(Mandatory = $false, HelpMessage = "No-op mode which will not remove anything")] + [Switch]$dryRun ) # Extract list of users 
@@ -10,7 +10,7 @@ foreach ($user in $users) { $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|" if (!($groupName)) { $name = $user.SamAccountName - if ($dryRun) { + if ($dryRun.IsPresent) { Write-Output "User $name would be deleted by this action" } else { Write-Output "Deleting $name" @@ -20,7 +20,7 @@ foreach ($user in $users) { } # Force sync with AzureAD. It will still take around 5 minutes for changes to propagate -if (!($dryRun)){ +if (!($dryRun.IsPresent)) { Write-Output "Synchronising locally Active Directory with Azure" try { Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop From 69567531ea780718a87162437927dfce950c0d42 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 12:11:45 +0100 Subject: [PATCH 28/33] use switch for dryrun local --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index 7045d20ab4..c3593313e9 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 @@ -1,8 +1,8 @@ param( [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")] [string]$shmId, - [Parameter(Mandatory = $false, HelpMessage = "Shows the users to be deleted without performing deletion")] - [bool]$dryRun + [Parameter(Mandatory = $false, HelpMessage = "No-op mode which will not remove anything")] + [Switch]$dryRun ) Import-Module Az.Accounts -ErrorAction Stop From 663e35765ffea056c4838783f15b4cac0e3b2d05 Mon Sep 17 00:00:00 2001 
From: Ed Chalstrey Date: Tue, 29 Aug 2023 13:36:30 +0100 Subject: [PATCH 29/33] pass remote script string param --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 8 +++++--- .../administration/remote/Delete_Unassigned_Users.ps1 | 8 ++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index c3593313e9..532285d82e 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 @@ -22,10 +22,12 @@ Add-LogMessage -Level Info "EDIT ME: Deleting users not assigned to any security $script = "remote/Delete_Unassigned_Users.ps1" -$params = @{ - dryRun = $dryRun +# Passing a param to a remote script requires it to be a string +if ($dryRun.IsPresent){ + $params = @{dryRun = "yes"} +} else { + $params = @{dryRun = "no"} } - $result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter $params $null = Set-AzContext -Context $originalContext -ErrorAction Stop \ No newline at end of file diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index 730935ef63..563657a000 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -1,6 +1,6 @@ param( - [Parameter(Mandatory = $false, HelpMessage = "No-op mode which will not remove anything")] - [Switch]$dryRun + [Parameter(Mandatory = $true, HelpMessage = "yes/no determines whether users should actually be deleted")] + [string]$dryRun ) # Extract list of users 
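Review bot: `[string]$dryRun` accepts any value, and the two checks in this file's next hunks (`if ($dryRun -eq "yes")` and `if ($dryRun -eq "no")`) are not complementary: a value that is neither, such as a typo or an empty string arriving through `-Parameter`, takes the delete branch yet skips the AAD sync. Declaring the parameter as `[ValidateSet("yes", "no")] [string]$dryRun` makes an unexpected value a binding error instead of a deletion, after which the second check can simply be the `else` of the first. Since `Mandatory = $true` forces the caller to choose, the `HelpMessage` should also say which value is the non-destructive one.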
@@ -10,7 +10,7 @@ foreach ($user in $users) { $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|" if (!($groupName)) { $name = $user.SamAccountName - if ($dryRun.IsPresent) { + if ($dryRun -eq "yes") { Write-Output "User $name would be deleted by this action" } else { Write-Output "Deleting $name" @@ -20,7 +20,7 @@ foreach ($user in $users) { } # Force sync with AzureAD. It will still take around 5 minutes for changes to propagate -if (!($dryRun.IsPresent)) { +if ($dryRun -eq "no") { Write-Output "Synchronising locally Active Directory with Azure" try { Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop From f9e8a3cb7469ff487513f93a10e4f72ba6d61b6a Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 13:45:11 +0100 Subject: [PATCH 30/33] change message for dry run --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index 532285d82e..34df4a08e3 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 
@@ -18,14 +18,14 @@ $originalContext = Get-AzContext # Delete users not currently in a security group # ---------------------------------------------- $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop -Add-LogMessage -Level Info "EDIT ME: Deleting users not assigned to any security group: $($config.shm.id) from $($config.dc.vmName)..." - $script = "remote/Delete_Unassigned_Users.ps1" # Passing a param to a remote script requires it to be a string if ($dryRun.IsPresent){ - $params = @{dryRun = "yes"} + Add-LogMessage -Level Info "Listing users not assigned to any security group from $($config.dc.vmName)..." + $params = @{dryRun = "yes" } } else { + Add-LogMessage -Level Info "Deleting users not assigned to any security group from $($config.dc.vmName)..." $params = @{dryRun = "no"} } $result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter $params From c5966141be3050a281536dca3cc4c7f505e0e629 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 13:58:56 +0100 Subject: [PATCH 31/33] add documentation --- docs/source/roles/system_manager/manage_users.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 7c832132ff..883db30e0f 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -137,6 +137,14 @@ The `DC1` is the source of truth for user details. If these details need to be c - Click on `Users` under `Manage` and search for the user - Confirm the user is no longer present +### {{x}} Automatically deleting all usassigned users + +In some situations, such as at the end of a project after an SRE has been torn down, you may want to remove all users from the SHM who are not assigned to the security group of any remaining attached SREs. + +- Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team +- Open a `Powershell` terminal and navigate to the `deployment/administration` directory within the Data Safe Haven repository +- Run `./SHM_Delete_Unassigned_Users.ps1 -shmId ` (use the `-dryRun` flag to see who would get deleted with out performing the deletion) + ## {{calling}} Assign MFA licences ### {{hand}} Manually add licence to each user From d8e42fa14e09cd7787e8d380322f23d9b5c9217a Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Tue, 29 Aug 2023 16:11:27 +0100 Subject: [PATCH 32/33] pass pester tests --- deployment/administration/SHM_Delete_Unassigned_Users.ps1 | 4 ++-- .../administration/remote/Delete_Unassigned_Users.ps1 | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 index 34df4a08e3..c09cd6c7be 100644 --- a/deployment/administration/SHM_Delete_Unassigned_Users.ps1 +++ b/deployment/administration/SHM_Delete_Unassigned_Users.ps1 
@@ -21,12 +21,12 @@ $null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop $script = "remote/Delete_Unassigned_Users.ps1" # Passing a param to a remote script requires it to be a string -if ($dryRun.IsPresent){ +if ($dryRun.IsPresent) { Add-LogMessage -Level Info "Listing users not assigned to any security group from $($config.dc.vmName)..." $params = @{dryRun = "yes" } } else { Add-LogMessage -Level Info "Deleting users not assigned to any security group from $($config.dc.vmName)..." - $params = @{dryRun = "no"} + $params = @{dryRun = "no" } } $result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter $params diff --git a/deployment/administration/remote/Delete_Unassigned_Users.ps1 b/deployment/administration/remote/Delete_Unassigned_Users.ps1 index 563657a000..c154d5a012 100644 --- a/deployment/administration/remote/Delete_Unassigned_Users.ps1 +++ b/deployment/administration/remote/Delete_Unassigned_Users.ps1 @@ -25,11 +25,9 @@ if ($dryRun -eq "no") { try { Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop Start-ADSyncSyncCycle -PolicyType Delta - } - catch [System.IO.FileNotFoundException] { + } catch [System.IO.FileNotFoundException] { Write-Output "Skipping as Azure AD Sync is not installed" - } - catch { + } catch { Write-Output "Unable to run Azure Active Directory synchronisation!" } } \ No newline at end of file From 3f04b76d72472e1f670bc47c8747f84e654cede9 Mon Sep 17 00:00:00 2001 From: Ed Chalstrey Date: Mon, 11 Sep 2023 10:03:17 +0100 Subject: [PATCH 33/33] Update docs/source/roles/system_manager/manage_users.md Co-authored-by: James Robinson --- docs/source/roles/system_manager/manage_users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 883db30e0f..c83a2c80f3 100644 
--- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -137,7 +137,7 @@ The `DC1` is the source of truth for user details. If these details need to be c - Click on `Users` under `Manage` and search for the user - Confirm the user is no longer present -### {{x}} Automatically deleting all usassigned users +### {{x}} Automatically deleting all unassigned users In some situations, such as at the end of a project after an SRE has been torn down, you may want to remove all users from the SHM who are not assigned to the security group of any remaining attached SREs.