Packer.Images/scripts/ADDS/payload/scripts/12.Restrict OU Permissions.ps1


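#Requires -Modules 'ActiveDirectory','powershell-yaml'
<#
.SYNOPSIS
    Adds an explicit "Deny GenericAll" ACE for each configured security
    principal on every top-level container of the domain that is not
    whitelisted.
.DESCRIPTION
    Runs only when deployment.type is 'primary' or 'standalone'. The
    whitelist is read from a YAML file next to this script with the same
    base name and a .yml extension. Keys used:
      WhiteListedOUs            - regex patterns matched against the
                                  DistinguishedName of each top-level
                                  object; matching objects are skipped.
      LimitedSecurityPrincipals - sAMAccountNames that receive the Deny ACE.
    Every principal is resolved to its SID before any ACL is touched, so an
    unknown name fails the step instead of leaving a partially applied set
    of Deny ACEs. Deny entries take precedence over Allow entries, so the
    configured principals must not include accounts needed to administer
    the containers being restricted.
.PARAMETER Parameter
    Hashtable of deployment settings. Keys read: 'deployment.type' and
    'addsconfig.domainname'.
.OUTPUTS
    None. Errors from Set-Acl are written but do not stop the remaining
    containers from being processed.
#>
Param(
    [Parameter(Mandatory)]
    [hashtable]$Parameter
)

# Escapes a value for use inside an LDAP filter (RFC 4515) so that a name
# containing \ * ( ) or NUL cannot change the meaning of the query.
function ConvertTo-LdapFilterValue {
    Param([string]$Value)
    # Backslash must be escaped first; the later replacements introduce it.
    $Escaped = $Value -replace '\\', '\5c'
    $Escaped = $Escaped -replace '\*', '\2a'
    $Escaped = $Escaped -replace '\(', '\28'
    $Escaped = $Escaped -replace '\)', '\29'
    $Escaped = $Escaped -replace "`0", '\00'
    return $Escaped
}

# Only executed on primary or standalone Domain Controller
If (@('primary', 'standalone') -contains $Parameter['deployment.type']) {
    # Reuse the module's default 'AD:' drive when it exists; otherwise create
    # a temporary 'ADDS:' drive and remove it again on exit. SilentlyContinue
    # keeps the "drive not found" error out of the provisioning log.
    $PSDrive = Get-PSDrive -Name 'AD' -ErrorAction SilentlyContinue
    $CreatedDrive = $False
    If (-not $PSDrive) {
        $NewPSDriveSplat = @{
            Name       = 'ADDS'
            Root       = ''
            PSProvider = 'ActiveDirectory'
        }
        $PSDrive = New-PSDrive @NewPSDriveSplat
        $CreatedDrive = $True
    }

    Try {
        # Configuration file: same directory and base name as this script.
        $ConfigPath = [System.IO.Path]::ChangeExtension($PSCommandPath, '.yml')
        $RawContent = Get-Content -Path $ConfigPath -Raw
        $WhiteList = ConvertFrom-Yaml -Yaml $RawContent -AllDocuments

        # Query the top-level objects of the domain once and reuse the result
        # for both the whitelist match and the container selection.
        $DomainDN = 'DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
        $GetADObjectSplat = @{
            Filter      = '*'
            SearchBase  = $DomainDN
            SearchScope = 'OneLevel'
        }
        $TopLevelObjects = @(Get-ADObject @GetADObjectSplat)

        # Each whitelist entry is a regex applied to the DistinguishedName.
        $WhiteListedDNs = @(
            ForEach ($OU in $WhiteList.WhiteListedOUs) {
                $TopLevelObjects |
                    Where-Object { $_.DistinguishedName -match $OU } |
                    Select-Object -ExpandProperty DistinguishedName
            }
        )

        $ContainerClasses = @(
            'builtinDomain',
            'container',
            'organizationalUnit',
            <#'lostAndFound',#>
            'msDS-QuotaContainer',
            'msTPM-InformationObjectsContainer'
        )
        $ParentContainers = $TopLevelObjects | Where-Object {
            $ContainerClasses -contains $_.ObjectClass -and
            $WhiteListedDNs -notcontains $_.DistinguishedName
        }

        # Resolve all principals before modifying anything. A principal that
        # does not exist would otherwise surface as a null-identity exception
        # half-way through the container loop.
        $PrincipalSids = @()
        $Unresolved = @()
        ForEach ($SecurityPrincipal in $WhiteList.LimitedSecurityPrincipals) {
            $LdapFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue -Value $SecurityPrincipal))"
            $ADObject = Get-ADObject -LDAPFilter $LdapFilter -Properties objectSID
            If ($ADObject -and $ADObject.objectSID) {
                $PrincipalSids += $ADObject.objectSID
            } Else {
                $Unresolved += $SecurityPrincipal
            }
        }
        If ($Unresolved.Count -gt 0) {
            Throw "Cannot resolve LimitedSecurityPrincipals: $($Unresolved -join ', '). No ACLs were changed."
        }

        ForEach ($Parent in $ParentContainers) {
            $AclPath = "$($PSDrive.Name):\$($Parent.DistinguishedName)"
            # Read the ACL once per container, add every Deny ACE, write once.
            $ACL = Get-Acl -Path $AclPath
            ForEach ($Sid in $PrincipalSids) {
                # Explicit Deny of all rights, inherited by every child object.
                $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $Sid,
                    [System.DirectoryServices.ActiveDirectoryRights]'GenericAll',
                    [System.Security.AccessControl.AccessControlType]'Deny',
                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All'
                )
                $ACL.AddAccessRule($NewACE)
            }
            # Keep going if one container cannot be updated; the error is
            # still written so it shows up in the provisioning output.
            $SetAclSplat = @{
                Path        = $AclPath
                AclObject   = $ACL
                ErrorAction = 'Continue'
            }
            Set-Acl @SetAclSplat
        }
    }
    Finally {
        # Only remove the drive this script created, never the module's own
        # 'AD:' drive. (The previous check always evaluated to true because
        # the [boolean] cast bound before -eq.)
        If ($CreatedDrive) {
            Remove-PSDrive -Name 'ADDS' -Force -Confirm:$False
        }
    }
}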