From ad43503820a69768c6e7c04702072e9a11ead70c Mon Sep 17 00:00:00 2001 
From: hcornet Date: Tue, 28 Nov 2023 17:36:11 +0100 Subject: [PATCH] update --- Creation-Groupe.ps1 | 40 ----------- Creation-OU.ps1 | 58 ---------------- Groupes-Administrateur.csv | 42 ++++++------ Groupes-Standard.csv | 10 +-- OU-Computer-Permissions.csv | 4 ++ OU-GPO-Permissions.csv | 2 + OU-Group-Permissions.csv | 3 + OU-Replication-Permissions.csv | 2 + OU-Standard.csv | 59 ++++++++++++++++ OU-User-Permissions.csv | 6 ++ OU-Workstation-Permissions.csv | 4 ++ Step-01-Creation-OU.ps1 | 42 ++++++++++++ Step-02-Creation-Groupe.ps1 | 68 +++++++++++++++++++ ...s.ps1 => Step-03-Set-OUUserPermissions.ps1 | 29 +++++--- ...> Step-04-Set-OUWorkstationPermissions.ps1 | 25 ++++--- ....ps1 => Step-05-Set-OUGroupPermissions.ps1 | 26 ++++--- ...1 => Step-06-Set-OUComputerPermissions.ps1 | 29 ++++---- ...> Step-07-Set-OUReplicationPermissions.ps1 | 37 ++++++---- ...ns.ps1 => Step-08-Set-OUGPOPermissions.ps1 | 25 ++++--- 19 files changed, 316 insertions(+), 195 deletions(-) delete mode 100644 Creation-Groupe.ps1 delete mode 100644 Creation-OU.ps1 create mode 100644 OU-Computer-Permissions.csv create mode 100644 OU-GPO-Permissions.csv create mode 100644 OU-Group-Permissions.csv create mode 100644 OU-Replication-Permissions.csv create mode 100644 OU-Standard.csv create mode 100644 OU-User-Permissions.csv create mode 100644 OU-Workstation-Permissions.csv create mode 100644 Step-01-Creation-OU.ps1 create mode 100644 Step-02-Creation-Groupe.ps1 rename Set-OUUserPermissions.ps1 => Step-03-Set-OUUserPermissions.ps1 (86%) rename Set-OUWorkstationPermissions.ps1 => Step-04-Set-OUWorkstationPermissions.ps1 (84%) rename Set-OUGroupPermissions.ps1 => Step-05-Set-OUGroupPermissions.ps1 (80%) rename Set-OUComputerPermissions.ps1 => Step-06-Set-OUComputerPermissions.ps1 (63%) rename Set-OUReplicationPermissions.ps1 => Step-07-Set-OUReplicationPermissions.ps1 (81%) rename Set-OUGPOPermissions.ps1 => Step-08-Set-OUGPOPermissions.ps1 (78%) 
diff --git a/Creation-Groupe.ps1 b/Creation-Groupe.ps1
deleted file mode 100644
index 8031e16..0000000
--- a/Creation-Groupe.ps1
+++ /dev/null
@@ -1,40 +0,0 @@ -<# - .Example - $csv = Read-Host -Prompt "Please provide full path to Groups csv file" - .\Creation-Groupe.ps1 -CSVfile $csv -Verbose - PS C:\Tools> $csv = Read-Host -Prompt "Please provide full path to Groups csv file" - Please provide full path to Groups csv file: c:\tools\groups.csv - PS C:\Tools> .\Creation-Groupe.ps1 -CSVfile $csv -Verbose - VERBOSE: Creating new Group 'Tier0ReplicationMaintenance' under 'OU=Groups,OU=Tier0,OU=Admin,DC=azureblog,DC=pl' - VERBOSE: Creating new Group 'Tier1ServerMaintenance' under 'OU=Groups,OU=Tier1,OU=Admin,DC=azureblog,DC=pl' - VERBOSE: Creating new Group 'ServiceDeskOperators' under 'OU=Groups,OU=Tier2,OU=Admin,DC=azureblog,DC=pl' - VERBOSE: Creating new Group 'WorkstationMaintenance' under 'OU=Groups,OU=Tier2,OU=Admin,DC=azureblog,DC=pl' - VERBOSE: Group 'tier1admins'already exists. - VERBOSE: Group 'tier2admins'already exists. -#> - -[CmdletBinding()] -param( - [string] $CSVfile -) -$dNC = (Get-ADRootDSE).defaultNamingContext -$groups = Import-Csv $CSVfile -foreach ($group in $groups) { - $groupName = $group.Name - $groupOUPrefix = $group.OU - $destOU = $group.OU + "," + $dNC - $groupDN = "CN=" + $groupName + "," + $destOU - $checkForGroup = Get-ADGroup -filter 'Name -eq $groupName' -ErrorAction SilentlyContinue - If ($checkForGroup.count -eq 0 ) { - Write-Verbose "Creating new Group '$($Group.samAccountName)' under '$destOU'" - New-ADGroup -Name $Group.Name -SamAccountName $Group.samAccountName -GroupCategory $Group.GroupCategory -GroupScope $Group.GroupScope -DisplayName $Group.DisplayName -Path $destOU -Description $Group.Description - If ($Group.Membership -ne "") { - Write-Verbose "Adding Group Membership '$($Group.Membership)' for group '$($Group.samAccountName)'" - Add-ADPrincipalGroupMembership -Identity $Group.samAccountName -MemberOf $Group.Membership - } - $error.Clear() - } - Else { - Write-Verbose "Group '$($Group.samAccountName)'already exists." - } -} 
diff --git a/Creation-OU.ps1 b/Creation-OU.ps1
deleted file mode 100644
index baa43ec..0000000
--- a/Creation-OU.ps1
+++ /dev/null
@@ -1,58 +0,0 @@ -<# - .Example - Atempt to create OU that not exists in the desired path - $OUs = @( - $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" }) - ) - .\Create-OU.ps1 -OUs $OUs -Verbose - PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose - VERBOSE: Creating new OU 'OU=Desktops,ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: Creating new OU 'OU=Kiosks,ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: Creating new OU 'OU=Laptops,ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: Creating new OU 'OU=Staging,ou=Workstations,DC=azureblog,DC=pl' - .Example - Atempt to create OU that already exists in the desired path - $OUs = @( - $(New-Object PSObject -Property @{Name = "Desktops"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Kiosks"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Laptops"; ParentOU = "ou=Workstations" }), - $(New-Object PSObject -Property @{Name = "Staging"; ParentOU = "ou=Workstations" }) - ) - .\Create-OU.ps1 -OUs $OUs -Verbose - PS C:\Tools> .\Create-OU.ps1 -OUs $OUs -Verbose - VERBOSE: OU 'Desktops' already exists under 'ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: OU 'Kiosks' already exists under 'ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: OU 'Laptops' already exists under 'ou=Workstations,DC=azureblog,DC=pl' - VERBOSE: OU 'Staging' already exists under 'ou=Workstations,DC=azureblog,DC=pl -#> - -[CmdletBinding()] -param( - [PSObject] $OUs -) -$dNC = (Get-ADRootDSE).defaultNamingContext -$OUs | ForEach-Object { - $name = $_.Name - $parentOU = $_.ParentOU - - if ($ParentOU -eq '') { - $ouPath = "$dNC" - $testOUpath = "OU=$name,$dNC" - } - else { - $ouPath = "$parentOU,$dNC" - $testOUPath = 
"OU=$name,$parentOU,$dNC" - } - - $OUTest = (Get-ADOrganizationalUnit -Filter 'DistinguishedName -like $testOUpath' | Measure-Object).Count - if ($OUtest -eq 0) { - Write-Verbose "Creating new OU '$testOUPath'" - New-ADOrganizationalUnit -Name $name -Path $OUPath -ProtectedFromAccidentalDeletion:$true - } - else { - Write-Verbose "OU '$name' already exists under '$ouPath'" - } -} diff --git a/Groupes-Administrateur.csv b/Groupes-Administrateur.csv index 5cb2a69..1f92da4 100644 --- a/Groupes-Administrateur.csv +++ b/Groupes-Administrateur.csv 
@@ -1,21 +1,21 @@
-Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership
-Tier 0 PAW Users,Tier0PAWUsers,Security,Global,Tier 0 PAW Users,"OU=Groups,OU=Tier0,OU=Admin",Members of this group are permitted to log onto Tier0 Privileged Access Workstations using normal accounts,
-Tier 0 PAW Maintenance,Tier0PAWMaint,Security,Global,Tier 0 PAW Maintenance,"OU=Groups,OU=Tier0,OU=Admin",Members of this group maintain and support Tier0 Privileged Access Workstations,
-Tier 0 Replication Maintenance,Tier0ReplicationMaintenance,Security,Global,Tier 0 Replication Maintenance,"OU=Groups,OU=Tier0,OU=Admin",Members of this group are Tier 0 Replication Maintenance,
-Tier 0 Servers,Tier0Servers,Security,Global,Tier 0 Servers,"OU=Groups,OU=Tier0,OU=Admin",Group that contain all Tier 0 servers,
-Tier 0 Sync Servers,Tier0SyncServers,Security,Global,Tier 0 Sync Servers,"OU=Groups,OU=Tier0,OU=Admin",Group that contain all Tier 0 synchronisation servers,
-Tier 0 Physical Access,Tier0PhysicalAccess,Security,Global,Tier 0 PhysicalAccess,"OU=Groups,OU=Tier0,OU=Admin",Group that contain users allowed to access physical domain controller,
-Tier 0 Physical DC,Tier0PhysicalDC,Security,Global,Tier 0 PhysicalDC,"OU=Groups,OU=Tier0,OU=Admin",Group that contain physical domain controller computer object,
-Tier 0 Service Accounts,Tier0serviceaccounts,Security,Global,Tier 0 Service Accounts,"OU=Groups,OU=Tier0,OU=Admin",Group that contain all Tier 0 svc accouts,
-Tier 0 PAW Computers,Tier0PAWComputers,Security,Global,Tier 0 PAW Computers,"OU=Groups,OU=Tier0,OU=Admin",Group with members of the tier 0 devices servers and domaincontrollers,
-Tier 1 Admins,tier1admins,Security,Global,Tier 1 Admins,"OU=Groups,OU=Tier1,OU=Admin",Members of this group are Tier 1 Administrators,
-Tier 1 Server Maintenance,Tier1ServerMaintenance,Security,Global,Tier 1 Server Maintenance,"OU=Groups,OU=Tier1,OU=Admin",Members of this group perform Tier 1 Server Maintenance,
-Tier 1 PAW Users,Tier1PAWUsers,Security,Global,Tier 1 PAW Users,"OU=Groups,OU=Tier1,OU=Admin",Members of this group are permitted to log onto Tier1 Privileged Access Workstations using normal accounts,
-Tier 1 PAW Computers,Tier1PAWComputers,Security,Global,Tier 1 PAW Computers,"OU=Groups,OU=Tier1,OU=Admin",Group with members of the Tier 1 devices and servers,
-Tier 1 PAW Maintenance,Tier1PAWMaint,Security,Global,Tier1 PAW Maintenance,"OU=Groups,OU=Tier1,OU=Admin",Members of this group maintain and support Tier0 Privileged Access Workstations,
-Tier 1 Servers,Tier1Servers,Security,Global,Tier 1 Servers,"OU=Groups,OU=Tier1,OU=Admin",Group that contain all Tier 1 servers,
-Tier 1 Service Accounts,Tier1serviceaccounts,Security,Global,Tier 1serviceaccounts,"OU=Groups,OU=Tier1,OU=Admin",Group that contain all Tier 1 svc accouts,
-Tier 2 Admins,tier2admins,Security,Global,Tier 2 Admins,"OU=Groups,OU=Tier2,OU=Admin",Members of this group are Tier 2 Administrators,
-Tier 2 Service Desk Operators,Tier2ServiceDeskOperators,Security,Global,Tier 2 Service Desk Operators,"OU=Groups,OU=Tier2,OU=Admin",Members of this group are Service Desk Operators,
-Tier 2 Workstation Maintenance,Tier2WorkstationMaintenance,Security,Global,Tier 2 Workstation Maintenance,"OU=Groups,OU=Tier2,OU=Admin",Members of this group perform Workstation Maintenance,
-Tier 2 Service Accounts,Tier2serviceaccounts,Security,Global,Tier 2 Service Accounts,"OU=Groups,OU=Tier2,OU=Admin",Group that contain all Tier 2 svc accouts,
+Name;samAccountName;GroupCategory;GroupScope;DisplayName;OU;Description;Membership
+Tier 0 PAW Users;Tier0PAWUsers;Security;Global;Tier 0 PAW Users;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Members OU=Groupes,OU=of this group are permitted to log onto Tier0 Privileged Access Workstations using normal accounts;
+Tier 0 PAW Maintenance;Tier0PAWMaint;Security;Global;Tier 0 PAW Maintenance;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Members of this group maintain and support Tier0 Privileged Access Workstations;
+Tier 0 Replication Maintenance;Tier0ReplicationMaintenance;Security;Global;Tier 0 Replication Maintenance;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Members of this group are Tier 0 Replication Maintenance;
+Tier 0 Servers;Tier0Servers;Security;Global;Tier 0 Servers;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group that contain all Tier 0 servers;
+Tier 0 Sync Servers;Tier0SyncServers;Security;Global;Tier 0 Sync Servers;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group that contain all Tier 0 synchronisation servers;
+Tier 0 Physical Access;Tier0PhysicalAccess;Security;Global;Tier 0 PhysicalAccess;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group that contain users allowed to access physical domain controller;
+Tier 0 Physical DC;Tier0PhysicalDC;Security;Global;Tier 0 PhysicalDC;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group that contain physical domain controller computer object;
+Tier 0 Service Accounts;Tier0serviceaccounts;Security;Global;Tier 0 Service Accounts;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group that contain all Tier 0 svc accouts;
+Tier 0 PAW Computers;Tier0PAWComputers;Security;Global;Tier 0 PAW Computers;"OU=Groupes,OU=Tier0,OU=Admins,OU=SocieteA";Group with members of the tier 0 devices servers and domaincontrollers;
+Tier 1 Admins;tier1admins;Security;Global;Tier 1 Admins;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Members of this group are Tier 1 Administrators;
+Tier 1 Server Maintenance;Tier1ServerMaintenance;Security;Global;Tier 1 Server Maintenance;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Members of this group perform Tier 1 Server Maintenance;
+Tier 1 PAW Users;Tier1PAWUsers;Security;Global;Tier 1 PAW Users;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Members of this group are permitted to log onto Tier1 Privileged Access Workstations using normal accounts;
+Tier 1 PAW Computers;Tier1PAWComputers;Security;Global;Tier 1 PAW Computers;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Group with members of the Tier 1 devices and servers;
+Tier 1 PAW Maintenance;Tier1PAWMaint;Security;Global;Tier1 PAW Maintenance;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Members of this group maintain and support Tier0 Privileged Access Workstations;
+Tier 1 Servers;Tier1Servers;Security;Global;Tier 1 Servers;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Group that contain all Tier 1 servers;
+Tier 1 Service Accounts;Tier1serviceaccounts;Security;Global;Tier 1serviceaccounts;"OU=Groupes,OU=Tier1,OU=Admins,OU=SocieteA";Group that contain all Tier 1 svc accouts;
+Tier 2 Admins;tier2admins;Security;Global;Tier 2 Admins;"OU=Groupes,OU=Tier2,OU=Admins,OU=SocieteA";Members of this group are Tier 2 Administrators;
+Tier 2 Service Desk Operators;Tier2ServiceDeskOperators;Security;Global;Tier 2 Service Desk Operators;"OU=Groupes,OU=Tier2,OU=Admins,OU=SocieteA";Members of this group are Service Desk Operators;
+Tier 2 Workstation Maintenance;Tier2WorkstationMaintenance;Security;Global;Tier 2 Workstation Maintenance;"OU=Groupes,OU=Tier2,OU=Admins,OU=SocieteA";Members of this group perform Workstation Maintenance;
+Tier 2 Service Accounts;Tier2serviceaccounts;Security;Global;Tier 2 Service Accounts;"OU=Groupes,OU=Tier2;OU=Admins,OU=SocieteA";Group that contain all Tier 2 svc accouts;
diff --git a/Groupes-Standard.csv b/Groupes-Standard.csv
index 6941cda..6fe74cd 100644
--- a/Groupes-Standard.csv
+++ b/Groupes-Standard.csv
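Review bot: The last added row of Groupes-Administrateur.csv carries a `;` inside the quoted OU value, `"OU=Groupes,OU=Tier2;OU=Admins,OU=SocieteA"`, so Import-Csv hands Step-02 a string that is not a valid distinguished name and New-ADGroup for Tier2serviceaccounts will fail on -Path; it should read `"OU=Groupes,OU=Tier2,OU=Admins,OU=SocieteA"` like the other Tier2 rows. The Description of the first Tier 0 PAW Users row also contains a stray fragment, `Members OU=Groupes,OU=of this group are permitted …`, which looks like a paste error and would be written verbatim into the group's Description attribute. Both rows are worth a re-read before this file drives group creation.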
@@ -1,5 +1,5 @@
-Name,samAccountName,GroupCategory,GroupScope,DisplayName,OU,Description,Membership
-Test Group 1,testgroup1,Security,Global,Test Group 1,"ou=Security Groups,OU=Groups",Group with random members,
-Test Group 2,testgroup2,Security,Global,Test Group 2,"ou=Security Groups,OU=Groups",Group with random members,
-Test Group 3,testgroup3,Security,Global,Test Group 3,"ou=Security Groups,OU=Groups",Group with random members,
-Test Group 4,testgroup4,Security,Global,Test Group 4,"ou=Security Groups,OU=Groups",Group with random members,
+Name;samAccountName;GroupCategory;GroupScope;DisplayName;OU;Description;Membership
+Test Group 1;testgroup1;Security;Global;Test Group 1;"ou=Groupes Security,OU=Ressources,OU=Groupes,OU=SocieteA";Group with random members;
+Test Group 2;testgroup2;Security;Global;Test Group 2;"ou=Groupes Security,OU=Ressources,OU=Groupes,OU=SocieteA";Group with random members;
+Test Group 3;testgroup3;Security;Global;Test Group 3;"ou=Groupes Security,OU=Ressources,OU=Groupes,OU=SocieteA";Group with random members;
+Test Group 4;testgroup4;Security;Global;Test Group 4;"ou=Groupes Security,OU=Ressources,OU=Groupes,OU=SocieteA";Group with random members;
diff --git a/OU-Computer-Permissions.csv b/OU-Computer-Permissions.csv
new file mode 100644
index 0000000..4065f6c
--- /dev/null
+++ b/OU-Computer-Permissions.csv
@@ -0,0 +1,4 @@
+Group;OuPrefix
+Tier2WorkstationMaintenance;OU=Quarantine,ou=SocieteA
+Tier2WorkstationMaintenance;OU=Workstations,ou=SocieteA
+Tier1ServerMaintenance;OU=Tier 1 Servers,ou=SocieteA
\ No newline at end of file
diff --git a/OU-GPO-Permissions.csv b/OU-GPO-Permissions.csv
new file mode 100644
index 0000000..996a9f5
--- /dev/null
+++ b/OU-GPO-Permissions.csv
@@ -0,0 +1,2 @@
+Group;OuPrefix
+Tier1ServerMaintenance;OU=Tier 1 Servers,ou=SocieteA
diff --git a/OU-Group-Permissions.csv b/OU-Group-Permissions.csv
new file mode 100644
index 0000000..4b1d0e4
--- /dev/null
+++ b/OU-Group-Permissions.csv
@@ -0,0 +1,3 @@
+Group;OuPrefix
+Tier1Admins;OU=Groupes,ou=Tier1,ou=Admins,ou=SocieteA
+Tier2Admins;OU=Groupes,ou=Tier2,ou=Admins,ou=SocieteA
diff --git a/OU-Replication-Permissions.csv b/OU-Replication-Permissions.csv
new file mode 100644
index 0000000..eef05d0
--- /dev/null
+++ b/OU-Replication-Permissions.csv
@@ -0,0 +1,2 @@
+Group
+Tier0ReplicationMaintenance
diff --git a/OU-Standard.csv b/OU-Standard.csv
new file mode 100644
index 0000000..9b650d2
--- /dev/null
+++ b/OU-Standard.csv
@@ -0,0 +1,59 @@
+Name;ParentOU;Description;IsBlocked
+SocieteA;;Base de la sociƩte,No
+Admins;SocieteA;;No
+Tier 1 Servers;SocieteA;;No
+Groupes;SocieteA;;No
+WorkStations;SocieteA;;No
+Serveurs;SocieteA;;No
+Users;SocieteA;;No
+Quarantine;SocieteA;;No
+Tier0;Admins,ou=SocieteA;;No
+Tier1;Admins,ou=SocieteA;;No
+Tier2;Admins,ou=SocieteA;;No
+Accounts;Tier0,ou=Admins,ou=SocieteA;;No
+Groupes;Tier0,ou=Admins,ou=SocieteA;;No
+Service Accounts;Tier0,ou=Admins,ou=SocieteA;;No
+Devices;Tier0,ou=Admins,ou=SocieteA;;Yes
+Tier0 Serveurs;Tier0,ou=Admins,ou=SocieteA;;No
+Accounts;Tier1,ou=Admins,ou=SocieteA;;No
+Groupes;Tier1,ou=Admins,ou=SocieteA;;No
+Service Accounts;Tier1,ou=Admins,ou=SocieteA;;No
+Devices;Tier1,ou=Admins,ou=SocieteA;;Yes
+Tier1 Serveurs;Tier1,ou=Admins,ou=SocieteA;;No
+Accounts;Tier2,ou=Admins,ou=SocieteA;;No
+Groupes;Tier2,ou=Admins,ou=SocieteA;;No
+Service Accounts;Tier2,ou=Admins,ou=SocieteA;;No
+Devices;Tier2,ou=Admins,ou=SocieteA;;Yes
+Application;Tier 1 Servers,ou=SocieteA;;No
+Collaboration;Tier 1 Servers,ou=SocieteA;;No
+Database;Tier 1 Servers,ou=SocieteA;;No
+Messaging;Tier 1 Servers,ou=SocieteA;;No
+Staging;Tier 1 Servers,ou=SocieteA;;No
+Contacts;Groupes,ou=SocieteA;;No
+Softwares;Groupes,ou=SocieteA;;No
+Partages;Groupes,ou=SocieteA;;No
+Providers;Groupes,ou=SocieteA;;No
+Ressources;Groupes,ou=SocieteA;;No
+Groupes Distribution;Contacts,ou=Groupes,ou=SocieteA;;No
+Groupes Security;Contacts,ou=Groupes,ou=SocieteA;;No
+Groupes Distribution;Softwares,ou=Groupes,ou=SocieteA;;No
+Groupes Security;Softwares,ou=Groupes,ou=SocieteA;;No
+Groupes Distribution;Partages,ou=Groupes,ou=SocieteA;;No
+Groupes Security;Partages,ou=Groupes,ou=SocieteA;;No
+Groupes Distribution;Ressources,ou=Groupes,ou=SocieteA;;No
+Groupes Security;Ressources,ou=Groupes,ou=SocieteA;;No
+Desktops;WorkStations,ou=SocieteA;;No
+Kiosks;WorkStations,ou=SocieteA;;No
+Laptops;WorkStations,ou=SocieteA;;No
+Staging;WorkStations,ou=SocieteA;;No
+Dev;Serveurs,ou=SocieteA;;No
+Rec;Serveurs,ou=SocieteA;;No
+Staging;Serveurs,ou=SocieteA;;No
+Production;Serveurs,ou=SocieteA;;No
+_Disabled Users;Users,ou=SocieteA;;No
+_To Deleted;Users,ou=SocieteA;;No
+_In Arrived;Users,ou=SocieteA;;No
+Providers;Users,ou=SocieteA;;No
+Service_A;Users,ou=SocieteA;;No
+Service_B;Users,ou=SocieteA;;No
+Service_C;Users,ou=SocieteA;;No
\ No newline at end of file
diff --git a/OU-User-Permissions.csv b/OU-User-Permissions.csv
new file mode 100644
index 0000000..76c10e4
--- /dev/null
+++ b/OU-User-Permissions.csv
@@ -0,0 +1,6 @@
+Group;OuPrefix
+Tier2ServiceDeskOperators;OU=Users,OU=SocieteA
+Tier1Admins;OU=Accounts,ou=Tier1,ou=Admins,ou=SocieteA
+Tier1Admins;OU=Service Accounts,ou=Tier1,ou=Admins,ou=SocieteA
+Tier2Admins;OU=Accounts,ou=Tier2,ou=Admins,ou=SocieteA
+Tier2Admins;OU=Service Accounts,ou=Tier2,ou=Admins,ou=SocieteA
\ No newline at end of file
diff --git a/OU-Workstation-Permissions.csv b/OU-Workstation-Permissions.csv
new file mode 100644
index 0000000..5daca48
--- /dev/null
+++ b/OU-Workstation-Permissions.csv
@@ -0,0 +1,4 @@
+Group;OuPrefix
+Tier2ServiceDeskOperators;OU=Workstations,OU=SocieteA
+Tier1Admins;OU=Devices,ou=Tier1,ou=Admins,ou=SocieteA
+Tier2Admins;OU=Devices,ou=Tier2,ou=Admins,ou=SocieteA
diff --git a/Step-01-Creation-OU.ps1 b/Step-01-Creation-OU.ps1
new file mode 100644
index 0000000..c4652af
--- /dev/null
+++ b/Step-01-Creation-OU.ps1
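Review bot: The SocieteA row of OU-Standard.csv separates Description and IsBlocked with a comma instead of the `;` delimiter used by every other row, so Import-Csv yields a Description that ends in `,No` and an empty IsBlocked for the root OU; the separator should be `;`. IsBlocked is not read by Step-01-Creation-OU.ps1 in this commit (it consumes Name, ParentOU and Description only), so the three `Devices` rows marked `Yes` have no effect today; either implement the column or document it in the header as reserved so nobody assumes inheritance blocking is applied. The OU-Standard, OU-Computer-Permissions and OU-User-Permissions files also lack a trailing newline, which is cosmetic but will show up as churn on the next edit.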
@@ -0,0 +1,42 @@ +<# + +#> + +cls + +#throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + +Import-Module ActiveDirectory + +$Fichier = "OU-Standard.csv" + +$OUs = Import-Csv -Path $Fichier -Delimiter ";" + +$dNC = (Get-ADRootDSE).defaultNamingContext + +$OUs | ForEach-Object { + $name = $_.Name + $parentOU = $_.ParentOU + $Description = $_.Description + + If ($ParentOU -eq '') { + $ouPath = "$dNC" + $testOUpath = "OU=$name,$dNC" + } + Else { + $ouPath = "OU=$parentOU,$dNC" + $testOUPath = "OU=$name,OU=$parentOU,$dNC" + } + + $OUTest = (Get-ADOrganizationalUnit -Filter 'DistinguishedName -like $testOUpath' | Measure-Object).Count + + If ($OUtest -eq 0) { + Write-host "Creation nouvelle OU '$testOUPath'" + New-ADOrganizationalUnit $name -Path $OUPath -ProtectedFromAccidentalDeletion:$false -Description $Description + } + Else { + Write-host "OU '$name' existe deja '$ouPath'" + } +} diff --git a/Step-02-Creation-Groupe.ps1 b/Step-02-Creation-Groupe.ps1 new file mode 100644 index 0000000..39657cd --- /dev/null +++ b/Step-02-Creation-Groupe.ps1 
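Review bot: Step-01-Creation-OU.ps1 creates every OU with `-ProtectedFromAccidentalDeletion:$false`, whereas the Creation-OU.ps1 deleted in this same commit passed `$true`; for the Tier0/Admins subtree that drops the deny-delete ACE that protects the tier structure from an accidental removal, so I would restore `New-ADOrganizationalUnit $name -Path $OUPath -ProtectedFromAccidentalDeletion:$true -Description $Description` (or make protection a CSV column if some OUs genuinely need to stay unprotected). The script also stores `$location = Get-Location` and then issues a hard-coded `Set-Location C:\Tools` that is never undone, so the caller's working directory is silently changed; Steps 02 through 07 repeat this header. Either drop `$location` or add `Set-Location $location` at the end, and consider resolving the CSV against `$PSScriptRoot` rather than a fixed drive path. The commented-out `#throw "This is not a robus script"` is dead code and should be removed or turned into a real precondition check.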
@@ -0,0 +1,68 @@ +<# + .Exemple + +#> + +cls + +#throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + +Import-Module ActiveDirectory + +$FichierAdmin = "Groupes-Administrateur.csv" +$FichierStandard = "Groupes-Standard.csv" + +$GroupAdmins = Import-Csv -Path $FichierAdmin -Delimiter ";" +$GroupStandards = Import-Csv -Path $FichierStandard -Delimiter ";" + +$dNC = (Get-ADRootDSE).defaultNamingContext + +Foreach ($group in $GroupAdmins) { + $groupName = $group.Name + $groupOUPrefix = $group.OU + $destOU = $group.OU + "," + $dNC + $groupDN = "CN=" + $groupName + "," + $destOU + + $checkForGroup = Get-ADGroup -filter 'Name -eq $groupName' -ErrorAction SilentlyContinue + + If ($checkForGroup.count -eq 0 ) { + Write-Verbose "Creating new Group '$($Group.samAccountName)' under '$destOU'" + + New-ADGroup -Name $Group.Name -SamAccountName $Group.samAccountName -GroupCategory $Group.GroupCategory -GroupScope $Group.GroupScope -DisplayName $Group.DisplayName -Path $destOU -Description $Group.Description + + If ($Group.Membership -ne "") { + Write-Verbose "Adding Group Membership '$($Group.Membership)' for group '$($Group.samAccountName)'" + Add-ADPrincipalGroupMembership -Identity $Group.samAccountName -MemberOf $Group.Membership + } + $error.Clear() + } + Else { + Write-Verbose "Group '$($Group.samAccountName)'already exists." 
+ } +} + +Foreach ($group in $GroupStandards) { + $groupName = $group.Name + $groupOUPrefix = $group.OU + $destOU = $group.OU + "," + $dNC + $groupDN = "CN=" + $groupName + "," + $destOU + + $checkForGroup = Get-ADGroup -filter 'Name -eq $groupName' -ErrorAction SilentlyContinue + + If ($checkForGroup.count -eq 0 ) { + Write-host "Creating new Group '$($Group.samAccountName)' under '$destOU'" + + New-ADGroup -Name $Group.Name -SamAccountName $Group.samAccountName -GroupCategory $Group.GroupCategory -GroupScope $Group.GroupScope -DisplayName $Group.DisplayName -Path $destOU -Description $Group.Description + + If ($Group.Membership -ne "") { + Write-host "Adding Group Membership '$($Group.Membership)' for group '$($Group.samAccountName)'" + Add-ADPrincipalGroupMembership -Identity $Group.samAccountName -MemberOf $Group.Membership + } + $error.Clear() + } + Else { + Write-host "Group '$($Group.samAccountName)'already exists." + } +} diff --git a/Set-OUUserPermissions.ps1 b/Step-03-Set-OUUserPermissions.ps1 similarity index 86% rename from Set-OUUserPermissions.ps1 rename to Step-03-Set-OUUserPermissions.ps1 index 7e35b7a..55c50a8 100644 --- a/Set-OUUserPermissions.ps1 +++ b/Step-03-Set-OUUserPermissions.ps1 
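Review bot: In Step-02-Creation-Groupe.ps1 the first loop still reports through `Write-Verbose`, but the script no longer declares `[CmdletBinding()]` and is launched directly after `cls`, so creation of the Tier 0/1/2 admin groups produces no output while the second loop prints via `Write-Host`. The two loops are otherwise copies of each other, so the body belongs in one function called for both CSVs, as sketched below; I have dropped `$error.Clear()`, which erased the record of a failed New-ADGroup, and the unused `$groupOUPrefix` and `$groupDN` locals. Rows whose OU path cannot be resolved then surface as ordinary errors instead of vanishing.
```powershell
Function New-GroupFromRow {
    param($Row, [string]$DefaultNC)

    $groupName = $Row.Name
    $destOU = $Row.OU + "," + $DefaultNC
    $checkForGroup = Get-ADGroup -Filter 'Name -eq $groupName' -ErrorAction SilentlyContinue

    If ($checkForGroup.count -ne 0) {
        Write-Host "Group '$($Row.samAccountName)' already exists."
        return
    }

    Write-Host "Creating new Group '$($Row.samAccountName)' under '$destOU'"
    New-ADGroup -Name $Row.Name -SamAccountName $Row.samAccountName -GroupCategory $Row.GroupCategory -GroupScope $Row.GroupScope -DisplayName $Row.DisplayName -Path $destOU -Description $Row.Description

    If ($Row.Membership -ne "") {
        Write-Host "Adding Group Membership '$($Row.Membership)' for group '$($Row.samAccountName)'"
        Add-ADPrincipalGroupMembership -Identity $Row.samAccountName -MemberOf $Row.Membership
    }
}

# … unchanged: module import, CSV loading, $dNC …
Foreach ($group in $GroupAdmins) { New-GroupFromRow -Row $group -DefaultNC $dNC }
Foreach ($group in $GroupStandards) { New-GroupFromRow -Row $group -DefaultNC $dNC }
```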
@@ -1,23 +1,27 @@ <# - .Example - $List = @( - $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=User Accounts"}) - ) - .\Set-OUUserPermissions.ps1 -list $list -Verbose + #> -[CmdletBinding()] -param( - [Parameter(Mandatory = $True)][PSOBject] $List - -) +cls + +#throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + Import-Module ActiveDirectory +$Fichier = "OU-User-Permissions.csv" + +$List = Import-Csv -Path $Fichier -Delimiter ";" + $rootdse = Get-ADRootDSE $domain = Get-ADDomain $guidmap = @{ } + Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } + $extendedrightsmap = @{ } + Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid } $List | ForEach-Object { @@ -25,7 +29,9 @@ $List | ForEach-Object { $Group = $_.Group $ouPath = "$OUPrefix,$($domain.DistinguishedName)" $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["user"], "ALL")) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["user"])) 
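Review bot: Step-03-Set-OUUserPermissions.ps1 replaces the mandatory `$List` parameter with `Import-Csv -Path $Fichier -Delimiter ";"` on a relative path under the hard-coded `C:\Tools`, but nothing checks the result: if the file is missing or empty, Import-Csv emits only a non-terminating error, `$List` is `$null`, the `$List | ForEach-Object` pipeline runs zero times and the script ends as if the delegation had been applied. I would read with `$List = Import-Csv -Path $Fichier -Delimiter ";" -ErrorAction Stop` and follow it with `If (-not $List) { throw "No delegation rows found in $Fichier" }`. Since these CSV files now decide which group receives write rights over user objects, the directory they are loaded from should be writable only by the account running the delegation (review the ACL on `C:\Tools`, or load from `$PSScriptRoot`). Steps 04 through 07 share the same header and need the same change; the ForEach-Object body itself continues outside this hunk.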
@@ -35,6 +41,7 @@ $List | ForEach-Object { $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["lockoutTime"], "Descendents", $guidmap["user"])) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"])) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"])) - Write-Verbose "Configuring User Permissions on '$ouPath' for group '$Group'" + + Write-host "Configuring User Permissions on '$ouPath' for group '$Group'" Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) } diff --git a/Set-OUWorkstationPermissions.ps1 b/Step-04-Set-OUWorkstationPermissions.ps1 similarity index 84% rename from Set-OUWorkstationPermissions.ps1 rename to Step-04-Set-OUWorkstationPermissions.ps1 index ad9e801..072ab52 100644 --- a/Set-OUWorkstationPermissions.ps1 +++ b/Step-04-Set-OUWorkstationPermissions.ps1 
@@ -1,26 +1,32 @@ <# - .Example - $List = @( - $(New-Object PSObject -Property @{Group = "ServiceDeskOperators"; OUPrefix = "OU=Workstations"}) - .\Set-OUWorkstationPermissions.ps1 -list $list -Verbose + #> -[CmdletBinding()] -param( - [Parameter(Mandatory = $True)][PSOBject] $List -) +cls + +#throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + Import-Module ActiveDirectory +$Fichier = "OU-Workstation-Permissions.csv" + +$List = Import-Csv -Path $Fichier -Delimiter ";" + $rootdse = Get-ADRootDSE $domain = Get-ADDomain $guidmap = @{ } Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID } + $List | ForEach-Object { $ouPrefix = $_.OUPrefix $Group = $_.Group $ouPath = "$OUPrefix,$($domain.DistinguishedName)" $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["Computer"], "All")) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"])) 
@@ -29,6 +35,7 @@ $List | ForEach-Object { $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-KeyPackage"], "Descendents", $guidmap["msFVE-RecoveryInformation"])) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-RecoveryPassword"], "Descendents", $guidmap["msFVE-RecoveryInformation"])) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["msFVE-VolumeGuid"], "Descendents", $guidmap["msFVE-RecoveryInformation"])) - Write-Verbose "Configuring Workstation Permissions on '$ouPath' for group '$Group'" + + Write-host "Configuring Workstation Permissions on '$ouPath' for group '$Group'" Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) } diff --git a/Set-OUGroupPermissions.ps1 b/Step-05-Set-OUGroupPermissions.ps1 similarity index 80% rename from Set-OUGroupPermissions.ps1 rename to Step-05-Set-OUGroupPermissions.ps1 index 3b23c26..9abd079 100644 --- a/Set-OUGroupPermissions.ps1 +++ b/Step-05-Set-OUGroupPermissions.ps1 @@ -1,18 +1,19 @@ <# - .Example - $List = @( - $(New-Object PSObject -Property @{Group = "Tier1Admins"; OUPrefix = "OU=Groups,ou=Tier1,ou=Admin"}) - ) - .\Set-OUGroupPermissions.ps1 -list $list -Verbose + #> -[CmdletBinding()] -param( - [Parameter(Mandatory = $True)][PSOBject] $List - -) +cls + +#throw "This is not a robus script" +$location = Get-Location +Set-Location C:\Tools + Import-Module ActiveDirectory +$Fichier = "OU-Group-Permissions.csv" + +$List = Import-Csv -Path $Fichier -Delimiter ";" + $rootdse = Get-ADRootDSE $domain = Get-ADDomain $guidmap = @{ } 
@@ -25,11 +26,14 @@ $List | ForEach-Object { $Group = $_.Group $ouPath = "$OUPrefix,$($domain.DistinguishedName)" $ou = Get-ADOrganizationalUnit -Identity $OUPAth + $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID + $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)" $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild", "Allow", $guidmap["group"], "ALL")) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["group"])) $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["group"])) - Write-Verbose "Configuring Group Permissions on '$ouPath' for group '$Group'" + + Write-Host "Configuring Group Permissions on '$ouPath' for group '$Group'" Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName)) } diff --git a/Set-OUComputerPermissions.ps1 b/Step-06-Set-OUComputerPermissions.ps1 similarity index 63% rename from Set-OUComputerPermissions.ps1 rename to Step-06-Set-OUComputerPermissions.ps1 index 6633812..1a4b7d4 100644 --- a/Set-OUComputerPermissions.ps1 +++ b/Step-06-Set-OUComputerPermissions.ps1 
@@ -1,21 +1,19 @@
 <#
-    .Example
-    $List = @(
-        $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Computer Quarantine"}),
-        $(New-Object PSObject -Property @{Group = "WorkstationMaintenance"; OUPrefix = "OU=Workstations"}),
-        $(New-Object PSObject -Property @{Group = "PAWMaint"; OUPrefix = "OU=Devices,OU=Tier 0,OU=Admin"}),
-        $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
-    )
-    .\Set-OUComputerPermissions.ps1 -list $list -Verbose
-
+
 #>
-[CmdletBinding()]
-param(
-    [Parameter(Mandatory = $True)][PSOBject] $List
-)
+cls
+
+#throw "This is not a robus script"
+$location = Get-Location
+Set-Location C:\Tools
+
 Import-Module ActiveDirectory
+$Fichier = "OU-Computer-Permissions.csv"
+
+$List = Import-Csv -Path $Fichier -Delimiter ";"
+
 $rootdse = Get-ADRootDSE
 $domain = Get-ADDomain
 $guidmap = @{ }
@@ -26,11 +24,14 @@ $List | ForEach-Object {
     $Group = $_.Group
     $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
     $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+
     $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+
     $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
     $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "CreateChild,DeleteChild", "Allow", $guidmap["Computer"], "All"))
     $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", "Descendents", $guidmap["Computer"]))
     $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "WriteProperty", "Allow", "Descendents", $guidmap["Computer"]))
-    Write-Verbose "Configuring Computer Permissions on '$ouPath' for group '$Group'"
+
+    Write-Host "Configuring Computer Permissions on '$ouPath' for group '$Group'"
     Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
 }
diff --git a/Set-OUReplicationPermissions.ps1 b/Step-07-Set-OUReplicationPermissions.ps1
similarity index 81%
rename from Set-OUReplicationPermissions.ps1
rename to Step-07-Set-OUReplicationPermissions.ps1
index cb3254f..af05218 100644
--- a/Set-OUReplicationPermissions.ps1
+++ b/Step-07-Set-OUReplicationPermissions.ps1
@@ -1,18 +1,19 @@
 <#
-    .Example
-    $List = @(
-        $(New-Object PSObject -Property @{Group = "Tier0ReplicationMaintenance"; OUPrefix = "" })
-    )
-    .\Set-OUReplicationPermissions.ps1 -list $list -Verbose
+
 #>
-[CmdletBinding()]
-param(
-    [Parameter(Mandatory = $True)][PSOBject] $List
-
-)
+cls
+
+#throw "This is not a robus script"
+$location = Get-Location
+Set-Location C:\Tools
+
 Import-Module ActiveDirectory
+$Fichier = "OU-Replication-Permissions.csv"
+
+$List = Import-Csv -Path $Fichier -Delimiter ";"
+
 $rootdse = Get-ADRootDSE
 $domain = Get-ADDomain
 $guidmap = @{ }
@@ -27,25 +28,31 @@ $schemaNC = $rootdse.SchemaNamingContext
 $forestDnsZonesDN = "DC=ForestDnsZones," + $rootdse.RootDomainNamingContext
 $sitesDN = "CN=Sites," + $configCN
 $config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN)
+
 $List | ForEach-Object {
     $group = $_.Group
-    if ($_.OUPrefix -eq ""){
+
+    If ($_.OUPrefix -eq "") {
         $aclPath = $domain.DistinguishedName
     }
-    else {
+    Else {
         $aclPath = $_.OUPrefix + "," + $domain.DistinguishedName
     }
+
     $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID
-    foreach ($configEntry in $config) {
+
+    Foreach ($configEntry in $config) {
         $acl = Get-ACL -Path($configEntry)
         $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
         $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
         $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
         $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
-        if ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") {
+
+        If ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") {
             $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
         }
-        Write-Verbose "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"
+
+        Write-Host "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"
         Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)
     }
 }
diff --git a/Set-OUGPOPermissions.ps1 b/Step-08-Set-OUGPOPermissions.ps1
similarity index 78%
rename from Set-OUGPOPermissions.ps1
rename to Step-08-Set-OUGPOPermissions.ps1
index 5f742d8..40c7f2a 100644
--- a/Set-OUGPOPermissions.ps1
+++ b/Step-08-Set-OUGPOPermissions.ps1
@@ -1,19 +1,19 @@
 <#
-    .Example
-    $List = @(
-        $(New-Object PSObject -Property @{Group = "Tier1ServerMaintenance"; OUPrefix = "OU=Tier 1 Servers"})
-    )
-    .\Set-OUGPOPermissions.ps1 -list $list -Verbose
-
 #>
-[CmdletBinding()]
-param(
-    [Parameter(Mandatory = $True)][PSOBject] $List
-)
+cls
+
+#throw "This is not a robus script"
+$location = Get-Location
+Set-Location C:\Tools
+
 Import-Module ActiveDirectory
+$Fichier = "OU-GPO-Permissions.csv"
+
+$List = Import-Csv -Path $Fichier -Delimiter ";"
+
 $rootdse = Get-ADRootDSE
 $domain = Get-ADDomain
 $guidmap = @{ }
@@ -26,10 +26,13 @@ $List | ForEach-Object {
     $Group = $_.Group
     $ouPath = "$OUPrefix,$($domain.DistinguishedName)"
     $ou = Get-ADOrganizationalUnit -Identity $OUPAth
+
     $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID
+
     $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
     $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty,WriteProperty", "Allow", $guidmap["gplink"], "All"))
     $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ReadProperty", "Allow", $guidmap["gpoptions"], "All"))
-    Write-Verbose "Configuring GPO Permissions on '$ouPath' for group '$Group'"
+
+    Write-Host "Configuring GPO Permissions on '$ouPath' for group '$Group'"
     Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
 }
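Review bot: `$acl = Get-ACL -Path($configEntry)` reads the DACL from a bare DN while `Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)` writes it to `$aclPath`, so each of the four loop iterations reads a different naming context but every write goes to the same domain or OU path; and now that `Set-Location C:\Tools` runs at the top of the script, the un-prefixed `Get-ACL` path is presumably resolved against the filesystem rather than the AD drive, leaving `$acl` null on failure. Since these ACEs include `Replicating Directory Changes All`, the right that lets a principal replicate the directory's protected data, read and write should name the same object and abort on any lookup failure, e.g. `$acl = Get-ACL -Path ("AD:\" + $configEntry) -ErrorAction Stop` paired with `Set-ACL -ACLObject $acl -Path ("AD:\" + $configEntry)`. If the intent really is to delegate on `$aclPath`, then the read should come from `("AD:\" + $aclPath)` instead and the loop over `$config` needs a comment explaining why it runs four times; either way `$aclPath` or `$configEntry` is currently dead in one of the two calls. The `ForEach-Object` and `Foreach` blocks this hunk closes open outside the hunk's first line.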