
Local User account creation with powershell and iControl

Problem this snippet solves:

This script creates local user accounts on a BIG-IP device, either interactively (it prompts for the connection details and reads the admin password as a SecureString) or by supplying command-line arguments so it can be driven from automation products. Note that an admin password passed as a command-line argument is visible in process listings and shell history; prefer the interactive prompt, or feed the value from a secrets store when running unattended.

How to use this snippet:

Make sure the F5 iControl PowerShell snap-in (iControlSnapIn) is installed and registered; the script loads it with Add-PSSnapIn if it is not already present in the session.

Code :

#####################################################################################################################
# F5 user creation script#
# Takes a device, login credentials, requested username, actual name, email address and partition#
# then creates the user. The generated login name and password are written to the console; the e-mail step is not implemented in this version#
# last updated: 27/01/15 by Lee Payne#
# v1.0#
#####################################################################################################################



#########################################################
# Performs the base initialisation to the BIG-IP device #
#########################################################
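#####################################################################
# Loads the iControl snap-in (if it is not already loaded) and     #
# opens a session to the BIG-IP.                                   #
#                                                                   #
# Parameters (all optional). Each one falls back to the script-    #
# scope variable the original caller sets: $bigip, $uid, $pwd.     #
#   -HostName  BIG-IP management address                           #
#   -Username  admin account used to create the new user           #
#   -Password  that account's password, in plain text (iControl    #
#              needs it in the clear; see the caller's notes)      #
#                                                                   #
# Returns whatever Initialize-F5.iControl returns, or $null when   #
# the login failed. The caller must check the result before        #
# calling Get-F5.iControl.                                          #
#####################################################################
function Do-Initialize
{
    param(
        [string]$HostName,
        [string]$Username,
        [string]$Password
    )

    # Treat an omitted OR empty argument as "use the script-scope value".
    # (The original call site passes an undefined variable as the third
    # positional argument, so an empty string must not be taken literally.)
    if ([string]::IsNullOrEmpty($HostName)) { $HostName = $bigip }
    if ([string]::IsNullOrEmpty($Username)) { $Username = $uid }
    if ([string]::IsNullOrEmpty($Password)) { $Password = $pwd }

    # Load the snap-in only once per session.
    if ($null -eq (Get-PSSnapin | Where-Object { $_.Name -eq "iControlSnapIn" }))
    {
        Add-PSSnapIn iControlSnapIn
    }

    # Try to log into the device with the supplied credentials. A thrown
    # exception is reported without the credentials and turns into a $null
    # result, the same outcome as the cmdlet returning nothing.
    $session = $null
    try
    {
        $session = Initialize-F5.iControl -HostName $HostName -Username $Username -Password $Password
    }
    catch [System.Exception]
    {
        Write-Warning ("Failed to bind to F5 device {0}: {1}" -f $HostName, $_.Exception.Message)
    }

    if ($null -eq $session)
    {
        # Write-EventLog only works once the source has been registered
        # (New-EventLog -LogName Application -Source CSHARE-F5); do not let a
        # missing source mask the real connection failure.
        Write-EventLog -Logname Application -Source CSHARE-F5 -EntryType Error -EventId 1 -Message "Failed to bind to F5 device: $HostName" -ErrorAction SilentlyContinue
    }

    return $session
}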
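#####################################################################################################
# Usage:
#   .\script.ps1                                                            (prompts for everything)
#   .\script.ps1 <device> <admin> <adminpwd> [<username> <fullname> <partition> [<email>]]
#
# Positions 0-2 are the BIG-IP and the admin credentials used to create the account; positions 3-6
# describe the account to create and are prompted for when omitted (email is optional and unused).
#
# SECURITY: an admin password given on the command line is visible to other users on the host
# (process listing) and ends up in shell history and automation logs. Prefer the interactive
# prompt, which reads it masked as a SecureString.
#
# Result (via `return`): 0 on success, 1 when the connection or the account creation failed.
#####################################################################################################

#Connection details: from the command line when at least the three connection values are present,
#otherwise prompted for. (The original required four arguments but only ever read three.)
if ($args.Length -ge 3) {
    $bigip = $args[0]
    $uid   = $args[1]
    #$pwd is kept as the variable name because Do-Initialize reads it by that name; note that it
    #shadows PowerShell's automatic $PWD (current directory) for the rest of the script.
    $pwd   = $args[2]
}
else {
    $bigip = Read-Host 'What device do you want to connect to?'
    $uid   = Read-Host 'What is your username?'
    #Read the password masked, then decrypt it only for as long as it takes to copy it into a
    #.NET string (iControl needs plain text). The unmanaged copy is zeroed and freed straight
    #away instead of being leaked, as the original did.
    $securePwd = Read-Host 'What is your password?' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd)
    try {
        $pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

#Details of the account to create. The original script declared these variables but never
#assigned them, so every run produced an account literally named "_".
$username  = if ($args.Length -gt 3) { $args[3] } else { Read-Host 'Login name for the new user (their domain login)?' }
$name      = if ($args.Length -gt 4) { $args[4] } else { Read-Host 'Full name of the new user?' }
$partition = if ($args.Length -gt 5) { $args[5] } else { Read-Host 'Partition the user needs access to?' }
#Reserved for the e-mail step described in the header; nothing in this script sends mail yet.
$email     = if ($args.Length -gt 6) { $args[6] } else { "" }

#An empty login name or partition would yield an account called "_" or "<user>_"; refuse
#rather than create something unexpected on the device.
if ([string]::IsNullOrEmpty($username) -or [string]::IsNullOrEmpty($partition)) {
    Write-Error "Both the new user's login name and their partition are required."
    return 1
}

#Renamed from $error, which is PowerShell's automatic error collection and should not be
#reused as a flag.
$exitCode = 0

#Connect, and stop here if the login failed rather than trying to create an account
#(the original ignored the result and failed later with an unrelated-looking error).
$session = Do-Initialize
if (-not $session) {
    Write-Error "Could not connect to $bigip as $uid."
    return 1
}
#User objects are created in the "users" partition (hard-coded by the original author);
#the permission's partition further down is the one the account is granted access to.
$(Get-F5.icontrol).ManagementPartition.set_active_partition("users")

#Create the objects required for the user
$userrole     = New-Object -TypeName iControl.ManagementUserManagementUserPermission
$userpassword = New-Object -TypeName iControl.ManagementUserManagementPasswordInfo
$userinfo     = New-Object -TypeName iControl.ManagementUserManagementUserInfo3[] 1
$userinfo[0]  = New-Object -TypeName iControl.ManagementUserManagementUserInfo3

#NOTE(review): the numeric role value is carried over from the original script, whose comment
#calls 1 "operator". Confirm it against the user-role enum of the iControl version in use
#before relying on it -- a wrong value could grant a more privileged role than intended.
$userrole.role      = 1
$userrole.partition = $partition

#Login name is "<domain login>_<partition>"; it must be unique, create_user_3 fails otherwise.
$user = New-Object -TypeName iControl.ManagementUserManagementUserID
$user.name      = $username + "_" + $partition
$user.full_name = $name

#Generate a 12-character password from the platform CSPRNG rather than System.Random, which
#is seeded from the clock and is not suitable for credentials. Same character set as before
#(printable ASCII 33-125). Out-of-range bytes are discarded instead of reduced modulo the
#range, which keeps the distribution uniform.
$passwordLength = 12
$rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$byte = New-Object byte[] 1
$NewPassword = ""
while ($NewPassword.Length -lt $passwordLength) {
    $rng.GetBytes($byte)
    if ($byte[0] -ge 33 -and $byte[0] -le 125) {
        $NewPassword += [char]$byte[0]
    }
}
#Dispose is only available on newer .NET versions; older ones simply leave it to the GC.
if ($rng -is [System.IDisposable]) { $rng.Dispose() }

#0 = the password is handed to the API in the clear (the original author notes the device
#stores it encrypted).
$userpassword.is_encrypted = 0
$userpassword.password     = $NewPassword

#Assemble the user record
$userinfo[0].user        = $user
$userinfo[0].password    = $userpassword
$userinfo[0].login_shell = ""
$userinfo[0].permissions = $userrole
$user = $user.name.ToString()

try {
    $(Get-F5.icontrol).managementusermanagement.create_user_3($userinfo)
    #Printed once, and only when the account exists, so a caller can capture them. This is a
    #live credential on stdout: keep the console, transcripts and automation logs private.
    Write-Host $user
    Write-Host $NewPassword
}
catch [System.Exception] {
    #Most commonly the name already exists; report the device's reason instead of swallowing it.
    Write-Error ("Failed to create user {0} on {1}: {2}" -f $user, $bigip, $_.Exception.Message)
    $exitCode = 1
}
return $exitCode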

Tested this on version:

11.5
Published Oct 10, 2015
Version 1.0