vars/OUTemplate-Global.ps1

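<#
    Global OU / RBAC template.

    $GlobalTemplate describes what is built at the top of the org tree. The
    file only declares data; it is presumably dot-sourced by the scripts that
    build OUs, groups, ACEs and GPOs from a template (confirm against the
    caller). Top-level keys:

      OUs            - OUs to create (Name / Description only).
      DefaultRoles   - Role groups. nameSuffix is combined with a prefix by the
                       consumer (prefix not visible here). Rights lists the
                       DefaultRights suffixes the role is granted;
                       AuxiliaryGroups lists built-in AD groups the role is
                       added to; Owner / Protected are passed through (their
                       meaning is not visible in this file).
      DefaultRights  - Right groups, one per nameSuffix. The sudo rights are
                       generated from $SUDO_ROLE_DEFS x $SUDO_PASSWD_TYPES.
      OUDelegations  - ACEs to apply. Each entry names a target (ADPath = full
                       DN; ADPathLeafOU = an RDN the consumer prepends to a base
                       it knows, "" appearing to mean the base itself - confirm;
                       ADPathQuery = filter + searchBase), the right group the
                       ACE is for (PrincipalSuffix, matching a DefaultRights
                       nameSuffix) and the ACE itself (ADRight / ExtendedRight,
                       TargetObject, AppliesTo, InheritanceType - TargetObject
                       looks like the object class or attribute the ACE applies
                       to and AppliesTo the inherited object class; verify
                       against the consumer). Entries that depend on optional
                       schema (sudoRole, Windows LAPS, Enterprise PKI) are
                       emitted conditionally and a warning is written otherwise.
      GPOs           - GPOs to build and link: SecEdit privilege rights and
                       restricted-group membership, registry policy (RegPol)
                       and GP preference registry values. Each
                       SIDs / Rights / Principals triplet is resolved to
                       principals by the consumer.

    Variables used but not defined here ($SensitiveUsersOU, $UsersOU,
    $ComputersOU, $RightsName, $RolesName, $OrgsOUStruct,
    $LinuxFeaturesOUStruct, $domainbase, $ObjectGUIDs, $SchemaConfigPath,
    $sudoRolesName, $NetgroupName, $SUDO_ROLE_DEFS, $SUDO_PASSWD_TYPES and the
    $SID_* well-known SIDs) must be in scope before this file is loaded.

    Review notes applied in this revision:
      - The GPOLink / GP-Link delegation was listed twice; the duplicate is gone.
      - The NetworkConfigOperators restricted-group entry now carries the same
        Principals = @() key as its siblings.
      - The LogonLocal info text said "Windows: Task Scheduler" (copied from
        LogonBatch); the GPO section maps LogonLocal to SeInteractiveLogonRight,
        so it now names the local logon right instead.
#>
$GlobalTemplate = @{
    OUs = @(
        @{
            Name=$SensitiveUsersOU
            Description="Sensitive / Administrative user accounts. Generally domain admins etc."
        }
        @{
            Name=$UsersOU
            Description="Default location for user accounts."
        }
        @{
            Name=$ComputersOU
            Description="Computer objects not associated with a Component"
        }
        @{
            Name="Rights"
            Description="Rights applied domain-wide"
        }
        @{
            Name="Roles"
            Description="Roles with broad rights"
        }
    )
    DefaultRoles = @(
        @{
            # Global admin: holds almost every right below. Protected is only
            # set on this role; what the consumer does with it is not visible here.
            nameSuffix = "Admin"
            Protected = $false
            Owner = $true
            Description = "Global Admin. Assumed to have full administrative rights on all systems in child components. Does not have domain admin rights"
            Rights = @(
                "App-Admin"
                "App-Modify"
                "App-Access"
                "AddEndpoint"
                "WindowsAdmin"
                "LogonRemote"
                "LogonLocal"
                "LAPSReadPassword"
                "GPOEdit"
                "GPOAudit"
                "GPOLink"
                "$($rightsName)s-Admin"
                "$($RolesName)s-Manage"
                "SudoManager"
                "PKI-Enroller"
                "UserCreate"
                "UserReset"
                "UserControl"
                "AdminCreate"
                "AdminControl"
                "sudo_full"
            )
            AuxiliaryGroups = @(
                # NOTE(review): DNSAdmins is commonly treated as a tier-0-equivalent
                # group because the DNS Server service runs on domain controllers;
                # check this membership against the "does not have domain admin
                # rights" intent stated in the Description.
                "DNSAdmins"
                #"DHCP Administrators"
            )
        }
        @{
            nameSuffix = "Operator"
            Owner = $False
            Description = "Local operator and app-modify rights."
            Rights = @(
                "App-Modify"
                "App-Access"
                "AddEndpoint"
                "WindowsOps"
                "GPOAudit"
                "LogonRemote"
                "LogonLocal"
                "sudo_operate"
            )
            AuxiliaryGroups = @(
                #"DHCP Users"
            )
        }
        @{
            nameSuffix = "Linux-Admin"
            Owner = $true
            Description = "Rights to manage Linux-related AD objects under 'LinuxFeatures'"
            Rights = @(
                "SudoManager"
                "sudo_full"
                "LogonRemote"
            )
        }
        @{
            nameSuffix = "GPO-Admin"
            Owner = $false
            Description = "Permissions to edit, link and troubleshoot GPOs"
            Rights = @(
                "GPOEdit"
                "GPOLink"
                "GPOAudit"
            )
        }
        @{
            # NOTE(review): OUManage carries inheritable WriteDacl over the whole
            # Orgs subtree (see OUDelegations), so this role can re-ACL anything
            # beneath it; treat it as sensitive in the same way as SudoManager.
            nameSuffix = "OU-Admin"
            Owner = $false
            Description = "Rights to create and set permissions on OUs"
            Rights = @(
                "OUCreate"
                "OUManage"
            )
        }
        @{
            nameSuffix = "PKI-Admin"
            Owner = $false
            Description = "Certificate Administrator"
            Rights = @(
                "PKI-Admin"
                "PKI-Enroller"
            )
        }
        @{
            nameSuffix = "RBAC-Admin"
            Owner = $false
            Description = "Controls group membership"
            Rights = @(
                "$($RolesName)s-Manage"
                "$($rightsName)s-Admin"
            )
        }
        @{
            # No default role is granted AdminReset: sensitive-account password
            # resets are deliberately left out of Account-Admin (see Description).
            nameSuffix = "Account-Admin"
            Owner = $false
            Description = "Create and reset standard accounts; create sensitive accounts"
            Rights = @(
                "UserCreate"
                "UserReset"
                "UserControl"
                "AdminCreate"
                "AdminControl"
            )
        }
    )
    DefaultRights = @(
        @{
            nameSuffix = "App-Access"
            Description = "Allowed Log in to applications (typically web interfaces) globally."
        }
        @{
            nameSuffix = "App-Modify"
            Description = "Poweruser or modify access to applications (typically web interfaces) globally"
        }
        @{
            nameSuffix = "App-Admin"
            Description = "Admin access to applications (typically web interfaces) globally"
        }
        @{
            nameSuffix = "AddEndpoint"
            Description = "Allowed to create / join computer objects"
        }
        @{
            nameSuffix = "GPOAudit"
            Description = "Allowed to run RSOP and GPO Modelling"
        }
        @{
            nameSuffix = "GPOLink"
            Description = "Allowed to link and unlink GPOs in org"
        }
        @{
            nameSuffix = "GPOEdit"
            Description = "Edit rights on All GPOs"
        }
        @{
            nameSuffix = "OUCreate"
            Description = "Create Organizational Units"
        }
        @{
            nameSuffix = "OUManage"
            Description = "Modify properties and permissions on ACLs"
        }
        @{
            nameSuffix = "$($rightsName)s-Admin"
            Description = "Create and delete new rights, and modify membership of all groups."
        }
        @{
            nameSuffix = "$($RolesName)s-Manage"
            Description = "Create and delete new roles, and modify membership of roles."
        }
        @{
            nameSuffix = "UserCreate"
            Description = "Create standard users"
        }
        @{
            nameSuffix = "UserControl"
            Description = "Allowed to enable / disable / delete users"
        }
        @{
            nameSuffix = "UserReset"
            Description = "Reset passwords for standard users"
        }
        @{
            nameSuffix = "AdminReset"
            Description = "Reset passwords for sensitive / Administrative accounts"
        }
        @{
            nameSuffix = "AdminCreate"
            Description = "Create sensitive / administrative accounts"
        }
        @{
            nameSuffix = "AdminControl"
            Description = "Allowed to enable / disable / Delete sensitive accounts"
        }
        @{
            nameSuffix = "WindowsAdmin"
            Description = "Local admin rights on Windows / Linux hosts"
        }
        @{
            nameSuffix = "WindowsOps"
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
        }
        @{
            nameSuffix = "LAPSReadPassword"
            Description = "Fetch local machine passwords via Windows LAPS"
        }
        @{
            nameSuffix = "PKI-Admin"
            Description = "PKI Administrator (issue certs, make certificate templates)"
        }
        @{
            nameSuffix = "PKI-Enroller"
            Description = "Cut certificates, but cannot modify templates"
        }
        # The Logon* rights are mapped to SecEdit privilege rights in the _HBAC
        # GPO below; the info text records which services they are expected to
        # gate on each platform.
        @{
            nameSuffix = "LogonBatch"
            Description = "Rights for batch logon / scheduled task / cron access"
            info="Default mapped services: crond`r`nWindows: Task Scheduler"
        }
        @{
            nameSuffix = "LogonLocal"
            Description = "Rights for Local logon"
            info="Default mapped services: su, gdm, login`r`nWindows: Allow log on locally"
        }
        @{
            nameSuffix = "LogonService"
            Description = "Rights for logon as service in this Org"
            info="Default mapped services: <not set>`r`nWindows: Services"
        }
        @{
            # NOTE(review): info is an array here but a string for the other
            # Logon* entries; harmless if the consumer only ever stringifies it.
            nameSuffix = "LogonRemote"
            Description="Allow log on through Remote Desktop Services /SSH.";
            info=@("Default mapped services: sshd, cockpit`r`nWindows: Remote Desktop")
        }
        @{
            nameSuffix = "SudoManager"
            Description = "Sensitive; Rights to Create and modify Sudoroles and Netgroups. This allows gaining sudo rights on arbitrary systems."
        }
        # One right per (password type, sudo role type), e.g. "sudo_full" /
        # "sudo_operate" as referenced in DefaultRoles. $SUDO_PASSWD_TYPES and
        # $SUDO_ROLE_DEFS (with .name / .description) come from outside this file.
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"
                }
            }
        }
    )
    OUDelegations = @(
        #Region AddEndpoint
        # These permissions are broader than they should be. Look into restricting, but following properties may be needed:
        ## Common-name, Sam-Account-name, Description, Display-name, attributeCertificateAttribute, Service-Principal-Name, DNS-Host-name
        ## See also: https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users
        # NOTE(review): until the property list above is narrowed, Self + WriteProperty
        # on every attribute of every computer object under $ComputersOU amounts to
        # control of those machines; treat AddEndpoint as a sensitive right and audit
        # its membership accordingly.
        @{
            ADPathLeafOU = "OU=$ComputersOU"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Computer"
            InheritanceType = "All" # Any other inheritance type will cause access errors on attempting to move computer objects
        }
        @{
            ADPathLeafOU = "OU=$ComputersOU"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "Self, WriteProperty, GenericRead"
            TargetObject = "Computer"
            InheritanceType = "Descendents"
        }
        #endRegion
        #region GPOGroups
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "GPOAudit"
            ExtendedRight = "Generate-RSoP-Planning"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "GPOAudit"
            ExtendedRight = "Generate-RSoP-Logging"
            InheritanceType = "All"
        }
        # GP-Link is the OU attribute that holds the linked GPOs; GP-Options the
        # block-inheritance flag. Editing GPO contents themselves is granted via
        # GPPermissions in the GPOs section, not here.
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "GPOLink"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "GP-Link"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "GPOEdit"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "GP-Options"
            InheritanceType = "All"
        }
        #endRegion
        #region sudoRoles
        # $ObjectGUIDs.name is expected to list the schema class names available
        # in this forest; the sudoRole ACE is only emitted when the class exists.
        if ($ObjectGUIDs.name.contains("sudoRole")) {
            @{
                ADPath = "OU={0},OU={1},{2}" -f $sudoRolesName,$LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
                PrincipalSuffix = "SudoManager"
                ADRight = "genericAll"
                TargetObject = "sudoRole"
                InheritanceType = "All"
            }
        } else {
            write-warning "SudoRole schema object is missing: you may need a schema mod."
        }
        # NOTE(review): this OU create/delete ACE is emitted even when the
        # sudoRole schema check above fails; confirm the target OU exists then.
        @{
            ADPath = "OU={0},OU={1},{2}" -f $sudoRolesName,$LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "SudoManager"
            ADRight = "CreateChild, deleteChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        #endRegion
        #region Netgroups
        @{
            ADPath = "OU={0},OU={1},{2}" -f $NetgroupName,$LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "SudoManager"
            ADRight = "genericAll"
            TargetObject = "NisNetgroup"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU={0},OU={1},{2}" -f $NetgroupName,$LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "SudoManager"
            ADRight = "CreateChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        #endRegion
        #Region OU rights
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "OUCreate"
            ADRight = "CreateChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "None"
        }
        @{
            # ADPathLeafOU of "" - presumably the consumer's base OU itself; confirm.
            ADPathLeafOU = ""
            PrincipalSuffix = "OUCreate"
            ADRight = "CreateChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "None"
        }
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "OUManage"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        # NOTE(review): inheritable WriteDacl over the whole Orgs subtree lets the
        # holder grant any right on every object below (users, computers, groups),
        # not just OUs; that is why OU-Admin should be treated as sensitive.
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "OUManage"
            ADRight = "WriteDacl"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU={0},{1}" -f $LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "OUCreate"
            ADRight = "CreateChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "None"
        }
        @{
            ADPath = "OU={0},{1}" -f $LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "OUManage"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU={0},{1}" -f $LinuxFeaturesOUStruct.name,$LinuxFeaturesOUStruct.path
            PrincipalSuffix = "OUManage"
            ADRight = "WriteDacl"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "All"
        }
        # Windows LAPS attributes only exist once the schema has been extended;
        # the password attributes need ExtendedRight (control access) on top of
        # ReadProperty because they are confidential.
        if ($ObjectGUIDs.name.contains("ms-LAPS-EncryptedPassword")) {
            #Region LAPSReadPassword
            @{
                ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty"
                TargetObject = "ms-LAPS-PasswordExpirationTime"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-Password"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-EncryptedPassword"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-EncryptedPasswordHistory"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            #endregion
        } else {
            write-warning "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
        }
        #region UserManager
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserCreate"
            ADRight = "CreateChild"
            TargetObject = "User"
        }
        #endregion
        #region User Controller
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserControl"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "User-Account-Control"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserControl"
            ADRight = "DeleteChild"
            TargetObject = "User"
        }
        #endRegion
        #region normal password reset delegation
        # A usable reset delegation needs all three: Pwd-Last-Set (force change at
        # next logon), Lockout-Time (unlock) and the User-Force-Change-Password
        # control access right.
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserReset"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Pwd-Last-Set"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserReset"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Lockout-Time"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$usersOU"
            PrincipalSuffix = "UserReset"
            ADRight = "ExtendedRight"
            ExtendedRight = "User-Force-Change-Password"
            AppliesTo = "User"
        }
        #endregion
        #region Sensitive User Manager
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminCreate"
            ADRight = "CreateChild"
            TargetObject = "User"
        }
        #endregion
        #region Sensitive user control
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminControl"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "User-Account-Control"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminControl"
            ADRight = "DeleteChild"
            TargetObject = "User"
        }
        #endRegion
        #region Sensitive password reset delegation
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminReset"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Lockout-Time"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminReset"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Pwd-Last-Set"
            AppliesTo = "User"
        }
        @{
            ADPathLeafOU = "OU=$SensitiveUsersOU"
            PrincipalSuffix = "AdminReset"
            ADRight = "ExtendedRight"
            ExtendedRight = "User-Force-Change-Password"
            AppliesTo = "User"
        }
        #endregion
        #region rightsAdmin
        @{
            ADPathLeafOU = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Member"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        # The next three ACEs cover every Group object under Orgs (InheritanceType
        # All), which includes the role groups - so Rights-Admin subsumes
        # Roles-Manage. This matches the "all groups" wording in DefaultRights.
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "ReadProperty, WriteProperty, DeleteChild"
            TargetObject = "Group"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        @{
            ADPath = "OU=$($OrgsOUStruct.name),$domainbase"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Member"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        #Region RolesManager
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Member"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        #EndRegion
        #Region PKI-Admin
        # The PKI containers only exist once an Enterprise CA has been installed;
        # Test-Path is used as the probe so the template loads cleanly without one.
        if ([bool](test-path "AD:CN=OID,CN=Public Key Services,CN=Services,$SchemaConfigPath" -erroraction silentlyContinue)) {

            @{
                ADPath = "CN=OID,CN=Public Key Services,CN=Services,$SchemaConfigPath"
                PrincipalSuffix = "PKI-Admin"
                ADRight = "CreateChild, DeleteChild, ReadProperty, GenericRead, WriteDacl"
                TargetObject ="ms-PKI-Enterprise-Oid"
                InheritanceType = "None"
            }
            @{
                ADPath = "CN=OID,CN=Public Key Services,CN=Services,$SchemaConfigPath"
                PrincipalSuffix = "PKI-Admin"
                ADRight = "ReadProperty, WriteProperty, GenericRead, WriteDacl, WriteOwner"
                AppliesTo ="ms-PKI-Enterprise-Oid"
                InheritanceType = "Descendents"
            }
            @{
                ADPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$SchemaConfigPath"
                PrincipalSuffix = "PKI-Admin"
                ADRight = "CreateChild, GenericRead, WriteDacl, WriteOwner"
                TargetObject ="PKI-Certificate-Template"
                InheritanceType = "none"
            }
            @{
                ADPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$SchemaConfigPath"
                PrincipalSuffix = "PKI-Admin"
                ADRight = "ReadProperty, WriteProperty, GenericRead, WriteDacl, WriteOwner"
                Appliesto ="PKI-Certificate-Template"
                InheritanceType = "Descendents"
            }
            # Existing templates are found by query because the container ACE above
            # only applies to templates created afterwards.
            @{
                ADPathQuery = @{filter = "objectClass -eq 'pKICertificateTemplate'"; searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$SchemaConfigPath"}
                PrincipalSuffix = "PKI-Admin"
                ADRight = "ReadProperty, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner"
            }
            #endregion
            #region PKI-Enroller
            # Enrollers get only the Certificate-Enrollment control access right on
            # every existing template; template contents stay read-only for them.
            @{
                ADPathQuery = @{filter = "objectClass -eq 'pKICertificateTemplate'"; searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$SchemaConfigPath"}
                PrincipalSuffix = "PKI-Enroller"
                ADRight = "ReadProperty, ExtendedRight"
                ExtendedRight ="Certificate-Enrollment"
                InheritanceType = "None"
            }
            #Endregion
        } else {
            Write-warning "Cannot find Public key services (OID) OU; you may not have installed an Enterprise CA. Skipping PKI delegations."
        }
    )
    GPOs = @(
        # _HBAC: host-based access control. Maps the Logon* / WindowsAdmin /
        # WindowsOps rights onto Windows privilege rights and built-in local
        # groups, and pushes the Windows LAPS policy. Rebuilt on every run.
        @{
            Metadata = @{
                LinkOrder = 1
                NamePrefix = "_HBAC"
                AlwaysRebuild = $true
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs = @()
                        Rights = @(
                        )
                        # NOTE(review): this principal name is hard-coded while the
                        # rest of the file derives right names from $RightsName, and
                        # the _Settings GPO below uses Rights = @("GPOEdit") instead;
                        # confirm the literal still resolves when $RightsName changes.
                        Principals = @(
                            "Right-Global-GPOEdit"
                        )
                    }
                }
            }
            SecEdit = @{
                "Privilege Rights" = @{
                    SeInteractiveLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                        )
                        Rights = @(
                            "LogonLocal"
                        )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                            $SID_RemoteDesktop
                        )
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                    SeServiceLogonRight = @{
                        SIDS = @(
                            $SID_NetworkService
                            $SID_ALLSERVICES
                        )
                        Rights = @(
                            "LogonService"
                        )
                        Principals = @()
                    }
                    SeBatchLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                            $SID_BackupOperators
                            $SID_PerfLogUsers
                        )
                        Rights = @(
                            "LogonBatch"
                        )
                        Principals = @()
                    }
                }
                # Restricted groups: "*<SID>__Members" keys name the local group
                # whose membership is set; the value lists who goes in.
                "Group Membership" = @{
                    "*$($SID_Administrators)__Members" = @{
                        SIDS = @(
                        )
                        Rights = @(
                            "WindowsAdmin"
                        )
                        Principals = @()
                    }
                    "*$($SID_NetworkConfigOperators)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_PerfLogUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_PerfMonUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_EventLogUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_RemoteMgtUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                    "*$($SID_RemoteDesktop)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                }
            }
            # Windows LAPS policy. Passwords are backed up to AD (BackupDirectory 2),
            # encrypted, with the LAPSReadPassword group as the decryption principal.
            # NOTE(review): with ADPasswordEncryptionEnabled = 1 only the
            # ADPasswordEncryptionPrincipal can decrypt the stored password, so make
            # sure a break-glass recovery path exists outside the normal right group.
            RegPol = @(
                @{
                    KeyName = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "ADPasswordEncryptionPrincipal"
                    ValueType = "REG_SZ"
                    ValueCollection = @{
                        SIDs = @()
                        Rights = @(
                            "LAPSReadPassword"
                        )
                        Principals = @()
                    }
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PostAuthenticationResetDelay"
                    ValueType   = "REG_DWORD"
                    ValueData   = "4"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PostAuthenticationActions"
                    ValueType   = "REG_DWORD"
                    ValueData   = "1"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PasswordComplexity"
                    ValueType   = "REG_DWORD"
                    ValueData   = "4"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PasswordLength"
                    ValueType   = "REG_DWORD"
                    ValueData   = "16"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PasswordAgeDays"
                    ValueType   = "REG_DWORD"
                    ValueData   = "30"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "PwdExpirationProtectionEnabled"
                    ValueType   = "REG_DWORD"
                    ValueData   = "1"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "BackupDirectory"
                    ValueType   = "REG_DWORD"
                    ValueData   = "2"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "ADPasswordEncryptionEnabled"
                    ValueType   = "REG_DWORD"
                    ValueData   = "1"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "ADEncryptedPasswordHistorySize"
                    ValueType   = "REG_DWORD"
                    ValueData   = "2"
                }
                @{
                    KeyName     = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName   = "ADBackupDSRMPassword"
                    ValueType   = "REG_DWORD"
                    ValueData   = "0"
                }
            )
        }

        # _Settings: miscellaneous machine settings; only built once.
        @{
            Metadata = @{
                LinkOrder = 2
                NamePrefix = "_Settings"
                AlwaysRebuild = $False
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs = @()
                        Rights = @(
                            "GPOEdit"
                        )
                        Principals = @()
                    }
                }
            }
            GPPrefRegistryValues = @(
                @{
                    Context = 'Computer'
                    Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\security_mmc.exe'
                    ValueName = 'about'
                    value = 2
                    type = 'DWORD'
                    Action = 'Update'
                }
            )
        }
    )
}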