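#Requires -Modules 'ActiveDirectory','powershell-yaml'
<#
.SYNOPSIS
    Adds Deny/GenericAll ACEs for a configured set of security principals to
    every top-level container of the domain that is not whitelisted.
.DESCRIPTION
    Reads a YAML sidecar next to this script (same base name, '.yml' extension).
    Two collections are read from it:
      WhiteListedOUs            - patterns, evaluated with -match (regex), naming
                                  the top-level containers that must be left alone
      LimitedSecurityPrincipals - sAMAccountNames that receive the Deny ACE
    For each direct child of the domain root whose objectClass is a container
    class and whose DN is not whitelisted, one Deny / GenericAll / inherit-to-all
    ACE per resolved principal is added. Runs only when 'deployment.type' is
    'primary' or 'standalone'.
.PARAMETER Parameter
    Deployment settings hashtable. Keys read here:
      'deployment.type'       - 'primary' or 'standalone' enables the script
      'addsconfig.domainname' - DNS domain name, converted to the domain DN
.NOTES
    Deny ACEs win over Allow ACEs. Whitelist patterns are regular expressions;
    an unanchored pattern such as 'OU=Admin' also exempts 'OU=Admin2'. Anchor
    patterns in the YAML file to keep the exemption exact.
#>
Param(
    [Parameter(Mandatory)]
    [hashtable]$Parameter
)

# Only executed on primary or standalone Domain Controller
If (@('primary', 'standalone') -contains $Parameter['deployment.type']) {

    If (-not $Parameter['addsconfig.domainname']) {
        throw "Parameter key 'addsconfig.domainname' is required to build the domain DN."
    }

    # Reuse the module's default 'AD:' drive when present, otherwise create a
    # temporary 'ADDS' drive that is removed again in the Finally block below.
    # A missing 'AD:' drive is the expected case, so its error is suppressed.
    $PSDrive = Get-PSDrive -Name 'AD' -ErrorAction SilentlyContinue
    $CreatedDrive = $False
    If (-not $PSDrive) {
        $NewPSDriveSplat = @{
            Name       = 'ADDS'
            Root       = ''
            PSProvider = 'ActiveDirectory'
        }
        $PSDrive = New-PSDrive @NewPSDriveSplat
        $CreatedDrive = $True
    }

    Try {
        # The configuration is the script's sidecar: <scriptname>.yml
        $ConfigPath = Join-Path -Path $PSScriptRoot -ChildPath (
            [System.IO.Path]::ChangeExtension($MyInvocation.MyCommand.Name, '.yml')
        )
        $GetContentSplat = @{
            Path = $ConfigPath
            Raw  = $True
        }
        $RawContent = Get-Content @GetContentSplat
        $ConvertFromYamlSplat = @{
            Yaml         = $RawContent
            AllDocuments = $True
        }
        $WhiteList = ConvertFrom-Yaml @ConvertFromYamlSplat

        # Query the direct children of the domain root once and reuse the result
        # for both the whitelist resolution and the container selection.
        $DomainDN = 'DC=' + ($Parameter['addsconfig.domainname'] -replace '\.', ',DC=')
        $GetADObjectSplat = @{
            Filter      = '*'
            SearchBase  = $DomainDN
            SearchScope = 'OneLevel'
        }
        $TopLevelObjects = @(Get-ADObject @GetADObjectSplat)

        # Whitelist entries are regex patterns (-match); turn them into the exact
        # DNs they cover so the exclusion test below is a plain string comparison.
        $WhiteListedDNs = @(
            ForEach ($OU in $WhiteList.WhiteListedOUs) {
                $TopLevelObjects |
                    Where-Object { $_.DistinguishedName -match $OU } |
                    ForEach-Object { $_.DistinguishedName }
            }
        )

        # Container classes that receive the Deny ACE; lostAndFound is deliberately excluded.
        $ContainerClasses = @(
            'builtinDomain', 'container', 'organizationalUnit', <#'lostAndFound',#>
            'msDS-QuotaContainer', 'msTPM-InformationObjectsContainer'
        )
        $ParentContainers = $TopLevelObjects | Where-Object {
            $ContainerClasses -contains $_.ObjectClass
        }

        # Resolve every configured principal to its SID once, up front. An entry
        # that does not resolve is reported and skipped rather than producing an
        # access rule with a null identity for every container.
        # The sAMAccountName values come from the operator-controlled YAML sidecar.
        $PrincipalSIDs = @()
        ForEach ($SecurityPrincipal in $WhiteList.LimitedSecurityPrincipals) {
            $GetPrincipalSplat = @{
                Filter     = "sAMAccountName -eq '$($SecurityPrincipal)'"
                Properties = 'objectSID'
            }
            $Principal = Get-ADObject @GetPrincipalSplat
            If ($Principal -and $Principal.objectSID) {
                $PrincipalSIDs += $Principal.objectSID
            } Else {
                Write-Warning "Security principal '$($SecurityPrincipal)' was not found; no Deny ACE is added for it."
            }
        }

        If ($PrincipalSIDs.Count -gt 0) {
            ForEach ($Parent in $ParentContainers) {
                If ($WhiteListedDNs -contains $Parent.DistinguishedName) {
                    Continue
                }
                $ContainerPath = "$($PSDrive.Name):\$($Parent.DistinguishedName)"

                # Read the ACL once per container, add all Deny ACEs, write it back once.
                $ACL = Get-Acl -Path $ContainerPath
                ForEach ($SID in $PrincipalSIDs) {
                    $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                        $SID,
                        [System.DirectoryServices.ActiveDirectoryRights]'GenericAll',
                        [System.Security.AccessControl.AccessControlType]'Deny',
                        [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All'
                    )
                    $ACL.AddAccessRule($NewACE)
                }

                $SetAclSplat = @{
                    Path        = $ContainerPath
                    AclObject   = $ACL
                    ErrorAction = 'Continue'   # report the failing container, keep going
                }
                Set-Acl @SetAclSplat
            }
        }
    } Finally {
        # Remove the temporary drive only when this script created it. The
        # original test '[boolean]$PSDrive.Name -eq "ADDS"' was always true for
        # any non-empty name, so it also tried to remove the module's 'AD:' drive.
        If ($CreatedDrive) {
            $RemovePSDriveSplat = @{
                Name    = 'ADDS'
                Force   = $True
                Confirm = $False
            }
            Remove-PSDrive @RemovePSDriveSplat | Out-Null
        }
    }
}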