PowerShell执行此操作:
将CRM部署帐户作为sysadmin
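添加到SQL Server
<#
.SYNOPSIS
  Prepares the CRM front-end server(s) and the SQL host for a CRM installation.
.DESCRIPTION
  For every host in $fullRolesServers: disables UAC and the host firewall over a
  remoting session, adds the CRM service accounts to the local IIS_IUSRS,
  Performance Log Users and Administrators groups, and grants them the
  "Log on as a service" right via secedit. On the SQL host it adds the CRM
  application account to local Administrators and creates a sysadmin SQL login.
  Every step is a host-level side effect; nothing is returned.
.NOTES
  Fixes over the original: the UAC/firewall script block is now sent to the
  remote session (the original omitted -Session, so it ran locally); secedit
  temp files holding the exported security policy are removed; an unresolvable
  account no longer terminates the remote run with 'exit'.
  Security: UAC off, firewall off on all profiles, local Administrators and
  SQL sysadmin for a service account all widen the attack surface of these
  hosts. Scope this to lab machines and restore the settings afterwards; the
  firewall step can be narrowed to enabling only the "Windows Remote
  Management" rule group.
#>
function Assign-Permissions
{
  # Hosts receiving the full CRM server roles.
  $fullRolesServers = @("WDPWD99A0310")
  # Host running the default SQL Server instance.
  $sqlServer = "WDVMA76A0530"
  # ADSI paths of the domain accounts handled below.
  $appSvc   = "WinNT://TESTBIZTALK/CRMAppSvc"
  $asyncSvc = "WinNT://TESTBIZTALK/CRMAsyncSvc"

  # Adds $memberPath to the local group $groupPath (both ADSI WinNT paths)
  # unless it is already a member. Replaces the repeated IsMember/Invoke pairs.
  function Add-GroupMemberIfMissing([string]$groupPath, [string]$memberPath)
  {
    $group  = [ADSI]$groupPath
    $member = ([ADSI]$memberPath).path
    if (!($group.IsMember($member)))
    {
      $group.psbase.Invoke("Add", $member)
    }
  }

  foreach ($server in $fullRolesServers)
  {
    # -Credential Administrator prompts interactively for the password; run attended.
    $session0 = New-PSSession -ComputerName $server -Credential Administrator
    if ($session0)
    {
      try
      {
        # Bug fix: -Session was missing, so this block ran on the local machine.
        # Output (e.g. netsh's "Ok.") is discarded; progress goes to the host via Write-Host.
        $null = Invoke-Command -Session $session0 -ScriptBlock {
          # Sets EnableLUA=0 (takes effect after reboot) unless it already is 0.
          function Disable-Uac()
          {
            $uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system'
            if ((Get-ItemProperty $uacKey -Name EnableLUA -ea 0).EnableLUA -eq 0)
            {
              Write-Host "UAC is disabled" -f darkcyan
            }
            else
            {
              Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 0
              Write-Host "UAC has been disabled" -f darkGreen
            }
          }
          Write-Host "Server:$env:computerName - Disabling UAC" -f darkcyan
          Disable-Uac
          Write-Host "Server:$env:computerName - Turning Off Firewall" -f darkcyan
          # Turns the host firewall off on every profile (domain, private, public).
          netsh advfirewall set allprofiles state off
        }
      }
      finally
      {
        # Always tear the session down, even if the remote block throws.
        Remove-PSSession -Session $session0
      }
    }
    else
    {
      Write-Host "Server:$server - could not open a remoting session; skipping UAC/firewall step" -f red
    }

    # Local groups on the CRM server.
    $iisGroup   = "WinNT://$server/IIS_IUSRS,group"
    $perfoGroup = "WinNT://$server/Performance Log Users,group"
    $adminGroup = "WinNT://$server/Administrators,group"

    Write-Host "Server:$server - Adding CRM Application Account to IIS_IUSRS and Performance Log Users groups" -ForegroundColor DarkCyan
    Add-GroupMemberIfMissing $iisGroup $appSvc
    Add-GroupMemberIfMissing $perfoGroup $appSvc
    Write-Host "Server:$server - Adding CRM Deployment Account to IIS_IUSRS and Local Administrators groups" -ForegroundColor DarkCyan
    # NOTE(review): the original script uses the application account (CRMAppSvc)
    # here rather than a distinct deployment account; confirm that is intended,
    # since this is the identity that lands in local Administrators.
    Add-GroupMemberIfMissing $iisGroup $appSvc
    Add-GroupMemberIfMissing $adminGroup $appSvc
    Write-Host "Server:$server - Adding CRM Async Service Account to Performance Log Users group" -ForegroundColor DarkCyan
    Add-GroupMemberIfMissing $perfoGroup $asyncSvc

    $null = Invoke-Command -ComputerName $server -ScriptBlock {
      # Grants SeServiceLogonRight to $accountToAdd by exporting the local
      # security policy with secedit, prepending the account SID and importing
      # the USER_RIGHTS area back. Uses 'return' rather than 'exit' so that one
      # unresolvable account does not abort the remaining accounts.
      function AddLogonAsAService($accountToAdd)
      {
        if ([string]::IsNullOrEmpty($accountToAdd))
        {
          Write-Host "no account specified" -f red
          return
        }
        # Resolve the account name to a SID; stays $null if translation fails.
        $sidstr = $null
        try
        {
          $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
          $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
          $sidstr = $sid.Value.ToString()
        }
        catch
        {
          $sidstr = $null
        }
        Write-Host "Server:$env:computerName - Adding ""Logon as a Service"" right to Account: $accountToAdd" -ForegroundColor DarkCyan
        if ([string]::IsNullOrEmpty($sidstr))
        {
          Write-Host "Account not found!" -ForegroundColor Red
          return
        }
        $tmp  = [System.IO.Path]::GetTempFileName()
        $tmp2 = $null
        try
        {
          # Export the current local security policy and read SeServiceLogonRight.
          secedit.exe /export /cfg "$($tmp)"
          $currentSetting = ""
          foreach ($s in (Get-Content -Path $tmp))
          {
            if ($s -like "SeServiceLogonRight*")
            {
              $x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
              $currentSetting = $x[1].Trim()
            }
          }
          if ($currentSetting -notlike "*$($sidstr)*")
          {
            Write-Host "Modify Setting 'Logon as a Service'" -ForegroundColor DarkCyan
            # secedit lists SIDs as '*SID', comma-separated.
            if ([string]::IsNullOrEmpty($currentSetting))
            {
              $currentSetting = "*$($sidstr)"
            }
            else
            {
              $currentSetting = "*$($sidstr),$($currentSetting)"
            }
            $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@
            $tmp2 = [System.IO.Path]::GetTempFileName()
            $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
            # secedit.sdb is resolved relative to the current directory.
            Push-Location (Split-Path $tmp2)
            try
            {
              secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
            }
            finally
            {
              Pop-Location
            }
          }
          else
          {
            Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkGreen
          }
        }
        finally
        {
          # Bug fix: the exported policy and the generated .inf were left in %TEMP%;
          # they list the host's privilege assignments, so remove them.
          Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
          if ($tmp2) { Remove-Item -Path $tmp2 -Force -ErrorAction SilentlyContinue }
        }
        Write-Host "Done." -ForegroundColor DarkGreen
      }
      AddLogonAsAService "TESTBIZTALK\CRMAsyncSvc"
      AddLogonAsAService "TESTBIZTALK\CRMSandboxSvc"
      AddLogonAsAService "TESTBIZTALK\CRMAppSvc"
      AddLogonAsAService "TESTBIZTALK\CRMVssSvc"
      AddLogonAsAService "TESTBIZTALK\CRMMonSvc"
    }
  }

  # SQL host: local Administrators membership plus a sysadmin SQL login.
  Add-GroupMemberIfMissing "WinNT://$sqlServer/Administrators,group" $appSvc
  $null = Invoke-Command -ComputerName $sqlServer -ScriptBlock {
    # Creates a Windows login for the CRM application account on the default
    # instance and adds it to the sysadmin fixed server role. Errors are
    # reported to the host rather than thrown.
    function createLogin()
    {
      try
      {
        $instanceName = "MSSQLSERVER"
        $LoginName = "TESTBIZTALK\CRMAppSvc"
        Import-Module SQLPS -DisableNameChecking
        # Default instance is addressed by host name alone; named ones as host\instance.
        if ($instanceName -eq "MSSQLSERVER")
        {
          $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList WDVMA76A0530
        }
        else
        {
          $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList "WDVMA76A0530\$instanceName"
        }
        if ($server.Logins.Contains($LoginName))
        {
          Write-Host $LoginName "Already exists..."
        }
        else
        {
          $SqlLogin = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Login -ArgumentList $server, "$LoginName"
          $SqlLogin.LoginType = 'WindowsUser'
          $SqlLogin.Create()
          # sysadmin grants full control of the instance; a least-privilege setup
          # would grant only the roles the CRM installer requires.
          $SqlLogin.AddToRole('sysadmin')
          Write-Host $LoginName "Login created successfully" -f darkgreen
        }
      }
      catch
      {
        Write-Host "Could not create Login - Error: " $($_.Exception.Message) -f red
      }
    }
    createLogin
  }
}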
# Entry point: run the whole provisioning sequence against the hosts named inside the function.
Assign-Permissions
欢迎对本地机器上的PowerShell远程处理和CRM 2016安装感兴趣的人提出建议。
环境细节：TestDC1 为域控制器，WDPWD99A0310 为 CRM 服务器，WDVMA76A0530 为 SQL 服务器。
我在其他“LAB”环境中有一个用于“为CRM服务帐户分配本地组成员身份和权限”的PowerShell脚本。之前的脚本存在“PowerShell Remoting”问题，请确保已在您的环境中完整配置了PowerShell远程处理。
遵循路径：计算机配置\策略\Windows设置\安全设置\具有高级安全性的Windows防火墙。在这里，右键单击“入站规则”，然后单击“新建规则”。在出现的窗口中，选择“预定义”类型并选择“Windows远程管理”。
选择是否允许访问域/专用网络和/或公共网络。
最后,保留启用连接的权限,然后单击“完成”,以在Windows防火墙中创建新规则。
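<#
.SYNOPSIS
  Assign local group membership and permissions for the CRM service accounts (lab variant).
.DESCRIPTION
  For every host in $fullRolesServers: disables UAC and the host firewall over a
  remoting session, adds the CRM service accounts to the local IIS_IUSRS,
  Performance Log Users and Administrators groups, and grants them the
  "Log on as a service" right via secedit. On the SQL host it adds the CRM
  application account to local Administrators and creates a sysadmin SQL login.
  Every step is a host-level side effect; nothing is returned.
.NOTES
  Fixes over the original: the remoting session is always removed (try/finally);
  secedit temp files holding the exported security policy are deleted; an
  unresolvable account no longer terminates the remote run with 'exit'; the
  repeated IsMember/Invoke pairs share one helper.
  Security: UAC off, firewall off on all profiles, local Administrators and
  SQL sysadmin for a service account all widen the attack surface of these
  hosts. Keep this to lab machines and restore the settings afterwards; the
  firewall step can be narrowed to enabling only the "Windows Remote
  Management" rule group, which is all remoting needs.
#>
function Assign-Permissions
{
  # Hosts receiving the full CRM server roles; ';' separated list.
  $fullRolesServers = "BTLab2016".Split(";")
  # Host running the default SQL Server instance.
  $sqlServer = "BTLab2016"
  # ADSI paths of the domain accounts handled below.
  $appSvc   = "WinNT://BIZTALK2016/CrmAppServiceDEV"
  $asyncSvc = "WinNT://BIZTALK2016/CrmAsyncServiceDEV"

  # Adds $memberPath to the local group $groupPath (both ADSI WinNT paths)
  # unless it is already a member.
  function Add-GroupMemberIfMissing([string]$groupPath, [string]$memberPath)
  {
    $group  = [ADSI]$groupPath
    $member = ([ADSI]$memberPath).path
    if (!($group.IsMember($member)))
    {
      $group.psbase.Invoke("Add", $member)
    }
  }

  foreach ($server in $fullRolesServers)
  {
    # Uses the caller's credentials; remoting must already be enabled on $server.
    $session0 = New-PSSession -ComputerName $server
    if ($session0)
    {
      try
      {
        # Output (e.g. netsh's "Ok.") is discarded; progress goes to the host via Write-Host.
        $null = Invoke-Command -Session $session0 -ScriptBlock {
          # Sets EnableLUA=0 (takes effect after reboot) unless it already is 0.
          function Disable-Uac()
          {
            $uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system'
            if ((Get-ItemProperty $uacKey -Name EnableLUA -ea 0).EnableLUA -eq 0)
            {
              Write-Host "UAC is disabled" -f darkcyan
            }
            else
            {
              Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 0
              Write-Host "UAC has been disabled" -f darkGreen
            }
          }
          Write-Host "Server:$env:computerName - Disabling UAC" -f darkcyan
          Disable-Uac
          Write-Host "Server:$env:computerName - Turning Off Firewall" -f darkcyan
          # Turns the host firewall off on every profile (domain, private, public).
          netsh advfirewall set allprofiles state off
        }
      }
      finally
      {
        # Always tear the session down, even if the remote block throws.
        Remove-PSSession -Session $session0
      }
    }
    else
    {
      Write-Host "Server:$server - could not open a remoting session; skipping UAC/firewall step" -f red
    }

    # Local groups on the CRM server.
    $iisGroup   = "WinNT://$server/IIS_IUSRS,group"
    $perfoGroup = "WinNT://$server/Performance Log Users,group"
    $adminGroup = "WinNT://$server/Administrators,group"

    Write-Host "Server:$server - Adding CRM Application Account to IIS_IUSRS and Performance Log Users groups" -ForegroundColor DarkCyan
    Add-GroupMemberIfMissing $iisGroup $appSvc
    Add-GroupMemberIfMissing $perfoGroup $appSvc
    Write-Host "Server:$server - Adding CRM Deployment Account to IIS_IUSRS and Local Administrators groups" -ForegroundColor DarkCyan
    # NOTE(review): the original script uses the application account here rather
    # than a distinct deployment account; confirm that is intended, since this is
    # the identity that lands in local Administrators.
    Add-GroupMemberIfMissing $iisGroup $appSvc
    Add-GroupMemberIfMissing $adminGroup $appSvc
    Write-Host "Server:$server - Adding CRM Async Service Account to Performance Log Users group" -ForegroundColor DarkCyan
    Add-GroupMemberIfMissing $perfoGroup $asyncSvc

    $null = Invoke-Command -ComputerName $server -ScriptBlock {
      # Grants SeServiceLogonRight to $accountToAdd by exporting the local
      # security policy with secedit, prepending the account SID and importing
      # the USER_RIGHTS area back. Uses 'return' rather than 'exit' so that one
      # unresolvable account does not abort the remaining accounts.
      function AddLogonAsAService($accountToAdd)
      {
        if ([string]::IsNullOrEmpty($accountToAdd))
        {
          Write-Host "no account specified" -f red
          return
        }
        # Resolve the account name to a SID; stays $null if translation fails.
        $sidstr = $null
        try
        {
          $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
          $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
          $sidstr = $sid.Value.ToString()
        }
        catch
        {
          $sidstr = $null
        }
        Write-Host "Server:$env:computerName - Adding ""Logon as a Service"" right to Account: $accountToAdd" -ForegroundColor DarkCyan
        if ([string]::IsNullOrEmpty($sidstr))
        {
          Write-Host "Account not found!" -ForegroundColor Red
          return
        }
        $tmp  = [System.IO.Path]::GetTempFileName()
        $tmp2 = $null
        try
        {
          # Export the current local security policy and read SeServiceLogonRight.
          secedit.exe /export /cfg "$($tmp)"
          $currentSetting = ""
          foreach ($s in (Get-Content -Path $tmp))
          {
            if ($s -like "SeServiceLogonRight*")
            {
              $x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
              $currentSetting = $x[1].Trim()
            }
          }
          if ($currentSetting -notlike "*$($sidstr)*")
          {
            Write-Host "Modify Setting 'Logon as a Service'" -ForegroundColor DarkCyan
            # secedit lists SIDs as '*SID', comma-separated.
            if ([string]::IsNullOrEmpty($currentSetting))
            {
              $currentSetting = "*$($sidstr)"
            }
            else
            {
              $currentSetting = "*$($sidstr),$($currentSetting)"
            }
            $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@
            $tmp2 = [System.IO.Path]::GetTempFileName()
            $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
            # secedit.sdb is resolved relative to the current directory.
            Push-Location (Split-Path $tmp2)
            try
            {
              secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
            }
            finally
            {
              Pop-Location
            }
          }
          else
          {
            Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkGreen
          }
        }
        finally
        {
          # Bug fix: the exported policy and the generated .inf were left in %TEMP%;
          # they list the host's privilege assignments, so remove them.
          Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
          if ($tmp2) { Remove-Item -Path $tmp2 -Force -ErrorAction SilentlyContinue }
        }
        Write-Host "Done." -ForegroundColor DarkGreen
      }
      AddLogonAsAService "BIZTALK2016\CrmAsyncServiceDEV"
      AddLogonAsAService "BIZTALK2016\CrmSandboxServiceDEV"
      AddLogonAsAService "BIZTALK2016\CrmAppServiceDEV"
      AddLogonAsAService "BIZTALK2016\CrmVssServiceDEV"
      AddLogonAsAService "BIZTALK2016\CrmMonServiceDEV"
    }
  }

  # SQL host: local Administrators membership plus a sysadmin SQL login.
  Add-GroupMemberIfMissing "WinNT://$sqlServer/Administrators,group" $appSvc
  $null = Invoke-Command -ComputerName $sqlServer -ScriptBlock {
    # Creates a Windows login for the CRM application account on the default
    # instance and adds it to the sysadmin fixed server role. Errors are
    # reported to the host rather than thrown.
    function createLogin()
    {
      try
      {
        $instanceName = "MSSQLSERVER"
        $LoginName = "BIZTALK2016\CrmAppServiceDEV"
        Import-Module SQLPS -DisableNameChecking
        # Default instance is addressed by host name alone; named ones as host\instance.
        if ($instanceName -eq "MSSQLSERVER")
        {
          $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList BTLab2016
        }
        else
        {
          $server = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Server -ArgumentList "BTLab2016\$instanceName"
        }
        if ($server.Logins.Contains($LoginName))
        {
          Write-Host $LoginName "Already exists..."
        }
        else
        {
          $SqlLogin = New-Object -TypeName Microsoft.SqlServer.Management.Smo.Login -ArgumentList $server, "$LoginName"
          $SqlLogin.LoginType = 'WindowsUser'
          $SqlLogin.Create()
          # sysadmin grants full control of the instance; a least-privilege setup
          # would grant only the roles the CRM installer requires.
          $SqlLogin.AddToRole('sysadmin')
          Write-Host $LoginName "Login created successfully" -f darkgreen
        }
      }
      catch
      {
        Write-Host "Could not create Login - Error: " $($_.Exception.Message) -f red
      }
    }
    createLogin
  }
}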
# Entry point: run the whole provisioning sequence against the hosts named inside the function.
Assign-Permissions
结果: