-
Notifications
You must be signed in to change notification settings - Fork 7
Invoke admu from jcagent
The JumpCloud Agent can help admins migrate Domain accounts to Local Accounts by invoking the ADMU remotely. As with any automation task, information about systems needs to be gathered prior to running any scripts. In order to automate the process of migrating users across multiple systems, the JumpCloud agent must first be installed on the systems you wish to migrate. The agent will remotely gather user data from the systems to migrate.
- GitHub Account
- JumpCloud Admin Account API Key
- JumpCloud PowerShell Module installed on a local device
There are two steps to the remote migration process.
- Collect Data & Upload CSV: Searching for and recording data about the systems
- Remote Invocation: Remotely trigger the ADMU on systems to migrate their intended users.
The first script takes data collected by the JumpCloud agent for every device in your organization. That data is combined into a single CSV file and uploaded to GitHub this script can be run locally on a system. The generated CSV file must be manually edited to inform the second script which users should be migrated to corresponding JumpCloud usernames.
The second script is to be run as a JumpCloud Command. It references the CSV created in the first script and attempts to migrate users and systems based on the data in the generated CSV file.
In order to gather data about systems, a location to store data is required. In these scripts data will be written back to a private GitHub Repository. In order to write data to a private github repository, a personal access token with full repo access is required.
Within GitHub create a private repository called "JumpCloud-ADMU-Discovery". This repository name can be changed as long as the $GHRepoName variable is updated to match the repository name.
On a local device, download the collection script and open it using a text editor.
Populate the variables:
$GHUsername - This is your GitHub account username.
$GHToken - This is the generated GitHub token with required rights.
$GHRepoName - This is the name that will be used when creating the GitHub repo.
After editing these variables save the file.
In a PowerShell terminal window with the JumpCloud Agent already installed. Run the Connect-JCOnline command to connect to your JumpCloud Organization. When prompted, enter you administrator API Key.
Run the script through the PowerShell terminal window:
./path/to/1_ADMU_Collect.ps1The script should fetch all JumpCloud systems in the organization, filter users that are managed by AD and upload that list of user to the GitHub repository under the file "jcdiscovery.csv".
Each user should contain an entry for:
SID
LocalPath
LocalComputerName
LocalUsername
JumpCloudUserNameThe LocalUserName field will display a username unless the system secure channel is broken, in which case the account SID will be displayed.
If the script is run multiple times on the same system it will overwrite the csv file with the latest user data.
This "jcdiscovery.csv" file can be edited directly on GitHub or with a local CSV editor. The invoke script will reference this file on GitHub when migrations are attempted on individual machines. Each row contains an AD user, the JumpCloudUserName cell needs to be populated for any user that should be migrated on any device.
The invoke script will download the jcdiscovery.csv to the system, install the ADMU PowerShell module, search the CSV for a matching system hostname and invoke the ADMU with the values in the corresponding row.
Example CSV:
| SID | LocalPath | LocalComputerName | LocalUsername | JumpCloudUserName |
|---|---|---|---|---|
| S-1-5-21-41106789-669517676-457226549-1065 | C:\Users\tg2gadmin | JOE-61AC71RME1D | JOE-61AC71RME1D\bob.fay | |
| S-1-5-21-156575111-3938707022-2951340204-1159 | C:\Users\bobfay | JOEWORKMAN181C | S-1-5-21-156575111-3938707022-2951340204-1159 | bob.fay |
If for example, the "JOEWORKMAN181C" system ran the invoke script, it would download the entire CSV, compare it's hostname to values in the CSV and in this case attempt to migrate the user SID "S-1-5-21-156575111-3938707022-2951340204-1159" to a local user "bob.fay"
Populate the variables of the script. Refer to the ADMU documentation for parameter behavior
$JumpCloudUserName
$SelectedUserName
$TempPassword
$LeaveDomain
$ForceReboot
$UpdateHomePath
$InstallJCAgent
$AutobindJCUser
$JumpCloudConnectKey
$JumpCloudAPIKeyThe remote invoke script should be run on the same systems the discovery script was run. User accounts will be remotely converted to local accounts and if the auto-bind parameter is set those users will be bound as JumpCloud users to those systems.
It's recommended to change the default timeout command time of this script in the JumpCloud console as some accounts with larger data sets can take more than the default two min timeout to complete migration. There's no harm in increasing the value to 900 seconds (15 mins).