vars/OUTemplate-Global.ps1

$GlobalTemplate = @{
    LDAPContainers  = @(
        @{
            Name        = $Settings['Names']['PrivilegedUsersOU']
            Type        = "OrganizationalUnit"
            Description = "Sensitive / Administrative user accounts. Generally domain admins etc."
        }
        @{
            Name        = $Settings['Names']['DefaultUsersOU']
            Type        = "OrganizationalUnit"
            Description = "Default location for user accounts."
        }
        @{
            Name        = $Settings['Names']['EndpointsOU']
            Type        = "OrganizationalUnit"
            Description = "Global and unassigned computer endpoints"
        }
        @{
            Name        = $Settings['Names']['DefaultComputersOU']
            Type        = "OrganizationalUnit"
            RelativePath= "OU={0}" -f $Settings['Names']['EndpointsOU']
            Description = "Computer objects not associated with a Component"
        }
        @{
            Name        = $Settings['Names']['EndpointPAWs']
            Type        = "OrganizationalUnit"
            RelativePath= "OU={0}" -f $Settings['Names']['EndpointsOU']
            Description = "T0 Privileged Access Workstations"
        }
        @{
            Name        = $Settings['Names']['EndpointPKI']
            Type        = "OrganizationalUnit"
            RelativePath= "OU={0}" -f $Settings['Names']['EndpointsOU']
            Description = "PKI / certificate systems"
        }
        @{
            DistinguishedName = $Settings['OUPaths']['LinuxFeaturesBase']
            Type        = "Container"
            Description="Linux-related objects such as sudoRoles supported by sssd-ad"
        }
        @{
            DistinguishedName = $Settings['OUPaths']['LinuxNetgroups']
            Type        = "Container"
            Description="Netgroups that group multiple hosts together for assigning sudoRoles. Referenced by ldap_netgroup_search_base"
        }
        @{
            DistinguishedName = $Settings['OUPaths']['LinuxSudoers']
            Type        = "Container"
            Description="LDAP-based sudoers rules. Referenced by ldap_sudo_search_base. Host assignment is done via netgroups."
        }
        @{
            Name        = $Settings['Names']['RightsOU']
            Type        = "OrganizationalUnit"
            Description = "Rights applied across entire RAD Tenant"
        }
        @{
            Name        = $Settings['Names']['RolesOU']
            Type        = "OrganizationalUnit"
            Description = "Roles with broad rights"
        }
        @{
            Name        = $Settings['Names']['OrgsOU']
            Type        = "OrganizationalUnit"
            Description = "Business Units, Tenants, or Teams with a shared leadership"
        }
    )
    DefaultRoles  = @(
        @{
            nameSuffix      = $Settings['names']['RolesList']['Admin']
            Protected       = $True
            Owner           = $true
            Description     = "Global Admin. Assumed to have full administrative rights on all systems in child components. Does not have domain admin rights"
            Rights          = @(
                $Settings['Rights']['LAPS']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['GPOLink']
                $Settings['Rights']['OUCreate']
                $Settings['Rights']['OUManage']
                $Settings['Rights']['ManageRights']
                $Settings['Rights']['ManageRoles']
                $Settings['Rights']['SudoManager']
            )
            AuxiliaryGroups = @(
                "DNSAdmins"
                "Group Policy Creator Owners"
                #"DHCP Administrators" -- https://www.falconitservices.com/dhcp-administrators-group-missing-from-active-directory/
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['AppAdmin']
            Protected   = $false
            Owner       = $true
            Description = "Global Admin within applications. Assumed to have full application rights on all systems in child components."
            Rights      = @(
                $Settings['Rights']['AppAdmin']
                $Settings['Rights']['AppPoweruser']
                $Settings['Rights']['AppAccess']
            )
        }

        @{
            nameSuffix      = $Settings['names']['RolesList']['Operator']
            Protected       = $false
            Owner           = $False
            Description     = "Local operator."
