From 2f463d02d70445f45a20f04787578ac937a6a4de Mon Sep 17 00:00:00 2001
From: mjfernez
Date: Sat, 19 Feb 2022 15:35:26 -0500
Subject: Add AD scripts and bitwarden to pass script
---
 AD-powershell-tools/README.md | 1 +
 AD-powershell-tools/ad-bulk-reset.ps1 | 27 +++++++++++
 AD-powershell-tools/inactive-ad-device-report.ps1 | 57 +++++++++++++++++++++++
 bitwarden-tools/README.md | 2 +
 bitwarden-tools/bit2pass.py | 45 ++++++++++++++++++
 5 files changed, 132 insertions(+)
 create mode 100644 AD-powershell-tools/README.md
 create mode 100644 AD-powershell-tools/ad-bulk-reset.ps1
 create mode 100644 AD-powershell-tools/inactive-ad-device-report.ps1
 create mode 100644 bitwarden-tools/README.md
 create mode 100644 bitwarden-tools/bit2pass.py
diff --git a/AD-powershell-tools/README.md b/AD-powershell-tools/README.md
new file mode 100644
index 0000000..2b65598
--- /dev/null
+++ b/AD-powershell-tools/README.md
@@ -0,0 +1 @@
+Some useful AD scripts I use
diff --git a/AD-powershell-tools/ad-bulk-reset.ps1 b/AD-powershell-tools/ad-bulk-reset.ps1
new file mode 100644
index 0000000..aa16515
--- /dev/null
+++ b/AD-powershell-tools/ad-bulk-reset.ps1
@@ -0,0 +1,27 @@
+# Usage: ad-bulk-reset.ps1
+Import-Module ActiveDirectory
+
+function Gen-Random-Password {
+ $str = ""
+ for ($i = 0; $i -lt 24 ; $i++) {
+ $rand = Get-Random -Minimum 32 -Maximum 127
+ $str += [char]$rand
+ }
+ $newpwd = ConvertTo-SecureString -String [String]$str -AsPlainText -Force
+ return $newpwd
+}
+
+# Import users from CSV
+$csv = Get-Content $args[0]
+
+ForEach ($user in $csv) {
+ $newPassword = Gen-Random-Password
+
+ # Reset user password.
+ Set-ADAccountPassword -Identity $user -NewPassword $newPassword -Reset
+
+ # Force user to reset password at next logon.
+ # Remove this line if not needed for you
+ #Set-AdUser -Identity $user -ChangePasswordAtLogon $true
+ Write-Host $user"'s password has been reset"
+}
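Review bot: `ConvertTo-SecureString -String [String]$str` is parsed in argument mode, where `[String]` is most likely passed as literal text rather than applied as a cast, so every account would get a password beginning with `[String]` that nobody is told about; `ConvertTo-SecureString -String $str -AsPlainText -Force` is what is meant. `Get-Random` is not documented as a cryptographic generator in Windows PowerShell, so for a secret that is meant to stay unguessable prefer `[System.Security.Cryptography.RandomNumberGenerator]::GetInt32(32, 127)` on PowerShell 7 (or `RNGCryptoServiceProvider` on 5.1), and note that the range starts at the space character. The generated password is discarded right after `Set-ADAccountPassword`, so the loop in effect locks every listed account until a further reset, which the "has been reset" line does not convey and which a header comment should state. `Set-ADAccountPassword` errors are non-terminating by default, so a bad identity (for example a CSV header row, since `Get-Content` yields every line) still prints "has been reset"; add `-ErrorAction Stop` and wrap the call in try/catch so the message only follows a successful reset.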
diff --git a/AD-powershell-tools/inactive-ad-device-report.ps1 b/AD-powershell-tools/inactive-ad-device-report.ps1
new file mode 100644
index 0000000..560a534
--- /dev/null
+++ b/AD-powershell-tools/inactive-ad-device-report.ps1
@@ -0,0 +1,57 @@
+# PLEASE READ SCRIPT BEFORE RUNNING
+
+# Based largely on https://activedirectorypro.com/find-remove-old-computer-accounts-active-directory/
+# but changed his brack/object syntax to a string query
+
+# Usage
+# \inactive-ad-device-report.ps1 "OU=Workstations,DC=example,DC=com" "dd/MM/yyyy" [-report] [-disable]
+
+# Report and disable are optional switches to print the results to a CSV
+# and disable the computer accounts, respectively
+
+# A cutoff date and a search base, must be provided.
+
+# All computers with Login times before
+# the cutoff date are included in the results of the report
+
+# The search base is an LDAP filter that must (at a minimum) specify
+# your domain controller. And probably an OU you want to search, like:
+#
+# "OU=Workstations,DC=example,DC=com"
+
+# See here for an example: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps#example-4--get-computer-accounts-in-a-specific-location-using-an-ldapfilter
+param (
+ [Parameter(Mandatory)][string]$searchbase,
+ [Parameter(Mandatory)][string]$cutoff,
+ [switch]$report,
+ [switch]$disable
+)
+Import-Module ActiveDirectory
+$today=(get-date -Format "yyyy-MM-dd")
+try {
+ $filter = "(LastLogonDate -lt `"$cutoff`") -and (Enabled -eq `"$true`")"
+ $devices = Get-ADcomputer -filter $filter -properties LastLogonDate,Enabled,DistinguishedName `
+ -SearchBase $searchbase `
+ | select name, LastLogonDate, DistinguishedName
+ | sort LastLogonDate
+}
+catch {
+ write-error "Bad input. 
Usage: '.\inactive-ad-device-report.ps1 `"ldap-filter`" `"dd/MM/yyyy`" [-report] [-disable]'"
+}
+
+if ($disable) {
+ ForEach ($device in $devices) {
+ Set-ADComputer -Identity $device.Name -Enabled $false -Verbose -WhatIf
+ }
+
+ [Console]::Error.WriteLine("All devices disabled")
+}
+
+if($report) {
+ $fn = "old-computers-$today.csv"
+ $devices | export-csv .\$fn
+ [Console]::Error.WriteLine("Saved result list to $fn")
+} else {
+ [Console]::Error.WriteLine("Writing device list to stdout")
+ write-output $devices
+}
diff --git a/bitwarden-tools/README.md b/bitwarden-tools/README.md
new file mode 100644
index 0000000..9cb9ded
--- /dev/null
+++ b/bitwarden-tools/README.md
@@ -0,0 +1,2 @@
+(for now) just one script to handle importing Bitwarden data to UNIX
+pass
diff --git a/bitwarden-tools/bit2pass.py b/bitwarden-tools/bit2pass.py
new file mode 100644
index 0000000..47a64b0
--- /dev/null
+++ b/bitwarden-tools/bit2pass.py
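Review bot: The `-disable` branch runs `Set-ADComputer ... -WhatIf`, which changes nothing, and then reports `All devices disabled`; either drop `-WhatIf` once the dry run is confirmed or change the message to say no account was modified. `Get-ADComputer` errors are non-terminating by default, so the `catch` never fires and the script carries on with an empty `$devices`; add `-ErrorAction Stop` to the call and `exit 1` after the `write-error`. `$cutoff` is interpolated into the filter as raw text, where the provider presumably parses it with the current culture, so a "dd/MM/yyyy" value on an en-US host is likely read as month/day or rejected; parse it first with `[datetime]::ParseExact($cutoff, 'dd/MM/yyyy', [cultureinfo]::InvariantCulture)` and compare against that `[datetime]`, which also keeps arbitrary text out of the filter. The line beginning `| sort LastLogonDate` follows a line with no trailing backtick, which Windows PowerShell 5.1 rejects as an empty pipe element; only PowerShell 7 accepts a pipe at the start of a line, so add the backtick if 5.1 is a target.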
@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+"""
+bit2pass.py - grabs the bare minimum info from a bitwarden JSON export
+(unencrypted) to populate a UNIX pass datastore. This assumes you named
+your entry and gave it a password, otherwise, this script will yell at
+you.
+
+This does NOT grab notes or usernames. I find that in pass to be kind of
+useless since I rarely need to copy them. I use it purely for easy (and
+secure) copying of passwords. If a really need the notes, it's probably
+not something I'm going to be copying much. I also exclude anything
+that's not a login because, well that's what bitwarden's good for...
+Don't limit yourself to one tool
+
+
+Usage:
+0) (before running) Initialize a pass database:
+ pass init
+1) python bit2pass.py
+"""
+import sys
+import subprocess
+import json
+with open(sys.argv[1]) as f:
+ data = json.load(f)
+
+folders = { x['id'] : x['name'] for x in data['folders'] }
+passwords = {
+ folders[x['folderId']] + '/' + x['name'] :
+ x['login']['password']
+ for x in data['items']
+ if x['type'] == 1
+ }
+print(passwords)
+
+for p in passwords:
+ echo = subprocess.run(["echo", passwords[p]],
+ check=True,
+ capture_output=True
+ )
+ pass2pass = subprocess.run(["pass", "insert", "-e", p],
+ input=echo.stdout,
+ capture_output=True
+ )
+ print(pass2pass.stdout)
--
cgit v1.2.3
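Review bot: `print(passwords)` writes every secret in the export to stdout, and `subprocess.run(["echo", passwords[p]], ...)` places each password on a command line, where other local users can read it from the process table; neither is needed, because `subprocess.run` can feed the secret to `pass insert -e` through `input=` directly. Going through `echo` also mangles passwords that begin with `-n`, `-e` or `-E` (GNU echo treats those as options), and the second `subprocess.run` lacks `check=True`, so a failed `pass insert` is silently ignored. If the export can contain items with no folder (a null `folderId`), `folders[x['folderId']]` raises KeyError; `folders.get(x['folderId'], 'unfiled')` (constructed default name) keeps them. Suggested loop, with the password dump dropped:
```python
# … unchanged: folders / passwords dict construction …
for path, secret in passwords.items():
    # secret goes over stdin only; argv is visible to other local users,
    # and pass insert -e reads one line, hence the trailing newline
    subprocess.run(["pass", "insert", "-e", path],
                   input=(secret + "\n").encode(),
                   check=True)
    print(f"stored {path}")
```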