Allow multiple OU's for Delegation of Control
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
aa2c05df3f
commit
483013270d
@ -7,6 +7,8 @@ OrganizationalUnits:
|
||||
Description: ''
|
||||
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
|
||||
Description: ''
|
||||
- DistinguishedName: OU=Kiosks,OU=Clients,OU=Computer accounts
|
||||
Description: ''
|
||||
- DistinguishedName: OU=Servers,OU=Computer accounts
|
||||
Description: ''
|
||||
|
||||
|
@ -65,52 +65,61 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
|
||||
$GUIDMap['null'] = [Guid]::Empty
|
||||
|
||||
ForEach ($Entry in $Delegations.DelegationEntries) {
|
||||
$GetADObjectSplat = @{
|
||||
Identity = $Entry.OrganizationalUnit + (($Parameter['addsconfig.domainname'] -split '\.' | ForEach-Object {',DC={0}' -f $_}) -join '')
|
||||
}
|
||||
$OU = Get-ADObject @GetADObjectSplat
|
||||
$GetACLSPlat = @{
|
||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||
}
|
||||
$ACL = Get-ACL @GetACLSPlat
|
||||
|
||||
$GetADObjectSplat = @{
|
||||
Filter = "sAMAccountName -eq '$($Entry.Principal)'"
|
||||
Properties = 'objectSID'
|
||||
}
|
||||
$Principal = Get-ADObject @GetADObjectSplat
|
||||
|
||||
ForEach ($Rule in $Entry.AccessRules) {
|
||||
If ($Rule.ObjectType -eq '') {
|
||||
$Rule.ObjectType = 'null'
|
||||
ForEach ($OU in $Entry.OrganizationalUnit) {
|
||||
$GetADObjectSplat = @{
|
||||
Identity = ($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))
|
||||
ErrorAction = 'SilentlyContinue'
|
||||
}
|
||||
If ($Rule.InheritedObjectType -eq '') {
|
||||
$Rule.InheritedObjectType = 'null'
|
||||
$OU = Get-ADObject @GetADObjectSplat
|
||||
If ([boolean]$OU) {
|
||||
$GetACLSPlat = @{
|
||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||
}
|
||||
$ACL = Get-ACL @GetACLSPlat
|
||||
}
|
||||
Else {
|
||||
# Respective OU was not found in Active Directory; skipping permission assignment
|
||||
Continue
|
||||
}
|
||||
|
||||
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
|
||||
# An IdentityReference object that identifies the trustee of the access rule.
|
||||
[System.Security.Principal.IdentityReference]$Principal.objectSID,
|
||||
# A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
||||
[System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
|
||||
# One of the AccessControlType enumeration values that specifies the access rule type.
|
||||
[System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
|
||||
# The schema GUID of the object to which the access rule applies.
|
||||
[Guid]$GUIDMap[$Rule.ObjectType],
|
||||
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
|
||||
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
|
||||
# The schema GUID of the child object type that can inherit this access rule.
|
||||
[Guid]$GUIDMap[$Rule.InheritedObjectType]
|
||||
)
|
||||
$ACL.AddAccessRule($NewACE)
|
||||
}
|
||||
ForEach ($Rule in $Entry.AccessRules) {
|
||||
If ($Rule.ObjectType -eq '') {
|
||||
$Rule.ObjectType = 'null'
|
||||
}
|
||||
If ($Rule.InheritedObjectType -eq '') {
|
||||
$Rule.InheritedObjectType = 'null'
|
||||
}
|
||||
|
||||
$SetAclSplat = @{
|
||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||
AclObject = $ACL
|
||||
ErrorAction = 'Continue'
|
||||
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
|
||||
# An IdentityReference object that identifies the trustee of the access rule.
|
||||
[System.Security.Principal.IdentityReference]$Principal.objectSID,
|
||||
# A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
||||
[System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
|
||||
# One of the AccessControlType enumeration values that specifies the access rule type.
|
||||
[System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
|
||||
# The schema GUID of the object to which the access rule applies.
|
||||
[Guid]$GUIDMap[$Rule.ObjectType],
|
||||
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
|
||||
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
|
||||
# The schema GUID of the child object type that can inherit this access rule.
|
||||
[Guid]$GUIDMap[$Rule.InheritedObjectType]
|
||||
)
|
||||
$ACL.AddAccessRule($NewACE)
|
||||
}
|
||||
|
||||
$SetAclSplat = @{
|
||||
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
|
||||
AclObject = $ACL
|
||||
ErrorAction = 'Continue'
|
||||
}
|
||||
Set-Acl @SetAclSplat
|
||||
}
|
||||
Set-Acl @SetAclSplat
|
||||
}
|
||||
|
||||
If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {
|
||||
|
@ -1,6 +1,8 @@
|
||||
DelegationEntries:
|
||||
- Principal: admJaneD
|
||||
OrganizationalUnit: CN=Computers # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
|
||||
- Principal: admJaneD # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
|
||||
OrganizationalUnit:
|
||||
- CN=Computers
|
||||
- OU=Kiosks,OU=Clients,OU=Computer accounts
|
||||
AccessRules:
|
||||
- ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
|
||||
AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type.
|
||||
@ -48,7 +50,8 @@ DelegationEntries:
|
||||
ObjectType: Computer
|
||||
InheritedObjectType: ''
|
||||
- Principal: admJaneD
|
||||
OrganizationalUnit: OU=Clients,OU=Computer accounts
|
||||
OrganizationalUnit:
|
||||
- OU=Clients,OU=Computer accounts
|
||||
AccessRules:
|
||||
- ActiveDirectoryRights: CreateChild, DeleteChild
|
||||
AccessControlType: Allow
|
||||
|
Loading…
Reference in New Issue
Block a user