            Rights          = @(
                $Settings['Rights']['CreateDeleteComputer']
                $Settings['Rights']['WinAdmin']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['LinAdmin']
                $Settings['Rights']['LAPS']
            )
            AuxiliaryGroups = @(
                #"DHCP Users"
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['LinuxAdmin']
            Protected   = $false
            Owner       = $true
            Description = "Rights to manage Linux-related AD objects under 'LinuxFeatures'"
            Rights      = @(
                $Settings['Rights']['SudoManager']
            )
        }
        @{
            nameSuffix      = $Settings['names']['RolesList']['GPOAdmin']
            Protected       = $false
            Owner           = $false
            Description     = "Permissions to edit, link and troubleshoot GPOs"
            Rights          = @(
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['GPOLink']
                $Settings['Rights']['GPOAudit']
            )
            AuxiliaryGroups = @(
                "Group Policy Creator Owners"
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['PKIAdmin']
            Protected   = $false
            Owner       = $false
            Description = "Certificate Administrator"
            Rights      = @(
                $Settings['Rights']['PKIManageCA']
                $Settings['Rights']['PKIIssue']
            )
        }
        @{
            nameSuffix      = $Settings['names']['RolesList']['RBACAdmin']
            Protected       = $false
            Owner           = $false
            Description     = "Create and manage orgs and components globally"
            Rights          = @(
                $Settings['Rights']['ManageRights']
                $Settings['Rights']['ManageRoles']
                $Settings['Rights']['OUCreate']
                $Settings['Rights']['OUManage']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['GPOLink']
                $Settings['Rights']['SudoManager']
                $Settings['Rights']['OrgManage']
            )
            AuxiliaryGroups = @(
                "Group Policy Creator Owners"
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['AccountAdmin']
            Protected   = $false
            Owner       = $false
            Description = "Create and reset standard accounts; create sensitive accounts"
            Rights      = @(
                $Settings['Rights']['UserCreate']
                $Settings['Rights']['UserPasswdReset']
                $Settings['Rights']['UserControl']
                $Settings['Rights']['AdminUserCreate']
                $Settings['Rights']['AdminUserControl']
            )
        }
    )
    DefaultRights = @(
        @{
            nameSuffix  = $Settings['Rights']['AppAccess']
            Description = "Allowed Log in to applications (typically web interfaces) globally."
        }
        @{
            nameSuffix  = $Settings['Rights']['AppPoweruser']
            Description = "Poweruser or modify access to applications (typically web interfaces) globally"
        }
        @{
            nameSuffix  = $Settings['Rights']['AppAdmin']
            Description = "Admin access to applications (typically web interfaces) globally"
        }
        @{
            nameSuffix  = $Settings['Rights']['CreateDeleteComputer']
            Description = "Allowed to create / join computer objects"
        }
        @{
            nameSuffix  = $Settings['Rights']['DHCPAdmin']
            Description = "Authorize and manage DHCP servers. This includes rights to create dHCPClass objects under CN=NetServices, CN=Services, CN=Configuration..."
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOAudit']
            Description = "Allowed to run RSOP and GPO Modelling"
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOLink']
            Description = "Allowed to link and unlink GPOs in org"
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOEdit']
            Description = "Edit rights on All GPOs"
        }
        @{
            nameSuffix  = $Settings['Rights']['OUCreate']
            Description = "Create and update arbitrary Organizational Units"
        }
        @{
            nameSuffix  = $Settings['Rights']['OUManage']
            Description = "Manage arbitrary OUs, properties and permissions on ACLs"
        }
        @{
            nameSuffix  = $Settings['Rights']['OrgManage']
            Description = "Create and delete Orgs, as well as update their DACLs. Implicit full control of all orgs."
        }
        @{
            nameSuffix  = $Settings['Rights']['OrgDelete']
            Description = "Delete orgs and all subordinate objects"
        }
        @{
            nameSuffix  = $Settings['Rights']['ManageRights']
            Description = "Create and delete new rights, and modify membership of all groups."
        }
        @{
            nameSuffix  = $Settings['Rights']['ManageRoles']
            Description = "Create and delete new roles, and modify membership of roles."
