Allow multiple OU's for Delegation of Control
parent
aa2c05df3f
commit
483013270d
@ -7,6 +7,8 @@ OrganizationalUnits:
|
|||||||
Description: ''
|
Description: ''
|
||||||
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
|
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
|
||||||
Description: ''
|
Description: ''
|
||||||
|
- DistinguishedName: OU=Kiosks,OU=Clients,OU=Computer accounts
|
||||||
|
Description: ''
|
||||||
- DistinguishedName: OU=Servers,OU=Computer accounts
|
- DistinguishedName: OU=Servers,OU=Computer accounts
|
||||||
Description: ''
|
Description: ''
|
||||||
|
|
||||||
|
@ -65,52 +65,61 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
|||||||
$GUIDMap['null'] = [Guid]::Empty
|
$GUIDMap['null'] = [Guid]::Empty
|
||||||
|
|
||||||
ForEach ($Entry in $Delegations.DelegationEntries) {
|
ForEach ($Entry in $Delegations.DelegationEntries) {
|
||||||
$GetADObjectSplat = @{
|
|
||||||
Identity = $Entry.OrganizationalUnit + (($Parameter['addsconfig.domainname'] -split '\.' | ForEach-Object {',DC={0}' -f $_}) -join '')
|
|
||||||
}
|
|
||||||
$OU = Get-ADObject @GetADObjectSplat
|
|
||||||
$GetACLSPlat = @{
|
|
||||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
|
||||||
}
|
|
||||||
$ACL = Get-ACL @GetACLSPlat
|
|
||||||
|
|
||||||
$GetADObjectSplat = @{
|
$GetADObjectSplat = @{
|
||||||
Filter = "sAMAccountName -eq '$($Entry.Principal)'"
|
Filter = "sAMAccountName -eq '$($Entry.Principal)'"
|
||||||
Properties = 'objectSID'
|
Properties = 'objectSID'
|
||||||
}
|
}
|
||||||
$Principal = Get-ADObject @GetADObjectSplat
|
$Principal = Get-ADObject @GetADObjectSplat
|
||||||
|
|
||||||
ForEach ($Rule in $Entry.AccessRules) {
|
ForEach ($OU in $Entry.OrganizationalUnit) {
|
||||||
If ($Rule.ObjectType -eq '') {
|
$GetADObjectSplat = @{
|
||||||
$Rule.ObjectType = 'null'
|
Identity = ($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))
|
||||||
|
ErrorAction = 'SilentlyContinue'
|
||||||
}
|
}
|
||||||
If ($Rule.InheritedObjectType -eq '') {
|
$OU = Get-ADObject @GetADObjectSplat
|
||||||
$Rule.InheritedObjectType = 'null'
|
If ([boolean]$OU) {
|
||||||
|
$GetACLSPlat = @{
|
||||||
|
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||||
|
}
|
||||||
|
$ACL = Get-ACL @GetACLSPlat
|
||||||
|
}
|
||||||
|
Else {
|
||||||
|
# Respective OU was not found in Active Directory; skipping permission assignment
|
||||||
|
Continue
|
||||||
}
|
}
|
||||||
|
|
||||||
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
|
ForEach ($Rule in $Entry.AccessRules) {
|
||||||
# An IdentityReference object that identifies the trustee of the access rule.
|
If ($Rule.ObjectType -eq '') {
|
||||||
[System.Security.Principal.IdentityReference]$Principal.objectSID,
|
$Rule.ObjectType = 'null'
|
||||||
# A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
}
|
||||||
[System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
|
If ($Rule.InheritedObjectType -eq '') {
|
||||||
# One of the AccessControlType enumeration values that specifies the access rule type.
|
$Rule.InheritedObjectType = 'null'
|
||||||
[System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
|
}
|
||||||
# The schema GUID of the object to which the access rule applies.
|
|
||||||
[Guid]$GUIDMap[$Rule.ObjectType],
|
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
|
||||||
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
|
# An IdentityReference object that identifies the trustee of the access rule.
|
||||||
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
|
[System.Security.Principal.IdentityReference]$Principal.objectSID,
|
||||||
# The schema GUID of the child object type that can inherit this access rule.
|
# A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
||||||
[Guid]$GUIDMap[$Rule.InheritedObjectType]
|
[System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
|
||||||
)
|
# One of the AccessControlType enumeration values that specifies the access rule type.
|
||||||
$ACL.AddAccessRule($NewACE)
|
[System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
|
||||||
}
|
# The schema GUID of the object to which the access rule applies.
|
||||||
|
[Guid]$GUIDMap[$Rule.ObjectType],
|
||||||
|
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
|
||||||
|
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
|
||||||
|
# The schema GUID of the child object type that can inherit this access rule.
|
||||||
|
[Guid]$GUIDMap[$Rule.InheritedObjectType]
|
||||||
|
)
|
||||||
|
$ACL.AddAccessRule($NewACE)
|
||||||
|
}
|
||||||
|
|
||||||
$SetAclSplat = @{
|
$SetAclSplat = @{
|
||||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||||
AclObject = $ACL
|
AclObject = $ACL
|
||||||
ErrorAction = 'Continue'
|
ErrorAction = 'Continue'
|
||||||
|
}
|
||||||
|
Set-Acl @SetAclSplat
|
||||||
}
|
}
|
||||||
Set-Acl @SetAclSplat
|
|
||||||
}
|
}
|
||||||
|
|
||||||
If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {
|
If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {
|
||||||
|
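Review bot: The `Else { Continue }` branch added for a missing OU skips the delegation silently, because the lookup runs with `ErrorAction = 'SilentlyContinue'` and the branch carries only a comment; a mistyped OU in the YAML then leaves an expected ACL unapplied with nothing in the output to show it. Emit a warning before continuing, e.g. `Write-Warning ("Skipping delegation for '{0}': OU '{1}' not found" -f $Entry.Principal, $OU)`. The same gap exists one level up: `$Principal = Get-ADObject @GetADObjectSplat` is never checked, so an unknown principal presumably reaches `[System.Security.Principal.IdentityReference]$Principal.objectSID` with a null SID and the `New-Object` call would fail inside the rule loop; a `If (-not $Principal) { Write-Warning "Principal '$($Entry.Principal)' not found"; Continue }` guard after that lookup keeps the failure mode explicit. As a point of style, `ForEach ($OU in $Entry.OrganizationalUnit)` reuses `$OU` for both the configured DN string and the object returned by `Get-ADObject`, so `$OU.DistinguishedName` further down reads as if it were applied to the string; naming the loop variable `$OUPath` avoids that. The enclosing `If (@('primary','standalone') -contains ...)` block and the `$GUIDMap` setup start outside the hunk.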
@ -1,6 +1,8 @@
|
|||||||
DelegationEntries:
|
DelegationEntries:
|
||||||
- Principal: admJaneD
|
- Principal: admJaneD # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
|
||||||
OrganizationalUnit: CN=Computers # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
|
OrganizationalUnit:
|
||||||
|
- CN=Computers
|
||||||
|
- OU=Kiosks,OU=Clients,OU=Computer accounts
|
||||||
AccessRules:
|
AccessRules:
|
||||||
- ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
- ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
||||||
AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type.
|
AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type.
|
||||||
@ -48,7 +50,8 @@ DelegationEntries:
|
|||||||
ObjectType: Computer
|
ObjectType: Computer
|
||||||
InheritedObjectType: ''
|
InheritedObjectType: ''
|
||||||
- Principal: admJaneD
|
- Principal: admJaneD
|
||||||
OrganizationalUnit: OU=Clients,OU=Computer accounts
|
OrganizationalUnit:
|
||||||
|
- OU=Clients,OU=Computer accounts
|
||||||
AccessRules:
|
AccessRules:
|
||||||
- ActiveDirectoryRights: CreateChild, DeleteChild
|
- ActiveDirectoryRights: CreateChild, DeleteChild
|
||||||
AccessControlType: Allow
|
AccessControlType: Allow
|
||||||
|
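Review bot: The comment `# Entries will be concatenated with ',DC=<example>,DC=<org>' automatically` now sits on the `- Principal: admJaneD` line in the first hunk, but the concatenation applies to the `OrganizationalUnit` entries, not to the principal name, so the moved comment documents the wrong key. Place it on the `OrganizationalUnit:` line instead, and since the script hunk in this commit now appends the value of `rootDomainNamingContext` rather than a hard-coded domain split, the wording `# Each entry is suffixed with the domain's naming context (',DC=<example>,DC=<org>') automatically` would describe the new behaviour more accurately. The second hunk at `@ -48,7 +50,8` makes the same list conversion without a comment, so whichever wording is chosen should appear there too or once at the top of the file.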