Functions/Set-DryADAccessRule.ps1

Using NameSpace System.Management.Automation.Runspaces
# DryActiveDirectory is an AD config module for use with DryDeploy, or by itself.
#
# Copyright (C) 2021 Bjørn Henrik Formo (bjornhenrikformo@gmail.com)
# LICENSE: https://raw.githubusercontent.com/bjoernf73/DryActiveDirectory/main/LICENSE
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
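Function Set-DryADAccessRule {
    <#
    .SYNOPSIS
    Configures one access rule (ACE) on an Active Directory container for a
    single group or user.

    .DESCRIPTION
    Delegates the given rights to exactly one principal (-Group or -User, never
    both, never neither) on the container identified by -Path. The ACL work
    itself is done by the script block $DryAD_SB_ADAccessRule_Set (defined
    elsewhere in the module). In the 'Local' parameter set the script block is
    invoked in this process against -DomainController; in the 'Remote' set it
    is invoked inside -PSSession and targets 'localhost' (the DC the session
    points at).

    The script block is expected to return three objects: [0] a list of debug
    strings, [1] a success flag, [2] an error object when it failed. On success
    the function outputs $True; on failure it throws with the text of the
    returned error (or a generic message when none was returned). Whether an
    existing ACE for the same principal is merged, replaced or duplicated is
    decided inside the script block and is not visible here.

    NOTE(review): this writes to the DACL immediately - there is no
    SupportsShouldProcess / -WhatIf. Rights such as GenericAll, WriteDacl or
    WriteOwner granted on a container with inheritance amount to full control
    of everything beneath it, and an explicit 'Deny' ACE is evaluated before
    explicit Allow ACEs of the same scope. Double-check -Path,
    -ActiveDirectorySecurityInheritance and -ObjectType before running this
    against a production directory. The principal name is resolved by the
    script block, not validated here.

    .OUTPUTS
    [Bool] $True on success. Throws (terminating) on any failure.
    #>
    [CmdletBinding(DefaultParameterSetName='Local')]
    Param (
        # Principal name. Exactly one of -User / -Group must be non-empty.
        [Parameter(HelpMessage="Name of user to delegate rights to.
        Never used by DryDeploy, since rights are always delegated to groups"
)]
        [String]
        $User,

        [Parameter(HelpMessage="Name of group to delegate rights to")]
        [String]
        $Group,

        # DN of the OU/container whose DACL is modified. Passed through to the
        # script block unchanged; no existence check is made here.
        [Parameter(Mandatory,
        HelpMessage="DistinguishedName of container object (ou or cn) to set rights on")]
        [String]
        $Path,

        # Right names as strings; conversion to the .NET enum (and rejection of
        # unknown names) is the script block's responsibility.
        [Parameter(Mandatory,
        HelpMessage="Array of Active Directory standard or extended rights")]
        [String[]]
        $ActiveDirectoryRights,

        [Parameter(Mandatory,
        HelpMessage="Access Control Type, either 'Allow' or 'Deny'.")]
        [ValidateSet("Allow","Deny")]
        [String]
        $AccessControlType,

        # Optional; '' is passed to the script block when omitted.
        [Parameter(HelpMessage="Inheritance")]
        [ValidateSet("All","Children", "Descendents", "SelfAndChildren", "None")]
        [String]
        $ActiveDirectorySecurityInheritance,

        # Optional; '' is passed to the script block when omitted.
        [Parameter(HelpMessage="The AD object type that the right(s) applies to.
        Like 'user','computer' or 'organizationalunit', or any other AD object type"
)]
        [String]
        $ObjectType,

        # Optional; '' is passed to the script block when omitted.
        [Parameter(HelpMessage="The object type by name that should inherit the right(s).")]
        [String]
        $InheritedObjectType,

        # 'Remote' set: an already-open session to the DC; the script block
        # then uses 'localhost' as its server.
        [Parameter(Mandatory,ParameterSetName='Remote',
        HelpMessage="PSSession to run the script blocks in")]
        [PSSession]
        $PSSession,

        # 'Local' set: the DC the script block should talk to from this host.
        [Parameter(Mandatory,ParameterSetName='Local',
        HelpMessage="For 'Local' sessions, specify the Domain Controller to use")]
        [String]
        $DomainController
    )

    Try {
        # Exactly one principal: both '' and $null count as "not given".
        If ($Group -and (-not $User)) {
            $TargetName = $Group
            $TargetType = 'group'
        }
        ElseIf ($User -and (-not $Group)) {
            $TargetName = $User
            $TargetType = 'user'
        }
        Else {
            Throw "Specify either a Group or a User to delegate permissions to - and not both"
        }

        ol v @('Target',    "$TargetName")
        ol v @('Type',      "$TargetType")
        ol v @('TargetPath',"$Path")

        # Resolve where the script block runs and which server it should use.
        If ($PSCmdlet.ParameterSetName -eq 'Remote') {
            $Server        = 'localhost'
            $ExecutionType = 'Remote'
            ol v @('Session Type','Remote')
            ol v @('Remoting to Domain Controller',$PSSession.ComputerName)
        }
        Else {
            $Server        = $DomainController
            $ExecutionType = 'Local'
            ol v @('Session Type','Local')
            ol v @('Using Domain Controller',$Server)
        }

        # -ArgumentList is positional, so every slot must hold a value. The typed
        # `[String]$X = ''` form is kept on purpose: a bare `$X = ''` on a
        # parameter that carries [ValidateSet] would presumably be re-validated
        # and fail for '' - NOTE(review): confirm before simplifying.
        If (-not $ObjectType)                         { [String]$ObjectType                          = ''}
        If (-not $InheritedObjectType)                { [String]$InheritedObjectType                 = ''}
        If (-not $ActiveDirectorySecurityInheritance) { [String]$ActiveDirectorySecurityInheritance  = ''}

        # Order must match the script block's positional parameters.
        $ArgumentList = @(
            $Path,
            $TargetName,
            $TargetType,
            $ActiveDirectoryRights,
            $AccessControlType,
            $ObjectType,
            $InheritedObjectType,
            $ActiveDirectorySecurityInheritance,
            $ExecutionType,
            $Server
        )
        $InvokeParams = @{
            ScriptBlock  = $DryAD_SB_ADAccessRule_Set
            ArgumentList = $ArgumentList
        }
        If ($PSCmdlet.ParameterSetName -eq 'Remote') {
            $InvokeParams += @{
                Session = $PSSession
            }
        }
        $Return = Invoke-Command @InvokeParams

        # $Return[0]: debug strings from the script block, forwarded to the log.
        ForEach ($ReturnString in $Return[0]) {
            ol d "$ReturnString"
        }

        # $Return[1]: success flag; $Return[2]: error object on failure.
        If ($Return[1] -eq $True) {
            ol s 'AD right set'
            ol v "Successfully configured AD right"
            $True
        }
        Else {
            ol f 'AD right not set'
            ol w "Failed to configure AD right"
            If ($Null -ne $Return[2]) {
                # Only the message survives (a remote ErrorRecord is deserialized
                # anyway); the raw strings were already sent to the debug log.
                Throw ($Return[2]).ToString()
            }
            Else {
                Throw "ReturnValue false, but no ErrorRecord returned - check debug"
            }
        }
    }
    Catch {
        # Surface everything as a terminating error attributed to this cmdlet.
        $PSCmdlet.ThrowTerminatingError($_)
    }
}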