From 27dc4dda5e43c2e84c8ac794182f26a42ee4d363 Mon Sep 17 00:00:00 2001
From: hcornet
Date: Wed, 29 Nov 2023 17:05:25 +0100
Subject: [PATCH] Update

---
 CopyTo-Sysvol.ps1 | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 LAPS_steps.ps1 | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 146 insertions(+)
 create mode 100644 CopyTo-Sysvol.ps1
 create mode 100644 LAPS_steps.ps1

diff --git a/CopyTo-Sysvol.ps1 b/CopyTo-Sysvol.ps1
new file mode 100644
index 0000000..a05f3e7
--- /dev/null
+++ b/CopyTo-Sysvol.ps1
@@ -0,0 +1,73 @@
+<#
+ .SYNOPSIS
+ Run get-help -example CopyTo-Sysvol.ps1 for examples
+
+ .EXAMPLE
+ .\CopyTo-Sysvol.ps1 -FilesPath C:\LAPS -DefaultSysvolPlacement -Verbose
+ VERBOSE: Declared SYSVOL path: 'C:\Windows\Sysvol\'
+ VERBOSE: Folder :'C:\Windows\Sysvol\\Sysvol\azureblog.pl\scripts' already exists
+ VERBOSE: Copying files from path 'C:\LAPS' to 'C:\Windows\Sysvol\Sysvol\azureblog.pl\scripts' using Recurse mode
+
+
+ Directory: C:\Windows\Sysvol\Sysvol\azureblog.pl\scripts
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 02.02.2020 13:02 LAPS
+
+ .EXAMPLE
+ .\CopyTo-Sysvol.ps1 -filesPath C:\LAPS -CustomSysvolPlacement -CustomSysvolPath C:\test -Verbose
+ VERBOSE: Declared SYSVOL path: 'C:\test'
+ VERBOSE: Folder :'C:\test\Sysvol\azureblog.pl\scripts' already exists
+ VERBOSE: Copying files from path 'C:\LAPS' to 'C:\test\Sysvol\azureblog.pl\scripts' using Recurse mode
+
+
+ Directory: C:\LAPS
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 05.12.2019 19:56 1019904 LAPS.x64.msi
+ -a---- 05.12.2019 19:56 991232 LAPS.x86.msi
+
+#>
+[CmdletBinding(DefaultParametersetName = "DefaultSysvolPath")]
+param (
+ [parameter(Mandatory = $true)]
+ [ValidateScript( { Test-Path $_ })]
+ [string]$FilesPath,
+ [parameter(ParameterSetName = "DefaultSysvolPath")]
+ [switch]$DefaultSysvolPlacement,
+ [parameter(ParameterSetName = "CustomSysvolPath")]
+ [switch]$CustomSysvolPlacement,
+ [parameter(ParameterSetName = "CustomSysvolPath", Mandatory = $true)]
+ [ValidateScript( { Test-Path $_ })]
+ [string]$CustomSysvolPath
+)
+
+$domain = $env:USERDNSDOMAIN
+switch ($PsCmdlet.ParameterSetName) {
+ "DefaultSysvolPath" {
+ $sysvolPath = "C:\Windows\Sysvol"
+ }
+ "CustomSysvolPath" {
+ $sysvolPath = $CustomSysvolPath
+ }
+}
+Write-Verbose "Declared SYSVOL path: '$sysvolPath'"
+
+$scriptsPath = "$sysvolPath\Sysvol\$domain\scripts"
+$scriptsTest = Test-Path -Path $scriptsPath
+if ($scriptstest -eq $false) {
+ Write-Error 
"There is no such a folder: '$scriptsPath'" +} +$filesPathTest = Test-Path -Path $scriptsPath +if ($filesPathTest -eq $true) { + Write-Verbose "Folder :'$scriptsPath' already exists" +} + +Write-Verbose "Copying files from path '$FilesPath' to '$scriptsPath' using Recurse mode" +Copy-Item -Path $FilesPath -Destination $scriptsPath -Recurse -Force + +Get-ChildItem -Path $FilesPath diff --git a/LAPS_steps.ps1 b/LAPS_steps.ps1 new file mode 100644 index 0000000..cd89862 --- /dev/null +++ b/LAPS_steps.ps1 
@@ -0,0 +1,73 @@
+Throw "this is not a robust file"
+$location = Get-Location
+Set-Location C:\Tools\LAPS
+$dsnAME = (Get-ADDomain).DistinguishedName
+$domain = $env:USERDNSDOMAIN
+
+Throw "Please download LAPS from aka.ms/laps and put the msi files into the C:\Tools\LAPS\LAPS"
+
+#Copy LAPS msi files to sysvol
+ .\CopyTo-Sysvol.ps1 -FilesPath C:\ADSecurity\LAPS\LAPS -Verbose
+
+#schema extension with LAPS #64 on DC LAB
+ $lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS\LAPS.x64.msi"
+ $expression = "C:\Windows\System32\msiexec.exe /i $lapsPath ADDLOCAL=CSE,Management,Management.UI,Management.PS,Management.ADMX /quiet"
+ Invoke-Expression $expression
+<#
+ #64 on PAW
+ $lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS.x64.msi"
+ $expression = "C:\Windows\System32\msiexec.exe /i $LapsPath ADDLOCAL=CSE,Management.PS /quiet"
+ Invoke-Expression $expression
+ #32 on PAW
+ $lapsPath = "\\$Domain\SysVol\$Domain\Scripts\LAPS.x32.msi"
+ $expression = "C:\Windows\System32\msiexec.exe /i $LapsPath ADDLOCAL=CSE,Management.PS /quiet"
+ Invoke-Expression $expression
+#>
+#run as a member of schema admins group
+ Import-module AdmPwd.PS
+ Update-AdmPwdADSchema
+
+#Allow computers to store passwords
+ Import-module AdmPwd.PS
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname"
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname"
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname"
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Tier 1 Servers,$dsname"
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Workstations,$dsname"
+ Set-AdmPwdComputerSelfPermission -Identity "OU=Quarantine,$dsname"
+
+#Allow users to read passwords
+ Import-module AdmPwd.PS
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain 
Admins"
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Tier 1 Servers,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Workstations,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdReadPasswordPermission -Identity "OU=Quarantine,$dsname" -AllowedPrincipals "Domain Admins","tier2admins"
+
+#Alow users to reset passwords
+ Import-module AdmPwd.PS
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Devices,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Tier0 Servers,OU=Tier0,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins"
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Devices,OU=Tier1,OU=Admin,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Tier 1 Servers,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Workstations,$dsname" -AllowedPrincipals "Domain Admins","tier1admins"
+ Set-AdmPwdResetPasswordPermission -Identity "OU=Quarantine,$dsname" -AllowedPrincipals "Domain Admins","tier2admins"
+
+#LAPS Installation GPO
+ Name: LAPSInstallation-v1.0
+ Source Starter GPO: (none)
+ GPO Status: User configuration settings disabled
+ Category Package Placement Deploy Software Additional Info
+ Software Installation \\$domain\sysvol\$domain\scripts\LAPS\LAPS.x64.msi Assigned
+ Category Package Placement Deploy Software Additional Info
+ Software Installation \\$domain\sysvol\$domainscripts\LAPS\LAPS.x86.msi Assigned Uncheck Make this 32-bit x86 appliction available to Win64 machines
+
+#LAPS Configuration Policy
+ Name: LAPSConfiguration-v1.0
+ Source Starter GPO: (none)
+ GPO Status: User configuration settings disabled
+ Category Subcategory Policy Setting
+
+ Administrative 
Templates LAPS Password Settings Enabled
+ Password Complexity: Large letters + small letters + numbers + specials
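Review bot: `Invoke-Expression $expression` on a command line assembled from `$lapsPath` re-parses the whole string, so any character PowerShell treats specially in the interpolated path (`$Domain` is taken from the environment) changes what gets executed; call msiexec directly instead, e.g. `$msiArgs = @('/i', $lapsPath, 'ADDLOCAL=CSE,Management,Management.UI,Management.PS,Management.ADMX', '/quiet')` followed by `Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait`. The same pattern repeats in the two commented-out PAW blocks. Because the MSI is executed from the domain-wide `\\$Domain\SysVol\...` share, a guard such as `if ((Get-AuthenticodeSignature $lapsPath).Status -ne 'Valid') { throw "unsigned or tampered LAPS MSI: $lapsPath" }` before the install would make an unexpected package fail loudly rather than install. `$location = Get-Location` is captured but never restored after `Set-Location C:\Tools\LAPS`, and the CopyTo-Sysvol call uses `C:\ADSecurity\LAPS\LAPS` while the Throw message just above it points at `C:\Tools\LAPS\LAPS`, so one of the two paths is stale.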