Managing VPN IPs in Active Directory with PowerShell

This article is about PowerShell and the tasks I use it for.

There is an option to set a Static IP for VPN users on their Active Directory User. You can, of course, do this manually. On the other hand, isn't it better to let PowerShell do the work for you?

I think so, so I created this script.

<#

vpn-ips-fixer.ps1

Created 28Apr2022 by B.M.C webmaster@phantomcode.com: Get assigned VPN IPs, output CSV, remove IPs from users not in the security group, add IPs to users who are but don't already have one.

Handy: https://community.spiceworks.com/topic/1202200-using-msradiusframedipaddress

#>

Write-Output "Starting Log Management"

#LOG MANAGEMENT - I schedule tasks to run Powershell scripts and want my logs to follow a consistent standard, this is how I do it.

. C:\belfry\managelogs.ps1 $MyInvocation.MyCommand.Name

#End LOG MANAGEMENT

$tempcsv="C:\temp\vpn-ips-csv.txt"

If (Test-Path $tempcsv){

 rm -Force -Verbose $tempcsv

}

function sendAlert

{ #A good write up is here: https://www.gngrninja.com/script-ninja/2018/3/10/using-discord-webhooks-with-powershell

Param($message)

Write-Output "Running sendAlert`nMessage:`n$message"

$uriDiscord = "https://discord.com/api/webhooks/899999999999999999/VvXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXX" #Alerts

$Body = "$message`n`nMonitor on " + $env:computername +" by "+$MyInvocation.MyCommand.Name+"`n"

$payload = [PSCustomObject]@{

content = $Body

}

try {

Invoke-RestMethod -uri $uriDiscord -Method Post -body ($payload|ConvertTo-Json) -ContentType 'Application/Json' | Out-Null

}catch{

Write-Error (Get-Date) ": Update to webhook went wrong..."

}

}

$vpnusers=$null;Get-ADGroupMember -Identity "VPN Users"|Select-Object SamAccountName|Sort-Object SamAccountName|%{$vpnusers += $_.SamAccountName}

$iplist=@{}

#Get the list of curret assignments

Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress|Sort-Object -Property SamAccountName|%{

$thisip=([system.net.ipaddress] $_.msRADIUSFramedIPAddress). ipaddresstostring

$thisname=$_.Name

$thisacct=$_.SamAccountName

If ($vpnusers.contains($thisacct)){

$octet=$thisip.split(".")[0]

#Write-Output "Assigned: $thisip $thisacct $thisname"

If ($iplist.$octet){

Write-Host "Assigned,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet,WARNING! $octet was already assigned to $($iplist.$octet)" -ForegroundColor DarkGreen -BackgroundColor White

}Else{

#Write-Output "Updating hashtable with $octet $thisacct $thisname"

$iplist[$octet]="$thisacct $thisname"

While ($octet.length -lt 3){$octet="0$octet"}

Write-Output "Assigned,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet"|Out-File -Append -Encoding ascii -FilePath $tempcsv

}

}

} 

#Get the list of diabled users still assigned an IP

Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -ne $true} -Properties Enabled,msRADIUSFramedIPAddress|Sort-Object -Property SamAccountName|%{

$thisip=([system.net.ipaddress] $_.msRADIUSFramedIPAddress). ipaddresstostring

$thisname=$_.Name

$thisacct=$_.SamAccountName

If ($vpnusers.contains($thisacct)){

$octet=$thisip.split(".")[0]

While ($octet.length -lt 3){$octet="0$octet"}

Write-Output "REMOVED,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet"|tee -Append -FilePath $tempcsv

Set-ADUser -Identity $thisacct -Remove @{msRADIUSFramedIPAddress="$($_.msRADIUSFramedIPAddress)"}

sendAlert "Static IP $thisip removed for $thisacct : $thisname"

  }

} 

#Get the list of users assigned an IP but not in the group

Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress|Sort-Object -Property SamAccountName|%{

$thisip=([system.net.ipaddress] $_.msRADIUSFramedIPAddress). ipaddresstostring

$thisname=$_.Name

$thisacct=$_.SamAccountName

If (-not($vpnusers.contains($thisacct))){

$octet=$thisip.split(".")[0]

While ($octet.length -lt 3){$octet="0$octet"}

Write-Output "REMOVED,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet"|tee -Append -FilePath $tempcsv

Set-ADUser -Identity $thisacct -Remove @{msRADIUSFramedIPAddress="$($_.msRADIUSFramedIPAddress)"}

sendAlert "Static IP $thisip removed for $thisacct : $thisname"

}

}

#Get the list of new IPs available to assign to users who don't have an assignment

Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress|Sort-Object -Property SamAccountName|%{

If (-not($_.msRADIUSFramedIPAddress)){

$thisname=$_.Name

$thisacct=$_.SamAccountName

If ($vpnusers.contains($thisacct)){

#Write-Output "$thisacct "

$octet=0

2..254|%{

$testvalue=$_

If ( $octet-eq 0 ){

#Write-Output "useoctet is at default"

If ($iplist.Keys -contains "$testvalue"){

#Write-Output "$testvalue is not available"

}Else{

#Write-Output "$testvalue is available"

$octet=$testvalue

$iplist["$octet"]="$thisacct $thisname"

$myip="192.168.1.$octet"

$bytes=([IPAddress]$myip).GetAddressBytes()

[Array]::Reverse($bytes)

$decip=[BitConverter]::ToUInt32($bytes,0)

Set-ADUser -Identity $thisacct -Add @{msRADIUSFramedIPAddress="$decip"}

sendAlert "Static IP $myip added for $thisacct : $thisname"

While ("$octet".length -lt 3){$octet="0$octet"}

Write-Output "ADD,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet"|tee -Append -FilePath $tempcsv

}

}

}

}

}

}

$csvfile="C:\temp\vpn-ips.csv"

If (Test-Path $csvfile){

rm -Verbose -Force $csvfile

}

mv -Verbose -Force -Path $tempcsv -Destination $csvfile

<#

PS C:\> $myip="192.168.1.254";$bytes=([IPAddress]$myip).GetAddressBytes();[Array]::Reverse($bytes);[BitConverter]::ToUInt32($bytes,0)

3232236030

PS C:\> $myip="3232236030";([system.net.ipaddress] $myip).ipaddresstostring

192.168.1.254

#>

Stop-Transcript