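# AccountName and Domain are required: the SID lookup and the AD query below cannot succeed with either
# empty, so refuse to start rather than run the rest of the script against blank values.
PARAM(
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string]$AccountName,
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string]$Domain,
    [ValidateNotNullOrEmpty()][string]$DBServer="localhost"
)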
#------------------------------------------------------------------------------------------------------
# Change FIM Portal Admin account
#
# Written by Carol Wapshere
#
# Notes:
# -- Intended use is creating a DEV environment using a production DB - has not been tested in Prod!
# -- This script directly modifies the FIMService database - please back it up first!
# -- The queries hard-code ObjectKey 2340 for the built-in Administrator object - verify that on your instance.
#
# Usage: .\Change-FIMAdminAccount.ps1 -AccountName "newaccount" -Domain "newdomain" [-DBServer "servername"]
#
# Requires:
# -- RSAT powershell module feature
# -- SQL 2008 client
#
#------------------------------------------------------------------------------------------------------
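# Resolve DOMAIN\account to its SID and return the SID's binary form as an upper-case hex string with no
# separators, so the caller can prefix "0x" and splice it into T-SQL as a binary literal.
# Throws (terminating) when the account cannot be translated; the original silently returned an empty
# string in that case, which would have been written to the database as an empty SID.
function GetSidAsHex
{
PARAM($AccountName, $Domain)
END
{
    $ntaccount = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
    try {
        # Translate() already yields a SecurityIdentifier; no need to construct a second one from it.
        $sid = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve the SID of '$Domain\$AccountName': $($_.Exception.Message)"
    }
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    return (($sidBytes | ForEach-Object { $_.ToString("X2") }) -join '')
}
}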
#------------------------------------------------------------------------------------------------------
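#------------------------------------------------------------------------------------------------------
# ObjectKey of the FIM Portal built-in Administrator object. The original queries hard-code 2340, which is
# what the script assumes a default FIMService install uses - verify it on your instance before running.
$AdminObjectKey = 2340

# Attribute keys of the string attributes the script rewrites (values taken from the original queries).
$AttrAccountName  = 1
$AttrDisplayName  = 66
$AttrMailNickname = 117
$AttrDomain       = 68

# Quote a value as a single-quoted T-SQL string literal. Inside '...' only the quote itself is special,
# so doubling it is a complete escape. Needed because DisplayName comes from AD and may contain one
# (O'Brien), which in the original broke the UPDATE statement.
function ConvertTo-SqlLiteral([string]$Value)
{
    return "'" + ($Value -replace "'", "''") + "'"
}

# Escape a value for use inside an LDAP search filter (RFC 4515: \ * ( ) and NUL). Backslash is handled
# first so the escape sequences added afterwards are not re-escaped.
function ConvertTo-LdapFilterValue([string]$Value)
{
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Read one string attribute of the admin object straight from fim.ObjectValueString ($null if no row).
function Get-FimAdminString([int]$AttributeKey)
{
    $row = Invoke-SQLCmd -Query ("SELECT ValueString FROM [FIMService].[fim].[ObjectValueString] " +
        "WHERE ObjectKey = $AdminObjectKey AND AttributeKey = $AttributeKey") -SuppressProviderContextWarning
    if ($row -eq $null) { return $null }
    return $row.ValueString
}

#------------------------------------------------------------------------------------------------------
# Load prerequisites. A missing snapin or module must abort here, before anything is touched.
foreach ($snapin in 'sqlserverprovidersnapin100', 'sqlservercmdletsnapin100') {
    if (@(Get-PSSnapin | Where-Object { $_.Name -eq $snapin }).Count -eq 0) {
        Add-PSSnapin $snapin -ErrorAction Stop
    }
}
if (@(Get-Module | Where-Object { $_.Name -eq 'ActiveDirectory' }).Count -eq 0) {
    Import-Module ActiveDirectory -ErrorAction Stop
}

# Invoke-SQLCmd takes the server and database from the current SQLSERVER: provider location.
$sqlLocation = "SQLSERVER:\SQL\$DBServer\DEFAULT\Databases\FIMService"
if ((Get-Location).Path -ne $sqlLocation) { Set-Location $sqlLocation -ErrorAction Stop }

#------------------------------------------------------------------------------------------------------
# Show the current Admin account (read-only). A missing SID row also means this is not the database
# we expect, so stop before changing anything.
write-host
write-host "Current Admin account:"
$oldSid = Invoke-SQLCmd -Query ("SELECT CONVERT(varchar(max),SecurityIdentifier,1) " +
    "FROM [FIMService].[fim].[UserSecurityIdentifiers] WHERE UserObjectKey = $AdminObjectKey") -SuppressProviderContextWarning
if ($oldSid -eq $null) {
    throw "No row with UserObjectKey $AdminObjectKey in fim.UserSecurityIdentifiers - not a FIMService database, or a different admin ObjectKey."
}
write-host " SID:" $oldSid.Column1
write-host " AccountName:" (Get-FimAdminString $AttrAccountName)
write-host " DisplayName:" (Get-FimAdminString $AttrDisplayName)
write-host " MailNickname:" (Get-FimAdminString $AttrMailNickname)
write-host " Domain:" (Get-FimAdminString $AttrDomain)
write-host

#------------------------------------------------------------------------------------------------------
# Resolve the new account. Everything is validated here, while FIMService is still running; the
# original stopped the service first and then carried on even when the lookups had failed.
write-host "Replace with New Admin Account:"
$newSidHex = GetSidAsHex -AccountName $AccountName -Domain $Domain
# GetSidAsHex emits only hex digits. Anything else - including the empty string a failed lookup can
# produce - must not reach the UPDATE, where the value is spliced in unquoted as a binary literal.
if (-not ($newSidHex -match '^[0-9A-Fa-f]+$')) {
    throw "Could not resolve the SID of $Domain\$AccountName."
}
$newSid = "0x" + $newSidHex

$objDC = Get-ADDomainController -Discover -DomainName $Domain -ErrorAction Stop
$DC = [string]$objDC.HostName
# LDAP filter with the name escaped, rather than splicing it into a PowerShell -Filter string where a
# quote in the value would break (or alter) the filter. Only DisplayName is read, so ask for only that.
$user = Get-ADObject -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $AccountName))" -Properties DisplayName -Server $DC
if ($user -eq $null) {
    throw "No object with sAMAccountName '$AccountName' found in $Domain (via $DC)."
}
$newDisplayName = [string]$user.DisplayName

write-host " SID:" $newSid
write-host " AccountName:" $AccountName
write-host " DisplayName:" $newDisplayName
write-host " MailNickname:" $AccountName
write-host " Domain:" $Domain
write-host

#------------------------------------------------------------------------------------------------------
write-host "Continue? y/n"
$continue = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
if ($continue.Character -ne 'y' -and $continue.Character -ne 'Y') {
    write-host "Aborted - no changes made."
    return
}

# All five writes go in one transaction so a failure part-way cannot leave the admin object half-changed
# (the original ran five separate statements with no error handling between them). SET XACT_ABORT ON
# makes any runtime error roll the whole transaction back. String values are quoted via
# ConvertTo-SqlLiteral; the SID is already validated as pure hex above.
$sqlBatch = @"
SET XACT_ABORT ON;
BEGIN TRANSACTION;
UPDATE [FIMService].[fim].[UserSecurityIdentifiers]
   SET SecurityIdentifier = $newSid
 WHERE UserObjectKey = $AdminObjectKey;
UPDATE [FIMService].[fim].[ObjectValueString]
   SET ValueString = $(ConvertTo-SqlLiteral $AccountName)
 WHERE ObjectKey = $AdminObjectKey AND AttributeKey = $AttrAccountName;
UPDATE [FIMService].[fim].[ObjectValueString]
   SET ValueString = $(ConvertTo-SqlLiteral $newDisplayName)
 WHERE ObjectKey = $AdminObjectKey AND AttributeKey = $AttrDisplayName;
UPDATE [FIMService].[fim].[ObjectValueString]
   SET ValueString = $(ConvertTo-SqlLiteral $AccountName)
 WHERE ObjectKey = $AdminObjectKey AND AttributeKey = $AttrMailNickname;
UPDATE [FIMService].[fim].[ObjectValueString]
   SET ValueString = $(ConvertTo-SqlLiteral $Domain)
 WHERE ObjectKey = $AdminObjectKey AND AttributeKey = $AttrDomain;
COMMIT TRANSACTION;
"@

# Stop the service only now, after validation and confirmation, and always restart it afterwards.
net stop FIMService
try {
    write-host "Updating FIMService database:"
    # -DisableVariables: Invoke-SQLCmd otherwise expands sqlcmd "$(name)" variables in the query text, so
    # an account or display name containing "$(" would be interpreted instead of stored literally.
    Invoke-SQLCmd -Query $sqlBatch -DisableVariables -AbortOnError -ErrorAction Stop -SuppressProviderContextWarning
    write-host " Changed SID, AccountName, DisplayName, MailNickname and Domain."
} catch {
    Write-Error "Update failed; with XACT_ABORT ON the transaction should have been rolled back, so verify the admin object before retrying: $($_.Exception.Message)"
} finally {
    net start FIMService
}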