diff --git a/scripts/ADDS/payload/scripts/01.Organizational units.yml b/scripts/ADDS/payload/scripts/01.Organizational units.yml
index 28b415c..d700eb6 100644
--- a/scripts/ADDS/payload/scripts/01.Organizational units.yml
+++ b/scripts/ADDS/payload/scripts/01.Organizational units.yml
@@ -7,6 +7,8 @@ OrganizationalUnits:
   Description: ''
 - DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
   Description: ''
+- DistinguishedName: OU=Kiosks,OU=Clients,OU=Computer accounts
+  Description: ''
 - DistinguishedName: OU=Servers,OU=Computer accounts
   Description: ''
diff --git a/scripts/ADDS/payload/scripts/04.Delegation of Control.ps1 b/scripts/ADDS/payload/scripts/04.Delegation of Control.ps1
index 5cb1eef..e2f195a 100644
--- a/scripts/ADDS/payload/scripts/04.Delegation of Control.ps1
+++ b/scripts/ADDS/payload/scripts/04.Delegation of Control.ps1
@@ -65,52 +65,61 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) { $GUIDMap['null'] = [Guid]::Empty ForEach ($Entry in $Delegations.DelegationEntries) { - $GetADObjectSplat = @{ - Identity = $Entry.OrganizationalUnit + (($Parameter['addsconfig.domainname'] -split '\.' | ForEach-Object {',DC={0}' -f $_}) -join '') - } - $OU = Get-ADObject @GetADObjectSplat - $GetACLSPlat = @{ - Path = "$($PSDrive.Name):\$($OU.DistinguishedName)" - } - $ACL = Get-ACL @GetACLSPlat - $GetADObjectSplat = @{ Filter = "sAMAccountName -eq '$($Entry.Principal)'" Properties = 'objectSID' } $Principal = Get-ADObject @GetADObjectSplat - ForEach ($Rule in $Entry.AccessRules) { - If ($Rule.ObjectType -eq '') { - $Rule.ObjectType = 'null' + ForEach ($OU in $Entry.OrganizationalUnit) { + $GetADObjectSplat = @{ + Identity = ($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)) + ErrorAction = 'SilentlyContinue' } - If ($Rule.InheritedObjectType -eq '') { - $Rule.InheritedObjectType = 'null' + $OU = Get-ADObject @GetADObjectSplat + If ([boolean]$OU) { + $GetACLSPlat = @{ + Path = "$($PSDrive.Name):\$($OU.DistinguishedName)" + } + $ACL = Get-ACL @GetACLSPlat + } + Else { + # Respective OU was not found in Active Directory; skipping permission assignment + Continue } - $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule( - # An IdentityReference object that identifies the trustee of the access rule. - [System.Security.Principal.IdentityReference]$Principal.objectSID, - # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. - [System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights, - # One of the AccessControlType enumeration values that specifies the access rule type. - [System.Security.AccessControl.AccessControlType]$Rule.AccessControlType, - # The schema GUID of the object to which the access rule applies. 
- [Guid]$GUIDMap[$Rule.ObjectType], - # One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule. - [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance, - # The schema GUID of the child object type that can inherit this access rule. - [Guid]$GUIDMap[$Rule.InheritedObjectType] - ) - $ACL.AddAccessRule($NewACE) - } + ForEach ($Rule in $Entry.AccessRules) { + If ($Rule.ObjectType -eq '') { + $Rule.ObjectType = 'null' + } + If ($Rule.InheritedObjectType -eq '') { + $Rule.InheritedObjectType = 'null' + } + + $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule( + # An IdentityReference object that identifies the trustee of the access rule. + [System.Security.Principal.IdentityReference]$Principal.objectSID, + # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. + [System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights, + # One of the AccessControlType enumeration values that specifies the access rule type. + [System.Security.AccessControl.AccessControlType]$Rule.AccessControlType, + # The schema GUID of the object to which the access rule applies. + [Guid]$GUIDMap[$Rule.ObjectType], + # One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule. + [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance, + # The schema GUID of the child object type that can inherit this access rule. 
+                    [Guid]$GUIDMap[$Rule.InheritedObjectType]
+                )
+                $ACL.AddAccessRule($NewACE)
+            }
-        $SetAclSplat = @{
-            Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
-            AclObject = $ACL
-            ErrorAction = 'Continue'
+            $SetAclSplat = @{
+                Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
+                AclObject = $ACL
+                ErrorAction = 'Continue'
+            }
+            Set-Acl @SetAclSplat
         }
-        Set-Acl @SetAclSplat
     }
     If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {
diff --git a/scripts/ADDS/payload/scripts/04.Delegation of Control.yml b/scripts/ADDS/payload/scripts/04.Delegation of Control.yml
index c2f448e..47b0cdd 100644
--- a/scripts/ADDS/payload/scripts/04.Delegation of Control.yml
+++ b/scripts/ADDS/payload/scripts/04.Delegation of Control.yml
@@ -1,6 +1,8 @@
 DelegationEntries:
-- Principal: admJaneD
-  OrganizationalUnit: CN=Computers # Entries will be concatenated with ',DC=,DC=' automatically
+- Principal: admJaneD # Entries will be concatenated with ',DC=,DC=' automatically
+  OrganizationalUnit:
+  - CN=Computers
+  - OU=Kiosks,OU=Clients,OU=Computer accounts
   AccessRules:
   - ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
     AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type.
@@ -48,7 +50,8 @@ DelegationEntries:
     ObjectType: Computer
     InheritedObjectType: ''
 - Principal: admJaneD
-  OrganizationalUnit: OU=Clients,OU=Computer accounts
+  OrganizationalUnit:
+  - OU=Clients,OU=Computer accounts
   AccessRules:
   - ActiveDirectoryRights: CreateChild, DeleteChild
     AccessControlType: Allow
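Review bot: An ObjectType or InheritedObjectType name that is not a key of $GUIDMap resolves to $null, and `[Guid]$null` becomes Guid.Empty (PowerShell converts $null to the value type's default), so a typo in the YAML silently produces an ACE that applies to every object class instead of failing; guard the lookup before the New-Object call, e.g. `If (-not $GUIDMap.ContainsKey($Rule.ObjectType)) { throw "Unknown ObjectType '$($Rule.ObjectType)' for $($Entry.Principal)" }`, and the same for InheritedObjectType. The new OU lookup has a related silent path: with `ErrorAction = 'SilentlyContinue'` any failure, not only a missing OU, lands in the `Continue` branch with no output, so a mistyped DN means the delegation is never applied and nothing reports it; a `Write-Warning` naming the DN and principal before `Continue` would surface that, which also argues for a distinct loop variable (`ForEach ($OUPath in $Entry.OrganizationalUnit)`) since `$OU = Get-ADObject` overwrites the DN string the message would need. `$Principal` gets no such guard, so an unknown sAMAccountName still reaches New-Object with a null objectSID. `(Get-ADRootDSE).rootDomainNamingContext` is the forest root's naming context rather than the current domain's (`defaultNamingContext`); the two coincide only in the root domain, which the `deployment.type` gate may guarantee — worth confirming, and the call could be hoisted out of the loop. The enclosing If block starts before this hunk.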
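Review bot: The comment `# Entries will be concatenated with ',DC=,DC=' automatically` now hangs off the Principal line although it describes the OrganizationalUnit entries beneath it, so someone editing the principal is told something about a different field. Put it back on the key it documents, e.g. `OrganizationalUnit: # Each entry is suffixed with the domain naming context automatically`, which the list form allows since that line no longer carries a value. The companion script in this commit appends `(Get-ADRootDSE).rootDomainNamingContext` rather than a literal ',DC=,DC=' string, so the wording should say "domain naming context" instead of spelling out components that the script no longer builds that way.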