        }
        @{
            nameSuffix  = $Settings['Rights']['UserCreate']
            Description = "Create standard users"
        }
        @{
            nameSuffix  = $Settings['Rights']['UserControl']
            Description = "Allowed to enable / disable / delete users"
        }
        @{
            nameSuffix  = $Settings['Rights']['UserPasswdReset']
            Description = "Reset passwords for standard users"
        }
        @{
            nameSuffix  = $Settings['Rights']['AdminUserPasswdReset']
            Description = "Reset passwords for sensitive / Administrative accounts"
        }
        @{
            nameSuffix  = $Settings['Rights']['AdminUserCreate']
            Description = "Create sensitive / administrative accounts"
        }
        @{
            nameSuffix  = $Settings['Rights']['AdminUserControl']
            Description = "Allowed to enable / disable / Delete sensitive accounts"
        }
        @{
            nameSuffix  = $Settings['Rights']['WinAdmin']
            Description = "Local admin rights on Windows / Linux hosts"
        }
        @{
            nameSuffix  = $Settings['Rights']['WinOps']
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
        }
        @{
            nameSuffix  = $Settings['Rights']['LAPS']
            Description = "Fetch local machine passwords via Windows LAPS"
        }
        @{
            nameSuffix  = $Settings['Rights']['PKIManageCA']
            Description = "Manage CA settings, and modify certificate templates)"
        }
        @{
            nameSuffix  = $Settings['Rights']['PKIEnrollmentAgent']
            Description = "CEP-CES"
        }
        @{
            nameSuffix  = $Settings['Rights']['PKIIssue']
            Description = "Approve and revoke certificates"
        }
        @{
            nameSuffix  = $Settings['Rights']['PKIEnroll']
            Description = "Request certificates"
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonBatch']
            Description = "Rights for batch logon / scheduled task / cron access"
            info        = "Default mapped services: crond`r`nWindows: Task Scheduler"
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonLocal']
            Description = "Rights for Local logon"
            info        = "Default mapped services: su, gdm, login`r`nWindows: Task Scheduler"
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonService']
            Description = "Rights for logon as service in this Org"
            info        = "Default mapped services: <not set>`r`nWindows: Services"
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonRemote']
            Description = "Allow log on through Remote Desktop Services /SSH.";
            info        = @("Default mapped services: sshd, cockpit`r`nWindows: Remote Desktop")
        }
        @{
            nameSuffix  = $Settings['Rights']['SudoManager']
            Description = "Sensitive; Rights to Create and modify Sudoroles and Netgroups. This allows gaining sudo rights on arbitrary systems."
        }
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix  = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"

                }
            }
        }
    )
    OUDelegations = @(
        @{
            ADPath                 = $Settings['OUPaths']['TenantRoot']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "All"
            ACLs                   = @(
                #region OUManagement
                @{
                    PrincipalSuffix = $Settings['Rights']['OUCreate']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit","Container"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = @("Organizational-Unit","Container")
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['OUManage']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "DeleteChild"
                            TargetObject    = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                    )
                }
                #endregion
                #region GPOs
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOAudit']
                    ACEs            = @(
                        @{
                            ExtendedRight   = "Generate-RSoP-Planning"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOLink']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Link"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOEdit']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Options"
                            InheritanceType = "All"
                        }
                    )
                }
                #endRegion
                #Region RightsManagement
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRights']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
                #endregion
                #Region LAPSReadPassword
                if ($ObjectGUIDs.name.contains("ms-LAPS-EncryptedPassword")) {

                    @{
                        PrincipalSuffix = $Settings['Rights']['LAPS']
                        ACEs            = @(
                            @{
                                ADRight         = "ReadProperty"
                                TargetObject    = "ms-LAPS-PasswordExpirationTime"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-Password"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPassword"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPasswordHistory"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                        )
                    }
                    @{ # lapspsh.dll SetLapsADComputerSelfPermission Lines 76-79
                        Principal = "NT Authority\SELF"
                        ACEs      = @(
                            @{
                                ADRight         = "ReadProperty, WriteProperty"
                                TargetObject    = "ms-LAPS-PasswordExpirationTime"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{ # lapspsh.dll SetLapsADComputerSelfPermission Lines 80-81
                                ADRight         = "WriteProperty"
                                TargetObject    = "ms-LAPS-Password"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{ # lapspsh.dll SetLapsADComputerSelfPermission Lines 82-87
