Update

AuthPolicy_steps.ps1

@@ -0,0 +1,73 @@
+Throw "this is not a robust file" 
+$location = Get-Location
+$oldVerbosePreference = $VerbosePreference
+$VerbosePreference = 'Continue'
+Set-Location C:\Tools\AuthPolicy
+
+#Region ProtectedUsers
+$providedgroup = Read-Host "Please provide group that members should be added to other group."
+$groupToUpdate = Read-Host "Please provide group that should be updated with new members from '$providedgroup'"
+$groupMembers = Get-ADGroupMember -Identity  $providedgroup
+foreach ($member in $groupMembers){
+    Write-Verbose "Updating group '$groupToUpdate' with '$member'"
+    Add-ADGroupMember -Identity $groupToUpdate -Members $member
+}
+#endregion
+
+#region Create Tier 1 Servers Group
+$csv = Read-Host -Prompt "Please provide full path to Groups csv file"
+.\Create-Group.ps1 -CSVfile $csv -Verbose
+$srv = Get-ADComputer -Identity srv01
+$group = Get-ADGroup -Identity 'Tier1Servers'
+Write-Verbose "Adding computer '$($srv.name)' to group '$($group.name)'"
+Add-ADGroupMember -Identity $group -Members $srv
+#endregion
+
+#region import GPO
+$BackupPath = Read-Host -Prompt "Please provide full path to GPO backups"
+.\Import-GPO.ps1 -BackupPath $BackupPath -Verbose
+Set-Location C:\Tools\AuthPolicy
+#endregion
+
+
+#region Link gpo
+$GpoLinks = @(
+    $(New-Object PSObject -Property @{ Name = "KDC Support for claims"; OU = "OU=Domain Controllers"; Order = 2 ;LinkEnabled = 'YES'}),
+    $(New-Object PSObject -Property @{ Name = "Kerberos client support for claims" ; OU = ""; Order = 2 ;LinkEnabled = 'YES'})
+)
+.\Link-GpoToOU.ps1 -GpoLinks $GpoLinks -Verbose
+
+#Region AuthPolicy
+.\New-AuthenticationPolicy -GroupName "Tier1Servers" -PolicyName "Tier1Servers" -Description "Assigned principals can authenticate to tier-0 PAWs only" -UserTGTLifetimeMins 121
+#endregion
+
+#Region ScheduledTask
+.\Register-NewScheduledTask.ps1 -DomainGroup "Tier1PAWMaint" -PolicyName "Tier1Servers"
+Get-ScheduledTask -TaskName "Update_Tier1Servers_Users" | Start-ScheduledTask 
+#endregion
+
+#region EventLog
+$Logs = @(
+    'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController',
+    'Microsoft-Windows-Authentication/ProtectedUser-Client',
+    'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController',
+    'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'
+)
+foreach ($logname in $logs){
+    Write-Verbose "Enabling logs for '$logname'"
+    $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
+    $log.IsEnabled=$true
+    $log.SaveChanges()
+}
+#endregion
+
+#region switch Auth Policy to Audit
+Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $false
+#endregion
+
+#region switch Auth Policy to Enforce
+Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $true
+#endregion
+
+$VerbosePreference = $oldVerbosePreference
+Set-Location $location

Backup/manifest.xml

@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst><GPOGuid><![CDATA[{69A692F6-134C-4B08-A059-116D0F4DBA71}]]></GPOGuid><GPODomain><![CDATA[azureblog.pl]]></GPODomain><GPODomainGuid><![CDATA[{88ed5944-7d81-4c63-9643-bc4d2b6d95d5}]]></GPODomainGuid><GPODomainController><![CDATA[DC01.azureblog.pl]]></GPODomainController><BackupTime><![CDATA[2020-06-01T17:49:48]]></BackupTime><ID><![CDATA[{8F0D3219-2D5E-44F5-BD27-478395FD744B}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[KDC Support for claims]]></GPODisplayName></BackupInst><BackupInst><GPOGuid><![CDATA[{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}]]></GPOGuid><GPODomain><![CDATA[azureblog.pl]]></GPODomain><GPODomainGuid><![CDATA[{88ed5944-7d81-4c63-9643-bc4d2b6d95d5}]]></GPODomainGuid><GPODomainController><![CDATA[DC01.azureblog.pl]]></GPODomainController><BackupTime><![CDATA[2020-06-01T17:49:38]]></BackupTime><ID><![CDATA[{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Kerberos client support for claims]]></GPODisplayName></BackupInst></Backups>

Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/Backup.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-657827913-1895599540-1755036276-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[AZUREBLOG]]></NetBIOSDomainName><DnsDomainName><![CDATA[azureblog.pl]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@azureblog.pl]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-657827913-1895599540-1755036276-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[AZUREBLOG]]></NetBIOSDomainName><DnsDomainName><![CDATA[azureblog.pl]]></DnsDomainName><UPN><![CDATA[Domain Admins@azureblog.pl]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}]]></ID><Domain><![CDATA[azureblog.pl]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Kerberos client support for claims]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[65537]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>

Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/DomainSysvol/GPO/Machine/comment.cmtx

@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.Kerberos"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>

Backup/{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}/bkupInfo.xml

@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{1421B66F-3379-4CE3-9B1B-2DC0B825EE14}]]></GPOGuid><GPODomain><![CDATA[azureblog.pl]]></GPODomain><GPODomainGuid><![CDATA[{88ed5944-7d81-4c63-9643-bc4d2b6d95d5}]]></GPODomainGuid><GPODomainController><![CDATA[DC01.azureblog.pl]]></GPODomainController><BackupTime><![CDATA[2020-06-01T17:49:38]]></BackupTime><ID><![CDATA[{40C19FA1-1F6F-40BE-A36C-4B187C8D57B8}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Kerberos client support for claims]]></GPODisplayName></BackupInst>

Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/Backup.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-657827913-1895599540-1755036276-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[AZUREBLOG]]></NetBIOSDomainName><DnsDomainName><![CDATA[azureblog.pl]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@azureblog.pl]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-657827913-1895599540-1755036276-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[AZUREBLOG]]></NetBIOSDomainName><DnsDomainName><![CDATA[azureblog.pl]]></DnsDomainName><UPN><![CDATA[Domain Admins@azureblog.pl]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{69A692F6-134C-4B08-A059-116D0F4DBA71}]]></ID><Domain><![CDATA[azureblog.pl]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 49 a8 35 27 b4 8d fc 70 74 ba 9b 68 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[KDC Support for claims]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{69A692F6-134C-4B08-A059-116D0F4DBA71}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{69A692F6-134C-4B08-A059-116D0F4DBA71}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\DC01.azureblog.pl\sysvol\azureblog.pl\Policies\{69A692F6-134C-4B08-A059-116D0F4DBA71}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>

Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/DomainSysvol/GPO/Machine/comment.cmtx

@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.Kerberos"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>

Backup/{8F0D3219-2D5E-44F5-BD27-478395FD744B}/bkupInfo.xml

@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{69A692F6-134C-4B08-A059-116D0F4DBA71}]]></GPOGuid><GPODomain><![CDATA[azureblog.pl]]></GPODomain><GPODomainGuid><![CDATA[{88ed5944-7d81-4c63-9643-bc4d2b6d95d5}]]></GPODomainGuid><GPODomainController><![CDATA[DC01.azureblog.pl]]></GPODomainController><BackupTime><![CDATA[2020-06-01T17:49:48]]></BackupTime><ID><![CDATA[{8F0D3219-2D5E-44F5-BD27-478395FD744B}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[KDC Support for claims]]></GPODisplayName></BackupInst>

