1. Technical background
1.1. Requirements
As one engineering department hired a large number of new staff, requests for Windows bastion-host accounts with remote login rights became frequent, and adding each one by hand is tedious. After constantly switching between Linux and the various Windows operating systems, I sometimes could not even find where Windows Server configures which users are authorized to log in remotely.
1.2. Why a Windows bastion host is needed
The company's business systems sit behind physical network segmentation by zone and layer, so they cannot be reached directly from the office network (without a bastion host, a temporary test application cannot be tested at all).
1.3. Are there alternatives
1. Newer versions of the open-source JumpServer support managing Windows hosts.
1.4. Why write a script
1. The bastion-host version deployed internally is too old to manage Windows Server.
2. Manual configuration is tedious and easy to get wrong.
Not much more to say; straight to the script.
2. Script for authorizing users to log in remotely
```python
# coding=utf-8
import os
import random
import time
import sys
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# One log file per month, e.g. 202301winduseradd.log, inside the ops_adduser directory.
time_line = time.strftime('%Y%m', time.localtime(time.time()))
log_path = 'C:\\Users\\Administrator\\Desktop\\ops_adduser'
logfile = os.path.join(log_path, time_line + 'winduseradd.log')
handler = logging.FileHandler(logfile, mode='a')
handler.setLevel(logging.INFO)
formatter = logging.Formatter("%(asctime)s - %(filename)s[line:%(lineno)d] - %(levelname)s: %(message)s")
handler.setFormatter(formatter)
logger.addHandler(handler)


def userWindUser(data):
    """
    1. Wrap the input argument in a dict.
    2. Iterate over the list, so several users can be supported later (currently one).
    3. Build a password from a fixed prefix, a special character and a random number so it passes the system password policy.
    4. Create the user, set the password and add the user to the remote-login group.
    """
    user_dict = [{"name": data, "realname": data, "group": "Remote Desktop Users"}]
    user_list = []
    for i in user_dict:
        username = i["name"]
        group = i["group"]
        realname = i["realname"]
        # Fixed prefix plus a three-digit number: only 891 possible passwords,
        # and the password is written to the log file in clear text below.
        randstr = random.randint(100, 990)
        password = "Lixing" + "#" + str(randstr)
        logger.info("created user " + str(username) + " with password " + str(password))
        user_list.append(username + ' : ' + password)
        # Create the user, set the password and forbid the user from changing it
        command = "net user %s %s /passwordchg:no /expires:never /FULLNAME:%s /add" % (username, password, realname)
        runOscmd(command)
        # Set the password to never expire
        command = "wmic useraccount where \"name='%s'\" set passwordexpires=false" % (username)
        runOscmd(command)
        # Add the user to the group
        command = "net localgroup \"%s\" %s /add" % (group, username)
        runOscmd(command)
    print(user_list)  # print the account and password
    return user_list


def runOscmd(cmd):
    """
    1. Run a Windows system command. os.system() hands the string to cmd.exe,
       and the username is interpolated into it unescaped.
    """
    if cmd:
        os.system(cmd)
    else:
        print("cmd error")


def accountWrite(username):
    """
    1. Create the user and grant remote access.
    2. Check whether anything was returned.
    3. Write failures to the log file.
    """
    data = userWindUser(username)
    if data:
        logger.info("run success")
    else:
        logger.error("useradd user error")


if __name__ == "__main__":
    """
    1. Script entry point.
    2. Strip leading and trailing whitespace from the argument.
    3. If no argument is given, stop and write a message to the log file.
    """
    try:
        username = sys.argv[1]
        if username:
            result = accountWrite(username.strip())
        else:
            print("please input user")
    except Exception as e:
        logger.error("no user supplied or run failed: %s", e)
```
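The script above does the job, but three things in it are worth fixing before it is wired to anything like a ticketing system: the password is a fixed prefix plus a three-digit number (891 candidates, easily guessed over RDP), the username from `sys.argv` is pasted into a `cmd.exe` string, so a value such as `ops & whoami` runs a second command, and the password is written to the log file in clear text. The following is an added example, not the original script and not part of the page's own code, that keeps the same three commands and the same usage (`python <script> <username>`) while closing those gaps. The function names (`is_valid_username`, `make_password`, `build_commands`, `create_rdp_user`, `dry_runner`) and the script name are my own.

```python
# Added example, not the original script: same three Windows commands, but the
# user name is whitelisted, the password comes from the OS CSPRNG, nothing is
# passed through cmd.exe, and the password is handed to the operator once on
# stdout rather than written to a log.
# All function names here are my own, not the page's.
import re
import secrets
import string
import subprocess
import sys

RDP_GROUP = "Remote Desktop Users"

# Whitelist for the SAM account name: 1-20 characters, no spaces, none of the
# characters Windows forbids in account names ( " / \ [ ] : ; | = , + * ? < > )
# and, as a side effect, none of the cmd.exe metacharacters (& | ^ % ").
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def is_valid_username(name):
    """True if name is an acceptable local account name (no trailing dot)."""
    return bool(_USERNAME_RE.match(name)) and not name.endswith(".")


def make_password(length=14):
    """Random password from secrets (CSPRNG) that satisfies the default Windows
    complexity rule: at least three of lower, upper, digit, special.
    14 is the longest password net.exe accepts without a Y/N prompt; use a
    longer one only if you also pass /y to net user."""
    alphabet = string.ascii_letters + string.digits + "!#$%&+-=?@_"
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pwd), any(c.isupper() for c in pwd),
                   any(c.isdigit() for c in pwd), any(not c.isalnum() for c in pwd))
        if sum(classes) >= 3:
            return pwd


def build_commands(username, password, group=RDP_GROUP):
    """argv lists for: create user, password never expires, add to RDP group.
    Each is run without a shell, so no element can become a second command."""
    username = username.strip()
    if not is_valid_username(username):
        raise ValueError("invalid user name: %r" % username)
    return [
        ["net", "user", username, password, "/add",
         "/passwordchg:no", "/expires:never", "/fullname:" + username],
        # wmic is deprecated on current Windows releases; there use
        # Set-LocalUser -Name <user> -PasswordNeverExpires $true instead.
        ["wmic", "useraccount", "where", "name='%s'" % username,
         "set", "passwordexpires=false"],
        ["net", "localgroup", group, username, "/add"],
    ]


def dry_runner(argv, **kwargs):
    """Stand-in for subprocess.run (my own helper): shows the command and
    reports success, so the flow can be checked on any machine."""
    print("DRY RUN:", " ".join(argv))
    return subprocess.CompletedProcess(argv, 0, "", "")


def create_rdp_user(username, runner=subprocess.run):
    """Create the account and return (username, password).
    The password is returned to the caller only; it is never logged."""
    username = username.strip()
    password = make_password()
    for argv in build_commands(username, password):
        # stdout/stderr=PIPE instead of capture_output=True keeps this on 3.6
        result = runner(argv, shell=False, stdout=subprocess.PIPE,
                        stderr=subprocess.PIPE, universal_newlines=True)
        if result.returncode != 0:
            raise RuntimeError("%s failed: %s" % (argv[0], result.stderr.strip()))
    return username, password


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    if len(args) != 1:
        sys.exit("usage: python safe_adduser.py [--dry-run] <username>")
    run = dry_runner if "--dry-run" in sys.argv else subprocess.run
    user, pwd = create_rdp_user(args[0], runner=run)
    # Hand the password to the operator once, on stdout, instead of logging it.
    print("%s : %s" % (user, pwd))
```

Run it from an elevated prompt as `python safe_adduser.py ops`; `--dry-run` prints the three commands without touching the system. The whitelist is deliberately stricter than what Windows itself allows in account names: it rejects spaces and every `cmd.exe` metacharacter, so even if someone later changes the call back to `shell=True`, a username cannot smuggle in a second command. If you keep a log, record the account name and the outcome, never the password.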
3. Usage
1. Deploy a Python 3.6 or newer environment on the Windows Server 2008 host.
2. Add the Python directory to the Windows system environment variables (PATH).
3. Run the script from an elevated prompt:
```
python user_user.py ops  # create the ops user and add it to the remote-login group
```