                                ADRight         = "ReadProperty, WriteProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-Encrypted-Password-Attributes"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                        )
                    }
                }
                else {
                    write-loghandler -level "warning" -message "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
                }
                #endregion
            )
        }
        @{
            ADPath                 = $Settings['OUPaths']['OrgsBase']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['OrgManage']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "DeleteChild"
                            TargetObject    = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                    )
                }
            )

        }
        @{
            ADPath           = "CN=NetServices,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
            ApplyDefaultDeny = $false
            ACLs             = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['DHCPAdmin']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, deleteChild"
                            TargetObject    = "dHCP-Class"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            Appliesto       = "dHCP-Class"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }
        @{
            ADPath           = "CN=OID,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
            ApplyDefaultDeny = $false
            ACLs             = @(
                if ([bool]$FEATURES_ADCS) {
                    @{
                        PrincipalSuffix = $Settings['Rights']['PKIManageCA']
                        ACEs            = @(
                            @{
                                ADRight         = "CreateChild, DeleteChild, ReadProperty, GenericRead, WriteDacl"
                                TargetObject    = "ms-PKI-Enterprise-Oid"
                                InheritanceType = "None"
                            }
                            @{
                                ADRight         = "ReadProperty, WriteProperty, GenericRead, WriteDacl, WriteOwner"
                                AppliesTo       = "ms-PKI-Enterprise-Oid"
                                InheritanceType = "Descendents"
                            }
                        )
                    }
                }
                else {
                    write-loghandler -level "warning" -message "ADCS feature not enabled, skipping delegations."
                }
            )
        }
        @{
            ADPath                 = $Settings['OUPaths']['LinuxFeaturesBase']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['OUCreate']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit"
                            InheritanceType = "None"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['OUManage']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }
        @{
            ADPath                 = $Settings['OUPaths']['LinuxSudoers']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['SudoManager']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, deleteChild"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        if ($ObjectGUIDs.name.contains("sudoRole")) {
                            @{
                                ADRight         = "genericAll"
                                TargetObject    = "sudoRole"
                                InheritanceType = "All"
                            }
                        }
                        else {
                            write-loghandler -level "warning" -message "SudoRole schema object is missing: you may need a schema mod."
                        }
                    )
                }
            )
        }
        @{
            ADPath                 = $Settings['OUPaths']['LinuxNetgroups']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['SudoManager']
                    ACEs            = @(
                        @{
                            ADRight         = "genericAll"
                            TargetObject    = "NisNetgroup"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }
        @{
            ADPath                 = $Settings['OUPaths']['DefaultUsers']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                #region UserManager
                @{
                    PrincipalSuffix = $Settings['Rights']['UserCreate']
                    ACEs            = @(
                        @{
                            ADRight      = "CreateChild"
                            TargetObject = "User"
                        }
                    )
                }
                #endregion
                #region User Controller
                @{
                    PrincipalSuffix = $Settings['Rights']['UserControl']
                    ACEs            = @(
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "User-Account-Control"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight      = "DeleteChild"
                            TargetObject = "User"
                        }
                    )
                }
                #endRegion
                #region normal password reset delegation
                @{
                    PrincipalSuffix = $Settings['Rights']['UserPasswdReset']
                    ACEs            = @(
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "Pwd-Last-Set"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "Lockout-Time"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight       = "ExtendedRight"
                            ExtendedRight = "User-Force-Change-Password"
                            AppliesTo     = "User"
                        }
                    )
                }
                #endregion
            )
        }
        # "OU=$SensitiveUsersOU"
        @{
            ADPath                 = $Settings['OUPaths']['PrivilegedUsers']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                #region Sensitive User Manager
                @{
                    PrincipalSuffix = $Settings['Rights']['AdminUserCreate']
                    ACEs            = @(
                        @{
                            ADRight      = "CreateChild"
