From 21f011c407a9b24f28235968c0a9cd1055eb72d1 Mon Sep 17 00:00:00 2001 From: hcornet Date: Wed, 29 Nov 2023 17:05:11 +0100 Subject: [PATCH] Update --- AuthPolicy_steps.ps1 | 73 ++++++++++++++++++ Backup/manifest.xml | 1 + .../Backup.xml | 18 +++++ .../DomainSysvol/GPO/Machine/comment.cmtx | 12 +++ .../DomainSysvol/GPO/Machine/registry.pol | Bin 0 -> 226 bytes .../bkupInfo.xml | 1 + .../gpreport.xml | Bin 0 -> 17334 bytes .../Backup.xml | 18 +++++ .../DomainSysvol/GPO/Machine/comment.cmtx | 12 +++ .../DomainSysvol/GPO/Machine/registry.pol | Bin 0 -> 640 bytes .../bkupInfo.xml | 1 + .../gpreport.xml | Bin 0 -> 25836 bytes Import-GPO.ps1 | 35 +++++++++ Link-GpoToOU.ps1 | 31 ++++++++ New-AuthenticationPolicy.ps1 | 20 +++++ Register-NewScheduledTask.ps1 | 13 ++++ 16 files changed, 235 insertions(+) create mode 100644 AuthPolicy_steps.ps1 create mode 100644 Backup/manifest.xml create mode 100644 Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/Backup.xml create mode 100644 Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/comment.cmtx create mode 100644 Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/registry.pol create mode 100644 Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/bkupInfo.xml create mode 100644 Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/gpreport.xml create mode 100644 Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/Backup.xml create mode 100644 Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/comment.cmtx create mode 100644 Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/registry.pol create mode 100644 Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/bkupInfo.xml create mode 100644 Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/gpreport.xml create mode 100644 Import-GPO.ps1 create mode 100644 Link-GpoToOU.ps1 create mode 100644 New-AuthenticationPolicy.ps1 create mode 100644 Register-NewScheduledTask.ps1 
diff --git a/AuthPolicy_steps.ps1 b/AuthPolicy_steps.ps1
new file mode 100644
index 0000000..06891df
--- /dev/null
+++ b/AuthPolicy_steps.ps1
@@ -0,0 +1,73 @@
+Throw "this is not a robust file"
+$location = Get-Location
+$oldVerbosePreference = $VerbosePreference
+$VerbosePreference = 'Continue'
+Set-Location C:\Tools\AuthPolicy
+
+#Region ProtectedUsers
+$providedgroup = Read-Host "Please provide group that members should be added to other group."
+$groupToUpdate = Read-Host "Please provide group that should be updated with new members from '$providedgroup'"
+$groupMembers = Get-ADGroupMember -Identity $providedgroup
+foreach ($member in $groupMembers){
+ Write-Verbose "Updating group '$groupToUpdate' with '$member'"
+ Add-ADGroupMember -Identity $groupToUpdate -Members $member
+}
+#endregion
+
+#region Create Tier 1 Servers Group
+$csv = Read-Host -Prompt "Please provide full path to Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+$srv = Get-ADComputer -Identity srv01
+$group = Get-ADGroup -Identity 'Tier1Servers'
+Write-Verbose "Adding computer '$($srv.name)' to group '$($group.name)'"
+Add-ADGroupMember -Identity $group -Members $srv
+#endregion
+
+#region import GPO
+$BackupPath = Read-Host -Prompt "Please provide full path to GPO backups"
+.\Import-GPO.ps1 -BackupPath $BackupPath -Verbose
+Set-Location C:\Tools\AuthPolicy
+#endregion
+
+
+#region Link gpo
+$GpoLinks = @(
+ $(New-Object PSObject -Property @{ Name = "KDC Support for claims"; OU = "OU=Domain Controllers"; Order = 2 ;LinkEnabled = 'YES'}),
+ $(New-Object PSObject -Property @{ Name = "Kerberos client support for claims" ; OU = ""; Order = 2 ;LinkEnabled = 'YES'})
+)
+.\Link-GpoToOU.ps1 -GpoLinks $GpoLinks -Verbose
+
+#Region AuthPolicy
+.\New-AuthenticationPolicy -GroupName "Tier1Servers" -PolicyName "Tier1Servers" -Description "Assigned principals can authenticate to tier-0 PAWs only" -UserTGTLifetimeMins 121
+#endregion
+
+#Region ScheduledTask
+.\Register-NewScheduledTask.ps1 -DomainGroup "Tier1PAWMaint" -PolicyName "Tier1Servers"
+Get-ScheduledTask -TaskName "Update_Tier1Servers_Users" | Start-ScheduledTask
+#endregion
+
+#region EventLog
+$Logs = @(
+ 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController',
+ 'Microsoft-Windows-Authentication/ProtectedUser-Client',
+ 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController',
+ 'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'
+)
+foreach ($logname in $logs){
+ Write-Verbose "Enabling logs for '$logname'"
+ $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
+ $log.IsEnabled=$true
+ $log.SaveChanges()
+}
+#endregion
+
+#region switch Auth Policy to Audit
+Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $false
+#endregion
+
+#region switch Auth Policy to Enforce
+Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $true
+#endregion
+
+$VerbosePreference = $oldVerbosePreference
+Set-Location $location
diff --git a/Backup/manifest.xml b/Backup/manifest.xml
new file mode 100644
index 0000000..d4b599b
--- /dev/null
+++ b/Backup/manifest.xml
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/Backup.xml b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/Backup.xml
new file mode 100644
index 0000000..035b3ec
--- /dev/null
+++ b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/Backup.xml
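Review bot: In AuthPolicy_steps.ps1 the `#region EventLog` and "switch Auth Policy to Audit" steps come after the AuthPolicy and ScheduledTask regions, so by the time the `AuthenticationPolicyFailures-DomainController` channel is enabled the policy has already been created with `-Enforce` (in New-AuthenticationPolicy.ps1) and assigned by the task that `Start-ScheduledTask` runs. Anyone working through the regions top to bottom gets enforcement with no audit window and no failure log to review, which risks locking out the Tier1PAWMaint accounts. I would move the EventLog region ahead of `#Region AuthPolicy` and run `Set-ADAuthenticationPolicy -Enforce $false` immediately after the policy is created, leaving `-Enforce $true` as the last, separately confirmed step. The "Link gpo" region is also missing its `#endregion`.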
@@ -0,0 +1,18 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/comment.cmtx b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100644 index 0000000..a8d4b32 --- /dev/null +++ b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/comment.cmtx @@ -0,0 +1,12 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/registry.pol b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/registry.pol new file mode 100644 index 0000000000000000000000000000000000000000..1cf1246e5828dea4706379aaa2cf85f65a228eb8 GIT binary patch literal 226 zcmYk1!3x4K5JaEgUwJCxNrYlS55_}MqZDiku~PhdXBQ7%c6WAWXOi}qA1mNO$HbkP zg-9h6I55y_o_PJZz*)P(O?c5Zu;nd<>5Fbp>Q(zed=cBKKiy>zWBQJd`YbdG?OmU| oT8dp*dK8;oWp1!xC%;INTUKV$+|&3=8tF&nRM)Nls{QNA7u4n{C;$Ke literal 0 HcmV?d00001 diff --git a/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/bkupInfo.xml b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/bkupInfo.xml new file mode 100644 index 0000000..a6316ac --- /dev/null 
+++ b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/bkupInfo.xml @@ -0,0 +1 @@ + 
diff --git a/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/gpreport.xml b/Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/gpreport.xml new file mode 100644 index 0000000000000000000000000000000000000000..09fbad6cc5f4b964d380780ce2f6fbb86fb7ff38 GIT binary patch literal 17334 zcmeI3TW=dT8isjYVE@CQS1qtU$Vq&P>O!&9)MyeLmQ%MyZxq*dys@p+lCyOe``35- zKK#OP4wN)b6vZh7LDI~S{LUwG$p8PZ>ArP;xC?jgGWW(EyDK+vXRhxq-8b$_*Kmt& zS^t?@F5Quy|EAVUcj{ZO-O!!51@&50pKslk`-l6&HQi&k=XN#5;9d&irmhDX3(S`q zHFU4_Y)PMg`_H0&?+I65_)qn8MOc>wcgg+ap1LQlE8H(d!-ea4YRZt$rUH4v^EME5 zJF|4j%jG*W!3jPtJYM8$IueA0%P&90-@mFO%e& zZb#BW=Cq&ai)Lc`=stO=PnX^UcOxE-#UYgbN7}hBJvH1TX@AvyCp);O&zjrN)qS_^ zI=WlX-6P*;L4DhLx~%(kT|ZEJ$HVxqxLvBnZ`(_>=Os2PK6~y@cP-f;yBE@3U)H%O zDV%$n^YldBOy;KPp2@;41ar&%;5GZg|6)Cv>;@Y#-Di4&<-8W=E7?LOTj0uiA&Cq1 z0AqxR4+i_dXU_!zTiW*011nZF5bmKMUF+T`9^W@Y-S*PxY4ow+9(Wqy1fS)*pzo^x zZK$;&i`bMstn0U-7I2M%5OF*etwb8L{M%u{w!ktPM#Qr(9(uRnVnbZqlT9y*Lu?)U zU)TLF9%B_+#DupWc}qHz`xkTeo||N} zmo;KT@?^w@m+nKsYPsj`YheKgShhvSwq&ubxOwRIMa7}MZCTh8QG%rQ)pn@=L)|mx zp{`r+U<5ipC7iC8!-DLSXoxIUb-gCeSA5)Typ{!V*o6(GFMj1lz<8`J6}-Cf_xUYX}k$k=m}T zF<{&+VJ+e#lD|K`7oq`QSd(A$q+MtucB5Nt0njaFt~|g=ErI5<_!np zkookve7LxZQEW-!j1a;MoOr;zm8h^Q8vZ57N4jQ(q!=TBUT4(p@v=4peyeJTA?5X% zQMl71CsA-F48~=OpMm6XDe2yfkU;&>DLSyR+v>e3ecP%mn!55fmx68Dwe{zipRvG} zbb2J7$;cgXcdaPBC9k*jA84vSDuo#c^=NDsXn87r2JV$;v9+;0ow2Qq(fl+Yhf=jbJ8)8Myw84CA9F2D;XR%t+Rpjj`M?rg_EKPk? z`=k1WSU%4}^DGp7^LDvp=<6M;l5aP%9DB+X)XyWSJY0WtiVl3}u4JK(@)K3hKNUM! z?K{_(`2_bDstoK+$c^rpt>o9};bNY*;v9Q)9K8E^YkF@4#;@W*uF=9-O>#h}GtE+23*g*7)q^ zZ!N7S4E>rjt2pch3;Sa-tx!_6v7$4d+1bq1)&gXE&_oSoZLNV{9ds)Tt>DC^nH;22c@7+>!IM&lyuej3N9NxK-?|3&? 
zXJ?ooEoA>b>%(V?v!@z`jSypry0cijOYb8p zuE~$5GG=S|?uz#ODt34Wo!$%I)czgz1z3h@`RuaY*{t*~!yC2hrs;X%)I+S;s}hM-jA08a>(e>k!+W5kx7OL0eX?IA zlb%y+4yHR=tylGY5&I{2tAw`^Pw>bx)p^?pyqV^$r>*~C0b71IMYOpHE#GGnJnV^6 zRkr_SOKV&&y=F5#jdHj5U(pIoDnvo{_pz5R)6OS${@Gd#`@?(s@=ooI;IU3j52D7o zuJGUAB}Jksk(9GiP{5h0D8buGKAg~M%O>$g^1zYc<#%?l1I>2)808V$WPN3#7%NA2 zS>pWIc)Ngmq=QuAK5F>oDXUi1GiN4EG7jg@*fBE{4VHx#^$hLqs3jA}*r%Nq4K`tr z@ze3z#L5kmX(FD13mU-QEe6-sA~2bg^u7MEgUn0Lbi^)lvMQR0)?jfR4;!ilTHw^y z^UUJN62TAISAh2F_+s?Dl-@X*$L^$_^vab{TGbO4jzyuv^69|O!-5yR#Z;|^DhK{8 zpJ$RW9*mu4(okReF!^7~*3Kj)v%wFyuY7z!?lD3Htm7iZ=WJtmFPZS_U3`T9my$IR z(QMniBY0+BRw+qw{t15wIy4_bene?}np5WH;W5^Rn3+HO3MJzsoq0AGh!8|{aFF?k zkHNFy(PC80P33$uDL-{ZNj!y%T-a-iJyLnHgOBS&VI}Lb{}$?lWRY*CQ(2s7U-7#- z%01WBZq{CI*;g)%bf@T;MEkbrLzkx>19hrZkUZmjdO71nY}Jt|T(SS;8Yxs$k0dv= z_DVEV_YYf*QSMX54c=-UTCL6Ur>*zB9AeD~j99DXF{GhaYhwD5%hNN5=DW8)MY@`9 z@+`sjgHG;Oq`KI@I9EtPEcPhED$f}3u5ezw+!jV6kMPDT^4!!Odwk=S{DQacvBj#& zu67(h&1s@~>K?e|UIAww24_5oRa^QWeRAI*#lA&IW!~!WZ8SU+Z@WIiUHNE7v@Gu; SPxlEFz-LNUJhwOLTkbEf@|3Fp literal 0 HcmV?d00001 diff --git a/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/Backup.xml b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/Backup.xml new file mode 100644 index 0000000..e3bf3b4 --- /dev/null +++ b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/Backup.xml 
@@ -0,0 +1,18 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/comment.cmtx b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100644 index 0000000..a8d4b32 --- /dev/null +++ b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/comment.cmtx @@ -0,0 +1,12 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/registry.pol b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/registry.pol new file mode 100644 index 0000000000000000000000000000000000000000..19de178531aab99d345d30bc2dd3a7e1e7031d50 GIT binary patch literal 640 zcmd6l%L>9U6hx2WU%4vkN`+!U7uH2vqZImpSS|j&b5j@HxD;I^_c4>X8IpMCt`p!$ zLd%7Yo(zv8WlKq+yyf=BQV!}hoK^SgrYyLNVf;pC_ljQqQg|aYR;+?bDa7~*PsL7E zt!m9u3dXaUnR+f@rU7$SQpw1r;l#_87erxxBz`S*A9%CTZf;J0>gSV(jr={ds*#Vu S)AXlq>@{=UYxo1-c&8Vn?{jnj literal 0 HcmV?d00001 diff --git a/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/bkupInfo.xml b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/bkupInfo.xml new file mode 100644 index 0000000..a54665a 
--- /dev/null +++ b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/bkupInfo.xml @@ -0,0 +1 @@ + 
diff --git a/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/gpreport.xml b/Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/gpreport.xml new file mode 100644 index 0000000000000000000000000000000000000000..8459b9e9f98a48eace7c3dfba735851260bd11d8 GIT binary patch literal 25836 zcmeI5YfoIq8OP^!rGAH%UnNp8_!8R?N<;v=D6z3v9NH>xFa}J+#bF_~Q}wI2{r~3S z$;_NHyL%uQh_yoN-92Y!p8Iv?tpE4l`S4Bn5DvpZ=!IXxPB;mJupf@YQTS`P6Yhn( zVMgyg-8l-|y8cFYkHTKOdlpW^ZkW=jM;h}@SO|X(e+u*AS$G-NG{@FG(u#BXJkVU$ ze5+Zf;hnBc>+gO1yQ_a62-dOS@9FA&L7maM)8X&odH6o`1^caVI1F16o94>AxlO*{~S@y&s%7~&MZYPu{zo_5R6l;d8Y4%+32xp)ul-FmS*p0-HnI?7-O5fru0JU z*y)B|k7dyhCF?o8?nPL`R!A_O3s*dfX?S-iPa>?@2xa&h3C_A`*t!4}vvK_=lJz6e zH>icT=LiZNK*V3xh`0u*@MIW|A)2`m1=-(;5c4Z$A&aM27Z|Xa9zSif(-_~$EZ*rY}JfetfA~Z^_)351*H_{e zHiaE=ZAN1r#qrn}7B$+`vVv_s6re9oBR(K>jPj1jNx@X5zySGLguftd4nLmv$ zxgXSCdM^D>wR>fhu0_4_II#2ZppYc*&0~x^o1x4B|X&mzK`e*!{HmnV;c&1gThIRx2 zs7=Y2983|ToLe7t)3L>BsbLWz(c*shI`n|}_d=O}Pnq8yOd>5%D9@Ijvc_#OqR<*C^|Xzz=-DoHWF) z;NNO`;xnMGsb>lPsF@3*??8XY%8$_L(PL{cnB{oXv7iH$TNgFoXj`%ob!dyRw_&}n zEoJNb!rtoRI&`y!4N*uveIOeyyBOu28qBnUSK#;q>Q=nMnsE4+R^HZUIwYl!VD&Du zE)JL84DcaGs9rlXO6>QUl5GS8a)H?;Yi&5ID`Y;XV>sR$1W=OdCA+luSn`7 z>RfGYldkodQ+!4P7bVke(M&{M5p`$s(hIVB>;HgL_gOW_tk4a|`2v^cqGu3(5-u~* zW^+8#y(UDn)7%f$Y#kkH&n*2{*LiL?In4IzjIxmyF|I2bw^x<)g}>b64APL zCu_0&HdS_BVN$!Leq>Lb`E=rQQp1(|q{I9|8Taa=EaSMj-s9EPaJO~etyaU)Pp4mT zqTL+!T#0w=&2>4Mk#fpOEjNjLlgRhEM7~KaH@cQ1>UXK#*e&GzKKmBx_%aZUgvi>7hn-)IaXF%;>s`j#C6UM&@nGh z0(70@8RWdqgm6aaU99AYWeI1?Dt-`*^c2*xV7smIYzBMf)^{C0&SBQp?Q5lhXd^$Y zuUL*K*CG--KRB0>_pF-tnlnE{4s!y}POLenOFkIRD>~JJJksb~59h+qIz4^0=lIZ> z{HdtvxOcxNTseCM|L;UwXrHwKm$}yH=6b_U-ONW?c}`&uEXJUDXFWZ~Gmu`5 zdya?wp6zojJl1&5rSv4vT5rK*#9bTpUDQrapWD-B+~Fh|x@mp`%WGnn>wwc>61I`n z=R?v9@zg}pt+ZM`X54z{4NpngIhO_Xvff4s_H;Gz*Y>%Rw4ue%H4Vg(j~aWX_fx$a z$BuMTXJ5Y2p2%W6J8AhjVfc!_ggdMSpL~U;Z1QKT5{EA;8Gll1S@>d=#Di_Y%ujf5 z5-rCoK^rg6o~T9Ji3vSDF9t=W{D36 z-+ZR6MNbUbmX>fExNYY`>s)jz;<=0Wdg1kZ`b6wG&?lt8mBg)GeTP=pM%RRk$%wsQ 
zJFm1Q3G?Z$pbWQ|x6-6DVT8{>56~q%j!A~AW-n$-UF-u}vpMGJogT9#bPwO_QcuvV z`{^Ev=U#K}l$MVE+FdZtZ5C?L(6*M64Glz{#r>Y>#+I4e(`v`UsqPh$gi0KcU-CBS zGb5Y$_?k^00$ik%V2{%9%lLSsuj$W+*|15c^oLH*9i1#P{**X!I)?apEPWx*#3%hx z_<$|qr+5;)7d0c7-%dQkiCv%-*u`6E&M%Qhw8m{S*SxxlC(*0NBIm<`l;r! zf=d@#JWl#bxkRC$X^sAzacL1|_2xz3ARdh~vHOv>Tr=7}ZCIbPCk<Ss__08YpdNkhtnjA-)uTL*L z_I8a5JXLPLn}O9JSMW8vYD=xOg3r%-vV89QeuOC>^$ zK!o5dUa4bv2lpj+w6b*|$N|C1Gez?Sqb<=fMlX2Q;7+t>A{kbme0nM6@tiO{FhAn@ zb`?>|v<}QljLh20oCq$aNDB`+|TuN zi7$1#tnmkaOuPej>$cSPh{>8PlOa~v=(+5fhACYwE7+v@mcd`tx^wSfFmvC4)mmLg z=d1J$DO=$;FpxW50o!)WYZ1(~W?kN7Nh6cpkcH+5^EU z>%wAF)C zqTgsIzfOMTsy%(~)$G)F@*?9ifxOzm7Z0yH+w?cBD$oDu=hM^hs8QD*(-ok)-i?n3 ziOU-i-?E#)Iu^CcEYrDEuRn;*^fr!_aa)Ftz3pkOt`Q2jpHoN5a!Y8UBTTeRGOEkc zJ2cH)gy_1eRj9_O{iv-|jb_iz;is&6C8m$p0leUFjwc-`>me`$3#;C-O?>I_z9v4{ zwAgx8K=qu;vPE#dSO#lexQi{B7CSdB7o{rvBBPu!_%A5FXckn~f9{j5KgP}#afhna z>eKNuA=gEUmf4eU^BZ7bWn(*5@r-b|-8*OU`G}2qc8!?kLw)NyJ8Cjy(Voj1zd!2R+ zq^hEC=8*)haz@p1xAqDpKXS>#_dU_bwe~#lr?zAl*=)?amUS*RC5$f_%}+eb>*ycN zC!1DyXD8R?B;AYfHSPK}ck+^581MaG-#=~lfB3ZmB!@<#!F(QHsZw=8WpgB5R`b-& zJL}prNqE=r7>D~(w2K`{76|P0+aA32`KBdlew!}AXpbKUVL9r>JFP<}`AEM=fluRC zN`}pZzs}ni!VjHX5EjWF!KLf*MBS^nGLPr?UlZ376^t{eFifjoOsmqom(oHa?snAm8Yf)y#*eJ?s_h%gx`&)^a$2J4 zV>gtGSgtcV7sKk)SqG0b#7S~aqN|;cAS3o@`d*)GKbu%YFV#Ae%^ru_`t9>9mp=_* zRWRHsD;YS))q0g^+$4I|_eZdsvNx4y$F}l#Y38*;X(KLy{FFsEDY9m>%T2D4>HyD+ zo1Jws5UVpi^TY$U<4l(hxNB0%$7(rKJJ+%dGp`j~!#$g7dJp(^Q(3xG+4gveZp(^O zm!#C1>pSgG>K7dr_YcNl_Yj^>j`9?LWF4db(HHfp+JJt}*N~H$Zd;9QJ^-(gcxB$i ze5rHFcGAXzN7@#AwO&!)bWw2<0Q(uMY~s@aLm=9s38fQuZ_ zQ + +[CmdletBinding()] +param( + [Parameter(Mandatory = $True)][string] $BackupPath, + [string] $GPOMigrationTable +) + +$backupList = Get-ChildItem -Path $BackupPath +Set-Location $BackupPath +$location = Get-Location +foreach ($item in $backupList) { + $backupID = $null + $xmlFilePath = $null + $gpoName = $null + $backupID = $item.name -replace "{", "" -replace "}", "" + $xmlFilePath = ".\$($item.name)\gpreport.xml" + [xml]$xmlFile = 
Get-Content -Path $xmlFilePath
+ $gpoName = $xmlFile.GPO.Name
+ Write-Verbose "Importing new GPO '$gpoName' with GUID '$backupID'"
+ Write-Verbose "Please remember to update proper groups in GPO settings"
+ if ($GPOMigrationTable -ne $null) {
+ Import-GPO -BackupId $backupID -TargetName $gpoName -Path $BackupPath -CreateIfNeeded
+ }
+ else {
+ Import-GPO -BackupId $backupID -TargetName $gpoName -Path $BackupPath -MigrationTable $GPOMigrationTable -CreateIfNeeded
+ }
+ Set-Location $location
+
+}
diff --git a/Link-GpoToOU.ps1 b/Link-GpoToOU.ps1
new file mode 100644
index 0000000..f710fa5
--- /dev/null
+++ b/Link-GpoToOU.ps1
@@ -0,0 +1,31 @@
+<#
+ .EXAMPLE
+ $GpoLinks = @(
+ $(New-Object PSObject -Property @{ Name = "POLICYNAME" ; OU = "OUPATH"; Order = 1; LinkEnabled = 'YES'}),
+ )
+ .\Link-GpoToOU.ps1 -GpoLinks $GpoLinks -Verbose
+#>
+
+
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory = $True)][PSObject] $GpoLinks
+)
+Import-Module ActiveDirectory
+$DC = (Get-ADDomain).DistinguishedName
+
+$GpoLinks | foreach-Object {
+ $name = $_.Name
+ $OU = $_.ou
+ $order = $_.Order
+ $LinkEnabled = $_.LinkEnabled
+ if ($OU -eq "") {
+
+ $ouPath = $DC
+ }
+ else {
+ $ouPath = "$OU,$DC"
+ }
+ Write-Verbose "Linking GPO '$name' into OU '$ouPath'"
+ New-GPLink -Name $name -Target $ouPath -LinkEnabled $LinkEnabled -Order $order
+}
diff --git a/New-AuthenticationPolicy.ps1 b/New-AuthenticationPolicy.ps1
new file mode 100644
index 0000000..f0fcb99
--- /dev/null
+++ b/New-AuthenticationPolicy.ps1
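Review bot: Link-GpoToOU.ps1 links the GPO at the domain root whenever `OU` is the empty string, and nothing in the comment-based help says so; that is the widest scope a policy link can have and deserves an explicit line. I would add a `.PARAMETER GpoLinks` entry such as `Objects with Name, OU, Order and LinkEnabled; an empty OU links the GPO at the domain root, otherwise OU is prefixed to the domain DN`. The `.EXAMPLE` block also ends the array with `}),` directly before `)`, which will not parse if copied as written. An entry with no `OU` property at all does not match `-eq ""` and falls into the `"$OU,$DC"` branch, so testing with `[string]::IsNullOrEmpty($OU)` or raising an explicit error would make that case deliberate.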
@@ -0,0 +1,20 @@
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory=$True)] [string] $GroupName,
+ [Parameter(Mandatory=$True)] [string] $PolicyName,
+ [Parameter(Mandatory=$True)] [string] $Description,
+ [Parameter(Mandatory=$True)] [string] $UserTGTLifetimeMins
+)
+
+Write-Verbose "Creating new AuthenticationPolicy '$PolicyName' with UserTGTLifetimeMins '$UserTGTLifetimeMins'"
+New-ADAuthenticationPolicy -Name $PolicyName -Description $Description -UserTGTLifetimeMins $UserTGTLifetimeMins -ProtectedFromAccidentalDeletion $true -Enforce
+
+$sids = @()
+Get-ADGroupMember -Identity $GroupName | ForEach-Object {
+ $sid = $_.SID.value
+ $sids += "SID($sid)"
+}
+if (($sids | Measure-Object).count -gt 1){$sidsj = $sids -join ", "}else{$sidsj = $sids}
+
+Write-Verbose "Adding members from group '$GroupName' to User Sign On section under Authentication Policy '$PolicyName'"
+Set-ADAuthenticationPolicy -Identity $PolicyName -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {$sidsj}))"
diff --git a/Register-NewScheduledTask.ps1 b/Register-NewScheduledTask.ps1
new file mode 100644
index 0000000..d7423b1
--- /dev/null
+++ b/Register-NewScheduledTask.ps1
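Review bot: New-AuthenticationPolicy.ps1 creates the policy with `-Enforce` before it has built the `UserAllowedToAuthenticateFrom` condition, and it never checks that `$GroupName` returned any members. With an empty group `$sidsj` is empty and the SDDL becomes `Member_of_any {}`; if `Set-ADAuthenticationPolicy` rejects that, an enforced policy is left behind without the intended restriction. I would collect the SIDs first and stop early, e.g. `if (-not $sids) { throw "Group '$GroupName' has no members" }`, and only then create the policy. The condition also freezes the member SIDs at creation time, so later changes to the group are presumably not picked up unless the script is re-run; a comment saying so would help.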
@@ -0,0 +1,13 @@
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory=$True)] [string] $DomainGroup,
+ [Parameter(Mandatory=$True)] [string] $PolicyName
+)
+
+$taskName = "Update_$($PolicyName)_Users"
+
+$argument = "-NoProfile -command " + '"' + "& Get-ADGroupMember -Recursive -Identity " + "'" + $DomainGroup + "'" + "| ForEach-Object {Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicy " + $PolicyName + " -Identity " + '$_' + ".SamAccountName}" + '"'
+$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument $argument
+$trigger = New-ScheduledTaskTrigger -Daily -At 12am
+$STPrin = New-ScheduledTaskPrincipal -GroupId "System" -RunLevel Highest
+Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskName -Principal $STPrin -Description "Update Authentication policy '$PolicyName' users with '$DomainGroup' members"
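Review bot: `$argument` in Register-NewScheduledTask.ps1 is assembled by string concatenation, with `$DomainGroup` wrapped in single quotes and `$PolicyName` not quoted at all, and the resulting command line runs daily under the System principal with `-RunLevel Highest`. A name containing a quote, space or semicolon changes what that command does, so both parameters should be constrained before they reach the string, for example `[ValidatePattern('^[\w\- ]+$')]` on each, and `$PolicyName` should be quoted the same way as `$DomainGroup`. The task only ever assigns the policy to current members of the group; accounts later removed from the group keep it, which is worth a comment if that is intended.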