Import-GPO.ps1

@@ -0,0 +1,35 @@
+<#
+    .Example
+    $BackupPath = Read-Host -Prompt "Please provide full path to GPO backups"
+    .\Import-GPO.ps1 -BackupPath $BackupPath -Verbose
+
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][string] $BackupPath,
+    [string] $GPOMigrationTable
+)
+
+$backupList = Get-ChildItem -Path $BackupPath
+Set-Location $BackupPath
+$location = Get-Location
+foreach ($item in $backupList) {
+    $backupID = $null
+    $xmlFilePath = $null
+    $gpoName = $null
+    $backupID = $item.name -replace "{", "" -replace "}", ""
+    $xmlFilePath = ".\$($item.name)\gpreport.xml"
+    [xml]$xmlFile = Get-Content -Path $xmlFilePath
+    $gpoName = $xmlFile.GPO.Name
+    Write-Verbose "Importing new GPO '$gpoName' with GUID '$backupID'"
+    Write-Verbose "Please remember to update proper groups in GPO settings"
+    if ($GPOMigrationTable -ne $null) {
+        Import-GPO -BackupId $backupID -TargetName $gpoName -Path $BackupPath -CreateIfNeeded
+    }
+    else {
+        Import-GPO -BackupId $backupID -TargetName $gpoName -Path $BackupPath -MigrationTable $GPOMigrationTable -CreateIfNeeded
+    }
+    Set-Location $location
+
+}

Link-GpoToOU.ps1

@@ -0,0 +1,31 @@
+<#
+    .EXAMPLE
+    $GpoLinks = @(
+        $(New-Object PSObject -Property @{ Name = "POLICYNAME" ; OU = "OUPATH"; Order = 1; LinkEnabled = 'YES'}),
+    )
+    .\Link-GpoToOU.ps1 -GpoLinks $GpoLinks -Verbose
+#>
+
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $True)][PSObject] $GpoLinks
+)
+Import-Module ActiveDirectory
+$DC = (Get-ADDomain).DistinguishedName
+
+$GpoLinks | foreach-Object {
+    $name = $_.Name
+    $OU = $_.ou
+    $order = $_.Order
+    $LinkEnabled = $_.LinkEnabled
+    if ($OU -eq "") {
+        
+        $ouPath = $DC
+    }
+    else {
+        $ouPath = "$OU,$DC"
+    }
+    Write-Verbose "Linking GPO '$name' into OU '$ouPath'"
+    New-GPLink -Name $name -Target $ouPath -LinkEnabled $LinkEnabled -Order $order
+}

New-AuthenticationPolicy.ps1

@@ -0,0 +1,20 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$True)] [string] $GroupName,
+    [Parameter(Mandatory=$True)] [string] $PolicyName,
+    [Parameter(Mandatory=$True)] [string] $Description,
+    [Parameter(Mandatory=$True)] [string] $UserTGTLifetimeMins
+)
+
+Write-Verbose "Creating new AuthenticationPolicy '$PolicyName' with UserTGTLifetimeMins '$UserTGTLifetimeMins'"
+New-ADAuthenticationPolicy -Name $PolicyName -Description $Description  -UserTGTLifetimeMins $UserTGTLifetimeMins -ProtectedFromAccidentalDeletion $true -Enforce
+
+$sids = @()
+Get-ADGroupMember -Identity $GroupName | ForEach-Object {
+    $sid = $_.SID.value
+    $sids += "SID($sid)"
+}
+if (($sids | Measure-Object).count -gt 1){$sidsj = $sids -join ", "}else{$sidsj = $sids}
+
+Write-Verbose "Adding members from group '$GroupName' to User Sign On section under Authentication Policy '$PolicyName'"
+Set-ADAuthenticationPolicy -Identity $PolicyName -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {$sidsj}))" 

Register-NewScheduledTask.ps1

@@ -0,0 +1,13 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$True)] [string] $DomainGroup,
+    [Parameter(Mandatory=$True)] [string] $PolicyName
+)
+
+$taskName = "Update_$($PolicyName)_Users"
+
+$argument = "-NoProfile -command " + '"' + "& Get-ADGroupMember -Recursive -Identity " + "'" + $DomainGroup + "'" + "| ForEach-Object {Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicy " + $PolicyName + " -Identity " + '$_' + ".SamAccountName}" + '"'
+$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument $argument
+$trigger =  New-ScheduledTaskTrigger -Daily -At 12am 
+$STPrin = New-ScheduledTaskPrincipal -GroupId "System" -RunLevel Highest
+Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskName -Principal $STPrin -Description "Update Authentication policy '$PolicyName' users with '$DomainGroup' members"