【问题标题】:Assign Local Group Membership & Permissions for CRM Service Accounts为 CRM 服务帐户分配本地组成员资格和权限
【发布时间】:2017-11-14 16:25:30
【问题描述】:

PowerShell 会这样做:

  • 在 CRM 服务器上禁用 UAC(您可以在安装后重新打开它)
  • 关闭 CRM 服务器上的防火墙(您可以在安装并配置防火墙规则后将其重新打开)
  • 将 CRM 应用程序帐户添加到前端服务器中的 IIS_IUSRS 和性能日志用户组
  • 将 CRM 部署帐户添加到部署服务器中的 IIS_IUSRS 和本地管理员组
  • 将 CRM 异步服务帐户添加到后端服务器中的性能日志用户组
  • 向相应的服务帐户授予作为服务登录的权限
  • 将 CRM 部署帐户添加到 SQL Server 中的本地管理员组
  • 将 CRM 部署帐户作为系统管理员添加到 SQL Server

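    <#
    .SYNOPSIS
      Assigns local group membership and user rights to the CRM service accounts
      ahead of a CRM 2016 installation.
    .DESCRIPTION
      For every server listed in $fullRolesServers the function:
        1. remotely disables UAC and turns the Windows Firewall off (the author's
           own notes treat both as temporary; re-enable them once the install and
           the firewall rules are in place);
        2. adds the CRM application, deployment and async accounts to the local
           IIS_IUSRS, Performance Log Users and Administrators groups through the
           WinNT ADSI provider;
        3. remotely grants "Log on as a service" (SeServiceLogonRight) to the CRM
           service accounts with secedit.
      It then adds the CRM application account to the SQL Server's local
      Administrators group and creates a sysadmin login for it.
    .NOTES
      Needs PowerShell Remoting (WinRM) reachable on every target and a caller
      who is a local administrator on each of them. Server and account names are
      hard-coded for the TESTBIZTALK lab domain. Takes no parameters and returns
      nothing; progress is reported with Write-Host.
    #>
    function Assign-Permissions
    {
      # CRM server(s) hosting all roles; a single string iterates once below.
      $fullRolesServers = "WDPWD99A0310"
      # SQL Server host.
      $sqlServer = "WDVMA76A0530"

      # ADSI paths of the service accounts, resolved once on the caller's side.
      $appAccountPath   = ([ADSI]"WinNT://TESTBIZTALK/CRMAppSvc").path
      $asyncAccountPath = ([ADSI]"WinNT://TESTBIZTALK/CRMAsyncSvc").path
      # NOTE(review): the original script added the *application* account where
      # the deployment account is described (IIS_IUSRS + local Administrators).
      # That value is kept so behaviour is unchanged; substitute the real
      # deployment account here once it is known.
      $deployAccountPath = $appAccountPath

      # Adds $memberPath to the local group at $groupPath unless already a member.
      function Add-LocalGroupMemberIfMissing($groupPath, $memberPath)
      {
        $group = [ADSI]$groupPath
        if(!($group.IsMember($memberPath)))
        {
          $group.psbase.Invoke("Add", $memberPath)
        }
      }

      foreach($server in $fullRolesServers)
      {
        # --- 1. Remote: disable UAC and the firewall ---------------------------
        # FIX: the original Invoke-Command had no -Session, so the UAC/firewall
        # changes ran on the machine executing this script, not on $server.
        # -ErrorAction Stop: if the session cannot be opened, stop here instead of
        # cascading errors through the remaining steps.
        $session0 = New-PSSession -ComputerName $server -Credential Administrator -ErrorAction Stop
        try
        {
          Invoke-Command -Session $session0 -ScriptBlock{
            # Sets EnableLUA to 0 unless it already is.
            function Disable-Uac()
            {
              $policyKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system"
              if((Get-ItemProperty $policyKey -Name EnableLUA -ea 0).EnableLUA -eq 0)
              {
                Write-Host "UAC is disabled" -f darkcyan
              }
              else
              {
                Set-ItemProperty -Path $policyKey -Name EnableLUA -Value 0
                Write-Host "UAC has been disabled" -f darkGreen
              }
            }
            Write-Host "Server:$env:computerName - Disabling UAC" -f darkcyan
            Disable-Uac
            Write-Host "Server:$env:computerName - Turning Off Firewall"  -f darkcyan
            netsh advfirewall set allprofiles state off
          }
        }
        finally
        {
          # Always tear the session down, even when the remote block fails.
          Remove-PSSession -Session $session0
        }

        # --- 2. Local group memberships on $server (WinNT ADSI provider) --------
        $iisGroup   = "WinNT://$server/IIS_IUSRS,group"
        $perfoGroup = "WinNT://$server/Performance Log Users,group"
        $adminGroup = "WinNT://$server/Administrators,group"

        Write-Host "Server:$server - Adding CRM Application Account to IIS_IUSRS and Performance Log Users groups" -ForegroundColor DarkCyan
        Add-LocalGroupMemberIfMissing $iisGroup   $appAccountPath
        Add-LocalGroupMemberIfMissing $perfoGroup $appAccountPath

        Write-Host "Server:$server - Adding CRM Deployment Account to IIS_IUSRS and Local Administrators groups" -ForegroundColor DarkCyan
        Add-LocalGroupMemberIfMissing $iisGroup   $deployAccountPath
        Add-LocalGroupMemberIfMissing $adminGroup $deployAccountPath

        Write-Host "Server:$server - Adding CRM Async Service Account to Performance Log Users group" -ForegroundColor DarkCyan
        Add-LocalGroupMemberIfMissing $perfoGroup $asyncAccountPath

        # --- 3. Remote: grant "Log on as a service" to the CRM service accounts --
        # Pipeline output of the remote block (secedit chatter) is discarded, as
        # the original did by assigning it to an unused variable.
        $null = Invoke-Command -ComputerName $server -ScriptBlock{
          # Grants SeServiceLogonRight to $accountToAdd: export the local security
          # policy with secedit, prepend the account SID to the existing list and
          # import the result back. Reports progress with Write-Host.
          function AddLogonAsAService($accountToAdd)
          {
            if( [string]::IsNullOrEmpty($accountToAdd) )
            {
              Write-Host "no account specified" -f red
              return
            }
            # Resolve the account to a SID; Translate() throws if it does not exist.
            $sidstr = $null
            try
            {
              $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
              $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
              $sidstr = $sid.Value.ToString()
            }
            catch
            {
              $sidstr = $null
            }
            Write-Host "Server:$env:computerName - Adding ""Logon as a Service"" right to Account: $accountToAdd" -ForegroundColor DarkCyan
            if( [string]::IsNullOrEmpty($sidstr) )
            {
              # FIX: the original called 'exit -1' here, which ends the whole
              # remote script block and silently skips every account after this one.
              Write-Host "Account not found!" -ForegroundColor Red
              return
            }

            $tmp  = [System.IO.Path]::GetTempFileName()
            $tmp2 = $null
            try
            {
              # Export the current policy to read the present SeServiceLogonRight line.
              secedit.exe /export /cfg "$($tmp)"
              $currentSetting = ""
              foreach($s in (Get-Content -Path $tmp))
              {
                if( $s -like "SeServiceLogonRight*")
                {
                  $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
                  $currentSetting = $x[1].Trim()
                }
              }
              if( $currentSetting -notlike "*$($sidstr)*" )
              {
                Write-Host "Modify Setting 'Logon as a Service'" -ForegroundColor DarkCyan
                if( [string]::IsNullOrEmpty($currentSetting) )
                {
                  $currentSetting = "*$($sidstr)"
                }
                else
                {
                  $currentSetting = "*$($sidstr),$($currentSetting)"
                }
                # FIX: the original used a here-string whose closing "@ was
                # indented; PowerShell requires it in column 0, so the listing did
                # not parse as posted. An array of lines needs no terminator.
                # Single quotes keep $CHICAGO$ literal.
                $infLines = @(
                  '[Unicode]',
                  'Unicode=yes',
                  '[Version]',
                  'signature="$CHICAGO$"',
                  'Revision=1',
                  '[Privilege Rights]',
                  "SeServiceLogonRight = $currentSetting"
                )
                $tmp2 = [System.IO.Path]::GetTempFileName()
                $infLines | Set-Content -Path $tmp2 -Encoding Unicode -Force
                # secedit's /db path is relative, so run it from the temp directory.
                Push-Location (Split-Path $tmp2)
                try
                {
                  secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
                }
                finally
                {
                  Pop-Location
                }
              }
              else
              {
                Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkGreen
              }
            }
            finally
            {
              # The exported policy lists every user-right assignment on the host;
              # do not leave it (or the import file) behind in %TEMP%.
              Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
              if($tmp2) { Remove-Item -Path $tmp2 -Force -ErrorAction SilentlyContinue }
            }
            Write-Host "Done." -ForegroundColor DarkGreen
          }
          AddLogonAsAService "TESTBIZTALK\CRMAsyncSvc"
          AddLogonAsAService "TESTBIZTALK\CRMSandboxSvc"
          AddLogonAsAService "TESTBIZTALK\CRMAppSvc"
          AddLogonAsAService "TESTBIZTALK\CRMVssSvc"
          AddLogonAsAService "TESTBIZTALK\CRMMonSvc"
        }
      }

      # --- SQL Server: local Administrators membership and sysadmin login -------
      # NOTE(review): the description says the *deployment* account gets local
      # admin and sysadmin on SQL Server, but the script grants both to the
      # application service account. Both rights are far broader than a CRM
      # application account needs at runtime; confirm which account is intended.
      Add-LocalGroupMemberIfMissing "WinNT://$sqlServer/Administrators,group" $appAccountPath

      $null = Invoke-Command -ComputerName $sqlServer -ScriptBlock{
        # Creates a Windows login for the CRM application account on the default
        # instance and adds it to the sysadmin role; no-op if the login exists.
        function createLogin()
        {
          try
          {
            $instanceName = "MSSQLSERVER"
            $LoginName = "TESTBIZTALK\CRMAppSvc"
            Import-Module SQLPS -DisableNameChecking
            # The default instance connects by host name; named instances need HOST\INSTANCE.
            if ($instanceName -eq "MSSQLSERVER")
            {
              $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList "WDVMA76A0530"
            }
            else
            {
              $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList "WDVMA76A0530\$instanceName"
            }
            if ($server.Logins.Contains($LoginName))
            {
              Write-Host $LoginName "Already exists..."
            }
            else
            {
              $SqlLogin = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Login -ArgumentList $server, "$LoginName"
              $SqlLogin.LoginType = 'WindowsUser'
              $SqlLogin.Create()
              # sysadmin is the most privileged server role; see the note above.
              $SqlLogin.AddToRole('sysadmin')
              Write-Host $LoginName "Login created successfully"  -f darkgreen
            }
          }
          catch
          {
            Write-Host "Could not create Login - Error: " $($_.Exception.Message) -f red
          }
        }
        createLogin
      }
    }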
            Assign-Permissions;
    

欢迎对从本地计算机进行 PowerShell 远程处理以及 CRM 2016 安装感兴趣的人提出建议。

环境细节:TestDC1 — 域控制器;WDPWD99A0310 — 客户关系管理 (CRM);WDVMA76A0530 — SQL。

【问题讨论】:

    标签: sql-server powershell dynamics-crm crm dynamics-crm-2016


    【解决方案1】:

    我已在另一个“实验室”环境中让“为 CRM 服务帐户分配本地组成员资格和权限”的 PowerShell 脚本正常运行。之前脚本的问题在于“PowerShell 远程处理”,请确保它已在您的环境中完整配置。

    “PowerShell 远程处理”

    按照以下路径操作:计算机配置\策略\Windows 设置\安全设置\高级安全 Windows 防火墙。在此处右键单击“入站规则”,然后选择“新建规则”。在出现的窗口中,选择“预定义”类型并选择“Windows 远程管理”。

    选择是否允许访问域/专用网络和/或公共网络。

    最后,选择“允许连接”并单击“完成”,即可在 Windows 防火墙中创建新规则。

    #PS Function: Assign Local Group Membership & Permissions for CRM Service Accounts 
            function Assign-Permissions
        {
          $fullRolesServers = "BTLab2016".Split(";");
          foreach($server in $fullRolesServers)
          {
            $session0 = New-PSSession -ComputerName $server;
            $output = Invoke-Command -Session $session0 -ScriptBlock{
              function Disable-Uac()
              {
                if((Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -ea 0).EnableLUA -eq 0)
                {
                  Write-Host "UAC is disabled" -f darkcyan;
                }
                else              
                {
                  Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0
                  Write-Host "UAC has been disabled" -f darkGreen;
                }
              }                
              Write-Host "Server:$env:computerName - Disabling UAC" -f darkcyan;
              Disable-Uac;
              Write-Host "Server:$env:computerName - Turning Off Firewall"  -f darkcyan;
              netsh advfirewall set allprofiles state off;
            };
            Remove-PSSession -Session $session0;
    
            $iisGroup = "WinNT://"+$server+"/IIS_IUSRS,group"
            $perfoGroup = "WinNT://"+$server+"/Performance Log Users,group"
            $adminGroup = "WinNT://"+$server+"/Administrators,group"
            
            Write-Host "Server:$server - Adding CRM Application Account to IIS_IUSRS and Performance Log Users groups" -ForegroundColor DarkCyan
            if(!(([ADSI]$iisGroup).IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path)))
                 {([ADSI]$iisGroup).psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path);}
            
            if(!(([ADSI]$perfoGroup).IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path)))
                 {([ADSI]$perfoGroup).psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path);}
    
            Write-Host "Server:$server - Adding CRM Deployment Account to IIS_IUSRS and Local Administrators groups" -ForegroundColor DarkCyan
            if(!(([ADSI]$iisGroup).IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path)))
                 {([ADSI]$iisGroup).psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path);}
            if(!(([ADSI]$adminGroup).IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path)))
                 {([ADSI]$adminGroup).psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path);}
    
            Write-Host "Server:$server - Adding CRM Async Service Account to Performance Log Users group" -ForegroundColor DarkCyan
            if(!(([ADSI]$perfoGroup).IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAsyncServiceDEV").path)))
                 {([ADSI]$perfoGroup).psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAsyncServiceDEV").path);}
    
            $output=Invoke-Command -ComputerName $server -ScriptBlock{
            function AddLogonAsAService($accountToAdd)
            {
              if( [string]::IsNullOrEmpty($accountToAdd) ) 
              {
                Write-Host "no account specified" -f red;
                exit;
              }
              $sidstr = $null
              try
              {
                $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
                $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
                $sidstr = $sid.Value.ToString()
              }
              catch 
              {
                $sidstr = $null
              }
              Write-Host "Server:$env:computerName - Adding ""Logon as a Service"" right to Account: $accountToAdd" -ForegroundColor DarkCyan
              if( [string]::IsNullOrEmpty($sidstr) )
              {
                 Write-Host "Account not found!" -ForegroundColor Red
                 exit -1
              }
              #Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan
              $tmp = [System.IO.Path]::GetTempFileName()
              #Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
              secedit.exe /export /cfg "$($tmp)" 
                            
              $c = Get-Content -Path $tmp 
              $currentSetting = ""
    
              foreach($s in $c)
              {
                if( $s -like "SeServiceLogonRight*")
                {
                  $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
                  $currentSetting = $x[1].Trim()
                }
              }
              if( $currentSetting -notlike "*$($sidstr)*" )
              {
                Write-Host "Modify Setting 'Logon as a Service'" -ForegroundColor DarkCyan
                if( [string]::IsNullOrEmpty($currentSetting) )
                {
                  $currentSetting = "*$($sidstr)"
                }
                else
                {
                  $currentSetting = "*$($sidstr),$($currentSetting)"
                }
                #Write-Host "$currentSetting"
                $outfile = @"
        [Unicode]
        Unicode=yes
        [Version]
        signature="`$CHICAGO`$"
        Revision=1
        [Privilege Rights]
        SeServiceLogonRight = $($currentSetting)
        "@
                $tmp2 = [System.IO.Path]::GetTempFileName()
                #Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
                $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
                Push-Location (Split-Path $tmp2)
          
                try
                {
                  secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
                }
                finally
                { 
                  Pop-Location
                }
              }
              else
              {
                Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkGreen
              }
              Write-Host "Done." -ForegroundColor DarkGreen
            }
            AddLogonAsAService "BIZTALK2016\CrmAsyncServiceDEV";
            AddLogonAsAService "BIZTALK2016\CrmSandboxServiceDEV";
            AddLogonAsAService "BIZTALK2016\CrmAppServiceDEV";
            AddLogonAsAService "BIZTALK2016\CrmVssServiceDEV";
            AddLogonAsAService "BIZTALK2016\CrmMonServiceDEV";
          }
        }
        if(!(([ADSI]"WinNT://BTLab2016/Administrators,group").IsMember(([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path)))
            {([ADSI]"WinNT://BTLab2016/Administrators,group").psbase.Invoke("Add",([ADSI]"WinNT://BIZTALK2016/CrmAppServiceDEV").path);}
    
        $output=Invoke-Command -ComputerName BTLab2016 -ScriptBlock{
          function createLogin()
          {
            try
            {
              $instanceName = "MSSQLSERVER"
              $LoginName = "BIZTALK2016\CrmAppServiceDEV"
              Import-Module SQLPS -DisableNameChecking
              if ($instanceName -eq "MSSQLSERVER")
              {
                $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList BTLab2016
              }
              else
              {
                $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList BTLab2016\$instanceName        
              }              
              if ($server.Logins.Contains($LoginName))
              {    
                Write-Host $LoginName "Already exists..."
              }
              else
              {
                $SqlLogin = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Login -ArgumentList $server, "$LoginName"
                $SqlLogin.LoginType = 'WindowsUser'        
                $SqlLogin.Create()
                $SqlLogin.AddToRole('sysadmin')
                Write-Host $LoginName "Login created successfully"  -f darkgreen;
              }
            }
            catch
            {     
              Write-Host "Could not create Login - Error: " $($_.Exception.Message) -f red;
            }
           }
           createLogin;
          }
        }
    # Entry point: run the whole provisioning sequence.
    Assign-Permissions
    

    结果:

    【讨论】:
