Delete commit history (containing proprietary code)

2021-01-23 16:04:42 +01:00
commit 0cf09c5ff9
40 changed files with 2309 additions and 0 deletions
--- a/scripts/ADDS/payload/scripts/12.Restrict
+++ b/scripts/ADDS/payload/scripts/12.Restrict
@ -0,0 +1,83 @@
+#Requires -Modules 'ActiveDirectory','powershell-yaml'
+Param(
+    [Parameter(Mandatory)]
+    [hashtable]$Parameter
+)
+
+# Only executed on primary Domain Controller
+If ((Get-WmiObject -Class 'Win32_ComputerSystem').DomainRole -eq 5) {
+    $PSDrive = Get-PSDrive -Name 'AD'
+    If ([boolean]$PSDrive -eq $False) {
+        $NewPSDriveSplat = @{
+            Name       = 'ADDS'
+            Root       = ''
+            PSProvider = 'ActiveDirectory'
+        }
+        $PSDrive = New-PSDrive @NewPSDriveSplat
+    }
+
+    $GetContentSplat = @{
+        Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.yml')
+        Raw  = $True
+    }
+    $RawContent = Get-Content @GetContentSplat
+    $ConvertFromYamlSplat = @{
+        Yaml         = $RawContent
+        AllDocuments = $True
+    }
+    $WhiteList = ConvertFrom-Yaml @ConvertFromYamlSplat
+
+    $GetADObjectSplat = @{
+        Filter      = '*'
+        SearchBase  = 'DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
+        SearchScope = 'OneLevel'
+    }
+    $WhiteListedOUs = @()
+    ForEach ($OU in $WhiteList.WhiteListedOUs) {
+        $WhiteListedOUs += Get-ADObject @GetADObjectSplat | Where-Object {
+            $_.DistinguishedName -match $OU
+        }
+    }
+    $ParentContainers = Get-ADObject @GetADObjectSplat | Where-Object {
+        ('builtinDomain', 'container', 'organizationalUnit', <#'lostAndFound',#> 'msDS-QuotaContainer', 'msTPM-InformationObjectsContainer') -contains $_.ObjectClass
+    }
+
+    ForEach ($Parent in $ParentContainers) {
+        If ($WhiteListedOUs.DistinguishedName -notcontains $Parent.DistinguishedName) {
+            ForEach ($SecurityPrincipal in $WhiteList.LimitedSecurityPrincipals) {
+                $GetACLSPlat = @{
+                    Path = "$($PSDrive.Name):\$($Parent.DistinguishedName)"
+                }
+                $ACL = Get-ACL @GetACLSPlat
+
+                $GetADObjectSplat = @{
+                    Filter = "sAMAccountName -eq '$($SecurityPrincipal)'"
+                    Properties = 'objectSID'
+                }
+                $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
+                    (Get-ADObject @GetADObjectSplat).objectSID,
+                    [System.DirectoryServices.ActiveDirectoryRights]"GenericAll",
+                    [System.Security.AccessControl.AccessControlType]"Deny",
+                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"
+                )
+                $ACL.AddAccessRule($NewACE)
+
+                $SetAclSplat = @{
+                    Path        = "$($PSDrive.Name):\$($Parent.DistinguishedName)"
+                    AclObject   = $ACL
+                    ErrorAction = 'Continue'
+                }
+                Set-Acl @SetAclSplat
+            }
+        }
+    }
+
+    If ([boolean]$PSDrive.Name -eq 'ADDS') {
+        $RemovePSDriveSplat = @{
+            Name    = 'ADDS'
+            Force   = $True
+            Confirm = $False
+        }
+        Remove-PSDrive @RemovePSDriveSplat | Out-Null
+    }
+}