Managing VPN IPs in Active Directory with PowerShell
This article is about PowerShell and the tasks I use it for.
There is an option to set a static IP for VPN users on their Active Directory user object. You can, of course, do this manually. On the other hand, isn't it better to let PowerShell do the work for you?
I think so, so I created this script.
<#
vpn-ips-fixer.ps1
Created 28Apr2022 by B.M.C webmaster@phantomcode.com: Get assigned VPN IPs, output CSV, remove IPs from users not in the security group, add IPs to users who are but don't already have one.
Handy: https://community.spiceworks.com/topic/1202200-using-msradiusframedipaddress
#>
# Bring up the shared log/transcript handling before any AD work happens.
Write-Output "Starting Log Management"
#LOG MANAGEMENT - I schedule tasks to run Powershell scripts and want my logs to follow a consistent standard, this is how I do it.
# The dot-sourced helper runs with this task's full privileges (the script modifies AD user
# objects further down), so C:\belfry should be writable only by administrators: anyone who can
# edit that helper runs code as the task account.
. C:\belfry\managelogs.ps1 $MyInvocation.MyCommand.Name
#End LOG MANAGEMENT
# Scratch file the report is built in; it is moved to its final name at the end of the run.
# NOTE(review): C:\temp is a fixed, predictable path - if other local users can write there,
# prefer a per-run name under a directory only the task account can write to.
$tempcsv = "C:\temp\vpn-ips-csv.txt"
if (Test-Path -Path $tempcsv) {
  Remove-Item -Path $tempcsv -Force -Verbose
}
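#######################################
# Post a message to the "Alerts" Discord webhook.
# A good write up is here: https://www.gngrninja.com/script-ninja/2018/3/10/using-discord-webhooks-with-powershell
# Arguments: $message - text to post; a trailer naming the computer and this script is appended
# Outputs:   echoes the message to stdout; a failed POST is reported via Write-Error and swallowed
#######################################
function sendAlert
{
  Param($message)
  Write-Output "Running sendAlert`nMessage:`n$message"
  # NOTE(review): the webhook URL is a secret - anyone holding it can post to the channel. Keep
  # it out of the script body (e.g. a file readable only by the task account) so it is not
  # exposed through copies of this script, transcripts or source control.
  $uriDiscord = "https://discord.com/api/webhooks/899999999999999999/VvXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXX" #Alerts
  # Inside a function $MyInvocation.MyCommand.Name is the function's own name ("sendAlert"),
  # not the script's, so take the script file name from $PSCommandPath (empty when run
  # interactively, in which case fall back to the original value).
  $scriptName = if ($PSCommandPath) { Split-Path -Path $PSCommandPath -Leaf } else { $MyInvocation.MyCommand.Name }
  $Body = "$message`n`nMonitor on " + $env:computername + " by " + $scriptName + "`n"
  $payload = [PSCustomObject]@{
    content = $Body
  }
  try {
    Invoke-RestMethod -Uri $uriDiscord -Method Post -Body ($payload | ConvertTo-Json) -ContentType 'Application/Json' | Out-Null
  } catch {
    # Write-Error accepts a single positional -Message; the original passed two positional
    # arguments, which is a parameter-binding error rather than a log line. Include the
    # exception text so a failing webhook can be diagnosed from the transcript.
    Write-Error "$(Get-Date): Update to webhook went wrong... $($_.Exception.Message)"
  }
}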
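# SamAccountNames of the "VPN Users" group. Membership is the only authorisation for holding a
# static VPN address below, so this must be an exact-match list. The original seeded the
# variable with $null and appended with +=, which in PowerShell concatenates STRINGS: the later
# .contains() calls then became substring tests (a member "bobby" would authorise a user "bob",
# and an unauthorised account could keep or be given an address). Build a real array instead;
# .contains() on an array is an exact element match.
# NOTE(review): Get-ADGroupMember is not recursive by default - if access is granted through
# nested groups, add -Recursive. Confirm against how the group is populated.
$vpnusers = @(Get-ADGroupMember -Identity "VPN Users" | Select-Object -ExpandProperty SamAccountName | Sort-Object)
# An empty list (empty group, or the query failed) would make every scan below treat each
# account as unauthorised and strip all assignments; refuse to run rather than do that.
if ($vpnusers.Count -eq 0) {
  throw "No members returned for 'VPN Users'; stopping before any static IP is removed."
}
# octet -> "samaccountname name" for every address currently assigned; filled by the first scan
# and extended by each new assignment so the same octet is never handed out twice in a run.
$iplist = @{}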
#Get the list of current assignments
# Enabled accounts that already hold a static VPN address. Group members are recorded in
# $iplist and written to the CSV; a second account on an octet already seen is reported on the
# console only. Accounts outside the group are skipped here (the third scan removes them).
Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress |
  Sort-Object -Property SamAccountName |
  ForEach-Object {
    $user = $_
    $thisacct = $user.SamAccountName
    if (-not $vpnusers.contains($thisacct)) { return }   # return = next pipeline item
    $thisname = $user.Name
    $thisip = ([System.Net.IPAddress] $user.msRADIUSFramedIPAddress).IPAddressToString
    # NOTE(review): this takes the FIRST octet of the rendered address. When the attribute comes
    # back as an integer the [IPAddress] cast interprets it in network byte order and can render
    # the address reversed, which is presumably why the first octet is the host part here -
    # confirm against a known assignment before changing it.
    $octet = $thisip.split(".")[0]
    if ($iplist.$octet) {
      Write-Host "Assigned,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet,WARNING! $octet was already assigned to $($iplist.$octet)" -ForegroundColor DarkGreen -BackgroundColor White
    } else {
      # Key is the unpadded octet; the free-octet search later checks keys the same way.
      $iplist[$octet] = "$thisacct $thisname"
      # Zero-pad to three digits for the CSV only.
      $octet = $octet.PadLeft(3, '0')
      Write-Output "Assigned,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet" | Out-File -Append -Encoding ascii -FilePath $tempcsv
    }
  }
#Get the list of disabled users still assigned an IP
# Disabled accounts in the group that still hold a static address: clear the attribute, record
# the removal in the CSV and alert. The AD write happens before the alert is sent.
# NOTE(review): disabled accounts that are NOT in the group are handled by neither this scan
# nor the next one (which is limited to enabled accounts), so their stale assignment survives
# and would come back if the account were re-enabled - probably unintended; confirm.
Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -ne $true} -Properties Enabled,msRADIUSFramedIPAddress |
  Sort-Object -Property SamAccountName |
  ForEach-Object {
    $user = $_
    $thisacct = $user.SamAccountName
    if (-not $vpnusers.contains($thisacct)) { return }   # return = next pipeline item
    $thisname = $user.Name
    $thisip = ([System.Net.IPAddress] $user.msRADIUSFramedIPAddress).IPAddressToString
    # First octet of the rendered address, zero-padded for the CSV (see the first scan).
    $octet = $thisip.split(".")[0].PadLeft(3, '0')
    Write-Output "REMOVED,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet" | Tee-Object -Append -FilePath $tempcsv
    Set-ADUser -Identity $thisacct -Remove @{msRADIUSFramedIPAddress = "$($user.msRADIUSFramedIPAddress)"}
    sendAlert "Static IP $thisip removed for $thisacct : $thisname"
  }
#Get the list of users assigned an IP but not in the group
# Enabled accounts holding a static address without being in the group: clear the attribute,
# record the removal in the CSV and alert. This is the scan that revokes access, so it relies
# on $vpnusers being an exact list of authorised accounts.
Get-ADUser -Filter {msRADIUSFramedIPAddress -like '*' -and Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress |
  Sort-Object -Property SamAccountName |
  ForEach-Object {
    $user = $_
    $thisacct = $user.SamAccountName
    if ($vpnusers.contains($thisacct)) { return }   # authorised; handled by the first scan
    $thisname = $user.Name
    $thisip = ([System.Net.IPAddress] $user.msRADIUSFramedIPAddress).IPAddressToString
    # First octet of the rendered address, zero-padded for the CSV (see the first scan).
    $octet = $thisip.split(".")[0].PadLeft(3, '0')
    Write-Output "REMOVED,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet" | Tee-Object -Append -FilePath $tempcsv
    Set-ADUser -Identity $thisacct -Remove @{msRADIUSFramedIPAddress = "$($user.msRADIUSFramedIPAddress)"}
    sendAlert "Static IP $thisip removed for $thisacct : $thisname"
  }
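#Get the list of new IPs available to assign to users who don't have an assignment
# Enabled group members with no static address get the lowest free octet in 2..254.
# $iplist (filled by the first scan) holds the octets already in use; every new assignment is
# added to it so two users in the same run never share an octet.
# NOTE(review): 2..254 assumes .0, .1 and .255 are reserved on this subnet - confirm.
Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled,msRADIUSFramedIPAddress |
  Sort-Object -Property SamAccountName |
  ForEach-Object {
    if ($_.msRADIUSFramedIPAddress) { return }           # already assigned
    $thisname = $_.Name
    $thisacct = $_.SamAccountName
    if (-not $vpnusers.contains($thisacct)) { return }   # not authorised for a VPN address
    # Lowest unused octet. A foreach statement so the search stops at the first free value;
    # the original 2..254|% pipeline kept iterating after the assignment was made.
    $octet = 0
    foreach ($testvalue in 2..254) {
      if (-not ($iplist.Keys -contains "$testvalue")) {
        $octet = $testvalue
        break
      }
    }
    if ($octet -eq 0) {
      # Pool exhausted. The original fell through silently, leaving the user without access
      # and no record of why; make it visible in the transcript and the alert channel.
      $msg = "No free VPN IP left in 2..254 for $thisacct : $thisname"
      Write-Warning $msg
      sendAlert $msg
      return
    }
    $iplist["$octet"] = "$thisacct $thisname"            # unpadded key, as in the first scan
    $myip = "192.168.1.$octet"
    # Store the address as its host-order decimal value (worked example at the end of the
    # script). NOTE(review): if the attribute is a signed 32-bit integer in the schema, values
    # above 2147483647 (any 192.168.x.x) may be rejected or need to be written as the negative
    # two's-complement equivalent - confirm with a test account.
    $bytes = ([IPAddress]$myip).GetAddressBytes()
    [Array]::Reverse($bytes)
    $decip = [BitConverter]::ToUInt32($bytes, 0)
    Set-ADUser -Identity $thisacct -Add @{msRADIUSFramedIPAddress = "$decip"}
    sendAlert "Static IP $myip added for $thisacct : $thisname"
    # Zero-pad to three digits for the CSV only.
    $octet = "$octet".PadLeft(3, '0')
    Write-Output "ADD,$thisname,$thisacct,10.10.21.$octet,192.168.1.$octet" | Tee-Object -Append -FilePath $tempcsv
  }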
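# Publish this run's report by replacing the previous one.
$csvfile = "C:\temp\vpn-ips.csv"
if (Test-Path -Path $tempcsv) {
  if (Test-Path -Path $csvfile) {
    Remove-Item -Path $csvfile -Verbose -Force
  }
  Move-Item -Verbose -Force -Path $tempcsv -Destination $csvfile
} else {
  # The original deleted the old report unconditionally and then failed the move, so a run
  # that wrote no rows (e.g. the AD queries returned nothing) destroyed the last good report.
  Write-Warning "No rows were written to $tempcsv; keeping the previous $csvfile"
}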
<#
Worked example of the two conversions used above: dotted address -> host-order decimal (the
value written to msRADIUSFramedIPAddress) and decimal string -> dotted address. NOTE(review):
the scans cast the attribute value as returned by Get-ADUser, which may be an integer rather
than a string as here; the [IPAddress] cast behaves differently for the two - confirm.
PS C:\> $myip="192.168.1.254";$bytes=([IPAddress]$myip).GetAddressBytes();[Array]::Reverse($bytes);[BitConverter]::ToUInt32($bytes,0)
3232236030
PS C:\> $myip="3232236030";([system.net.ipaddress] $myip).ipaddresstostring
192.168.1.254
#>
# Closes the transcript; presumably started by the dot-sourced managelogs.ps1 - confirm.
Stop-Transcript