
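---
# Delegation-of-control definitions for the ADDS build payload.
# Each entry names a principal, the containers/OUs it is delegated over, and
# the access rules (ActiveDirectoryAccessRule-style fields) applied there.
# The indentation below is the intended structure: each OU/AccessRules block
# belongs to the Principal entry above it.
DelegationEntries:
  - Principal: admJaneD  # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
    # Relative DNs without a DC= suffix; presumably these are what the note
    # above is appended to — confirm in the consuming script.
    OrganizationalUnit:
      - CN=Computers
      - OU=Kiosks,OU=Clients,OU=Computer accounts
    AccessRules:
      # Field meanings (from the .NET ActiveDirectoryAccessRule contract):
      #   ActiveDirectoryRights             - one or more ActiveDirectoryRights enumeration values
      #                                       that specify the rights of the access rule.
      #   AccessControlType                 - AccessControlType enumeration value (Allow/Deny).
      #   ActiveDirectorySecurityInheritance - ActiveDirectorySecurityInheritance enumeration value
      #                                       that specifies the inheritance type of the rule.
      #   ObjectType                        - the object type to which the access rule applies.
      #   InheritedObjectType               - the child object type that can inherit this rule.
      # An empty '' in ObjectType/InheritedObjectType presumably means "no object-type
      # restriction" (i.e. the rule applies to all) — confirm against the consumer.
      # Validated-write and extended-right names are given by display name; the
      # consuming script is assumed to resolve them to their schema GUIDs.
      - ActiveDirectoryRights: Self
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Validated write to DNS host name
        InheritedObjectType: Computer
      - ActiveDirectoryRights: Self
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Validated write to service principal name
        InheritedObjectType: Computer
      # WriteDacl lets the principal rewrite the ACL of every descendant
      # computer object, so this rule is effectively as strong as full control
      # over those objects; keep it only if that is the intent.
      - ActiveDirectoryRights: WriteProperty, WriteDacl
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: ''
        InheritedObjectType: Computer
      - ActiveDirectoryRights: ExtendedRight
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Reset Password
        InheritedObjectType: Computer
      - ActiveDirectoryRights: ExtendedRight
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Change Password
        InheritedObjectType: Computer
      - ActiveDirectoryRights: ReadProperty
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: ''
        InheritedObjectType: Computer
      - ActiveDirectoryRights: WriteProperty
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: ''
        InheritedObjectType: Computer
      # Create/delete Computer objects in the OU itself and everything below it.
      - ActiveDirectoryRights: CreateChild, DeleteChild
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: All
        ObjectType: Computer
        InheritedObjectType: ''
      # GenericAll is full control; once granted, the narrower per-property
      # rules above overlap with it. Review whether both are still wanted.
      - ActiveDirectoryRights: GenericAll
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Computer
        InheritedObjectType: ''
  - Principal: admJaneD
    OrganizationalUnit:
      - OU=Clients,OU=Computer accounts
    AccessRules:
      # NOTE(review): creating/deleting User objects under a computer-accounts
      # OU looks unusual — confirm this is intended and not a copy of the
      # Computer rule above.
      - ActiveDirectoryRights: CreateChild, DeleteChild
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: All
        ObjectType: User
        InheritedObjectType: ''
      # Full control over every descendant object with no object-type
      # restriction — the broadest grant in this file. Confirm it is intended
      # for this OU before the image is built.
      - ActiveDirectoryRights: GenericAll
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: ''
        InheritedObjectType: ''
      # Read/write the Member attribute on descendant Group objects
      # (manage group membership).
      - ActiveDirectoryRights: WriteProperty, ReadProperty
        AccessControlType: Allow
        ActiveDirectorySecurityInheritance: Descendents
        ObjectType: Member
        InheritedObjectType: Group
# Example of an optional second document (Variables), left commented out as
# in the original; the Expression value is a literal block scalar.
# ---
# Variables:
#   - Name: foo
#     Expression: |
#       Write-Host 'bar'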