Completed Migration and integration
Родитель
5217f30c7b
Коммит
d7b584ef17
@ -1,4 +1,4 @@
|
|||
@{
|
||||
@{
|
||||
# Script module or binary module file associated with this manifest
|
||||
ModuleToProcess = 'PAWTools.psm1'
|
||||
|
||||
|
@ -25,9 +25,7 @@
|
|||
|
||||
# Modules that must be imported into the global environment prior to importing
|
||||
# this module
|
||||
RequiredModules = @(
|
||||
@{ ModuleName='PSFramework'; ModuleVersion='0.10.27.128' }
|
||||
)
|
||||
# RequiredModules = @( )
|
||||
|
||||
# Assemblies that must be loaded prior to importing this module
|
||||
# RequiredAssemblies = @('bin\PAWTools.dll')
|
||||
|
@ -39,7 +37,13 @@
|
|||
# FormatsToProcess = @('xml\PAWTools.Format.ps1xml')
|
||||
|
||||
# Functions to export from this module
|
||||
FunctionsToExport = ''
|
||||
FunctionsToExport = @(
|
||||
'Export-PAWResources'
|
||||
'Install-PAWPrerequisites'
|
||||
'New-PAWGroup'
|
||||
'New-PAWOrganizationalUnit'
|
||||
'Set-PAWOUDelegation'
|
||||
)
|
||||
|
||||
# Cmdlets to export from this module
|
||||
CmdletsToExport = ''
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
$script:ModuleRoot = $PSScriptRoot
|
||||
$script:ModuleRoot = $PSScriptRoot
|
||||
$script:ModuleVersion = "1.0.0.0"
|
||||
|
||||
# Detect whether at some level dotsourcing was enforced
|
||||
$script:doDotSource = Get-PSFConfigValue -FullName PAWTools.Import.DoDotSource -Fallback $false
|
||||
$script:doDotSource = $false
|
||||
if ($PAWTools_dotsourcemodule) { $script:doDotSource = $true }
|
||||
|
||||
<#
|
||||
|
@ -14,10 +14,10 @@ This is important when testing for paths.
|
|||
#>
|
||||
|
||||
# Detect whether at some level loading individual module files, rather than the compiled module was enforced
|
||||
$importIndividualFiles = Get-PSFConfigValue -FullName PAWTools.Import.IndividualFiles -Fallback $false
|
||||
$importIndividualFiles = $false
|
||||
if ($PAWTools_importIndividualFiles) { $importIndividualFiles = $true }
|
||||
if (Test-Path (Resolve-PSFPath -Path "$($script:ModuleRoot)\..\.git" -SingleItem -NewChild)) { $importIndividualFiles = $true }
|
||||
if (-not (Test-Path (Resolve-PSFPath "$($script:ModuleRoot)\commands.ps1" -SingleItem -NewChild))) { $importIndividualFiles = $true }
|
||||
if (Test-Path "$($script:ModuleRoot)\..\.git") { $importIndividualFiles = $true }
|
||||
if (-not (Test-Path "$($script:ModuleRoot)\commands.ps1")) { $importIndividualFiles = $true }
|
||||
|
||||
function Import-ModuleFile
|
||||
{
|
||||
|
@ -71,14 +71,14 @@ if ($importIndividualFiles)
|
|||
}
|
||||
else
|
||||
{
|
||||
if (Test-Path (Resolve-PSFPath "$($script:ModuleRoot)\resourcesBefore.ps1" -SingleItem -NewChild))
|
||||
if (Test-Path "$($script:ModuleRoot)\resourcesBefore.ps1")
|
||||
{
|
||||
. Import-ModuleFile -Path "$($script:ModuleRoot)\resourcesBefore.ps1"
|
||||
}
|
||||
|
||||
. Import-ModuleFile -Path "$($script:ModuleRoot)\commands.ps1"
|
||||
|
||||
if (Test-Path (Resolve-PSFPath "$($script:ModuleRoot)\resourcesAfter.ps1" -SingleItem -NewChild))
|
||||
if (Test-Path "$($script:ModuleRoot)\resourcesAfter.ps1")
|
||||
{
|
||||
. Import-ModuleFile -Path "$($script:ModuleRoot)\resourcesAfter.ps1"
|
||||
}
|
||||
|
|
|
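Review bot: The replacement `Test-Path "$($script:ModuleRoot)\..\.git"` (and the three sibling checks in this and the next hunk) passes the module path through wildcard matching, so a module root containing `[` or `]` makes every check return false and silently changes which loading path is taken; `Test-Path -LiteralPath "$($script:ModuleRoot)\..\.git"` keeps the literal semantics that `Resolve-PSFPath -SingleItem` previously provided. The `.git` probe also means any checkout with the repository beside the module root always loads the individual files instead of the compiled `commands.ps1`; that is presumably intended for development, and a short comment such as `# A sibling .git directory marks a dev checkout: always load the individual files` would record it. `Import-ModuleFile` begins at the end of the first hunk, and the `if ($importIndividualFiles)` / `else` of the second hunk open outside it.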
@ -0,0 +1,110 @@
|
|||
[
|
||||
{
|
||||
"Name": "Tier 0 Replication Maintenance",
|
||||
"samAccountName": "Tier0ReplicationMaintenance",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Tier 0 Replication Maintenance",
|
||||
"OU": "OU=Groups,OU=Tier 0,OU=Admin",
|
||||
"Description": "Members of this group are Tier 0 Replication Maintenance",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Tier 1 Server Maintenance",
|
||||
"samAccountName": "Tier1ServerMaintenance",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Tier 1 Server Maintenance",
|
||||
"OU": "OU=Groups,OU=Tier 1,OU=Admin",
|
||||
"Description": "Members of this group perform Tier 1 Server Maintenance",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Service Desk Operators",
|
||||
"samAccountName": "ServiceDeskOperators",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Service Desk Operators",
|
||||
"OU": "OU=Groups,OU=Tier 2,OU=Admin",
|
||||
"Description": "Members of this group are Service Desk Operators",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Workstation Maintenance",
|
||||
"samAccountName": "WorkstationMaintenance",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Workstation Maintenance",
|
||||
"OU": "OU=Groups,OU=Tier 2,OU=Admin",
|
||||
"Description": "Members of this group perform Workstation Maintenance",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Cloud Service Admins",
|
||||
"samAccountName": "cloudadmins",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Cloud Service Admins",
|
||||
"OU": "OU=Groups,OU=Tier 0,OU=Admin",
|
||||
"Description": "Members of this group are permitted to connect to pre-identified cloud services via Privileged Access Workstations",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "PAW Users",
|
||||
"samAccountName": "pawusers",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "PAW Users",
|
||||
"OU": "OU=Groups,OU=Tier 0,OU=Admin",
|
||||
"Description": "Members of this group are permitted to log onto Privileged Access Workstations",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "PAW Maintenance",
|
||||
"samAccountName": "pawmaint",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "PAW Maintenance",
|
||||
"OU": "OU=Groups,OU=Tier 0,OU=Admin",
|
||||
"Description": "Members of this group maintain and support Privileged Access Workstations",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Tier 1 Admins",
|
||||
"samAccountName": "tier1admins",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Tier 1 Admins",
|
||||
"OU": "OU=Groups,OU=Tier 1,OU=Admin",
|
||||
"Description": "Members of this group are Tier 1 Administrators",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
},
|
||||
{
|
||||
"Name": "Tier 2 Admins",
|
||||
"samAccountName": "tier2admins",
|
||||
"GroupCategory": "Security",
|
||||
"GroupScope": "Global",
|
||||
"DisplayName": "Tier 2 Admins",
|
||||
"OU": "OU=Groups,OU=Tier 2,OU=Admin",
|
||||
"Description": "Members of this group are Tier 2 Administrators",
|
||||
"Membership": [
|
||||
|
||||
]
|
||||
}
|
||||
]
|
|
@ -1,4 +1,4 @@
|
|||
TOPIC
|
||||
TOPIC
|
||||
about_PAWTools
|
||||
|
||||
SHORT DESCRIPTION
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
function Export-PAWResources
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Provides additional resources needed for configuring PAWs.
|
||||
|
||||
.DESCRIPTION
|
||||
Provides additional resources needed for configuring PAWs.
|
||||
This includes firewall and proxy rules to further lockdown the PAW.
|
||||
|
||||
These are required for following the online guide on PAW configuration.
|
||||
|
||||
.PARAMETER Path
|
||||
The path where to place the resources.
|
||||
by default, files are placed in the current path.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Export-PAWResources
|
||||
|
||||
Exports all additional resources needed to the current path.
|
||||
#>
|
||||
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[ValidateScript({ Test-Path $_ })]
|
||||
[string]
|
||||
$Path = "."
|
||||
)
|
||||
begin
|
||||
{
|
||||
$resolvedPath = "$((Resolve-Path $Path).Path)\"
|
||||
}
|
||||
process
|
||||
{
|
||||
Get-ChildItem "$($script:ModuleRoot)\data" | Where-Object Name -NE 'groups.json' | Copy-Item -Destination $resolvedPath
|
||||
}
|
||||
}
|
|
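Review bot: `[ValidateScript({ Test-Path $_ })]` accepts any existing path, including a plain file, after which `begin` turns it into `<file>\` and `Copy-Item` fails with an unhelpful error; validating the container explicitly, `[ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]`, rejects that up front. `Resolve-Path $Path` and `Get-ChildItem "$($script:ModuleRoot)\data"` both treat `[`/`]` in a path as wildcard characters, so `-LiteralPath` on both avoids a silent no-match when the module or the target directory lives under such a path. The `Where-Object Name -NE 'groups.json'` filter is the only thing keeping the group definitions out of the export; a comment on that line stating that groups.json is consumed by New-PAWGroup and is deliberately not exported would help the next reader.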
@ -0,0 +1,34 @@
|
|||
function Install-PAWPrerequisites
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Enables all features needed to apply the PAW framework.
|
||||
|
||||
.DESCRIPTION
|
||||
Enables all features needed to apply the PAW framework.
|
||||
|
||||
Notably, this command ensures that:
|
||||
- ActiveDirectory module is available
|
||||
- GroupPolicy module is available
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Install-PAWPrerequisites
|
||||
|
||||
Enables all features needed to apply the PAW framework.
|
||||
#>
|
||||
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
|
||||
)
|
||||
|
||||
process
|
||||
{
|
||||
try { Assert-ActiveDirectory -ErrorAction Stop }
|
||||
catch { $null = Add-WindowsFeature RSAT-AD-PowerShell }
|
||||
Import-Module ActiveDirectory
|
||||
try { Assert-GroupPolicy -ErrorAction Stop }
|
||||
catch { $null = Add-WindowsFeature Pgmc }
|
||||
Import-Module ActiveDirectory
|
||||
}
|
||||
}
|
|
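Review bot: The second `Import-Module ActiveDirectory`, placed right after the GroupPolicy check, looks like a copy-paste slip; the module `Assert-GroupPolicy` guards is GroupPolicy, so that line should read `Import-Module GroupPolicy`. The feature name in `catch { $null = Add-WindowsFeature Pgmc }` does not match the RSAT Group Policy Management feature, which is `GPMC`; as written the catch block fails on an invalid feature name and the following import then fails too. Both catch blocks also discard the result of `Add-WindowsFeature`, so a failed or reboot-pending installation is never reported; checking the returned object's `Success` property, or at least not suppressing the output, would surface it. `Add-WindowsFeature` is a Server Manager cmdlet and exists only on Windows Server; a `.NOTES` line saying so would spare client users a confusing error.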
@ -0,0 +1,68 @@
|
|||
function New-PAWGroup
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Generates the default groups needed for a PAW setup.
|
||||
|
||||
.DESCRIPTION
|
||||
Generates the default groups needed for a PAW setup.
|
||||
|
||||
.PARAMETER Confirm
|
||||
If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
|
||||
|
||||
.PARAMETER WhatIf
|
||||
If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> New-PAWGroup
|
||||
|
||||
Generates the default groups needed for a PAW setup.
|
||||
#>
|
||||
[CmdletBinding(SupportsShouldProcess = $true)]
|
||||
param (
|
||||
|
||||
)
|
||||
|
||||
try { Assert-ActiveDirectory -ErrorAction Stop }
|
||||
catch { throw }
|
||||
|
||||
$rootDSE = Get-ADInfo
|
||||
|
||||
$Groups = Get-Content "$($script:ModuleRoot)\data\groups.json" -Raw -Encoding UTF8 | ConvertFrom-Json
|
||||
foreach ($group in $Groups)
|
||||
{
|
||||
$destOU = '{0},{1}' -f $group.OU, $rootDSE
|
||||
|
||||
# Check if the target group already is present.
|
||||
if (Test-XADObject $group.samAccountName)
|
||||
{
|
||||
$object = Get-ADObject -Identity $group.samAccountName
|
||||
Write-Warning "Group $($group.samAccountName) already exists as $($object.DistinguishedName)"
|
||||
continue
|
||||
}
|
||||
|
||||
$paramNewADGroup = @{
|
||||
Name = $group.Name
|
||||
SamAccountName = $group.samAccountName
|
||||
GroupCategory = $group.GroupCategory
|
||||
GroupScope = $group.GroupScope
|
||||
DisplayName = $group.DisplayName
|
||||
Path = $destOU
|
||||
Description = $group.Description
|
||||
}
|
||||
if ($PSCmdlet.ShouldProcess($group.Name, 'Creating Group'))
|
||||
{
|
||||
Write-Verbose "Creating group: $($group.Name)"
|
||||
New-ADGroup @paramNewADGroup
|
||||
}
|
||||
|
||||
if ($group.Membership)
|
||||
{
|
||||
if ($PSCmdlet.ShouldProcess($group.Name, 'Adding Members to it'))
|
||||
{
|
||||
Write-Verbose "Adding members: $($group.Membership -join ', ')"
|
||||
Add-ADPrincipalGroupMembership -Identity $group.samAccountName -MemberOf $group.Membership
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
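Review bot: `Get-ADObject -Identity $group.samAccountName` in the existing-group branch will not resolve, because `Get-ADObject`'s `-Identity` accepts a distinguished name or objectGUID but not a sAMAccountName; `Get-ADGroup` does, so the line should read `$object = Get-ADGroup -Identity $group.samAccountName`. What `Test-XADObject` matches on is defined outside this file, so the branch may also be entered in cases the warning text does not describe. The JSON key `Membership` feeds `Add-ADPrincipalGroupMembership -Identity … -MemberOf $group.Membership`, i.e. it names the groups the new group is nested into, not its members; a comment there, `# Membership lists the groups this group is added TO (nested membership), not its members`, would stop someone populating it with user accounts. `New-ADGroup @paramNewADGroup` runs with the default ErrorAction, so a failed creation falls through to the membership step; `-ErrorAction Stop` on that call keeps the loop from continuing on a half-created entry.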
@ -0,0 +1,103 @@
|
|||
function New-PAWOrganizationalUnit
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Creates the entire OU structure used by the PAW model
|
||||
|
||||
.DESCRIPTION
|
||||
Creates the entire OU structure used by the PAW model
|
||||
|
||||
.PARAMETER Confirm
|
||||
If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
|
||||
|
||||
.PARAMETER WhatIf
|
||||
If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> New-PAWOrganizationalUnit
|
||||
|
||||
Creates the entire OU structure used by the PAW model
|
||||
#>
|
||||
[CmdletBinding(SupportsShouldProcess = $true)]
|
||||
param (
|
||||
|
||||
)
|
||||
|
||||
|
||||
if (-not ($PSCmdlet.ShouldProcess('PAW OU Structure', 'Creating')))
|
||||
{
|
||||
return
|
||||
}
|
||||
|
||||
try { Assert-ActiveDirectory -ErrorAction Stop }
|
||||
catch { throw }
|
||||
try { Assert-GroupPolicy -ErrorAction Stop }
|
||||
catch { throw }
|
||||
|
||||
# Get current working directory
|
||||
$sLocation = Get-Location
|
||||
$sDSE = Get-ADInfo
|
||||
|
||||
Write-Verbose 'Creating Top Level OUs'
|
||||
New-ADOrganizationalUnit -Name "Admin" -Path $sDSE
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path $sDSE
|
||||
New-ADOrganizationalUnit -Name "Tier 1 Servers" -Path $sDSE
|
||||
New-ADOrganizationalUnit -Name "Workstations" -Path $sDSE
|
||||
New-ADOrganizationalUnit -Name "User Accounts" -Path $sDSE
|
||||
New-ADOrganizationalUnit -Name "Computer Quarantine" -Path $sDSE
|
||||
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Top Level Admin OU'
|
||||
New-ADOrganizationalUnit -Name "Tier 0" -Path "OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Tier 1" -Path "OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Tier 2" -Path "OU=Admin,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Admin\Tier 0 OU'
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=Tier 0,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Tier 0,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=Tier 0,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path "OU=Tier 0,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Tier 0 Servers" -Path "OU=Tier 0,OU=Admin,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Admin\Tier 1 OU'
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=Tier 1,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Tier 1,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=Tier 1,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path "OU=Tier 1,OU=Admin,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Admin\Tier 2 OU'
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=Tier 2,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Tier 2,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=Tier 2,OU=Admin,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path "OU=Tier 2,OU=Admin,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Top Level Groups OU'
|
||||
New-ADOrganizationalUnit -Name "Security Groups" -Path "OU=Groups,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Distribution Groups" -Path "OU=Groups,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Contacts" -Path "OU=Groups,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Top Level Tier 1 Servers OU'
|
||||
New-ADOrganizationalUnit -Name "Application" -Path "OU=Tier 1 Servers,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Collaboration" -Path "OU=Tier 1 Servers,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Database" -Path "OU=Tier 1 Servers,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Messaging" -Path "OU=Tier 1 Servers,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Staging" -Path "OU=Tier 1 Servers,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Top Level Workstations OU'
|
||||
New-ADOrganizationalUnit -Name "Desktops" -Path "OU=Workstations,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Kiosks" -Path "OU=Workstations,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Laptops" -Path "OU=Workstations,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Staging" -Path "OU=Workstations,$sDSE"
|
||||
|
||||
Write-Verbose 'Creating Sub OUs for Top Level User Accounts OU'
|
||||
New-ADOrganizationalUnit -Name "Enabled Users" -Path "OU=User Accounts,$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Disabled Users" -Path "OU=User Accounts,$sDSE"
|
||||
|
||||
Write-Verbose 'Block inheritance for PAW OUs'
|
||||
$null = Set-GpInheritance -target "OU=Devices,OU=Tier 0,OU=Admin,$sDSE" -IsBlocked Yes
|
||||
$null = Set-GpInheritance -target "OU=Devices,OU=Tier 1,OU=Admin,$sDSE" -IsBlocked Yes
|
||||
$null = Set-GpInheritance -target "OU=Devices,OU=Tier 2,OU=Admin,$sDSE" -IsBlocked Yes
|
||||
|
||||
# Return to original working directory
|
||||
Set-Location $sLocation
|
||||
}
|
|
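Review bot: `$sLocation = Get-Location` and the closing `Set-Location $sLocation` bracket a body that never changes location, so the pair is dead code and can be dropped together with the `# Get current working directory` comment. None of the `New-ADOrganizationalUnit` calls checks for an existing OU, so a second run emits one non-terminating error per OU and still proceeds to `Set-GpInheritance`; either guard each call with a `Get-ADOrganizationalUnit -Filter` lookup or state in `.NOTES` that the command is not idempotent. The three `Set-GpInheritance … -IsBlocked Yes` calls mean that only enforced GPOs linked above still reach the Devices OUs, and the function links nothing PAW-specific in their place; a comment there, `# Inheritance is blocked so only PAW-specific GPOs apply; link them before moving devices in`, would make that expectation explicit for whoever runs this.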
@ -0,0 +1,226 @@
|
|||
function Set-PAWOUDelegation
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Sets up the delegations required for the PAW architecture.
|
||||
|
||||
.DESCRIPTION
|
||||
Sets up the delegations required for the PAW architecture.
|
||||
|
||||
.PARAMETER Confirm
|
||||
If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
|
||||
|
||||
.PARAMETER WhatIf
|
||||
If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Set-PAWOUDelegation
|
||||
|
||||
Sets up the delegations required for the PAW architecture.
|
||||
|
||||
.NOTES
|
||||
Based on and includes the DIAD delegations by Heath Aubin and Jon Sabberton
|
||||
#>
|
||||
[CmdletBinding(SupportsShouldProcess = $true)]
|
||||
param (
|
||||
|
||||
)
|
||||
|
||||
try { Assert-ActiveDirectory -ErrorAction Stop }
|
||||
catch { throw }
|
||||
|
||||
#region Setup variables needed throughout the function
|
||||
$sLocation = Get-Location
|
||||
Set-Location ad:
|
||||
$rootdse = Get-ADRootDSE
|
||||
$domain = Get-ADDomain
|
||||
$configNC = $rootdse.ConfigurationNamingContext
|
||||
$schemaNC = $rootDSE.SchemaNamingContext
|
||||
$forestDnsZonesDN = "DC=ForestDnsZones," + $rootDSE.RootDomainNamingContext
|
||||
$sitesDN = "CN=Sites," + $configNC
|
||||
|
||||
# Set variables for OUs and Containers
|
||||
$userAccountsOU = "OU=User Accounts,"
|
||||
$workstationsOU = "OU=Workstations,"
|
||||
$computerQuarantineOU = "OU=Computer Quarantine,"
|
||||
$tier1ServersOU = "OU=Tier 1 Servers,"
|
||||
$PAWDevicesOU = "OU=Devices,OU=Tier 0,OU=Admin,"
|
||||
|
||||
# Set variables for Group objects
|
||||
$serviceDeskOperatorsGroup = "ServiceDeskOperators"
|
||||
$workstationMaintenanceGroup = "WorkstationMaintenance"
|
||||
$replicationMaintenanceGroup = "Tier0ReplicationMaintenance"
|
||||
$tier1ServerMaintenanceGroup = "Tier1ServerMaintenance"
|
||||
$PAWAdminsGroup = "PAWMaint"
|
||||
#endregion Setup variables needed throughout the function
|
||||
|
||||
#region Create Maps for GUID lookup
|
||||
# Create a hashtable to store the GUID value of each schema class and attribute
|
||||
$guidmap = @{ }
|
||||
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
|
||||
ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
|
||||
|
||||
# Create a hashtable to store the GUID value of each extended right in the forest
|
||||
$extendedrightsmap = @{ }
|
||||
Get-ADObject -SearchBase $configNC -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
|
||||
ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
|
||||
#endregion Create Maps for GUID lookup
|
||||
|
||||
#region Retrieve OU Info and prepare Identities
|
||||
# Get a reference to each of the OU's we want to set permissions on
|
||||
Write-Verbose "Getting OU Information"
|
||||
$userAcctsOUDN = Get-ADOrganizationalUnit -Identity ($userAccountsOU + $domain)
|
||||
$workstationsOUDN = Get-ADOrganizationalUnit -Identity ($workstationsOU + $domain)
|
||||
$computerQuarantineOUDN = Get-ADOrganizationalUnit -Identity ($computerQuarantineOU + $domain)
|
||||
$tier1ServersOUDN = Get-ADOrganizationalUnit -Identity ($tier1ServersOU + $domain)
|
||||
$PAWDevicesOUDN = Get-ADOrganizationalUnit -Identity ($PAWDevicesOU + $domain)
|
||||
|
||||
# Get the SID values of each group (principal) we wish to delegate access to
|
||||
Write-Verbose "Getting SID values for each group for delegations"
|
||||
$serviceDeskOpsSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $serviceDeskOperatorsGroup).SID
|
||||
$workstationMaintSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $workstationMaintenanceGroup).SID
|
||||
$replMaintGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $replicationMaintenanceGroup).SID
|
||||
$tier1ServerMaintGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $tier1ServerMaintenanceGroup).SID
|
||||
$PAWAdminsGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $PAWAdminsGroup).SID
|
||||
#endregion Retrieve OU Info and prepare Identities
|
||||
|
||||
#region Get a copy of the current DACL on the OU's or Containers
|
||||
Write-Verbose "Getting existing Directory ACLs"
|
||||
$userAccountsOUACL = Get-ACL -Path $userAcctsOUDN
|
||||
$workstationsOUACL = Get-ACL -Path $workstationsOUDN
|
||||
$computerQuarantineACL = Get-ACL -Path $computerQuarantineOUDN
|
||||
$topLevelDomainACL = Get-ACL -Path $domain
|
||||
$configContainerACL = Get-ACL -Path $configNC
|
||||
$schemaNCACL = Get-ACL -Path $schemaNC
|
||||
$forestDnsZonesACL = Get-ACL -Path $forestDnsZonesDN
|
||||
$sitesACL = Get-ACL -Path $sitesDN
|
||||
$tier1ServersOUACL = Get-ACL -Path $tier1ServersOUDN
|
||||
$PAWDevicesOUACL = Get-ACL -Path $PAWDevicesOUDN
|
||||
#endregion Get a copy of the current DACL on the OU's or Containers
|
||||
|
||||
#region Create Delegation Rules
|
||||
# Set Service Desk Operators Permissions to Users
|
||||
Write-Verbose "Performing Service Desk Operators Role Delegations User Accounts OU"
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ReadProperty", "Allow", "Descendents", $guidmap["user"]))
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "WriteProperty", "Allow", "Descendents", $guidmap["user"]))
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], "Descendents", $guidmap["user"]))
|
||||
|
||||
# Set Service Desk Operator Permissions on Computers to access BitLocker and TPM information
|
||||
Write-Verbose "Performing Service Desk Operator Role Delegations to the Workstation OU"
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ReadProperty", "Allow", $guidmap["msTPM-OwnerInformation"], "Descendents", $guidmap["computer"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ReadProperty", "Allow", $guidmap["msFVE-KeyPackage"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ReadProperty", "Allow", $guidmap["msFVE-RecoveryPassword"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID, "ReadProperty", "Allow", $guidmap["msFVE-VolumeGuid"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
|
||||
|
||||
# Set Workstation Maintenance Permissions on Computer objects in the Computer Quarantine OU
|
||||
Write-Verbose "Performing Workstation Maintenance Role Delegations to the Computer Quarantine OU"
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "ReadProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "WriteProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
|
||||
# Set Workstation Maintenance Permissions on Computer objects in the Workstations OU
|
||||
Write-Verbose "Performing Workstation Maintenance Role Delegations to the Workstations OU"
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "ReadProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID, "WriteProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
|
||||
# Set PAW Admins Permissions on Computer objects in the PAW Devices OU
|
||||
Write-Verbose "Performing PAW Admins Role Delegations to the Tier 0\Devices OU"
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID, "ReadProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID, "WriteProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
|
||||
# Set Tier 0 Replication Maintenance Permissions within domain
|
||||
Write-Verbose "Performing Tier 0 Replication Maintenance Role Delegations"
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
|
||||
$sitesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "CreateChild,DeleteChild", "Allow"))
|
||||
$sitesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID, "WriteProperty", "Allow"))
|
||||
|
||||
# Set Tier 1 Server Maintenance Permissions on Computer objects in the Tier 1 Servers OU
|
||||
Write-Verbose "Performing Tier 1 Server Maintenance Role Delegations to the Tier 1 Servers OU"
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID, "ReadProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID, "WriteProperty", "Allow", "Descendents", $guidmap["computer"]))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID, "ReadProperty,WriteProperty", "Allow", $guidmap["gplink"], "All"))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID, "ReadProperty", "Allow", $guidmap["gpoptions"], "All"))
|
||||
#endregion Create Delegation Rules
|
||||
|
||||
#region Apply the modified DACL to the OU or Containers
|
||||
if ($PSCmdlet.ShouldProcess('PAW Organizational Units', 'Apply custom Delegations'))
|
||||
{
|
||||
Write-Verbose "Applying all Updated ACLs"
|
||||
Set-ACL -ACLObject $userAccountsOUACL -Path "AD:\$($userAcctsOUDN)"
|
||||
Set-ACL -ACLObject $workstationsOUACL -Path "AD:\$($workstationsOUDN)"
|
||||
Set-ACL -ACLObject $computerQuarantineACL -Path "AD:\$($computerQuarantineOUDN)"
|
||||
Set-ACL -ACLObject $topLevelDomainACL -Path "AD:\$($domain)"
|
||||
Set-ACL -ACLObject $configContainerACL -Path "AD:\$($configNC)"
|
||||
Set-ACL -ACLObject $schemaNCACL -Path "AD:\$($schemaNC)"
|
||||
Set-ACL -ACLObject $forestDnsZonesACL -Path "AD:\$($forestDnsZonesDN)"
|
||||
Set-ACL -ACLObject $sitesACL -Path "AD:\$($sitesDN)"
|
||||
Set-ACL -ACLObject $tier1ServersOUACL -Path "AD:\$($tier1ServersOUDN)"
|
||||
Set-ACL -ACLObject $PAWDevicesOUACL -Path "AD:\$($PAWDevicesOUDN)"
|
||||
Write-Verbose "--Completed PAW and DIAD Active Directory Delegations--"
|
||||
}
|
||||
#endregion Apply the modified DACL to the OU or Containers
|
||||
|
||||
# Return to original working directory
|
||||
Set-Location $sLocation
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
This is an example configuration file
|
||||
|
||||
By default, it is enough to have a single one of them,
|
||||
|
@ -11,5 +11,5 @@ feel totally free to split them into multiple files.
|
|||
Set-PSFConfig -Module 'PAWTools' -Name 'Example.Setting' -Value 10 -Initialize -Validation 'integer' -Handler { } -Description "Example configuration setting. Your module can then use the setting using 'Get-PSFConfigValue'"
|
||||
#>
|
||||
|
||||
Set-PSFConfig -Module 'PAWTools' -Name 'Import.DoDotSource' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be dotsourced on import. By default, the files of this module are read as string value and invoked, which is faster but worse on debugging."
|
||||
Set-PSFConfig -Module 'PAWTools' -Name 'Import.IndividualFiles' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be imported individually. During the module build, all module code is compiled into few files, which are imported instead by default. Loading the compiled versions is faster, using the individual files is easier for debugging and testing out adjustments."
|
||||
#Set-PSFConfig -Module 'PAWTools' -Name 'Import.DoDotSource' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be dotsourced on import. By default, the files of this module are read as string value and invoked, which is faster but worse on debugging."
|
||||
#Set-PSFConfig -Module 'PAWTools' -Name 'Import.IndividualFiles' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be imported individually. During the module build, all module code is compiled into few files, which are imported instead by default. Loading the compiled versions is faster, using the individual files is easier for debugging and testing out adjustments."
|
|
@ -0,0 +1,30 @@
|
|||
function Assert-ActiveDirectory
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Ensures the active directory module is available.
|
||||
|
||||
.DESCRIPTION
|
||||
Ensures the active directory module is available.
|
||||
Will import it if needed.
|
||||
Will throw an exception if unavailable.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Assert-ActiveDirectory
|
||||
|
||||
Ensures the active directory module is available.
|
||||
#>
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
|
||||
)
|
||||
|
||||
process
|
||||
{
|
||||
if (-not (Get-Module ActiveDirectory -ListAvailable))
|
||||
{
|
||||
throw "Could not find the active directory module. Run on computer with the module or execute 'Add-WindowsFeature RSAT-AD-PowerShell' to install it locally."
|
||||
}
|
||||
Import-Module ActiveDirectory -Scope Global
|
||||
}
|
||||
}
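Review bot: The `Import-Module ActiveDirectory -Scope Global` line can fail without throwing, which contradicts the .DESCRIPTION promise that the function throws when the module is unavailable: the `-ListAvailable` check only proves the module is installed, and a failed import emits a non-terminating error, so callers continue without the AD cmdlets. Use `Import-Module ActiveDirectory -Scope Global -ErrorAction Stop`. Importing into the global scope also leaks the module into the caller's session rather than the module's own scope; if that is intentional (presumably so the `AD:` drive is available to callers), a one-line comment would help, e.g. `# Global scope so the AD: drive and cmdlets are visible to the caller`.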
|
|
@ -0,0 +1,30 @@
|
|||
function Assert-GroupPolicy
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Ensures the group policy module is available.
|
||||
|
||||
.DESCRIPTION
|
||||
Ensures the group policy module is available.
|
||||
Will import it if needed.
|
||||
Will throw an exception if unavailable.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Assert-GroupPolicy
|
||||
|
||||
Ensures the group policy module is available.
|
||||
#>
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
|
||||
)
|
||||
|
||||
process
|
||||
{
|
||||
if (-not (Get-Module GroupPolicy -ListAvailable))
|
||||
{
|
||||
throw "Could not find the Group Policy module. Run on computer with the module or execute 'Add-WindowsFeature Pgmc' to install it locally."
|
||||
}
|
||||
Import-Module GroupPolicy -Scope Global
|
||||
}
|
||||
}
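Review bot: The feature name in the error message, `'Add-WindowsFeature Pgmc'`, looks like a typo; the script deleted elsewhere in this commit used `Add-WindowsFeature Gpmc`, and following the message as written would fail with an unknown feature name. Change it to `'Add-WindowsFeature Gpmc'`. As with the ActiveDirectory assert, `Import-Module GroupPolicy -Scope Global` should carry `-ErrorAction Stop` so a failed import actually throws as the help text says.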
|
|
@ -0,0 +1,21 @@
|
|||
function Get-ADInfo
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Returns the default naming context of the current domain.
|
||||
|
||||
.DESCRIPTION
|
||||
Returns the default naming context of the current domain.
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Get-ADInfo
|
||||
|
||||
Returns the default naming context of the current domain.
|
||||
#>
|
||||
[OutputType([System.String])]
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
|
||||
)
|
||||
(Get-ADRootDSE).defaultNamingContext
|
||||
}
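Review bot: `(Get-ADRootDSE).defaultNamingContext` yields `$null` silently when the RootDSE lookup fails (no domain controller reachable, or the ActiveDirectory module not loaded), because the error is non-terminating; a caller that then builds a path such as `"OU=Admin,$dn"` ends up with a truncated DN and creates or delegates objects in the wrong place. Prefer `(Get-ADRootDSE -ErrorAction Stop).defaultNamingContext` so the failure surfaces here. The function also does not call the new `Assert-ActiveDirectory` helper before using an AD cmdlet; if callers are expected to do that first, say so in the .DESCRIPTION.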
|
|
@ -0,0 +1,30 @@
|
|||
function Test-XADObject
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Tests, whether an object in AD exists.
|
||||
|
||||
.DESCRIPTION
|
||||
Tests, whether an object in AD exists.
|
||||
|
||||
.PARAMETER Identity
|
||||
A unique identity reference, such as SamAccountName, UPN or DistinguishedName
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Test-XADGroupObject -Identity $Identity
|
||||
|
||||
Returns whether the identity information offered in $Identity has a matching AD Object
|
||||
#>
|
||||
[OutputType([System.Boolean])]
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, HelpMessage = "Identity of the AD object to verify if exists or not.")]
|
||||
[Object]
|
||||
$Identity
|
||||
)
|
||||
|
||||
try { $auxObject = Get-ADObject -Identity $Identity -ErrorAction Stop }
|
||||
catch { return $false }
|
||||
if ($auxObject) { return $true }
|
||||
return $false
|
||||
}
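Review bot: `$Identity` is declared `ValueFromPipeline = $true` but the function body has no `process` block, so `'a','b' | Test-XADObject` runs the body once with only the last pipeline item and returns a single result. Wrap the four statements from `try { $auxObject = Get-ADObject ... }` through the final `return $false` in a `process { }` block so each piped identity is tested. The .EXAMPLE also still refers to `Test-XADGroupObject`, the helper this commit deletes; it should read `PS C:\> Test-XADObject -Identity $Identity`.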
|
|
@ -1,3 +1,4 @@
|
|||
<#
|
||||
New-PSFLicense -Product 'PAWTools' -Manufacturer 'Friedrich Weinmann' -ProductVersion $script:ModuleVersion -ProductType Module -Name MIT -Version "1.0.0.0" -Date (Get-Date "2018-10-09") -Text @"
|
||||
Copyright (c) 2018 Friedrich Weinmann
|
||||
|
||||
|
@ -18,4 +19,5 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
"@
|
||||
"@
|
||||
#>
|
|
@ -1,4 +1,4 @@
|
|||
# Add all things you want to run after importing the main code
|
||||
# Add all things you want to run after importing the main code
|
||||
|
||||
# Load Configurations
|
||||
foreach ($file in (Get-ChildItem "$ModuleRoot\internal\configurations\*.ps1" -ErrorAction Ignore)) {
|
||||
|
|
|
@ -1 +1 @@
|
|||
# Add all things you want to run before importing the main code
|
||||
# Add all things you want to run before importing the main code
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
# Example:
|
||||
Register-PSFTeppArgumentCompleter -Command Get-Alcohol -Parameter Type -Name PAWTools.alcohol
|
||||
#>
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
# Example:
|
||||
Register-PSFTeppScriptblock -Name "PAWTools.alcohol" -ScriptBlock { 'Beer','Mead','Whiskey','Wine','Vodka','Rum (3y)', 'Rum (5y)', 'Rum (7y)' }
|
||||
#>
|
|
@ -1,8 +1,6 @@
|
|||
# List of forbidden commands
|
||||
# List of forbidden commands
|
||||
$global:BannedCommands = @(
|
||||
'Write-Host',
|
||||
'Write-Verbose',
|
||||
'Write-Warning',
|
||||
'Write-Error',
|
||||
'Write-Output',
|
||||
'Write-Information',
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
$moduleRoot = (Resolve-Path "$PSScriptRoot\..\..").Path
|
||||
$moduleRoot = (Resolve-Path "$PSScriptRoot\..\..").Path
|
||||
|
||||
. "$PSScriptRoot\FileIntegrity.Exceptions.ps1"
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# List of functions that should be ignored
|
||||
# List of functions that should be ignored
|
||||
$global:FunctionHelpTestExceptions = @(
|
||||
|
||||
)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
.NOTES
|
||||
The original test this is based upon was written by June Blender.
|
||||
After several rounds of modifications it stands now as it is, but the honor remains hers.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
Describe "Validating the module manifest" {
|
||||
Describe "Validating the module manifest" {
|
||||
$moduleRoot = (Resolve-Path "$PSScriptRoot\..\..").Path
|
||||
$manifest = ((Get-Content "$moduleRoot\PAWTools.psd1") -join "`n") | Invoke-Expression
|
||||
[version]$moduleVersion = Get-Item "$moduleRoot\PAWTools.psm1" | Select-String -Pattern '\$script:ModuleVersion = "(.*?)"' | ForEach-Object { $_.Matches[0].Groups[1].Value }
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
[CmdletBinding()]
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
[switch]
|
||||
$SkipTest,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
param (
|
||||
param (
|
||||
$TestGeneral = $true,
|
||||
|
||||
$TestFunctions = $true,
|
||||
|
|
|
@ -1,59 +0,0 @@
|
|||
#Add-Log -LogEntry(Attempting to add Windows Feature RSAT-AD-PowerShell)
|
||||
Import-Module ServerManager
|
||||
Add-WindowsFeature RSAT-AD-PowerShell | out-null
|
||||
Import-Module ActiveDirectory
|
||||
|
||||
Function Get-ADInfo(){
|
||||
$sDSE = (Get-ADRootDSE).defaultNamingContext
|
||||
return $sDSE
|
||||
}
|
||||
|
||||
Function Get-OU($sName){
|
||||
$sOU=(Get-ADOrganizationalUnit -Filter {Name -like $sName}).DistinguishedName
|
||||
return $sOU
|
||||
}
|
||||
|
||||
function Test-XADGroupObject() {
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
[Parameter(Mandatory=$true,
|
||||
Position=0,
|
||||
ValueFromPipeline=$true,
|
||||
HelpMessage="Identity of the AD object to verify if exists or not."
|
||||
)]
|
||||
[Object] $Identity
|
||||
)
|
||||
trap [Exception] {
|
||||
return $false
|
||||
}
|
||||
$auxObject = Get-ADObject -Identity $Identity
|
||||
if ($auxObject = $Identity){
|
||||
return $true
|
||||
}
|
||||
else
|
||||
{
|
||||
return $false
|
||||
}
|
||||
}
|
||||
|
||||
function Test-XADObject() {
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
[Parameter(Mandatory=$true,
|
||||
Position=0,
|
||||
ValueFromPipeline=$true,
|
||||
HelpMessage="Identity of the AD object to verify if exists or not."
|
||||
)]
|
||||
[Object] $Identity
|
||||
)
|
||||
trap [Exception] {
|
||||
return $false
|
||||
}
|
||||
$auxObject = Get-ADObject -Identity $Identity
|
||||
return $true
|
||||
}
|
||||
|
||||
Function Get-User($sName){
|
||||
$sUser=(Get-ADUser -Filter {Name -like $sName}).DistinguishedName
|
||||
return $sUser
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
# Create-PAWGroups.ps1
|
||||
|
||||
#Include PS Environment
|
||||
#. ..\..\Scripts\Custom\PSEnvironment.ps1
|
||||
. .\\ADEnvironment.ps1
|
||||
|
||||
#Configure Local Variables
|
||||
$sSourceDir = Get-Location
|
||||
$rootDSE = (Get-ADRootDSE).defaultNamingContext
|
||||
|
||||
$Groups = Import-Csv $sSourceDir"\Groups.csv"
|
||||
foreach ($Group in $Groups){
|
||||
$groupName = $Group.Name
|
||||
$groupOUPrefix = $Group.OU
|
||||
$destOU = $Group.OU + "," + $rootDSE
|
||||
$groupDN = "CN=" + $groupName + "," + $destOU
|
||||
#$groupDN = $Group.OU + "," + $rootDSE
|
||||
# Check if the target group already is present.
|
||||
$checkForGroup = Test-XADGroupObject $groupDN
|
||||
If (!$checkForGroup)
|
||||
{
|
||||
# The group is not present, creating group.
|
||||
# Add-Log -LogEntry("Creating the group " + $Group.Name + " in " + $groupDN)
|
||||
New-ADGroup -Name $Group.Name -SamAccountName $Group.samAccountName -GroupCategory $Group.GroupCategory -GroupScope $Group.GroupScope -DisplayName $Group.DisplayName -Path $destOU -Description $Group.Description
|
||||
|
||||
If ($Group.Membership -ne ""){
|
||||
# Add-Log -LogEntry("Adding " + $Group.Name + " to " + $Group.Membership);
|
||||
Add-ADPrincipalGroupMembership -Identity $Group.samAccountName -MemberOf $Group.Membership;
|
||||
}
|
||||
$error.Clear()
|
||||
}
|
||||
Else
|
||||
{
|
||||
# The group is present, log a message.
|
||||
# Add-Log -LogEntry("The group name " + $Group.Name + " already exists in the " + $destOU + " OU.")
|
||||
}
|
||||
}
|
||||
|
|
@ -1,90 +0,0 @@
|
|||
# Create-PAWOUs.ps1
|
||||
|
||||
#Include PS Environment
|
||||
#. ..\..\Scripts\Custom\PSEnvironment.ps1
|
||||
. .\\ADEnvironment.ps1
|
||||
|
||||
#Get current working directory
|
||||
$sLocation = Get-Location
|
||||
|
||||
$DomainName = (Get-ADDomain).Name
|
||||
$sDSE = (Get-ADRootDSE).defaultNamingContext
|
||||
|
||||
#$sPath = ("OU="+ $DomainName + " Objects," + $($sDSE))
|
||||
|
||||
#Creating Top Level OUs
|
||||
|
||||
New-ADOrganizationalUnit -Name "Admin" -Path "$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path "$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Tier 1 Servers" -Path "$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Workstations" -Path "$sDSE"
|
||||
New-ADOrganizationalUnit -Name "User Accounts" -Path "$sDSE"
|
||||
New-ADOrganizationalUnit -Name "Computer Quarantine" -Path "$sDSE"
|
||||
|
||||
|
||||
#Creating Sub OUs for Top Level Admin OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Tier 0" -Path ("OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Tier 1" -Path ("OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Tier 2" -Path ("OU=Admin,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Admin\Tier 0 OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path ("OU=Tier 0,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path ("OU=Tier 0,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path ("OU=Tier 0,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path ("OU=Tier 0,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Tier 0 Servers" -Path ("OU=Tier 0,OU=Admin,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Admin\Tier 1 OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path ("OU=Tier 1,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path ("OU=Tier 1,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path ("OU=Tier 1,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path ("OU=Tier 1,OU=Admin,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Admin\Tier 2 OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Accounts" -Path ("OU=Tier 2,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Groups" -Path ("OU=Tier 2,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Service Accounts" -Path ("OU=Tier 2,OU=Admin,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Devices" -Path ("OU=Tier 2,OU=Admin,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Top Level Groups OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Security Groups" -Path ("OU=Groups,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Distribution Groups" -Path ("OU=Groups,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Contacts" -Path ("OU=Groups,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Top Level Tier 1 Servers OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Application" -Path ("OU=Tier 1 Servers,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Collaboration" -Path ("OU=Tier 1 Servers,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Database" -Path ("OU=Tier 1 Servers,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Messaging" -Path ("OU=Tier 1 Servers,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Staging" -Path ("OU=Tier 1 Servers,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Top Level Workstations OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Desktops" -Path ("OU=Workstations,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Kiosks" -Path ("OU=Workstations,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Laptops" -Path ("OU=Workstations,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Staging" -Path ("OU=Workstations,$sDSE")
|
||||
|
||||
#Creating Sub OUs for Top Level User Accounts OU
|
||||
|
||||
New-ADOrganizationalUnit -Name "Enabled Users" -Path ("OU=User Accounts,$sDSE")
|
||||
New-ADOrganizationalUnit -Name "Disabled Users" -Path ("OU=User Accounts,$sDSE")
|
||||
|
||||
#Block inheritance for PAW OUs
|
||||
|
||||
Import-Module ServerManager
|
||||
Add-WindowsFeature Gpmc | Out-Null
|
||||
Import-Module GroupPolicy
|
||||
|
||||
Set-GpInheritance -target "OU=Devices,OU=Tier 0,OU=Admin,$sDSE" -IsBlocked Yes | Out-Null
|
||||
Set-GpInheritance -target "OU=Devices,OU=Tier 1,OU=Admin,$sDSE" -IsBlocked Yes | Out-Null
|
||||
Set-GpInheritance -target "OU=Devices,OU=Tier 2,OU=Admin,$sDSE" -IsBlocked Yes | Out-Null
|
||||
|
||||
#Return to original working directory
|
||||
Set-Location $sLocation
|
|
@ -1,10 +0,0 @@
|
|||
Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership
|
||||
Tier 0 Replication Maintenance,Tier0ReplicationMaintenance,Security,Global,Tier 0 Replication Maintenance,"OU=Groups,OU=Tier 0,OU=Admin",Members of this group are Tier 0 Replication Maintenance,
|
||||
Tier 1 Server Maintenance,Tier1ServerMaintenance,Security,Global,Tier 1 Server Maintenance,"OU=Groups,OU=Tier 1,OU=Admin",Members of this group perform Tier 1 Server Maintenance,
|
||||
Service Desk Operators,ServiceDeskOperators,Security,Global,Service Desk Operators,"OU=Groups,OU=Tier 2,OU=Admin",Members of this group are Service Desk Operators,
|
||||
Workstation Maintenance,WorkstationMaintenance,Security,Global,Workstation Maintenance,"OU=Groups,OU=Tier 2,OU=Admin",Members of this group perform Workstation Maintenance,
|
||||
Cloud Service Admins,cloudadmins,Security,Global,Cloud Service Admins,"OU=Groups,OU=Tier 0,OU=Admin",Members of this group are permitted to connect to pre-identified cloud services via Privileged Access Workstations,
|
||||
PAW Users,pawusers,Security,Global,PAW Users,"OU=Groups,OU=Tier 0,OU=Admin",Members of this group are permitted to log onto Privileged Access Workstations,
|
||||
PAW Maintenance,pawmaint,Security,Global,PAW Maintenance,"OU=Groups,OU=Tier 0,OU=Admin",Members of this group maintain and support Privileged Access Workstations,
|
||||
Tier 1 Admins,tier1admins,Security,Global,Tier 1 Admins,"OU=Groups,OU=Tier 1,OU=Admin",Members of this group are Tier 1 Administrators,
|
||||
Tier 2 Admins,tier2admins,Security,Global,Tier 2 Admins,"OU=Groups,OU=Tier 2,OU=Admin",Members of this group are Tier 2 Administrators,
|
|
|
@ -1,204 +0,0 @@
|
|||
# Delegate-PAWOURights.ps1
|
||||
# Based on and includes the DIAD delegations by Heath Aubin and Jon Sabberton
|
||||
|
||||
#Include PS Environment
|
||||
#. ..\..\Scripts\Custom\PSEnvironment.ps1
|
||||
. .\\ADEnvironment.ps1
|
||||
|
||||
# Add-Log -LogEntry("--Beginning PAW and DIAD Active Directory Delegations--");
|
||||
|
||||
#Get current working directory
|
||||
$sLocation = Get-Location
|
||||
|
||||
#Bring up an Active Directory command prompt so we can use this later on in the script
|
||||
Set-Location ad:
|
||||
|
||||
#Get a reference to the RootDSE of the current domain
|
||||
$rootdse = Get-ADRootDSE
|
||||
|
||||
#Get a reference to the current domain
|
||||
$domain = Get-ADDomain
|
||||
|
||||
#Set the Configuration Naming Context
|
||||
$configCN = $rootdse.ConfigurationNamingContext
|
||||
|
||||
#Set the Schema Naming Context
|
||||
$schemaNC = $rootDSE.SchemaNamingContext
|
||||
|
||||
#Set the ForestDnsZones Naming Context
|
||||
$forestDnsZonesDN = "DC=ForestDnsZones,"+$rootDSE.RootDomainNamingContext
|
||||
|
||||
#Set the Sites Naming Context
|
||||
$sitesDN = "CN=Sites,"+$configCN
|
||||
#Create a hashtable to store the GUID value of each schema class and attribute
|
||||
$guidmap = @{}
|
||||
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
|
||||
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
|
||||
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
|
||||
#Create a hashtable to store the GUID value of each extended right in the forest
|
||||
$extendedrightsmap = @{}
|
||||
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
|
||||
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
|
||||
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
|
||||
# Set variables for OUs and Containers
|
||||
$userAccountsOU = "OU=User Accounts,"
|
||||
$workstationsOU = "OU=Workstations,"
|
||||
$computerQuarantineOU = "OU=Computer Quarantine,"
|
||||
$tier1ServersOU = "OU=Tier 1 Servers,"
|
||||
$PAWDevicesOU = "OU=Devices,OU=Tier 0,OU=Admin,"
|
||||
|
||||
# Set variables for Group objects
|
||||
$serviceDeskOperatorsGroup = "ServiceDeskOperators"
|
||||
$workstationMaintenanceGroup = "WorkstationMaintenance"
|
||||
$replicationMaintenanceGroup = "Tier0ReplicationMaintenance"
|
||||
$tier1ServerMaintenanceGroup = "Tier1ServerMaintenance"
|
||||
$PAWAdminsGroup = "PAWMaint"
|
||||
|
||||
#Get a reference to each of the OU's we want to set permissions on
|
||||
#Add-Log -LogEntry("Getting OU Information");
|
||||
$userAcctsOUDN = Get-ADOrganizationalUnit -Identity ($userAccountsOU+$domain)
|
||||
$workstationsOUDN = Get-ADOrganizationalUnit -Identity ($workstationsOU+$domain)
|
||||
$computerQuarantineOUDN = Get-ADOrganizationalUnit -Identity ($computerQuarantineOU+$domain)
|
||||
$tier1ServersOUDN = Get-ADOrganizationalUnit -Identity ($tier1ServersOU+$domain)
|
||||
$PAWDevicesOUDN = Get-ADOrganizationalUnit -Identity ($PAWDevicesOU+$domain)
|
||||
|
||||
#Get the SID values of each group (principal) we wish to delegate access to
|
||||
#Add-Log -LogEntry("Getting SID values for each group for delegations");
|
||||
$serviceDeskOpsSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $serviceDeskOperatorsGroup).SID
|
||||
$workstationMaintSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $workstationMaintenanceGroup).SID
|
||||
$replMaintGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $replicationMaintenanceGroup).SID
|
||||
$tier1ServerMaintGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $tier1ServerMaintenanceGroup).SID
|
||||
$PAWAdminsGroupSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $PAWAdminsGroup).SID
|
||||
|
||||
#Get a copy of the current DACL on the OU's or Containers
|
||||
#Add-Log -LogEntry("Getting existing Directory ACLs");
|
||||
$userAccountsOUACL = Get-ACL -Path ($userAcctsOUDN);
|
||||
$workstationsOUACL = Get-ACL -Path ($workstationsOUDN);
|
||||
$computerQuarantineACL = Get-ACL -Path ($computerQuarantineOUDN)
|
||||
$topLevelDomainACL = Get-ACL -Path($domain)
|
||||
$configContainerACL = Get-ACL -Path($configCN)
|
||||
$schemaNCACL = Get-ACL -Path($schemaNC)
|
||||
$forestDnsZonesACL = Get-ACL -Path($forestDnsZonesDN)
|
||||
$sitesACL = Get-ACL -Path($sitesDN)
|
||||
$tier1ServersOUACL = Get-ACL -Path ($tier1ServersOUDN)
|
||||
$PAWDevicesOUACL = Get-ACL -Path ($PAWDevicesOUDN)
|
||||
|
||||
#Set Service Desk Operators Permissions to Users
|
||||
#Add-Log -LogEntry("Performing Service Desk Operators Role Delegations User Accounts OU");
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ReadProperty","Allow","Descendents",$guidmap["user"]))
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"WriteProperty","Allow","Descendents",$guidmap["user"]))
|
||||
$userAccountsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
|
||||
|
||||
#Set Service Desk Operator Permissions on Computers to access BitLocker and TPM information
|
||||
#Add-Log -LogEntry("Performing Service Desk Operator Role Delegations to the Workstation OU");
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ReadProperty","Allow",$guidmap["msTPM-OwnerInformation"],"Descendents",$guidmap["computer"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ReadProperty","Allow",$guidmap["msFVE-KeyPackage"],"Descendents",$guidmap["msFVE-RecoveryInformation"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ReadProperty","Allow",$guidmap["msFVE-RecoveryPassword"],"Descendents",$guidmap["msFVE-RecoveryInformation"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$serviceDeskOpsSID,"ReadProperty","Allow",$guidmap["msFVE-VolumeGuid"],"Descendents",$guidmap["msFVE-RecoveryInformation"]))
|
||||
|
||||
#Set Workstation Maintenance Permissions on Computer objects in the Computer Quarantine OU
|
||||
#Add-Log -LogEntry("Performing Workstation Maintenance Role Delegations to the Computer Quarantine OU");
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"CreateChild,DeleteChild","Allow",$guidmap["computer"],"All"))
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"ReadProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
$computerQuarantineACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"WriteProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
|
||||
#Set Workstation Maintenance Permissions on Computer objects in the Workstations OU
|
||||
#Add-Log -LogEntry("Performing Workstation Maintenance Role Delegations to the Workstations OU");
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"CreateChild,DeleteChild","Allow",$guidmap["computer"],"All"))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"ReadProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
$workstationsOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$workstationMaintSID,"WriteProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
|
||||
#Set PAW Admins Permissions on Computer objects in the PAW Devices OU
|
||||
#Add-Log -LogEntry("Performing PAW Admins Role Delegations to the Tier 0\Devices OU");
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID,"CreateChild,DeleteChild","Allow",$guidmap["computer"],"All"))
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID,"ReadProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
$PAWDevicesOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$PAWAdminsGroupSID,"WriteProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
|
||||
#Set Tier 0 Replication Maintenance Permissions within domain
|
||||
#Add-Log -LogEntry("Performing Tier 0 Replication Maintenance Role Delegations");
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Manage Replication Topology"],"Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes"],"Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes All"],"Descendents"))
|
||||
$topLevelDomainACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replication Synchronization"],"Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Manage Replication Topology"],"Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes"],"Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes All"],"Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replication Synchronization"],"Descendents"))
|
||||
$configContainerACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Monitor active directory Replication"],"Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Manage Replication Topology"],"Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes"],"Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes All"],"Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replication Synchronization"],"Descendents"))
|
||||
$schemaNCACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Monitor active directory Replication"],"Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Manage Replication Topology"],"Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes"],"Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replicating Directory Changes All"],"Descendents"))
|
||||
$forestDnsZonesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"ExtendedRight","Allow",$extendedrightsmap["Replication Synchronization"],"Descendents"))
|
||||
$sitesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"CreateChild,DeleteChild","Allow"))
|
||||
$sitesACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$replMaintGroupSID,"WriteProperty","Allow"))
|
||||
|
||||
#Set Tier 1 Server Maintenance Permissions on Computer objects in the Tier 1 Servers OU
|
||||
#Add-Log -LogEntry("Performing Tier 1 Server Maintenance Role Delegations to the Tier 1 Servers OU");
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID,"CreateChild,DeleteChild","Allow",$guidmap["computer"],"All"))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID,"ReadProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID,"WriteProperty","Allow","Descendents",$guidmap["computer"]))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID,"ReadProperty,WriteProperty","Allow",$guidmap["gplink"],"All"))
|
||||
$tier1ServersOUACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
|
||||
$tier1ServerMaintGroupSID,"ReadProperty","Allow",$guidmap["gpoptions"],"All"))
|
||||
|
||||
#Apply the modified DACL to the OU or Containers
|
||||
#Add-Log -LogEntry("Applying all Updated ACLs");
|
||||
Set-ACL -ACLObject $userAccountsOUACL -Path ("AD:\"+($userAcctsOUDN));
|
||||
Set-ACL -ACLObject $workstationsOUACL -Path ("AD:\"+($workstationsOUDN));
|
||||
Set-ACL -ACLObject $computerQuarantineACL -Path ("AD:\"+($computerQuarantineOUDN));
|
||||
Set-ACL -ACLObject $topLevelDomainACL -Path ("AD:\"+($domain));
|
||||
Set-ACL -ACLObject $configContainerACL -Path ("AD:\"+($configCN));
|
||||
Set-ACL -ACLObject $schemaNCACL -Path ("AD:\"+($schemaNC));
|
||||
Set-ACL -ACLObject $forestDnsZonesACL -Path ("AD:\"+($forestDnsZonesDN));
|
||||
Set-ACL -ACLObject $sitesACL -Path ("AD:\"+($sitesDN));
|
||||
Set-ACL -ACLObject $tier1ServersOUACL -Path ("AD:\"+($tier1ServersOUDN));
|
||||
Set-ACL -ACLObject $PAWDevicesOUACL -Path ("AD:"+($PAWDevicesOUDN));
|
||||
#Add-Log -LogEntry("--Completed PAW and DIAD Active Directory Delegations--");
|
||||
|
||||
#Return to original working directory
|
||||
Set-Location $sLocation
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
This script publishes the module to the gallery.
|
||||
It expects as input an ApiKey authorized to publish the module.
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
Write-Host "Installing Pester" -ForegroundColor Cyan
|
||||
Write-Host "Installing Pester" -ForegroundColor Cyan
|
||||
Install-Module Pester -Force -SkipPublisherCheck
|
||||
Write-Host "Installing PSFramework" -ForegroundColor Cyan
|
||||
Install-Module PSFramework -Force -SkipPublisherCheck
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Guide for available variables and working with secrets:
|
||||
# Guide for available variables and working with secrets:
|
||||
# https://docs.microsoft.com/en-us/vsts/build-release/concepts/definitions/build/variables?tabs=powershell
|
||||
|
||||
# Needs to ensure things are Done Right and only legal commits to master get built
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<#
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Installs the PAWTools Module from github
|
||||
|
||||
|
@ -45,7 +45,7 @@ Param (
|
|||
$ModuleName = "PAWTools"
|
||||
|
||||
# Base path to the github repository
|
||||
$BaseUrl = "https://github.com/<InsertUsernameHere>/PAWTools"
|
||||
$BaseUrl = "https://github.com/Microsoft/PAWTools"
|
||||
|
||||
# If the module is in a subfolder of the cloned repository, specify relative path here. Empty string to skip.
|
||||
$SubFolder = "PAWTools"
|
||||
|
|
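Review bot: The new `$BaseUrl` value names only the repository, not a release, tag or commit, so whatever download logic this installer runs (it lies outside the hunk) presumably fetches the repository's current default branch at run time, which makes installs non-reproducible and means any later change to that branch is installed as-is. Consider pairing it with a pinned reference, e.g. `$Ref = "<release-tag-or-commit>"  # pin the version installed`, and having the download use that reference rather than the branch head. The comment above `$BaseUrl` should also state that the module is retrieved from GitHub without hash or signature verification, so operators know the source is trusted on the strength of TLS and the repository alone.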