Allow multiple OU's for Delegation of Control

2021-05-03 14:18:58 +02:00 · 2021-05-03 14:18:58 +02:00 · 483013270d
parent aa2c05df3f
commit 483013270d
3 changed files with 52 additions and 38 deletions
--- a/scripts/ADDS/payload/scripts/01.Organizational
+++ b/scripts/ADDS/payload/scripts/01.Organizational
@ -7,6 +7,8 @@ OrganizationalUnits:
  Description: ''
 - DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
  Description: ''
+- DistinguishedName: OU=Kiosks,OU=Clients,OU=Computer accounts
+  Description: ''
 - DistinguishedName: OU=Servers,OU=Computer accounts
  Description: ''

--- a/scripts/ADDS/payload/scripts/04.Delegation
+++ b/scripts/ADDS/payload/scripts/04.Delegation
@ -65,52 +65,61 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
    $GUIDMap['null'] = [Guid]::Empty

    ForEach ($Entry in $Delegations.DelegationEntries) {
-        $GetADObjectSplat = @{
-            Identity = $Entry.OrganizationalUnit + (($Parameter['addsconfig.domainname'] -split '\.' | ForEach-Object {',DC={0}' -f $_}) -join '')
-        }
-        $OU = Get-ADObject @GetADObjectSplat
-        $GetACLSPlat = @{
-            Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
-        }
-        $ACL = Get-ACL @GetACLSPlat
-
        $GetADObjectSplat = @{
            Filter = "sAMAccountName -eq '$($Entry.Principal)'"
            Properties = 'objectSID'
        }
        $Principal = Get-ADObject @GetADObjectSplat

-        ForEach ($Rule in $Entry.AccessRules) {
-            If ($Rule.ObjectType -eq '') {
-                $Rule.ObjectType = 'null'
+        ForEach ($OU in $Entry.OrganizationalUnit) {
+            $GetADObjectSplat = @{
+                Identity    = ($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))
+                ErrorAction = 'SilentlyContinue'
            }
-            If ($Rule.InheritedObjectType -eq '') {
-                $Rule.InheritedObjectType = 'null'
+            $OU = Get-ADObject @GetADObjectSplat
+            If ([boolean]$OU) {
+                $GetACLSPlat = @{
+                    Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
+                }
+                $ACL = Get-ACL @GetACLSPlat
+            }
+            Else {
+                # Respective OU was not found in Active Directory; skipping permission assignment
+                Continue
            }

-            $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
-                # An IdentityReference object that identifies the trustee of the access rule.
-                [System.Security.Principal.IdentityReference]$Principal.objectSID,
-                # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
-                [System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
-                # One of the AccessControlType enumeration values that specifies the access rule type.
-                [System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
-                # The schema GUID of the object to which the access rule applies.
-                [Guid]$GUIDMap[$Rule.ObjectType],
-                # One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
-                [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
-                # The schema GUID of the child object type that can inherit this access rule.
-                [Guid]$GUIDMap[$Rule.InheritedObjectType]
-            )
-            $ACL.AddAccessRule($NewACE)
-        }
+            ForEach ($Rule in $Entry.AccessRules) {
+                If ($Rule.ObjectType -eq '') {
+                    $Rule.ObjectType = 'null'
+                }
+                If ($Rule.InheritedObjectType -eq '') {
+                    $Rule.InheritedObjectType = 'null'
+                }
+    
+                $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
+                    # An IdentityReference object that identifies the trustee of the access rule.
+                    [System.Security.Principal.IdentityReference]$Principal.objectSID,
+                    # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
+                    [System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
+                    # One of the AccessControlType enumeration values that specifies the access rule type.
+                    [System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
+                    # The schema GUID of the object to which the access rule applies.
+                    [Guid]$GUIDMap[$Rule.ObjectType],
+                    # One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
+                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
+                    # The schema GUID of the child object type that can inherit this access rule.
+                    [Guid]$GUIDMap[$Rule.InheritedObjectType]
+                )
+                $ACL.AddAccessRule($NewACE)
+            }

-        $SetAclSplat = @{
-            Path        = "$($PSDrive.Name):\$($OU.DistinguishedName)"
-            AclObject   = $ACL
-            ErrorAction = 'Continue'
+            $SetAclSplat = @{
+                Path        = "$($PSDrive.Name):\$($OU.DistinguishedName)"
+                AclObject   = $ACL
+                ErrorAction = 'Continue'
+            }
+            Set-Acl @SetAclSplat
        }
-        Set-Acl @SetAclSplat
    }

    If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {
--- a/scripts/ADDS/payload/scripts/04.Delegation
+++ b/scripts/ADDS/payload/scripts/04.Delegation
@ -1,6 +1,8 @@
 DelegationEntries:
- Principal: admJaneD
-  OrganizationalUnit: CN=Computers                   # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
+- Principal: admJaneD                                # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
+  OrganizationalUnit:
+  - CN=Computers
+  - OU=Kiosks,OU=Clients,OU=Computer accounts
  AccessRules:
  - ActiveDirectoryRights: Self                      # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
    AccessControlType: Allow                         # One of the AccessControlType enumeration values that specifies the access rule type.
@ -48,7 +50,8 @@ DelegationEntries:
    ObjectType: Computer
    InheritedObjectType: ''
 - Principal: admJaneD
-  OrganizationalUnit: OU=Clients,OU=Computer accounts
+  OrganizationalUnit:
+  - OU=Clients,OU=Computer accounts
  AccessRules:
  - ActiveDirectoryRights: CreateChild, DeleteChild
    AccessControlType: Allow