AD_Tiering_mode/Step-07-Set-OUReplicationPermissions.ps1

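<#
.SYNOPSIS
    Delegates the replication-maintenance extended rights on the forest-wide
    naming contexts (Configuration, Schema, ForestDnsZones, CN=Sites) to the
    groups listed in OU-Replication-Permissions.csv.

.DESCRIPTION
    For every row of the CSV (delimiter ";", column "Group") the script adds
    "Allow" ACEs, inherited by descendants, on each configuration entry for the
    extended rights "Manage Replication Topology", "Replicating Directory
    Changes", "Replicating Directory Changes All" and "Replication
    Synchronization". On the Configuration and Schema containers it also grants
    "Monitor active directory Replication".

    "Replicating Directory Changes" and "Replicating Directory Changes All" are
    highly privileged rights: wherever they are granted, members of the group
    can replicate the content of that partition. Keep membership of the
    delegated groups tightly controlled and verify the resulting ACEs after the
    run (directory-object modification / access auditing, events 5136 and
    4662, records these writes).

.NOTES
    Requires the ActiveDirectory module, write access to the ACLs of the forest
    naming contexts, and the CSV in C:\Tools. The script stops on the first
    error and restores the caller's location on every exit path.
#>
Clear-Host

# Capture the caller's location once; the finally block restores it.
$originalLocation = Get-Location
$ErrorActionPreference = 'Stop'

Import-Module ActiveDirectory

# One row per group to delegate to. "Group" is the group identity;
# "OUPrefix" is optional (see NOTE(review) below).
$csvFolder = 'C:\Tools'
$Fichier = Join-Path -Path $csvFolder -ChildPath 'OU-Replication-Permissions.csv'

try {
    $List = Import-Csv -Path $Fichier -Delimiter ';'
    if (-not $List) {
        throw "No rows found in '$Fichier'."
    }

    $rootdse = Get-ADRootDSE
    $domain  = Get-ADDomain

    # Map extended-right display names to their rightsGuid. @{ } is a
    # case-insensitive hashtable, so the lookup tolerates casing differences
    # between the names below and the schema's displayName values.
    $extendedrightsmap = @{ }
    $rightsSearch = @{
        SearchBase = $rootdse.ConfigurationNamingContext
        LDAPFilter = '(&(objectclass=controlAccessRight)(rightsguid=*))'
        Properties = 'displayName', 'rightsGuid'
    }
    Get-ADObject @rightsSearch |
        ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

    $replicationRights = @(
        'Manage Replication Topology',
        'Replicating Directory Changes',
        'Replicating Directory Changes All',
        'Replication Synchronization'
    )
    $monitorRight = 'Monitor active directory Replication'

    # Every right must resolve to a GUID before any ACL is touched. A missing
    # map entry would likely produce an ACE with an empty objectType, and an
    # ExtendedRight ACE with an empty GUID covers *all* extended rights.
    foreach ($rightName in ($replicationRights + $monitorRight)) {
        if (-not $extendedrightsmap.ContainsKey($rightName)) {
            throw "Extended right '$rightName' was not found in the configuration partition."
        }
    }

    $configCN         = $rootdse.ConfigurationNamingContext
    $schemaNC         = $rootdse.SchemaNamingContext
    $forestDnsZonesDN = 'DC=ForestDnsZones,' + $rootdse.RootDomainNamingContext
    $sitesDN          = 'CN=Sites,' + $configCN
    $config = @($configCN, $schemaNC, $forestDnsZonesDN, $sitesDN)

    Set-Location AD:

    foreach ($row in $List) {
        $group = $row.Group
        if ([string]::IsNullOrWhiteSpace($group)) {
            throw "CSV row without a 'Group' value."
        }

        # NOTE(review): $aclPath is derived from OUPrefix but the ACLs written
        # below are the ones read from the configuration entries, so it is not
        # used as a write target here -- confirm with the CSV owner whether
        # OUPrefix still has a purpose in this step.
        if ([string]::IsNullOrEmpty($row.OUPrefix)) {
            $aclPath = $domain.DistinguishedName
        } else {
            $aclPath = $row.OUPrefix + ',' + $domain.DistinguishedName
        }

        # Get-ADGroup throws under ErrorActionPreference=Stop if the group is
        # unknown, so a null SID can never reach the ACE constructors.
        $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $group).SID

        foreach ($configEntry in $config) {
            $acl = Get-Acl -Path ("AD:\" + $configEntry)

            foreach ($rightName in $replicationRights) {
                $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, 'ExtendedRight', 'Allow', $extendedrightsmap[$rightName], 'Descendents'))
            }

            # Only the Configuration and Schema containers receive the monitoring
            # right; CN=Sites,CN=Configuration,... does not match "CN=Configuration*".
            if ($configEntry -like 'CN=Configuration*' -or $configEntry -like 'CN=Schema*') {
                $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adGroup, 'ExtendedRight', 'Allow', $extendedrightsmap[$monitorRight], 'Descendents'))
            }

            Write-Host "Configuring Replication Maintenance Role Delegation on '$configEntry' for group '$group'"

            # Write the modified ACL back to the entry it was read from. Writing
            # it to $aclPath (the previous target) would replace the domain/OU
            # DACL with a copy of the configuration entry's DACL plus the new
            # replication ACEs.
            Set-Acl -AclObject $acl -Path ("AD:\" + $configEntry)
        }
    }
}
finally {
    Set-Location $originalLocation
}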