update

2023-11-28 10:03:24 +01:00
parent c3bcd0d7a3
commit 92d8156af0
9 changed files with 426 additions and 0 deletions
--- a/Creation-OU.ps1
+++ b/Creation-OU.ps1
@ -0,0 +1,58 @@
+<#
+    .Example
+    Atempt to create OU that not exists in the desired path
+    $OUs = @(
+    $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+    )
+    .\Create-OU.ps1 -OUs $OUs -Verbose
+    PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose
+    VERBOSE: Creating new OU 'OU=Desktops,ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: Creating new OU 'OU=Kiosks,ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: Creating new OU 'OU=Laptops,ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: Creating new OU 'OU=Staging,ou=Workstations,DC=azureblog,DC=pl'
+    .Example
+    Atempt to create OU that already exists in the desired path
+    $OUs = @(
+    $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+    )
+    .\Create-OU.ps1 -OUs $OUs -Verbose
+    PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose
+    VERBOSE: OU 'Desktops' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: OU 'Kiosks' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: OU 'Laptops' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+    VERBOSE: OU 'Staging' already exists under 'ou=Workstations,DC=azureblog,DC=pl
+#>
+
+[CmdletBinding()]
+param(
+    [PSObject] $OUs
+)
+$dNC = (Get-ADRootDSE).defaultNamingContext
+$OUs | ForEach-Object {
+    $name = $_.Name
+    $parentOU = $_.ParentOU
+    
+    if ($ParentOU -eq '') {
+        $ouPath = "$dNC"
+        $testOUpath = "OU=$name,$dNC"
+    }
+    else {
+        $ouPath = "$parentOU,$dNC"
+        $testOUPath = "OU=$name,$parentOU,$dNC"
+    }
+    
+    $OUTest = (Get-ADOrganizationalUnit -Filter 'DistinguishedName -like $testOUpath' | Measure-Object).Count
+    if ($OUtest -eq 0) {
+        Write-Verbose "Creating new OU '$testOUPath'"
+        New-ADOrganizationalUnit -Name $name -Path $OUPath -ProtectedFromAccidentalDeletion:$true
+    }
+    else {
+        Write-Verbose "OU '$name' already exists under '$ouPath'"
+    }
+}
--- a/Groupes-Standard.csv
+++ b/Groupes-Standard.csv
@ -0,0 +1,5 @@
+Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership
+Test Group 1,testgroup1,Security,Global,Test Group 1,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 2,testgroup2,Security,Global,Test Group 2,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 3,testgroup3,Security,Global,Test Group 3,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 4,testgroup4,Security,Global,Test Group 4,"ou=Security Groups,OU=Groups",Group with random members,
--- a/Set-OUComputerPermissions.ps1
+++ b/Set-OUComputerPermissions.ps1
@ -0,0 +1,36 @@
+<#
+    .Example 
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Computer Quarantine"}),
+        $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Workstations"}),
+        $(New-Object PSObject -Property @{Group = "PAWMaint"; OUPrefix = "OU=Devices,OU=Tier 0,OU=Admin"}),
+        $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
+    )
+    .\Set-OUComputerPermissions.ps1 -list $list -Verbose
+    
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+
+$List | ForEach-Object {
+    $ouPrefix = $_.OUPrefix
+    $Group = $_.Group
+    $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+    $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+    $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild,DeleteChild", "Allow", $guidmap["Computer"], "All"))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"]))
+    Write-Verbose "Configuring Computer Permissions on '$ouPath' for group '$Group'"
+    Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}
--- a/Set-OUGPOPermissions.ps1
+++ b/Set-OUGPOPermissions.ps1
@ -0,0 +1,35 @@
+<#
+
+    .Example
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
+    )
+    .\Set-OUGPOPermissions.ps1 -list $list -Verbose
+
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+			
+$List | ForEach-Object {
+    $ouPrefix = $_.OUPrefix
+    $Group = $_.Group
+    $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+    $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+    $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty,WriteProperty", "Allow", $guidmap["gplink"], "All"))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["gpoptions"], "All"))
+    Write-Verbose "Configuring GPO Permissions on '$ouPath' for group '$Group'"
+    Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}
--- a/Set-OUGroupPermissions.ps1
+++ b/Set-OUGroupPermissions.ps1
@ -0,0 +1,35 @@
+<#
+    .Example
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"})
+    )
+    .\Set-OUGroupPermissions.ps1 -list $list -Verbose 
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+    
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+
+$List | ForEach-Object {
+    $ouPrefix = $_.OUPrefix
+    $Group = $_.Group
+    $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+    $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+    $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["group"], "ALL"))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["group"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["group"]))
+    Write-Verbose "Configuring Group Permissions on '$ouPath' for group '$Group'"
+    Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}
--- a/Set-OUReplicationPermissions.ps1
+++ b/Set-OUReplicationPermissions.ps1
@ -0,0 +1,52 @@
+<#
+    .Example
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" })
+    )
+    .\Set-OUReplicationPermissions.ps1 -list $list -Verbose
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+    
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+
+$location = Get-Location
+Set-Location AD:
+$configCN = $rootdse.ConfigurationNamingContext
+$schemaNC = $rootdse.SchemaNamingContext
+$forestDnsZonesDN = "DC=ForestDnsZones," + $rootdse.RootDomainNamingContext
+$sitesDN = "CN=Sites," + $configCN
+$config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN)
+$List | ForEach-Object {
+    $group = $_.Group
+    if ($_.OUPrefix -eq ""){
+        $aclPath = $domain.DistinguishedName
+    }
+    else {
+        $aclPath = $_.OUPrefix + "," + $domain.DistinguishedName
+    }
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID
+    foreach ($configEntry in $config) {
+        $acl = Get-ACL -Path($configEntry)
+        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
+        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
+        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
+        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
+        if ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") {
+            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
+        }
+        Write-Verbose "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"
+        Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)
+    }
+}
+Set-Location $Location
--- a/Set-OUUserPermissions.ps1
