vars/OUTemplate-Org.ps1
|
$OrgTemplate = @{ LDAPContainers = @( @{ name = $settings['names']['RightsOU'] Type = "Container" Description = "Groups granting privileges for GLOBAL aspects of this org, such as GPO linking or OU management. Users should not be members of these groups. Only other groups should be members of 'rights' groups." } @{ name = $settings['names']['RolesOU'] Type = "Container" description = "Roles associated with multiple 'rights'. Only users should be members of 'role' groups." } @{ Name = $Settings['Names']['ComponentsOU'] Description = "(Delegation,GPO) A complete application, project, or app stack with a common lifecycle and administrative ownership" } ) DefaultRoles = @( @{ nameSuffix = $Settings['names']['RolesList']['Owner'] Owner = $true Description = "Owner of this Org. Assumed to have full administrative rights on all systems in child components." Rights = @( $Settings['Rights']['AppAccess'] $Settings['Rights']['AppPoweruser'] $Settings['Rights']['AppAdmin'] $Settings['Rights']['CreateDeleteComputer'] $Settings['Rights']['WinAdmin'] $Settings['Rights']['LogonRemote'] $Settings['Rights']['LogonLocal'] $Settings['Rights']['GPOEdit'] $Settings['Rights']['GPOLink'] $Settings['Rights']['GPOAudit'] $Settings['Rights']['OUCreate'] $Settings['Rights']['OUManage'] $Settings['Rights']['LAPS'] $Settings['Rights']['ManageRights'] $Settings['Rights']['ManageRoles'] $Settings['Rights']['LinAdmin'] $Settings['Rights']['ServiceAccountMSA'] $Settings['Rights']['ServiceAccountLegacy'] ) AuxiliaryGroups = @( "Group Policy Creator Owners" ) } @{ nameSuffix = $Settings['names']['RolesList']['Operator'] Owner = $False Description = "Elevated rights for OS and application." Rights = @( $Settings['Rights']['AppAccess'] $Settings['Rights']['AppPoweruser'] $Settings['Rights']['CreateDeleteComputer'] $Settings['Rights']['GPOAudit'] $Settings['Rights']['GPOEdit'] $Settings['Rights']['WinOps'] $Settings['Rights']['LogonRemote'] $Settings['Rights']['LogonLocal'] $Settings['Rights']['LAPS'] $Settings['Rights']['LinOps'] $Settings['Rights']['ServiceAccountMSA'] ) } @{ nameSuffix = $Settings['names']['RolesList']['User'] Owner = $false Description = "Act as user for applications under org" Rights = @( $Settings['Rights']['AppAccess'] $Settings['Rights']['AppPoweruser'] ) } ) DefaultRights = @( @{ nameSuffix = $Settings['Rights']['AppAccess'] Description = "Allowed Log in to applications (typically web interfaces) in this org. Often Necessary for SSO." AddParents = $true } @{ nameSuffix = $Settings['Rights']['AppPoweruser'] Description = "Poweruser or modify access to applications (typically web interfaces) in this org" AddParents = $true } @{ nameSuffix = $Settings['Rights']['AppAdmin'] Description = "Admin access to applications (typically web interfaces) in this org" AddParents = $true } @{ nameSuffix = $Settings['Rights']['CreateDeleteComputer'] Description = "Allowed to create / join computer objects" AddParents = $false } @{ nameSuffix = $Settings['Rights']['GPOAudit'] Description = "Allowed to run RSOP and GPO Modelling" AddParents = $false } @{ nameSuffix = $Settings['Rights']['GPOLink'] Description = "Allowed to link and unlink GPOs in org" AddParents = $false } @{ nameSuffix = $Settings['Rights']['GPOEdit'] Description = "Edit rights on All GPOs" AddParents = $false } @{ nameSuffix = $Settings['Rights']['OUCreate'] Description = "Create Organizational Units" AddParents = $false } @{ nameSuffix = $Settings['Rights']['OUManage'] Description = "Modify properties and permissions on ACLs" AddParents = $false } @{ nameSuffix = $Settings['Rights']['ManageRights'] Description = "Create and delete new rights, and modify membership of all groups." AddParents = $false } @{ nameSuffix = $Settings['Rights']['ManageRoles'] Description = "Create and delete new roles, and modify membership of roles." AddParents = $false } @{ nameSuffix = $Settings['Rights']['WinAdmin'] Description = "Local admin rights on Windows / Linux hosts" AddParents = $false } @{ nameSuffix = $Settings['Rights']['WinOps'] Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes" AddParents = $false } @{ nameSuffix = $Settings['Rights']['LAPS'] Description = "Fetch local machine passwords via Windows LAPS" AddParents = $true } @{ nameSuffix = $Settings['Rights']['LogonBatch'] Description = "Rights for batch logon / scheduled task / cron access" AddParents = $false } @{ nameSuffix = $Settings['Rights']['LogonLocal'] Description = "Rights for Local logon" info = "Default mapped services: su, gdm, login`r`nWindows: Task Scheduler" AddParents = $false } @{ nameSuffix = $Settings['Rights']['LogonService'] Description = "Rights for logon as service in this Org" AddParents = $false } @{ nameSuffix = $Settings['Rights']['LogonRemote'] Description = "Rights to use Remote Desktop / SSH / Cockpit in this Org" AddParents = $false } @{ nameSuffix = $Settings['Rights']['ServiceAccountMSA'] Description = "Create, Delete, and manage sMSA and gMSAs" AddParents = $false } @{ nameSuffix = $Settings['Rights']['ServiceAccountLegacy'] Description = "Create, Delete, and manage legacy service accounts" AddParents = $false } foreach ($sudoRoleType in $SUDO_ROLE_DEFS) { foreach ($passwd in $SUDO_PASSWD_TYPES) { @{ NameSuffix = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)" AddParents = $false } } } ) OUDelegations = @( # "" @{ ADPathLeafOU = "" ApplyDefaultDeny = $true DefaultDenyInheritance = "None" ACLs = @( #Region GPOs @{ PrincipalSuffix = $Settings['Rights']['GPOAudit'] ACEs = @( @{ ExtendedRight = "Generate-RSoP-Planning" InheritanceType = "All" } ) } @{ PrincipalSuffix = $Settings['Rights']['GPOLink'] ACEs = @( @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "GP-Link" InheritanceType = "None" } @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "GP-Options" InheritanceType = "None" } ) } @{ PrincipalSuffix = $Settings['Rights']['GPOEdit'] ACEs = @( @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "GP-Options" InheritanceType = "All" } ) } #endRegion #Region LAPSReadPassword if ((test-rBACFeatures).LAPS) { write-loghandler -level "warning" -message "Enabling LAPS features" @{ PrincipalSuffix = $Settings['Rights']['LAPS'] ACEs = @( @{ ADRight = "ReadProperty" TargetObject = "ms-LAPS-PasswordExpirationTime" AppliesTo = "Computer" InheritanceType = "Descendents" } @{ ADRight = "ReadProperty, ExtendedRight" TargetObject = "ms-LAPS-Password" AppliesTo = "Computer" InheritanceType = "Descendents" } @{ ADRight = "ReadProperty, ExtendedRight" TargetObject = "ms-LAPS-EncryptedPassword" AppliesTo = "Computer" InheritanceType = "Descendents" } @{ ADRight = "ReadProperty, ExtendedRight" TargetObject = "ms-LAPS-EncryptedPasswordHistory" AppliesTo = "Computer" InheritanceType = "Descendents" } ) } } else { write-loghandler -level "warning" -message "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema" } #endregion ) } @{ ADPathLeafOU = "OU={0}" -f $Settings['Names']['ComponentsOU'] ApplyDefaultDeny = $true DefaultDenyInheritance = "None" ACLs = @( @{ PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer'] ACEs = @( @{ ADRight = "CreateChild, DeleteChild" TargetObject = "Computer" InheritanceType = "All" # Any other inheritance type will cause access errors on attempting to move computer objects } @{ ADRight = "Self, WriteProperty, GenericRead" TargetObject = "Computer" InheritanceType = "Descendents" } ) } @{ PrincipalSuffix = $Settings['Rights']['OUCreate'] ACEs = @( @{ ADRight = "CreateChild" TargetObject = "Organizational-Unit" AppliesTo = "Organizational-Unit" InheritanceType = "All" } @{ ADRight = "CreateChild" TargetObject = "Container" AppliesTo = "Organizational-Unit" InheritanceType = "All" } @{ ADRight = "CreateChild" TargetObject = "Container" AppliesTo = "Container" InheritanceType = "All" } ) } @{ PrincipalSuffix = $Settings['Rights']['OUManage'] ACEs = @( @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "Description" AppliesTo = "Organizational-Unit" InheritanceType = "All" } @{ ADRight = "WriteDacl" TargetObject = "Organizational-Unit" AppliesTo = "Organizational-Unit" InheritanceType = "All" } @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "Description" AppliesTo = "Container" InheritanceType = "All" } @{ ADRight = "WriteDacl" TargetObject = "Container" AppliesTo = "Organizational-Unit" InheritanceType = "All" } @{ ADRight = "WriteDacl" TargetObject = "Container" AppliesTo = "Container" InheritanceType = "All" } ) } @{ PrincipalSuffix = $Settings['Rights']['ManageRights'] ACEs = @( @{ ADRight = "ReadProperty, WriteProperty, DeleteChild, CreateChild" TargetObject = "Group" InheritanceType = "All" } @{ ADRight = "WriteProperty" TargetObject = "Description" AppliesTo = "Group" InheritanceType = "All" } @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "Member" AppliesTo = "Group" InheritanceType = "All" } ) } @{ PrincipalSuffix = $Settings['Rights']['ServiceAccountMSA'] ACEs = @( @{ ADRight = "CreateChild, DeleteChild" TargetObject = "ms-DS-Managed-Service-Account" InheritanceType = "Descendents" } @{ ADRight = "CreateChild, DeleteChild" TargetObject = "ms-DS-Group-Managed-Service-Account" InheritanceType = "All" } @{ ADRight = "GenericAll" AppliesTo = "ms-DS-Managed-Service-Account" InheritanceType = "All" } @{ ADRight = "GenericAll" AppliesTo = "ms-DS-Group-Managed-Service-Account" InheritanceType = "All" } ) } @{ PrincipalSuffix = $Settings['Rights']['ServiceAccountLegacy'] ACEs = @( @{ ADRight = "CreateChild, DeleteChild" TargetObject = "User" InheritanceType = "Descendents" } @{ ADRight = "GenericAll" AppliesTo = "User" InheritanceType = "All" } ) } @{ Principal = "Everyone" ACEs = @( @{ ADRight = "CreateChild" TargetObject = "Computer" Action = "Deny" InheritanceType = "none" } ) } ) } @{ ADPathLeafOU = "OU={0}" -f $Settings['Names']['RightsOU'] ApplyDefaultDeny = $true DefaultDenyInheritance = "None" ACLs = @( @{ PrincipalSuffix = $Settings['Rights']['ManageRights'] ACEs = @( @{ ADRight = "CreateChild, DeleteChild" TargetObject = "Group" InheritanceType = "All" } @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "Member" AppliesTo = "Group" InheritanceType = "All" } @{ ADRight = "WriteProperty" TargetObject = "Description" AppliesTo = "Group" InheritanceType = "All" } ) } ) } @{ ADPathLeafOU = "OU={0}" -f $Settings['Names']['RolesOU'] ApplyDefaultDeny = $true DefaultDenyInheritance = "None" ACLs = @( @{ PrincipalSuffix = $Settings['Rights']['ManageRoles'] ACEs = @( @{ ADRight = "CreateChild, DeleteChild" TargetObject = "Group" InheritanceType = "All" } @{ ADRight = "WriteProperty" TargetObject = "Description" AppliesTo = "Group" InheritanceType = "All" } @{ ADRight = "ReadProperty, WriteProperty" TargetObject = "Member" AppliesTo = "Group" InheritanceType = "All" } ) } ) } ) GPOs = @( @{ Metadata = @{ LinkOrder = 1 NamePrefix = $Settings['names']['GPOs']['PrefixHigh'] AlwaysRebuild = $true GPPermissions = @{ GPOEdit = @{ SIDs = @() Rights = @() Principals = @() } } } SecEdit = @{ "Privilege Rights" = @{ SeInteractiveLogonRight = @{ SIDS = @( $SID_Administrators ) Rights = @( $Settings['Rights']['LogonLocal'] ) Principals = @() } SeRemoteInteractiveLogonRight = @{ SIDS = @( $SID_Administrators $SID_RemoteDesktop ) Rights = @( $Settings['Rights']['LogonRemote'] ) Principals = @() } SeServiceLogonRight = @{ SIDS = @( $SID_NetworkService $SID_ALLSERVICES ) Rights = @( $Settings['Rights']['LogonService'] ) Principals = @() } SeBatchLogonRight = @{ SIDS = @( $SID_Administrators $SID_BackupOperators $SID_PerfLogUsers ) Rights = @( $Settings['Rights']['LogonBatch'] ) Principals = @() } } "Group Membership" = @{ $Settings['Rights']['WinAdmin'] = @{ ResolveKeyName = $true MemberOf = @{ SIDS = @($SID_Administrators) } } $Settings['Rights']['WinOps'] = @{ ResolveKeyName = $True MemberOf = @{ SIDS = @( $SID_NetworkConfigOperators $SID_PerfLogUsers $SID_PerfMonUsers $SID_EventLogUsers ) } } $Settings['Rights']['LogonRemote'] = @{ ResolveKeyName = $true MemberOf = @{ SIDS = @( $SID_RemoteMgtUsers $SID_RemoteDesktop ) } } } } RegPol = @( @{ KeyName = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ValueName = "ADPasswordEncryptionPrincipal" ValueType = "REG_SZ" ValueCollection = @{ SIDs = @() Rights = @( $Settings['Rights']['LAPS'] ) Principals = @() } } ) } @{ Metadata = @{ LinkOrder = 2 NamePrefix = $Settings['names']['GPOs']['PrefixLow'] AlwaysRebuild = $False GPPermissions = @{ GPOEdit = @{ SIDs = @() Rights = @( $Settings['Rights']['GPOEdit'] ) Principals = @() } } } } ) } |