2023-11-28 10:03:24 +01:00
parent c3bcd0d7a3
commit 92d8156af0
9 changed files with 426 additions and 0 deletions

58
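--- a/Creation-OU.ps1
+++ b/Creation-OU.ps1
@@ -0,0 +1,58 @@
+<#
+.Example
+Atempt to create OU that not exists in the desired path
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose
+VERBOSE: Creating new OU 'OU=Desktops,ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: Creating new OU 'OU=Kiosks,ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: Creating new OU 'OU=Laptops,ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: Creating new OU 'OU=Staging,ou=Workstations,DC=azureblog,DC=pl'
+.Example
+Atempt to create OU that already exists in the desired path
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose
+VERBOSE: OU 'Desktops' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: OU 'Kiosks' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: OU 'Laptops' already exists under 'ou=Workstations,DC=azureblog,DC=pl'
+VERBOSE: OU 'Staging' already exists under 'ou=Workstations,DC=azureblog,DC=pl
+#>
+[CmdletBinding()]
+param(
+[PSObject] $OUs
+)
+$dNC = (Get-ADRootDSE).defaultNamingContext
+$OUs | ForEach-Object {
+$name = $_.Name
+$parentOU = $_.ParentOU
+if ($ParentOU -eq '') {
+$ouPath = "$dNC"
+$testOUpath = "OU=$name,$dNC"
+}
+else {
+$ouPath = "$parentOU,$dNC"
+$testOUPath = "OU=$name,$parentOU,$dNC"
+}
+$OUTest = (Get-ADOrganizationalUnit -Filter 'DistinguishedName -like $testOUpath' | Measure-Object).Count
+if ($OUtest -eq 0) {
+Write-Verbose "Creating new OU '$testOUPath'"
+New-ADOrganizationalUnit -Name $name -Path $OUPath -ProtectedFromAccidentalDeletion:$true
+}
+else {
+Write-Verbose "OU '$name' already exists under '$ouPath'"
+}
+}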
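Review bot: The file is added as `Creation-OU.ps1`, but both .Example blocks and every OU step in Tiering_steps.ps1 invoke `.\Create-OU.ps1`, so the orchestration fails with a command-not-found error unless the file is renamed to match. The existence check on the `$OUTest` line goes through `-Filter 'DistinguishedName -like $testOUpath'`, which treats the DN as a wildcard pattern; a direct lookup such as `try { Get-ADOrganizationalUnit -Identity $testOUPath -ErrorAction Stop | Out-Null; $exists = $true } catch { $exists = $false }` states the intent and does not depend on filter parsing of a DN containing special characters. The `$ParentOU -eq ''` test also treats a `$null` ParentOU as non-empty and would build the path `,DC=...`; `[string]::IsNullOrEmpty($parentOU)` covers both cases. A `-Confirm`/`-WhatIf`-capable header (`SupportsShouldProcess`) would be appropriate for a script that creates protected directory objects.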

5
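--- a/Groupes-Standard.csv
+++ b/Groupes-Standard.csv
@@ -0,0 +1,5 @@
+Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership
+Test Group 1,testgroup1,Security,Global,Test Group 1,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 2,testgroup2,Security,Global,Test Group 2,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 3,testgroup3,Security,Global,Test Group 3,"ou=Security Groups,OU=Groups",Group with random members,
+Test Group 4,testgroup4,Security,Global,Test Group 4,"ou=Security Groups,OU=Groups",Group with random members,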

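--- a/Set-OUComputerPermissions.ps1
+++ b/Set-OUComputerPermissions.ps1
@@ -0,0 +1,36 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Computer Quarantine"}),
+$(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Workstations"}),
+$(New-Object PSObject -Property @{Group = "PAWMaint"; OUPrefix = "OU=Devices,OU=Tier 0,OU=Admin"}),
+$(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
+)
+.\Set-OUComputerPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$List | ForEach-Object {
+$ouPrefix = $_.OUPrefix
+$Group = $_.Group
+$ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+$ou = Get-ADOrganizationalUnit -Identity $OUPAth
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild,DeleteChild", "Allow", $guidmap["Computer"], "All"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"]))
+Write-Verbose "Configuring Computer Permissions on '$ouPath' for group '$Group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}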
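Review bot: The `ReadProperty` and `WriteProperty` rules use the (rights, type, inheritanceType, inheritedObjectType) constructor with no objectType, so the group is granted write access to every attribute of every descendant computer object rather than the attributes a maintenance role needs; the same all-attributes `WriteProperty` grant appears in Set-OUGroupPermissions.ps1, Set-OUUserPermissions.ps1 and Set-OUWorkstationPermissions.ps1. A write-all ACE on computer objects covers security-relevant attributes as well (those controlling authentication delegation and service principal names among them), so either scope it to the attribute GUIDs actually required, as the `lockoutTime`/`pwdLastSet` rules in Set-OUUserPermissions.ps1 do, or state in the header that a full-control-equivalent delegation is intended. Get-ADOrganizationalUnit and Get-ADGroup carry no `-ErrorAction Stop`, so a mistyped OU or group leaves `$ou`/`$adGroup` empty and the loop continues into Get-ACL/Set-ACL on an empty path; the same applies to the other Set-OU*Permissions.ps1 scripts. This rendered section has no file-name header; the path is inferred from the .Example line.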

35
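--- a/Set-OUGPOPermissions.ps1
+++ b/Set-OUGPOPermissions.ps1
@@ -0,0 +1,35 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
+)
+.\Set-OUGPOPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+$List | ForEach-Object {
+$ouPrefix = $_.OUPrefix
+$Group = $_.Group
+$ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+$ou = Get-ADOrganizationalUnit -Identity $OUPAth
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty,WriteProperty", "Allow", $guidmap["gplink"], "All"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["gpoptions"], "All"))
+Write-Verbose "Configuring GPO Permissions on '$ouPath' for group '$Group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}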
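Review bot: `$extendedrightsmap` is populated by a full scan of the configuration partition on the `Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext)` line but never read in this script; the same dead lookup is in Set-OUGroupPermissions.ps1, and `$guidmap` is likewise built and unused in Set-OUReplicationPermissions.ps1. The `gplink` and `gpoptions` rules use inheritance `All` without an inheritedObjectType, so they apply to every descendant object, not only to organizational units; adding `$guidmap["organizationalUnit"]` as the inheritedObjectType limits the ACE to the objects that carry those attributes. Write access to `gPLink` lets the delegated group link any GPO it can read to this subtree, which belongs in the header comment so the scope of the delegation is explicit.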

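--- a/Set-OUGroupPermissions.ps1
+++ b/Set-OUGroupPermissions.ps1
@@ -0,0 +1,35 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"})
+)
+.\Set-OUGroupPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+$List | ForEach-Object {
+$ouPrefix = $_.OUPrefix
+$Group = $_.Group
+$ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+$ou = Get-ADOrganizationalUnit -Identity $OUPAth
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["group"], "ALL"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["group"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["group"]))
+Write-Verbose "Configuring Group Permissions on '$ouPath' for group '$Group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}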
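Review bot: The `CreateChild` rule on the `$guidmap["group"]` line grants creation of group objects but no `DeleteChild`, whereas Set-OUComputerPermissions.ps1 grants `CreateChild,DeleteChild`; if the asymmetry is deliberate (tier admins may create but not remove groups), a one-line comment such as `# DeleteChild intentionally withheld: group removal stays with Tier 0` keeps a later maintainer from "fixing" it. The header has no .SYNOPSIS/.DESCRIPTION, and the all-attributes `WriteProperty` rule includes the `member` attribute, so the script effectively delegates membership management of every group under the OU; that should be spelled out for whoever approves the delegation. This rendered section has no file-name header; the path is inferred from the .Example line.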

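--- a/Set-OUReplicationPermissions.ps1
+++ b/Set-OUReplicationPermissions.ps1
@@ -0,0 +1,52 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" })
+)
+.\Set-OUReplicationPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+$location = Get-Location
+Set-Location AD:
+$configCN = $rootdse.ConfigurationNamingContext
+$schemaNC = $rootdse.SchemaNamingContext
+$forestDnsZonesDN = "DC=ForestDnsZones," + $rootdse.RootDomainNamingContext
+$sitesDN = "CN=Sites," + $configCN
+$config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN)
+$List | ForEach-Object {
+$group = $_.Group
+if ($_.OUPrefix -eq ""){
+$aclPath = $domain.DistinguishedName
+}
+else {
+$aclPath = $_.OUPrefix + "," + $domain.DistinguishedName
+}
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID
+foreach ($configEntry in $config) {
+$acl = Get-ACL -Path($configEntry)
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
+if ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") {
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
+}
+Write-Verbose "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)
+}
+}
+Set-Location $Location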
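Review bot: The ACL is read from one object and written to another: `$acl = Get-ACL -Path($configEntry)` loads the descriptor of each Configuration/Schema/ForestDnsZones/Sites container, but `Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)` writes it onto `$aclPath` (the domain head, or an OU under it), so the domain object's security descriptor is replaced four times in a row with a foreign container's ACL plus the new ACEs, while the four entries in `$config` are never changed. The write should go back to the object that was read, `Set-ACL -ACLObject $acl -Path $configEntry` (valid here because of the preceding `Set-Location AD:`), and if the domain naming context is also meant to receive these rights it belongs in the `$config` array rather than being the sole write target. All four rights are added with inheritance `Descendents`, which excludes the container itself; replication control rights are normally evaluated on the naming-context head, so `None` or `All` is probably what was intended — worth confirming on a test DC before rollout. The set includes `Replicating Directory Changes All`, which makes the delegated group equivalent to Tier 0 for the whole directory; the header comment should say so, and the grant should be matched by auditing on the affected objects.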

40
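--- a/Set-OUUserPermissions.ps1
+++ b/Set-OUUserPermissions.ps1
@@ -0,0 +1,40 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=User Accounts"})
+)
+.\Set-OUUserPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$extendedrightsmap = @{ }
+Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
+$List | ForEach-Object {
+$ouPrefix = $_.OUPrefix
+$Group = $_.Group
+$ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+$ou = Get-ADOrganizationalUnit -Identity $OUPAth
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["user"], "ALL"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"]))
+Write-Verbose "Configuring User Permissions on '$ouPath' for group '$Group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}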
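Review bot: The attribute-scoped `lockoutTime` and `pwdLastSet` rules at the end of the loop are no-ops, because the two `"Descendents", $guidmap["user"]` rules above them already grant `ReadProperty`/`WriteProperty` on every attribute of descendant user objects. The explicit rules read as the intended least-privilege set for a service desk (unlock, expire password, reset password), in which case the all-attributes `WriteProperty` line is the one to remove; if full attribute write is really wanted, the four specific rules should go instead so the script does not suggest a narrower scope than it applies. Either way the .DESCRIPTION should list what the delegate can do, since `CreateChild` on user objects plus write access to `userAccountControl` is considerably more than a password-reset role.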

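--- a/Set-OUWorkstationPermissions.ps1
+++ b/Set-OUWorkstationPermissions.ps1
@@ -0,0 +1,34 @@
+<#
+.Example
+$List = @(
+$(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=Workstations"})
+.\Set-OUWorkstationPermissions.ps1 -list $list -Verbose
+#>
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $True)][PSOBject] $List
+)
+Import-Module ActiveDirectory
+$rootdse = Get-ADRootDSE
+$domain = Get-ADDomain
+$guidmap = @{ }
+Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
+$List | ForEach-Object {
+$ouPrefix = $_.OUPrefix
+$Group = $_.Group
+$ouPath = "$OUPrefix,$($domain.DistinguishedName)"
+$ou = Get-ADOrganizationalUnit -Identity $OUPAth
+$adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["Computer"], "All"))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msTPM-OwnerInformation"], "Descendents", $guidmap["computer"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-KeyPackage"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-RecoveryPassword"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-VolumeGuid"], "Descendents", $guidmap["msFVE-RecoveryInformation"]))
+Write-Verbose "Configuring Workstation Permissions on '$ouPath' for group '$Group'"
+Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
+}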
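Review bot: The .Example block is not valid PowerShell: the `@(` opened on the `$List = @(` line is never closed before `.\Set-OUWorkstationPermissions.ps1 -list $list -Verbose`, so anyone pasting the example gets a parse error; add a line containing `)` after the `New-Object PSObject` entry, as the other scripts' examples do. The `msFVE-RecoveryPassword`, `msFVE-KeyPackage` and `msTPM-OwnerInformation` rules give the group read access to BitLocker recovery secrets and TPM owner data for every workstation under the OU; that is a high-value grant for a Tier 2 service desk and deserves a sentence in the header plus a read audit (SACL) on those attributes so disclosure is logged. The example group `ServiceDeskOperators` also differs from the `Tier2ServiceDeskOperators` used in Tiering_steps.ps1; presumably the example is just older. This rendered section has no file-name header; the path is inferred from the .Example line.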

131
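--- a/Tiering_steps.ps1
+++ b/Tiering_steps.ps1
@@ -0,0 +1,131 @@
+throw "This is not a robus script"
+$location = Get-Location
+Set-Location C:\Tools
+Import-Module ActiveDirectory
+$dNC = (Get-ADRootDSE).defaultNamingContext
+#region Create Top Level OU's
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Admin"; ParentOU = "" }),
+$(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "" }),
+$(New-Object PSObject -Property @{Name = "Tier 1 Servers"; ParentOU = "" }),
+$(New-Object PSObject -Property @{Name = "Workstations"; ParentOU = "" }),
+$(New-Object PSObject -Property @{Name = "User accounts"; ParentOU = "" }),
+$(New-Object PSObject -Property @{Name = "Quarantine"; ParentOU = "" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+#region Create Sub Admin OU's
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Tier0"; ParentOU = "ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Tier1"; ParentOU = "ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Tier2"; ParentOU = "ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier0,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier0,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier0,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier0,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Tier0 Servers"; ParentOU = "ou=Tier0,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Accounts"; ParentOU = "ou=Tier2,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Groups"; ParentOU = "ou=Tier2,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Service Accounts"; ParentOU = "ou=Tier2,ou=Admin" }),
+$(New-Object PSObject -Property @{Name = "Devices"; ParentOU = "ou=Tier2,ou=Admin" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+#region Create Sub Groups OU's
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Security Groups"; ParentOU = "ou=Groups" }),
+$(New-Object PSObject -Property @{Name = "Distribution Groups"; ParentOU = "ou=Groups" }),
+$(New-Object PSObject -Property @{Name = "Contacts"; ParentOU = "ou=Groups" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Application"; ParentOU = "ou=Tier 1 Servers" }),
+$(New-Object PSObject -Property @{Name = "Collaboration"; ParentOU = "ou=Tier 1 Servers" }),
+$(New-Object PSObject -Property @{Name = "Database"; ParentOU = "ou=Tier 1 Servers" }),
+$(New-Object PSObject -Property @{Name = "Messaging"; ParentOU = "ou=Tier 1 Servers" }),
+$(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Tier 1 Servers" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }),
+$(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+#region Create Sub User Accounts OU's
+$OUs = @(
+$(New-Object PSObject -Property @{Name = "Enabled Users"; ParentOU = "ou=User Accounts" }),
+$(New-Object PSObject -Property @{Name = "Disabled Users"; ParentOU = "ou=User Accounts" })
+)
+.\Create-OU.ps1 -OUs $OUs -Verbose
+#endRegion
+#Region Block inheritance for PAW OUs
+Set-GpInheritance -Target "OU=Devices,OU=Tier0,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+Set-GpInheritance -Target "OU=Devices,OU=Tier1,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+Set-GpInheritance -Target "OU=Devices,OU=Tier2,OU=Admin,$dnc" -IsBlocked Yes | Out-Null
+#endRegion
+#Region create Groups
+$csv = Read-Host -Prompt "Please provide full path to Admin Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+$csv = Read-Host -Prompt "Please provide full path to Standard Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+#endRegion
+#Region Create OU Delegation
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=User Accounts" }),
+$(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Accounts,ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Service Accounts,ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Accounts,ou=Tier2,ou=Admin" }),
+$(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Service Accounts,ou=Tier2,ou=Admin" })
+)
+.\Set-OUUserPermissions.ps1 -list $list -Verbose
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier2ServiceDeskOperators"; OUPrefix = "OU=Workstations" }),
+$(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Devices,ou=Tier1,ou=Admin" }),
+$(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Devices,ou=Tier2,ou=Admin" })
+)
+.\Set-OUWorkstationPermissions.ps1 -list $list -Verbose
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"}),
+$(New-Object PSObject -Property @{Group = "Tier2Admins"; OUPrefix = "OU=Groups,ou=Tier2,ou=Admin"})
+)
+.\Set-OUGroupPermissions.ps1 -list $list -Verbose
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier2Tier2WorkstationMaintenance"; OUPrefix = "OU=Quarantine" }),
+$(New-Object PSObject -Property @{Group = "Tier2WorkstationMaintenance"; OUPrefix = "OU=Workstations" }),
+$(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" })
+)
+.\Set-OUComputerPermissions.ps1 -list $list -Verbose
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" })
+)
+.\Set-OUReplicationPermissions.ps1 -list $list -Verbose
+$List = @(
+$(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers" })
+)
+.\Set-OUGPOPermissions.ps1 -list $list -Verbose
+#endRegion
+Set-Location $location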
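Review bot: `Tier2Tier2WorkstationMaintenance` in the Computer-permissions list looks like a doubled prefix of the `Tier2WorkstationMaintenance` entry on the next line; Get-ADGroup in Set-OUComputerPermissions.ps1 will not resolve it and, with the default ErrorAction, that script continues and writes the Quarantine OU's ACL without the intended ACEs. The unconditional `throw "This is not a robus script"` on the first line stops the script before anything runs, so either it is a deliberate latch (then a comment saying when to remove it, with `robust` spelled correctly, would help) or none of the steps below has been exercised end to end. `Set-Location C:\Tools` hard-codes the tool directory; `Set-Location $PSScriptRoot` keeps the relative `.\Create-OU.ps1`-style calls working from wherever the repository is checked out, and a `try/finally` around the body would restore `$location` even when a step throws. `.\Create-Group.ps1` is called twice but is not among the nine files in this commit; presumably it already exists elsewhere in the repository.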