sync: auto-sync from HOWARD-HOME at 2026-06-05 16:17:06

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 16:17:06

clients/cascades-tucson/scripts/ConfigureSCP.ps1

@@ -0,0 +1,111 @@
+#
+# Windows PowerShell script to configure the SCP for Hybrid Azure AD join
+#
+# CASCADES OF TUCSON - preconfigured copy (from Entra Connect, 2026-06-05)
+#   Tenant (azureADId) is baked in below: 207fa277-e9d8-4eb7-ada1-1064d2221498
+#   -Domain defaults to cascadestucson.com so this runs self-contained.
+#
+# HOW TO RUN: on a Domain Controller (CS-SERVER) in an ELEVATED PowerShell,
+#   as an ENTERPRISE ADMIN of cascades.local:
+#       .\ConfigureSCP.ps1
+#   (idempotent - creates the SCP if missing, updates the keywords if present)
+#
+# WHY: writes the Service Connection Point into AD's Configuration partition so
+#   domain-joined devices can discover the Entra tenant and Hybrid Entra Join.
+#
+
+param([string]$Domain = "cascadestucson.com", [switch]$Help)
+
+function funHelp()
+{
+     $helpTxt = @"
+
+     NAME:        ConfigureSCP.ps1
+     PURPOSE:     Configures the service connection point for Hybrid Azure AD join in the current forest
+     REQUIREMENT: Must be run by an Enterprise Admin of the current forest
+
+     PARAMETERS:
+
+        -Domain <NAME>  Specifies the Azure AD domain to use for device authentication
+               If you are using federation to authenticate with Azure AD, enter a federated domain name.
+               If you are not using federation, enter your primary *.onmicrosoft.com domain name.
+               (Cascades default: cascadestucson.com)
+
+        -Help           Prints the help file
+
+     EXAMPLES:
+
+     1. ConfigureSCP.ps1                         (uses cascadestucson.com)
+
+     2. ConfigureSCP.ps1 -Domain cascadestucson.com
+
+"@
+     $helpTxt
+     exit 1
+}
+
+if ($Help)
+{
+     funHelp
+}
+
+if (-not($Domain))
+{
+     Write-Output "You must specify a value for -Domain"
+     funhelp
+}
+
+Write-Output "Configuring the SCP for Hybrid Azure AD join in your Active Directory forest."
+
+## Set variables
+$azureADId = "azureADId:207fa277-e9d8-4eb7-ada1-1064d2221498"
+$azureADName = "azureADName:" + $Domain
+$keywords = "keywords"
+$ldap = "LDAP://"
+$rootDSE = New-Object System.DirectoryServices.DirectoryEntry($ldap + "RootDSE")
+$configCN = $rootDSE.Properties["configurationNamingContext"][0].ToString()
+$servicesCN = "CN=Services," + $configCN
+$drcCN = "CN=Device Registration Configuration," + $servicesCN
+$scpCN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080," + $drcCN
+
+## Get/Create: CN=Device Registration Configuration,CN=Services
+if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $drcCN))
+{
+     $deDRC = New-Object System.DirectoryServices.DirectoryEntry($ldap + $drcCN)
+}
+else
+{
+     $de = New-Object System.DirectoryServices.DirectoryEntry($ldap + $servicesCN)
+     $deDRC = $de.Children.Add("CN=Device Registration Configuration", "container")
+     $deDRC.CommitChanges()
+}
+
+## Edit/Create: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services
+if ([System.DirectoryServices.DirectoryEntry]::Exists($ldap + $scpCN))
+{
+     $deSCP = New-Object System.DirectoryServices.DirectoryEntry($ldap + $scpCN)
+     foreach ($value in $deSCP.Properties[$keywords].Value)
+     {
+          $deSCP.Properties[$keywords].Remove($value)
+     }
+     $deSCP.Properties[$keywords].Add($azureADName)
+     $deSCP.Properties[$keywords].Add($azureADId)
+     $deScp.CommitChanges()
+}
+else
+{
+     $deSCP = $deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
+     $deSCP.Properties[$keywords].Add($azureADName)
+     $deSCP.Properties[$keywords].Add($azureADId)
+     $deScp.CommitChanges()
+}
+
+if ($Error)
+{
+     Write-Output "Configuration could not be completed."
+     Write-Output $Error
+}
+else
+{
+     Write-Output "Configuration complete!"
+}