+++ b/Set-OUUserPermissions.ps1
@ -0,0 +1,40 @@
+<#
+    .Example
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=User Accounts"})
+    )
+    .\Set-OUUserPermissions.ps1 -list $list -Verbose 
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+    
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+
+$List | ForEach-Object {
+    $ouPrefix = $_.OUPrefix
+    $Group = $_.Group
+    $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+    $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+    $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["user"], "ALL"))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"]))
+    Write-Verbose "Configuring User Permissions on '$ouPath' for group '$Group'"
+    Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}
--- a/Set-OUWorkstationPermissions.ps1
+++ b/Set-OUWorkstationPermissions.ps1
@ -0,0 +1,34 @@
+<#
+    .Example
+    $List = @(
+        $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=Workstations"})
+    .\Set-OUWorkstationPermissions.ps1 -list $list -Verbose
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$List | ForEach-Object {
+    $ouPrefix = $_.OUPrefix
+    $Group = $_.Group
+    $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+    $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+    $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["Computer"], "All"))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msTPM-OwnerInformation"], "Descendents", $guidmap["computer"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-KeyPackage"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-RecoveryPassword"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-VolumeGuid"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+    Write-Verbose "Configuring Workstation Permissions on '$ouPath' for group '$Group'"
+    Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+} 
--- a/Tiering_steps.ps1
+++ b/Tiering_steps.ps1
@ -0,0 +1,131 @@
+throw "This is not a robus script"
+$location = Get-Location
+Set-Location C:\Tools
+
+Import-Module ActiveDirectory
+$dNC = (Get-ADRootDSE).defaultNamingContext
+
+
+#region Create Top Level OU's
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Admin"; ParentOU = "" }),
+    $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "" }),
+    $(New-Object PSObject -Property @{Name = "Tier 1 Servers"; ParentOU = "" }),
+    $(New-Object PSObject -Property @{Name = "Workstations"; ParentOU = "" }),
+    $(New-Object PSObject -Property @{Name = "User accounts"; ParentOU = "" }),
+    $(New-Object PSObject -Property @{Name = "Quarantine"; ParentOU = "" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion 
+
+#region Create Sub Admin OU's
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Tier0"; ParentOU = "ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Tier1"; ParentOU = "ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Tier2"; ParentOU = "ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier0,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier0,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier0,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier0,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Tier0 Servers"; ParentOU = "ou=Tier0,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier2,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier2,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier2,ou=Admin" }),
+    $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier2,ou=Admin" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+
+#region Create Sub Groups OU's
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Security Groups"; ParentOU = "ou=Groups" }),
+    $(New-Object PSObject -Property @{Name = "Distribution Groups"; ParentOU = "ou=Groups" }),
+    $(New-Object PSObject -Property @{Name = "Contacts"; ParentOU = "ou=Groups" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Application"; ParentOU = "ou=Tier 1 Servers" }),
+    $(New-Object PSObject -Property @{Name = "Collaboration"; ParentOU = "ou=Tier 1 Servers" }),
+    $(New-Object PSObject -Property @{Name = "Database"; ParentOU = "ou=Tier 1 Servers" }),
+    $(New-Object PSObject -Property @{Name = "Messaging"; ParentOU = "ou=Tier 1 Servers" }),
+    $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Tier 1 Servers" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+    $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+
+#region Create Sub User Accounts OU's
+$OUs = @(
+    $(New-Object PSObject -Property @{Name = "Enabled Users"; ParentOU = "ou=User Accounts" }),
+    $(New-Object PSObject -Property @{Name = "Disabled Users"; ParentOU = "ou=User Accounts" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+
+#Region Block inheritance for PAW OUs
+Set-GpInheritance -Target "OU=Devices,OU=Tier0,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+Set-GpInheritance -Target "OU=Devices,OU=Tier1,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+Set-GpInheritance -Target "OU=Devices,OU=Tier2,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+#endRegion
+
+#Region create Groups 
+$csv = Read-Host -Prompt "Please provide full path to Admin Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+$csv = Read-Host -Prompt "Please provide full path to Standard Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+#endRegion
+
+
+#Region Create OU Delegation
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=User Accounts" }),
+    $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Accounts,ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Service Accounts,ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Accounts,ou=Tier2,ou=Admin" }),
+    $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Service Accounts,ou=Tier2,ou=Admin" })
+)
+.\Set-OUUserPermissions.ps1 -list $list -Verbose 
+
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=Workstations" }),
+    $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Devices,ou=Tier1,ou=Admin" }),
+    $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Devices,ou=Tier2,ou=Admin" })
+)
+.\Set-OUWorkstationPermissions.ps1 -list $list -Verbose
+
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"}),
+    $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Groups,ou=Tier2,ou=Admin"})
+)
+.\Set-OUGroupPermissions.ps1 -list $list -Verbose
+
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier2Tier2WorkstationMaintenance"; OUPrefix = "OU=Quarantine" }),
+    $(New-Object PSObject -Property @{Group = "Tier2WorkstationMaintenance"; OUPrefix = "OU=Workstations" }),
+    $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" })
+)
+.\Set-OUComputerPermissions.ps1 -list $list -Verbose
+
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" })
+)
+.\Set-OUReplicationPermissions.ps1 -list $list -Verbose
+
+$List = @(
+    $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" })
+)
+.\Set-OUGPOPermissions.ps1 -list $list -Verbose
+
+#endRegion
+
+Set-Location $location