<#

#>

cls

#throw "This is not a robus script"
$location = Get-Location
Set-Location C:\Tools

Import-Module ActiveDirectory

$Fichier = "OU-Replication-Permissions.csv"

$List = Import-Csv -Path $Fichier -Delimiter ";"

$rootdse = Get-ADRootDSE
$domain = Get-ADDomain
$guidmap = @{ }
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
$extendedrightsmap = @{ }
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

$location = Get-Location
Set-Location AD:
$configCN = $rootdse.ConfigurationNamingContext
$schemaNC = $rootdse.SchemaNamingContext
$forestDnsZonesDN = "DC=ForestDnsZones," + $rootdse.RootDomainNamingContext
$sitesDN = "CN=Sites," + $configCN
$config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN)

$List | ForEach-Object {
    $group = $_.Group

    If ($_.OUPrefix -eq "") {
        $aclPath = $domain.DistinguishedName
    }
    Else {
        $aclPath = $_.OUPrefix + "," + $domain.DistinguishedName
    }

    $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID

    Foreach ($configEntry in $config) {
        $acl = Get-ACL -Path($configEntry)
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Manage Replication Topology"], "Descendents"))
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes"], "Descendents"))
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replicating Directory Changes All"], "Descendents"))
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Replication Synchronization"], "Descendents"))
        
        If ($configEntry -like "CN=Configuration*" -or $configEntry -like "CN=Schema*") {
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, "ExtendedRight", "Allow", $extendedrightsmap["Monitor active directory Replication"], "Descendents"))
        }

        Write-Host "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"
        Set-ACL -ACLObject $acl -Path ("AD:\" + $aclPath)
    }
}
Set-Location $Location