
# AuthPolicy_steps.ps1 -- an operator runbook, not a script meant to be run end to end.
# The Throw below is a deliberate guard: invoking the file as a whole stops here.
# Select and run one #region at a time, in order, and verify the outcome of each
# step before continuing. Every region changes Active Directory or host state
# (group membership, GPOs, an authentication policy, a scheduled task, event log
# configuration), so run with an account that is scoped to exactly those changes.
Throw "this is not a robust file"
# Remember the caller's working directory and verbosity so the last two lines can restore them.
$location = Get-Location
$oldVerbosePreference = $VerbosePreference
$VerbosePreference = 'Continue'
# The helper scripts below (.\Create-Group.ps1, .\Import-GPO.ps1, ...) are invoked
# by relative path, so the working directory must be the tooling folder.
Set-Location C:\Tools\AuthPolicy
#Region ProtectedUsers
# Copies every member of one group into another group. Both names come straight
# from the operator prompts without validation, so a typo in either prompt
# modifies the wrong group -- double-check the names before running this region.
# The values are passed as -Identity / -Members arguments, not interpolated into
# command text.
# NOTE(review): the region name suggests the target is the 'Protected Users' group -- confirm.
$providedgroup = Read-Host "Please provide group that members should be added to other group."
$groupToUpdate = Read-Host "Please provide group that should be updated with new members from '$providedgroup'"
$groupMembers = Get-ADGroupMember -Identity $providedgroup
# One Add-ADGroupMember call per member rather than a single -Members $groupMembers
# call; presumably so that a failure on one member does not abort the others.
foreach ($member in $groupMembers){
Write-Verbose "Updating group '$groupToUpdate' with '$member'"
Add-ADGroupMember -Identity $groupToUpdate -Members $member
}
#endregion
#region Create Tier 1 Servers Group
# Create-Group.ps1 creates groups from an operator-supplied CSV. The CSV is
# trusted as given -- confirm where it came from and review its content before
# running this step.
$csv = Read-Host -Prompt "Please provide full path to Groups csv file"
.\Create-Group.ps1 -CSVfile $csv -Verbose
# The computer name is hard-coded; 'Tier1Servers' must already exist at this point
# (presumably created by the CSV step above -- verify).
$srv = Get-ADComputer -Identity srv01
$group = Get-ADGroup -Identity 'Tier1Servers'
Write-Verbose "Adding computer '$($srv.name)' to group '$($group.name)'"
Add-ADGroupMember -Identity $group -Members $srv
#endregion
#region import GPO
# Import-GPO.ps1 imports GPO backups from the supplied folder. Imported GPO
# content becomes live policy, so the backup folder must come from a trusted,
# integrity-checked source, not from a writable share.
$BackupPath = Read-Host -Prompt "Please provide full path to GPO backups"
.\Import-GPO.ps1 -BackupPath $BackupPath -Verbose
# The working directory is set again here; presumably Import-GPO.ps1 changes it -- TODO confirm.
Set-Location C:\Tools\AuthPolicy
#endregion
#region Link gpo
# Link definitions consumed by Link-GpoToOU.ps1: Name, OU, Order and LinkEnabled.
# NOTE(review): the second entry has OU = "" -- check how Link-GpoToOU.ps1 treats an
# empty OU (domain root?) before running this region.
$GpoLinks = @(
$(New-Object PSObject -Property @{ Name = "KDC Support for claims"; OU = "OU=Domain Controllers"; Order = 2 ;LinkEnabled = 'YES'}),
$(New-Object PSObject -Property @{ Name = "Kerberos client support for claims" ; OU = ""; Order = 2 ;LinkEnabled = 'YES'})
)
.\Link-GpoToOU.ps1 -GpoLinks $GpoLinks -Verbose
#endregion
#Region AuthPolicy
# Creates the authentication policy for the Tier1Servers group with a 121 minute user TGT lifetime.
# NOTE(review): called without the .ps1 suffix, unlike the other helpers -- confirm it resolves.
# NOTE(review): the Description says "tier-0 PAWs" while the group and policy are
# Tier1 -- confirm the wording matches the intended scope.
.\New-AuthenticationPolicy -GroupName "Tier1Servers" -PolicyName "Tier1Servers" -Description "Assigned principals can authenticate to tier-0 PAWs only" -UserTGTLifetimeMins 121
#endregion
#Region ScheduledTask
# Registers a scheduled task for the policy (presumably keeping the policy's
# assigned principals in sync with the group) and runs it once immediately.
# The task name on the next line must match what Register-NewScheduledTask.ps1 creates -- verify.
.\Register-NewScheduledTask.ps1 -DomainGroup "Tier1PAWMaint" -PolicyName "Tier1Servers"
Get-ScheduledTask -TaskName "Update_Tier1Servers_Users" | Start-ScheduledTask
#endregion
#region EventLog
# Enables the four Authentication event log channels that record authentication
# policy and Protected Users failures/successes. These are the logs to review
# while the policy is in Audit mode (next region), so enable them before switching.
$Logs = @(
'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController',
'Microsoft-Windows-Authentication/ProtectedUser-Client',
'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController',
'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'
)
# $logs / $logName differ in case from $Logs / $logname; PowerShell variable names
# are case-insensitive, so they refer to the same variables.
foreach ($logname in $logs){
Write-Verbose "Enabling logs for '$logname'"
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.IsEnabled=$true
$log.SaveChanges()
}
#endregion
#region switch Auth Policy to Audit
# Audit mode (-Enforce $false): the policy is evaluated and logged but not
# enforced. Run this region on its own, review the logs enabled above for
# unexpected failures, and only then run the Enforce region. Running both regions
# back to back skips the audit window.
Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $false
#endregion
#region switch Auth Policy to Enforce
# Enforce mode (-Enforce $true): logons that violate the policy are now denied.
Get-ADAuthenticationPolicy -Identity "Tier1Servers" | Set-ADAuthenticationPolicy -Enforce $true
#endregion
# Restore the caller's verbosity setting and working directory.
$VerbosePreference = $oldVerbosePreference
Set-Location $location