public/Remove-RBAC.ps1

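Function Remove-RBAC {
    <#
        .SYNOPSIS
        Removes the basic OU skeleton for component-oriented AD
        .DESCRIPTION
        Reverses the RBAC OU layout: the default user and computer containers are
        redirected back to CN=Users / CN=Computers, every user and computer found
        below the Orgs OU is moved there, and then these OU subtrees are deleted:
         * OU=Orgs
         * OU=LinuxFeatures
         * --> Sudoroles
         * --> netgroups
         * OU=Global
         * --> UnprivilegedUsers
         * --> Rights
        Every destructive step is guarded by ShouldProcess (ConfirmImpact High),
        so -WhatIf previews the run and -Confirm prompts for each step.
        .INPUTS
        none
        .OUTPUTS
        none
        .NOTES
        Depends on $OrgsOUStruct, $LinuxFeaturesOUStruct and $GlobalOUStruct
        (objects exposing .name and .path) and on DeleteOUSubtreeWithConfirm,
        all expected to be defined elsewhere in the module; redirusr and
        redircmp are external tools and do not honour -WhatIf themselves, which
        is why they sit behind ShouldProcess here.
    #>

    [CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact="High")]
    Param()
    Begin {
        $Domain = Get-ADDomain
        $defaultUsersDN = "CN=Users,$($Domain.distinguishedName)"
        $defaultComputersDN = "CN=Computers,$($Domain.distinguishedName)"
        # Forward this cmdlet's -Confirm / -WhatIf / -Verbose state to the AD cmdlets
        # it splats these onto, so a preview run never touches the directory.
        $shouldProcess = @{
            Confirm = [bool]($ConfirmPreference -eq "low")
            Whatif = [bool]($WhatIfPreference.IsPresent)
            verbose = [bool]($VerbosePreference -ne "SilentlyContinue")
        }
        $OrgsBase = "OU=$($OrgsOUStruct.name),$($OrgsOUStruct.path)"
    }
    PROCESS {
        if ($PSCmdlet.ShouldProcess($defaultUsersDN,"Redirecting default user container")) {
            redirusr $defaultUsersDN
        }
        if ($PSCmdlet.ShouldProcess($OrgsBase,"Migrating all contained users --> $defaultUsersDN")) {
            try {
                Get-ADUser -SearchBase $OrgsBase -Filter * | Move-ADObject -TargetPath $defaultUsersDN @shouldProcess
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # A missing search base (Orgs OU already gone) is not an error here;
                # a not-found raised by Move-ADObject still is, so re-raise that one
                # with its original error record intact.
                if ($_.CategoryInfo.activity -ne "Get-aduser") {
                    throw
                }
            }
        }

        if ($PSCmdlet.ShouldProcess($defaultComputersDN,"Redirecting default Computer container")) {
            redircmp $defaultComputersDN
        }
        if ($PSCmdlet.ShouldProcess($OrgsBase,"Migrating all contained Computers --> $defaultComputersDN")) {
            try {
                $ComputersMoved = Get-ADComputer -SearchBase $OrgsBase -Filter * | Move-ADObject -TargetPath $defaultComputersDN @shouldProcess -PassThru
                # @() so a single moved computer still reports a count of 1 rather than a property miss.
                Write-Host ("Moved {0} computers to default OU ({1})" -f @($ComputersMoved).Count, $defaultComputersDN)
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # Same rule as for users: only ignore the search-base miss from Get-ADComputer.
                if ($_.CategoryInfo.activity -ne "Get-adComputer") {
                    throw
                }
            }
            # Give the moves a moment to settle before the source subtrees are deleted
            # (the original author's fixed wait; the exact need is not visible here).
            Write-Verbose "Waiting for changes to process...."
            Start-Sleep -Seconds 2
        }

        # Each struct is deleted from its OWN DN (name + path); the earlier version
        # always deleted the Orgs subtree and never reached LinuxFeatures or Global.
        $DeleteOUs = @(
            $OrgsOUStruct
            $LinuxFeaturesOUStruct
            $GlobalOUStruct
        )
        foreach ($OUStruct in $DeleteOUs) {
            if (-not $OUStruct) {
                # An undefined struct would otherwise produce the DN "OU=," and a confusing failure.
                Write-Warning "Skipping undefined OU struct"
                continue
            }
            $Path = "OU=$($OUStruct.name),$($OUStruct.path)"
            if ($PSCmdlet.ShouldProcess($Path,"Deleting OU Subtree")) {
                Write-Warning "!!! Deleting OU Subtree: $Path"
                DeleteOUSubtreeWithConfirm -path $Path @shouldProcess
            }
        }
    }
}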