From 92d8156af042f79f7ac14b0fdd9e2fd4e8622572 Mon Sep 17 00:00:00 2001
From: hcornet
Date: Tue, 28 Nov 2023 10:03:24 +0100
Subject: [PATCH] update
---
 Creation-OU.ps1 | 58 ++++++++++++++
 Groupes-Standard.csv | 5 ++
 Set-OUComputerPermissions.ps1 | 36 +++++++++
 Set-OUGPOPermissions.ps1 | 35 +++++++++
 Set-OUGroupPermissions.ps1 | 35 +++++++++
 Set-OUReplicationPermissions.ps1 | 52 ++++++++++++
 Set-OUUserPermissions.ps1 | 40 ++++++++++
 Set-OUWorkstationPermissions.ps1 | 34 ++++++++
 Tiering_steps.ps1 | 131 +++++++++++++++++++++++++++++++
 9 files changed, 426 insertions(+)
 create mode 100644 Creation-OU.ps1
 create mode 100644 Groupes-Standard.csv
 create mode 100644 Set-OUComputerPermissions.ps1
 create mode 100644 Set-OUGPOPermissions.ps1
 create mode 100644 Set-OUGroupPermissions.ps1
 create mode 100644 Set-OUReplicationPermissions.ps1
 create mode 100644 Set-OUUserPermissions.ps1
 create mode 100644 Set-OUWorkstationPermissions.ps1
 create mode 100644 Tiering_steps.ps1
diff --git a/Creation-OU.ps1 b/Creation-OU.ps1
new file mode 100644
index 0000000..baa43ec
--- /dev/null
+++ b/Creation-OU.ps1
@@ -0,0 +1,58 @@ +<# + .Example + Atempt to create OU that not exists in the desired path + $OUs = @( + $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" }) + ) + .\Create-OU.ps1 -OUs $OUs -Verbose + PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose + VERBOSE: Creating new OU 'OU=Desktops,ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: Creating new OU 'OU=Kiosks,ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: Creating new OU 'OU=Laptops,ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: Creating new OU 'OU=Staging,ou=Workstations,DC=azureblog,DC=pl' + .Example + Atempt to create OU that already exists in the desired path + $OUs = @( + $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" }) + ) + .\Create-OU.ps1 -OUs $OUs -Verbose + PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose + VERBOSE: OU 'Desktops' already exists under 'ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: OU 'Kiosks' already exists under 'ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: OU 'Laptops' already exists under 'ou=Workstations,DC=azureblog,DC=pl' + VERBOSE: OU 'Staging' already exists under 'ou=Workstations,DC=azureblog,DC=pl +#> + +[CmdletBinding()] +param( + [PSObject] $OUs +) +$dNC = (Get-ADRootDSE).defaultNamingContext +$OUs | ForEach-Object { + $name = $_.Name + $parentOU = $_.ParentOU + + if ($ParentOU -eq '') { + $ouPath = "$dNC" + $testOUpath = "OU=$name,$dNC" + } + else { + $ouPath = "$parentOU,$dNC" + $testOUPath = 
"OU=$name,$parentOU,$dNC" + } + + $OUTest = (Get-ADOrganizationalUnit -Filter 'DistinguishedName -like $testOUpath' | Measure-Object).Count + if ($OUtest -eq 0) { + Write-Verbose "Creating new OU '$testOUPath'" + New-ADOrganizationalUnit -Name $name -Path $OUPath -ProtectedFromAccidentalDeletion:$true + } + else { + Write-Verbose "OU '$name' already exists under '$ouPath'" + } +} diff --git a/Groupes-Standard.csv b/Groupes-Standard.csv new file mode 100644 index 0000000..6941cda --- /dev/null +++ b/Groupes-Standard.csv @@ -0,0 +1,5 @@ +Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership +Test Group 1,testgroup1,Security,Global,Test Group 1,"ou=Security Groups,OU=Groups",Group with random members, +Test Group 2,testgroup2,Security,Global,Test Group 2,"ou=Security Groups,OU=Groups",Group with random members, +Test Group 3,testgroup3,Security,Global,Test Group 3,"ou=Security Groups,OU=Groups",Group with random members, +Test Group 4,testgroup4,Security,Global,Test Group 4,"ou=Security Groups,OU=Groups",Group with random members, diff --git a/Set-OUComputerPermissions.ps1 b/Set-OUComputerPermissions.ps1 new file mode 100644 index 0000000..6633812 --- /dev/null +++ b/Set-OUComputerPermissions.ps1 
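Review bot: The file is added as Creation-OU.ps1, but the .Example block at the top of the hunk and the orchestrator in Tiering_steps.ps1 both invoke `.\Create-OU.ps1`, so the documented usage does not resolve to this file; rename one side so they agree. The empty-parent test `if ($ParentOU -eq '')` does not catch a `$null` ParentOU, which then falls into the else branch and builds a path of `,$dNC`; `if ([string]::IsNullOrEmpty($parentOU))` covers both cases. The existence check `-Filter 'DistinguishedName -like $testOUpath'` is an exact-match test written with a wildcard operator; `-Filter 'DistinguishedName -eq $testOUpath'` states the intent and is not affected by wildcard characters in an OU name.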
@@ -0,0 +1,36 @@ +<# + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Computer Quarantine"}), + $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Workstations"}), + $(New-Object PSObject -Property @{Group = "PAWMaint"; OUPrefix = "OU=Devices,OU=Tier 0,OU=Admin"}), + $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"}) + ) + .\Set-OUComputerPermissions.ps1 -list $list -Verbose + +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } + +$List | ForEach-Object { + $ouPrefix = $_.OUPrefix + $Group = $_.Group + $ouPath = "$OUPrefix,$($domain.DistinguishedName)" + $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild,DeleteChild", "Allow", $guidmap["Computer"], "All")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"])) + Write-Verbose "Configuring Computer Permissions on '$ouPath' for group '$Group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) +} diff --git a/Set-OUGPOPermissions.ps1 b/Set-OUGPOPermissions.ps1 new file mode 100644 index 0000000..5f742d8 
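Review bot: The second and third AddAccessRule calls grant ReadProperty and WriteProperty with no property GUID on every descendant computer object, which is write access to every attribute of those accounts, including the ones that govern the account's own authentication and delegation settings; that is far broader than the create/delete rights a "maintenance" role name suggests. If full attribute control is intended, say so in the comment block (`# NOTE: WriteProperty with no property GUID = write to every computer attribute under the OU`), otherwise scope the two ACEs to the attributes the role actually needs. The same unscoped WriteProperty pattern appears in Set-OUGroupPermissions.ps1, Set-OUUserPermissions.ps1 and Set-OUWorkstationPermissions.ps1. Neither the `$ou` lookup nor the group SID is checked before the ACEs are built, so a mistyped OUPrefix is not caught before Get-ACL/Set-ACL run; a null check on both, or `-ErrorAction Stop` on the two lookups, makes a bad list entry abort before any ACL is written.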
--- /dev/null +++ b/Set-OUGPOPermissions.ps1 @@ -0,0 +1,35 @@ +<# + + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"}) + ) + .\Set-OUGPOPermissions.ps1 -list $list -Verbose + +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } +$extendedrightsmap = @{ } +Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid } + +$List | ForEach-Object { + $ouPrefix = $_.OUPrefix + $Group = $_.Group + $ouPath = "$OUPrefix,$($domain.DistinguishedName)" + $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty,WriteProperty", "Allow", $guidmap["gplink"], "All")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["gpoptions"], "All")) + Write-Verbose "Configuring GPO Permissions on '$ouPath' for group '$Group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) +} diff --git a/Set-OUGroupPermissions.ps1 b/Set-OUGroupPermissions.ps1 new file mode 100644 index 0000000..3b23c26 --- /dev/null +++ b/Set-OUGroupPermissions.ps1 
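Review bot: The two ACEs are asymmetric: gplink gets `"ReadProperty,WriteProperty"` but gpoptions gets only `"ReadProperty"`, so the delegated group can link and unlink GPOs on the OU but cannot change its block-inheritance option; if the intent is the usual "manage Group Policy links" delegation, the second rule should also be `"ReadProperty,WriteProperty"`, otherwise a comment should say why gpoptions is read-only. `$extendedrightsmap` is populated with a query against the configuration NC and never read in this script, so that query can be dropped. Because write access to gplink lets the group attach any GPO it can read to everything under the OU, the .Example block should state that this is an OU-level control delegation rather than a read-only one.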
@@ -0,0 +1,35 @@ +<# + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"}) + ) + .\Set-OUGroupPermissions.ps1 -list $list -Verbose +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List + +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } +$extendedrightsmap = @{ } +Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid } + +$List | ForEach-Object { + $ouPrefix = $_.OUPrefix + $Group = $_.Group + $ouPath = "$OUPrefix,$($domain.DistinguishedName)" + $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["group"], "ALL")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["group"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["group"])) + Write-Verbose "Configuring Group Permissions on '$ouPath' for group '$Group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) +} diff --git a/Set-OUReplicationPermissions.ps1 b/Set-OUReplicationPermissions.ps1 new file mode 100644 index 0000000..cb3254f --- /dev/null +++ b/Set-OUReplicationPermissions.ps1 
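Review bot: The first ACE grants CreateChild for group objects without DeleteChild, unlike Set-OUComputerPermissions.ps1 which grants both, so the delegated admins can create groups in their OU but not remove them; either add DeleteChild or note in the comment block that deletion is deliberately withheld. `$extendedrightsmap` is built with a second directory query and never used here. The ReadProperty/WriteProperty rules carry no property GUID, so they cover the `member` attribute of every group under the OU; that is presumably the point of the delegation, but it should be stated in the .Example block, since Tiering_steps.ps1 applies this to the Tier 1 and Tier 2 admin Groups OUs where membership control is a sensitive right.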
@@ -0,0 +1,52 @@ +<# + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" }) + ) + .\Set-OUReplicationPermissions.ps1 -list $list -Verbose +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List + +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } +$extendedrightsmap = @{ } +Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid } + +$location = Get-Location +Set-Location AD: +$configCN = $rootdse.ConfigurationNamingContext +$schemaNC = $rootdse.SchemaNamingContext +$forestDnsZonesDN = "DC=ForestDnsZones," + $rootdse.RootDomainNamingContext +$sitesDN = "CN=Sites," + $configCN +$config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN) +$List | ForEach-Object { + $group = $_.Group + if ($_.OUPrefix -eq ""){ + $aclPath = $domain.DistinguishedName + } + else { + $aclPath = $_.OUPrefix + "," + $domain.DistinguishedName + } + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID + foreach ($configEntry in $config) { + $acl = Get-ACL -Path($configEntry) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents")) + $acl.AddAccessRule((New-Object 
System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents")) + if ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") { + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents")) + } + Write-Verbose "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath) + } +} +Set-Location $Location diff --git a/Set-OUUserPermissions.ps1 b/Set-OUUserPermissions.ps1 new file mode 100644 index 0000000..7e35b7a --- /dev/null +++ b/Set-OUUserPermissions.ps1 
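Review bot: The ACL read inside the foreach comes from `$configEntry` (`Get-ACL -Path($configEntry)`), but it is written back to `"AD:\" + $aclPath`, the domain head or OUPrefix, so each iteration replaces the security descriptor of the domain object with the one copied from the configuration, schema, ForestDnsZones and Sites containers in turn; the write should target the object that was read, `Set-ACL -ACLObject $acl -Path $configEntry`, after which `$aclPath` is unused. The replication ACEs use the (objectType, inheritanceType) overload with `"Descendents"`, which excludes the naming-context head itself, and replication rights are evaluated on the NC object, so this looks like it should be `"None"` or `"All"` — confirm against a test forest before relying on it. The group receiving Replicating Directory Changes / Changes All can replicate every attribute of every object, secrets included, so the comment block should state that membership in Tier0ReplicationMaintenance is Tier 0 and must be protected like Domain Admins.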
@@ -0,0 +1,40 @@ +<# + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=User Accounts"}) + ) + .\Set-OUUserPermissions.ps1 -list $list -Verbose +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List + +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } +$extendedrightsmap = @{ } +Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid } + +$List | ForEach-Object { + $ouPrefix = $_.OUPrefix + $Group = $_.Group + $ouPath = "$OUPrefix,$($domain.DistinguishedName)" + $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["user"], "ALL")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], "Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["lockoutTime"], 
"Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"])) + Write-Verbose "Configuring User Permissions on '$ouPath' for group '$Group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) +} diff --git a/Set-OUWorkstationPermissions.ps1 b/Set-OUWorkstationPermissions.ps1 new file mode 100644 index 0000000..ad9e801 --- /dev/null +++ b/Set-OUWorkstationPermissions.ps1 
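Review bot: The lockoutTime and pwdLastSet ACEs at the end of the hunk are redundant with the earlier ReadProperty/WriteProperty rules that carry no property GUID and already cover every attribute of descendant user objects; either drop the blanket rules and keep the attribute-specific ones (the least-privilege shape for a service-desk role: create, reset password, unlock, force password change), or drop the specific ones and document that full attribute write is intended. Tiering_steps.ps1 also runs this script against the Tier 1/2 Accounts and Service Accounts OUs, so whichever scope is chosen applies to admin accounts as well. CreateChild is granted without DeleteChild, unlike Set-OUComputerPermissions.ps1; say in the comment block whether that asymmetry is intended.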
@@ -0,0 +1,34 @@ +<# + .Example + $List = @( + $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=Workstations"}) + .\Set-OUWorkstationPermissions.ps1 -list $list -Verbose +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][PSOBject] $List +) +Import-Module ActiveDirectory + +$rootdse = Get-ADRootDSE +$domain = Get-ADDomain +$guidmap = @{ } +Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } +$List | ForEach-Object { + $ouPrefix = $_.OUPrefix + $Group = $_.Group + $ouPath = "$OUPrefix,$($domain.DistinguishedName)" + $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["Computer"], "All")) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msTPM-OwnerInformation"], "Descendents", $guidmap["computer"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-KeyPackage"], "Descendents", $guidmap["msFVE-RecoveryInformation"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-RecoveryPassword"], "Descendents", 
$guidmap["msFVE-RecoveryInformation"])) + $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-VolumeGuid"], "Descendents", $guidmap["msFVE-RecoveryInformation"])) + Write-Verbose "Configuring Workstation Permissions on '$ouPath' for group '$Group'" + Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) +} diff --git a/Tiering_steps.ps1 b/Tiering_steps.ps1 new file mode 100644 index 0000000..c669514 --- /dev/null +++ b/Tiering_steps.ps1 
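Review bot: The .Example block is missing the closing `)` of the `$List = @(` array, so it does not run as written; close the array before the script invocation line. The `msTPM-OwnerInformation` ReadProperty ACE is redundant, because the earlier ReadProperty rule with no property GUID already covers every attribute of descendant computer objects; the three msFVE-* rules are not redundant, since they target msFVE-RecoveryInformation child objects rather than the computer itself. Because those rules expose BitLocker recovery passwords, the comment block should state that the delegated group can read recovery keys for every workstation under the OU, which in Tiering_steps.ps1 is Tier2ServiceDeskOperators.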
@@ -0,0 +1,131 @@ +throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + +Import-Module ActiveDirectory +$dNC = (Get-ADRootDSE).defaultNamingContext + + +#region Create Top Level OU's +$OUs = @( + $(New-Object PSObject -Property @{Name = "Admin"; ParentOU = "" }), + $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "" }), + $(New-Object PSObject -Property @{Name = "Tier 1 Servers"; ParentOU = "" }), + $(New-Object PSObject -Property @{Name = "Workstations"; ParentOU = "" }), + $(New-Object PSObject -Property @{Name = "User accounts"; ParentOU = "" }), + $(New-Object PSObject -Property @{Name = "Quarantine"; ParentOU = "" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +#endRegion + +#region Create Sub Admin OU's +$OUs = @( + $(New-Object PSObject -Property @{Name = "Tier0"; ParentOU = "ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Tier1"; ParentOU = "ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Tier2"; ParentOU = "ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier0,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier0,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier0,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier0,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Tier0 Servers"; ParentOU = "ou=Tier0,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier2,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Groups"; ParentOU = 
"ou=Tier2,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier2,ou=Admin" }), + $(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier2,ou=Admin" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +#endRegion + +#region Create Sub Groups OU's +$OUs = @( + $(New-Object PSObject -Property @{Name = "Security Groups"; ParentOU = "ou=Groups" }), + $(New-Object PSObject -Property @{Name = "Distribution Groups"; ParentOU = "ou=Groups" }), + $(New-Object PSObject -Property @{Name = "Contacts"; ParentOU = "ou=Groups" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +$OUs = @( + $(New-Object PSObject -Property @{Name = "Application"; ParentOU = "ou=Tier 1 Servers" }), + $(New-Object PSObject -Property @{Name = "Collaboration"; ParentOU = "ou=Tier 1 Servers" }), + $(New-Object PSObject -Property @{Name = "Database"; ParentOU = "ou=Tier 1 Servers" }), + $(New-Object PSObject -Property @{Name = "Messaging"; ParentOU = "ou=Tier 1 Servers" }), + $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Tier 1 Servers" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +$OUs = @( + $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }), + $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +#endRegion + +#region Create Sub User Accounts OU's +$OUs = @( + $(New-Object PSObject -Property @{Name = "Enabled Users"; ParentOU = "ou=User Accounts" }), + $(New-Object PSObject -Property @{Name = "Disabled Users"; ParentOU = "ou=User Accounts" }) +) +.\Create-OU.ps1 -OUs $OUs -Verbose +#endRegion + +#Region Block inheritance for PAW OUs +Set-GpInheritance -Target "OU=Devices,OU=Tier0,OU=Admin,$dnc" -IsBlocked Yes | Out-Null +Set-GpInheritance -Target 
"OU=Devices,OU=Tier1,OU=Admin,$dnc" -IsBlocked Yes | Out-Null +Set-GpInheritance -Target "OU=Devices,OU=Tier2,OU=Admin,$dnc" -IsBlocked Yes | Out-Null +#endRegion + +#Region create Groups +$csv = Read-Host -Prompt "Please provide full path to Admin Groups csv file" +.\Create-Group.ps1 -CSVfile $csv -Verbose +$csv = Read-Host -Prompt "Please provide full path to Standard Groups csv file" +.\Create-Group.ps1 -CSVfile $csv -Verbose +#endRegion + + +#Region Create OU Delegation +$List = @( + $(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=User Accounts" }), + $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Accounts,ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Service Accounts,ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Accounts,ou=Tier2,ou=Admin" }), + $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Service Accounts,ou=Tier2,ou=Admin" }) +) +.\Set-OUUserPermissions.ps1 -list $list -Verbose + +$List = @( + $(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=Workstations" }), + $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Devices,ou=Tier1,ou=Admin" }), + $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Devices,ou=Tier2,ou=Admin" }) +) +.\Set-OUWorkstationPermissions.ps1 -list $list -Verbose + +$List = @( + $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"}), + $(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Groups,ou=Tier2,ou=Admin"}) +) +.\Set-OUGroupPermissions.ps1 -list $list -Verbose + +$List = @( + $(New-Object PSObject -Property @{Group = "Tier2Tier2WorkstationMaintenance"; OUPrefix = "OU=Quarantine" }), + $(New-Object PSObject -Property @{Group = "Tier2WorkstationMaintenance"; OUPrefix = "OU=Workstations" }), + $(New-Object 
PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" }) +) +.\Set-OUComputerPermissions.ps1 -list $list -Verbose + +$List = @( + $(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" }) +) +.\Set-OUReplicationPermissions.ps1 -list $list -Verbose + +$List = @( + $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" }) +) +.\Set-OUGPOPermissions.ps1 -list $list -Verbose + +#endRegion + +Set-Location $location
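Review bot: The script invokes `.\Create-OU.ps1` and `.\Create-Group.ps1`, but this commit adds `Creation-OU.ps1` and no group-creation script, so the OU and group steps cannot run from the checked-in tree; align the file names and add the missing script or document where it comes from. `Tier2Tier2WorkstationMaintenance` in the Set-OUComputerPermissions list looks like a doubled prefix next to `Tier2WorkstationMaintenance` on the following line — confirm which name the admin-groups CSV defines. `Set-Location C:\Tools` is a hard-coded path; `Set-Location $PSScriptRoot` works wherever the repository is cloned. The leading `throw "This is not a robus script"` (typo: robust) makes the whole file unrunnable, which is acceptable for a runbook meant to be executed block by block, but that intent belongs in a header comment rather than an exception.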