vars/OUTemplate-Component.ps1
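# Component OU template.
#
# Describes everything that is stamped out per "component": the child containers,
# the default right/role groups, the OU delegations (ACEs) and the GPOs. The
# provisioning code that consumes this table is not in this file, so the key
# names used below (LDAPContainers, DefaultRoles, DefaultRights, OUDelegations,
# GPOs, ADRight/TargetObject/AppliesTo/InheritanceType, SIDS/Rights/Principals ...)
# are its contract and must be kept as they are.
#
# Security model as expressed here:
#   * A "right" is a group that carries the actual ACL / GPO-rendered privilege.
#     Only service accounts or roles are meant to be direct members.
#   * A "role" is a group of rights. Only users are meant to be role members.
#   * Every per-container delegation sets ApplyDefaultDeny, i.e. the ACEs listed
#     here are intended to be the only path non-privileged principals have into
#     those containers. The component root ("") delegation does not set it.
$ComponentTemplate = @{

    # -------------------------------------------------------------------------
    # Containers created beneath the component OU.
    # -------------------------------------------------------------------------
    LDAPContainers = @(
        @{
            Name        = $Settings['Names']['EndpointsOU']
            Description = "Computers, Hosts, Devices within or owned by this component"
        }
        @{
            Name        = $Settings['Names']['RightsOU']
            Type        = "Container"
            Description = "Groups granting privileges within or owned by this component. Users should not be members of these groups. Only service accounts or roles should be members of these groups."
        }
        @{
            Name        = $Settings['Names']['RolesOU']
            Type        = "Container"
            Description = "Roles associated with multiple 'rights'. Only users should be members of 'role' groups."
        }
        @{
            Name        = $Settings['Names']['ServiceAcctOU']
            Description = "Service Accounts within or owned by this component"
        }
    )

    # -------------------------------------------------------------------------
    # Roles: bundles of rights. A role's effective privilege is the union of the
    # ACEs/GPO settings granted to each listed right below.
    # -------------------------------------------------------------------------
    DefaultRoles = @(
        @{
            NameSuffix  = $Settings['Names']['RolesList']['Owner']
            Owner       = $true
            Description = "Owner of this component. Assumed to have full administrative rights on all systems in child components."
            # Owner holds ManageRights + ManageRoles (membership of every group in
            # the component) and both service-account rights, so Owner is
            # transitively everything granted to any group or service account here.
            Rights      = @(
                $Settings['Rights']['CreateDeleteComputer']
                $Settings['Rights']['AppAdmin']
                $Settings['Rights']['AppPoweruser']
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['GPOLink']
                $Settings['Rights']['WinAdmin']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LAPS']
                $Settings['Rights']['ManageRights']
                $Settings['Rights']['ManageRoles']
                $Settings['Rights']['ServiceAccountMSA']
                $Settings['Rights']['ServiceAccountLegacy']
                $Settings['Rights']['LinAdmin']
            )
        }
        @{
            NameSuffix  = $Settings['Names']['RolesList']['Operator']
            Owner       = $false
            Description = "Local operator and app-modify rights."
            # NOTE(review): Operator is deliberately WinOps rather than WinAdmin, but
            # it also holds CreateDeleteComputer (unscoped WriteProperty on computer
            # objects, see OUDelegations) and ServiceAccountMSA (GenericAll on gMSA
            # objects). Both are well-known paths to host-level admin (RBCD /
            # gMSA password retrieval) — confirm that is acceptable for this role.
            Rights      = @(
                $Settings['Rights']['CreateDeleteComputer']
                $Settings['Rights']['AppAdmin']
                $Settings['Rights']['AppPoweruser']
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['WinOps']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LAPS']
                $Settings['Rights']['ServiceAccountMSA']
                $Settings['Rights']['LinOps']
                $Settings['Rights']['LinInstaller']
            )
        }
        @{
            NameSuffix  = $Settings['Names']['RolesList']['ServicePrivileged']
            Owner       = $false
            Description = "Service Account with remote access rights."
            # This role is more than "remote access": it carries WinAdmin (local
            # Administrators via the high-priority GPO) and LinAdminNopassword.
            # Anyone who can manage the service accounts placed in it (the two
            # ServiceAccount* rights hold GenericAll on those objects) can
            # therefore reach local admin.
            Rights      = @(
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LogonService']
                $Settings['Rights']['LogonBatch']
                $Settings['Rights']['WinAdmin']
                $Settings['Rights']['LinAdminNopassword']
                $Settings['Rights']['GenerateSecurityAudit']
            )
        }
        @{
            NameSuffix  = $Settings['Names']['RolesList']['User']
            Owner       = $false
            Description = "Standard user for this component. Assumed to be allowed to log in and make changes to data in the application."
            Rights      = @(
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['AppPoweruser']
            )
        }
    )

    # -------------------------------------------------------------------------
    # Rights. AddParents / DoNotPrefixGroupName are interpreted by the consumer
    # (presumably: also add the parent component's group, and skip the
    # component prefix on the group name — TODO confirm).
    # -------------------------------------------------------------------------
    DefaultRights = @(
        @{
            NameSuffix           = $Settings['Rights']['AppAccess']
            Description          = "Allowed Log in to applications (typically web interfaces) in this component. Often Necessary for SSO."
            AddParents           = $true
            DoNotPrefixGroupName = $true
        }
        @{
            NameSuffix           = $Settings['Rights']['AppPoweruser']
            Description          = "Poweruser or modify access to applications (typically web interfaces) in this component"
            AddParents           = $true
            DoNotPrefixGroupName = $true
        }
        @{
            NameSuffix           = $Settings['Rights']['AppAdmin']
            Description          = "Admin access to applications (typically web interfaces) in this component"
            AddParents           = $true
            DoNotPrefixGroupName = $true
        }
        @{
            NameSuffix  = $Settings['Rights']['CreateDeleteComputer']
            Description = "Allowed to create / join computer objects"
            AddParents  = $false
        }
        @{
            # Only the group is created here; no SeAuditPrivilege entry exists in
            # the GPOs of this template, so the actual privilege must come from
            # elsewhere.
            NameSuffix  = $Settings['Rights']['GenerateSecurityAudit']
            Description = "Primarily for use by ADFS and IIS service accounts. Granted via GPO"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['GPOAudit']
            Description = "Allowed to run RSOP and GPO Modelling"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['GPOLink']
            Description = "Allowed to link and unlink GPOs in this component"
            AddParents  = $false
        }
        @{
            # Despite the description, this template grants edit only on the
            # low-priority GPO (see GPOs); the high-priority GPO's GPOEdit list
            # is empty.
            NameSuffix  = $Settings['Rights']['GPOEdit']
            Description = "Edit rights on All GPOs"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['ManageRights']
            Description = "Create and delete new rights, and modify membership of all groups."
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['ManageRoles']
            Description = "Create and delete new roles, and modify membership of roles."
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['OUCreate']
            Description = "Create Organizational Units"
            AddParents  = $false
        }
        @{
            # No delegation in OUDelegations references this right; it is a
            # group only, as far as this template goes.
            NameSuffix  = $Settings['Rights']['OUManage']
            Description = "Modify properties and permissions on ACLs"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['WinAdmin']
            Description = "Local admin rights on Windows hosts"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['WinOps']
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
            AddParents  = $false
        }
        @{
            # AddParents = $true here means the parent component's LAPS group is
            # also expected to read these hosts' local admin passwords — TODO confirm.
            NameSuffix  = $Settings['Rights']['LAPS']
            Description = "Fetch local machine passwords via Windows LAPS"
            AddParents  = $true
        }
        @{
            NameSuffix  = $Settings['Rights']['LogonBatch']
            Description = "Rights for batch logon / scheduled task / cron access"
            AddParents  = $false
        }
        @{
            # NOTE(review): the info text maps Task Scheduler to local logon; tasks
            # configured to run whether the user is logged on or not use batch
            # logon (SeBatchLogonRight / LogonBatch). Verify the intended mapping.
            NameSuffix  = $Settings['Rights']['LogonLocal']
            Description = "Rights for Local logon"
            info        = "Default mapped services: su, gdm, login`r`nWindows: Task Scheduler"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['LogonService']
            Description = "Rights for logon as service in this component"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['LogonRemote']
            Description = "Rights to use Remote Desktop / SSH / Cockpit in this component"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['ServiceAccountMSA']
            Description = "Create, Delete, and manage sMSA and gMSAs"
            AddParents  = $false
        }
        @{
            NameSuffix  = $Settings['Rights']['ServiceAccountLegacy']
            Description = "Create, Delete, and manage legacy service accounts"
            AddParents  = $false
        }
        # One sudo right per (password-mode, sudo role) pair, e.g. "sudo<passwd>_<role>".
        # $SUDO_ROLE_DEFS and $SUDO_PASSWD_TYPES are defined outside this file.
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix           = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description          = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"
                    AddParents           = $false
                    DoNotPrefixGroupName = $false
                }
            }
        }
    )

    # -------------------------------------------------------------------------
    # OU delegations: which right group gets which ACEs on which container.
    #
    # NOTE(review): two entries use the key ADLeafPathOU (Endpoints, Rights) and
    # three use ADPathLeafOU (Roles, ServiceAcct, root). Only one of these can be
    # the key the consumer reads; the entries spelled the other way would get a
    # null path and their ACEs would land somewhere else (or nowhere). Left as
    # found here because the consumer is not visible — verify and unify.
    # -------------------------------------------------------------------------
    OUDelegations = @(
        # Endpoints OU: computer objects.
        @{
            ADLeafPathOU           = "OU={0}" -f $Settings['Names']['EndpointsOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    # These permissions are broader than they should be. WriteProperty
                    # on every attribute of a computer object includes
                    # msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based
                    # constrained delegation), servicePrincipalName and dNSHostName,
                    # which together let the holder impersonate to / take over any
                    # computer in this OU. Since Operator holds this right, Operator
                    # is effectively WinAdmin on these hosts until this is scoped.
                    # Properties believed to be needed for join/rename (TODO verify):
                    #   Common-name, Sam-Account-name, Description, Display-name,
                    #   attributeCertificateAttribute, Service-Principal-Name, DNS-Host-name
                    #   plus the validated-write extended rights and Reset Password.
                    # See also: https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Computer"
                            # Any other inheritance type will cause access errors on
                            # attempting to move computer objects.
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "Self, WriteProperty, GenericRead"
                            TargetObject    = "Computer"
                            InheritanceType = "Descendents"
                        }
                    )
                }
                <#
                Earlier, attribute-scoped attempt kept for reference (TargetObject +
                AppliesTo is the same shape used by the working ACEs further down):
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    ACEs = @(
                        @{ ADRight = "CreateChild, DeleteChild"; TargetObject = "Computer"; InheritanceType = "Descendents" }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    ACEs = @(
                        @{ ADRight = "WriteProperty"; TargetObject = "Common-Name"; AppliesTo = "Computer"; InheritanceType = "Descendents" }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    ACEs = @(
                        @{ ADRight = "WriteProperty"; TargetObject = "Sam-Account-Name"; AppliesTo = "Computer"; InheritanceType = "Descendents" }
                    )
                }
                #>
            )
        }

        # Rights OU: the right groups themselves.
        @{
            ADLeafPathOU           = "OU={0}" -f $Settings['Names']['RightsOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs = @(
                @{
                    # Write on "member" of every right group == the ability to
                    # grant oneself any right in this component, WinAdmin included.
                    PrincipalSuffix = $Settings['Rights']['ManageRights']
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }

        # Roles OU: the role groups.
        @{
            ADPathLeafOU           = "OU={0}" -f $Settings['Names']['RolesOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRoles']
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }

        # Service account OU.
        @{
            ADPathLeafOU           = "OU={0}" -f $Settings['Names']['ServiceAcctOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs = @(
                @{
                    # GenericAll on a gMSA includes writing
                    # msDS-GroupMSAMembership, i.e. the holder can authorise
                    # itself to retrieve the gMSA's password and act as it.
                    # Whatever roles/rights those gMSAs hold flow to this group.
                    PrincipalSuffix = $Settings['Rights']['ServiceAccountMSA']
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "ms-DS-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "ms-DS-Group-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "ms-DS-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "ms-DS-Group-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # GenericAll on user objects == reset password / write SPN.
                    # Same transitive effect as above for legacy service accounts.
                    PrincipalSuffix = $Settings['Rights']['ServiceAccountLegacy']
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "User"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "User"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }

        # Component root OU (empty leaf path). No ApplyDefaultDeny here.
        @{
            ADPathLeafOU = ""
            ACLs = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['OUCreate']
                    ACEs = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "None"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOAudit']
                    ACEs = @(
                        @{
                            ExtendedRight   = "Generate-RSoP-Logging"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # gPLink/gPOptions on the component root only (InheritanceType
                    # None), so linking is not delegated on child OUs.
                    PrincipalSuffix = $Settings['Rights']['GPOLink']
                    ACEs = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Link"
                            InheritanceType = "None"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Options"
                            InheritanceType = "None"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOEdit']
                    ACEs = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Options"
                            InheritanceType = "None"
                        }
                    )
                }
                # Windows LAPS read rights, only when the LAPS schema is present.
                # .Contains on the name collection is case-sensitive, so the
                # schema name must match exactly (it does for Windows LAPS).
                # NOTE(review): if write-loghandler emits anything to the output
                # stream, that object would become an element of this ACLs array.
                if ($ObjectGUIDs.name.contains("ms-LAPS-EncryptedPassword")) {
                    @{
                        PrincipalSuffix = $Settings['Rights']['LAPS']
                        ACEs = @(
                            @{
                                ADRight         = "ReadProperty"
                                TargetObject    = "ms-LAPS-PasswordExpirationTime"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-Password"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPassword"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPasswordHistory"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                        )
                    }
                } else {
                    write-loghandler -level "warning" -message "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
                }
            )
        }
    )

    # -------------------------------------------------------------------------
    # GPOs. Each SIDS/Rights/Principals triple is resolved by the consumer into
    # the principals written to the setting.
    # -------------------------------------------------------------------------
    GPOs = @(
        # High-priority, always rebuilt GPO: logon rights, local group membership,
        # LAPS encryption principal. Nobody in the component gets edit rights on
        # it (GPOEdit lists are empty), which keeps WinAdmin/LogonRemote
        # assignment out of reach of GPOEdit holders.
        @{
            Metadata = @{
                LinkOrder     = 1
                NamePrefix    = $Settings['Names']['GPOs']['PrefixHigh']
                AlwaysRebuild = $true
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @()
                        Principals = @()
                    }
                }
            }
            SecEdit = @{
                # User-rights assignments replace the host's existing list when
                # applied, so anything not listed here (e.g. the default "Users"
                # on SeInteractiveLogonRight) loses the right on these hosts.
                "Privilege Rights" = @{
                    SeInteractiveLogonRight = @{
                        SIDS       = @( $SID_Administrators )
                        Rights     = @( $Settings['Rights']['LogonLocal'] )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS       = @( $SID_Administrators $SID_RemoteDesktop )
                        Rights     = @( $Settings['Rights']['LogonRemote'] )
                        Principals = @()
                    }
                    SeServiceLogonRight = @{
                        SIDS       = @( $SID_NetworkService $SID_ALLSERVICES )
                        Rights     = @( $Settings['Rights']['LogonService'] )
                        Principals = @()
                    }
                    SeBatchLogonRight = @{
                        SIDS       = @( $SID_Administrators $SID_BackupOperators $SID_PerfLogUsers )
                        Rights     = @( $Settings['Rights']['LogonBatch'] )
                        Principals = @()
                    }
                }
                # Local group membership, keyed by "*<SID>". If the consumer renders
                # these as Restricted Groups "Members", the listed principals become
                # the complete membership of each local group — TODO confirm.
                "Group Membership" = @{
                    "*$($SID_Administrators)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['WinAdmin'] )
                            Principals = @()
                        }
                    }
                    "*$($SID_NetworkConfigOperators)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['WinOps'] )
                            # Was the only entry missing Principals; added for a
                            # uniform SIDS/Rights/Principals shape.
                            Principals = @()
                        }
                    }
                    "*$($SID_PerfLogUsers)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['WinOps'] )
                            Principals = @()
                        }
                    }
                    "*$($SID_PerfMonUsers)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['WinOps'] )
                            Principals = @()
                        }
                    }
                    "*$($SID_EventLogUsers)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['WinOps'] )
                            Principals = @()
                        }
                    }
                    "*$($SID_RemoteMgtUsers)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['LogonRemote'] )
                            Principals = @()
                        }
                    }
                    "*$($SID_RemoteDesktop)" = @{
                        Members = @{
                            SIDS       = @()
                            Rights     = @( $Settings['Rights']['LogonRemote'] )
                            Principals = @()
                        }
                    }
                }
            }
            RegPol = @(
                # Windows LAPS: encrypt the stored password to the LAPS right group,
                # matching the read ACEs granted to that group in OUDelegations.
                @{
                    KeyName         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName       = "ADPasswordEncryptionPrincipal"
                    ValueType       = "REG_SZ"
                    ValueCollection = @{
                        SIDs       = @()
                        Rights     = @( $Settings['Rights']['LAPS'] )
                        Principals = @()
                    }
                }
            )
        }

        # Low-priority GPO: the one the component's GPOEdit holders may edit.
        # It carries no settings from this template.
        @{
            Metadata = @{
                LinkOrder     = 2
                NamePrefix    = $Settings['Names']['GPOs']['PrefixLow']
                AlwaysRebuild = $false
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @( $Settings['Rights']['GPOEdit'] )
                        Principals = @()
                    }
                }
            }
        }
    )
}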