                            TargetObject = "User"
                        }
                    )
                }
                #endregion
                #region Sensitive user control
                @{
                    PrincipalSuffix = $Settings['Rights']['AdminUserControl']
                    ACEs            = @(
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "User-Account-Control"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight      = "DeleteChild"
                            TargetObject = "User"
                        }
                    )
                }
                #endRegion
                #region Sensitive password reset delegation
                @{
                    PrincipalSuffix = $Settings['Rights']['AdminUserPasswdReset']
                    ACEs            = @(
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "Lockout-Time"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight      = "ReadProperty, WriteProperty"
                            TargetObject = "Pwd-Last-Set"
                            AppliesTo    = "User"
                        }
                        @{
                            ADRight       = "ExtendedRight"
                            ExtendedRight = "User-Force-Change-Password"
                            AppliesTo     = "User"
                        }
                    )
                }
                #endregion
            )
        }
        # $Settings['OUPaths']['DefaultComputers'] (the DefaultComputersOU under EndpointsOU)
        @{
            ADPath                 = $Settings['OUPaths']['DefaultComputers']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                # Todo: tighten up permissions
                # The second ACE below grants WriteProperty with no TargetObject, i.e. write access to *every*
                # attribute of descendant computer objects. That includes msDS-AllowedToActOnBehalfOfOtherIdentity
                # (resource-based constrained delegation) and msDS-KeyCredentialLink (shadow credentials), so any
                # holder of CreateDeleteComputer can take over every machine in this OU. Restrict WriteProperty to
                # the attributes a join/move workflow actually needs; the following are likely required:
                ## Common-name, Sam-Account-name, Description, Display-name, attributeCertificateAttribute, Service-Principal-Name, DNS-Host-name
                ## Prefer the validated writes (Validated-SPN, Validated-DNS-Host-Name) over raw WriteProperty on servicePrincipalName / dNSHostName.
                ## See also: https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Computer"
                            InheritanceType = "All" # Any other inheritance type will cause access errors on attempting to move computer objects
                        }
                        @{
                            ADRight         = "Self, WriteProperty, GenericRead"
                            TargetObject    = "Computer"
                            InheritanceType = "Descendents"
                        }
                    )
                }

            )
        }
        @{
            ADPathLeafOU           = "OU={0}" -f $Settings['Names']['RightsOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                #region rightsAdmin
                # NOTE(review): this grants write on `member` for every group under the Rights OU (inheritance All).
                # If the groups referenced via $Settings['Rights'] (e.g. AdminUserPasswdReset, PKIManageCA) are
                # created here, ManageRights transitively holds every delegation in this file -- confirm where those
                # groups live and protect the ManageRights group accordingly.
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRights']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }
        @{
            ADPathLeafOU           = "OU={0}" -f $Settings['Names']['RolesOU']
            ApplyDefaultDeny       = $true
            DefaultDenyInheritance = "None"
            ACLs                   = @(
                #Region RolesManager
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRoles']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
                #EndRegion
            )
        }
        # PKI
        # NOTE(review): the searchBase strings for the pKICertificateTemplate / pKIEnrollmentService queries and
        # the Enrollment Services Test-Path embed $Runtime['Domain']['ConfigurationNamingContext'] inside a
        # double-quoted string. PowerShell only expands the bare $Runtime in that position, so the resulting DN
        # is malformed; build those paths with the -f operator as the Certificate Templates ADPath does.
        # Also, "CN=Enrollment Services" is a sibling of "CN=Certificate Templates" under "CN=Public Key Services",
        # not a child of it, so that Test-Path is expected to fail and the enrollment-service delegation is
        # skipped with a warning. The first Test-Path omits the "AD:" drive prefix that the second one uses --
        # verify both resolve against the AD provider.
        # The write-loghandler calls below put "-f" after -message; in command syntax that is parsed as a
        # parameter of write-loghandler, not the format operator, so "{0}" is never substituted. Use
        # -message ("..." -f $Runtime['Domain']['ConfigurationNamingContext']).
        # Security note: PKIManageCA receives WriteProperty/WriteDacl/WriteOwner on every certificate template
        # (the ESC4 primitive by design), so that group is Tier-0-equivalent; PKIEnroll only gets
        # Certificate-Enrollment on templates whose name starts with "__".
        if ($(Test-RBACFeatures).PKI) {
            if ([bool](Test-Path ("CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']))) {
                # "CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
                @{
                    ADPath           = "CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
                    ApplyDefaultDeny = $false
                    ACLs             = @(
                        @{
                            PrincipalSuffix = $Settings['Rights']['PKIManageCA']
                            ACEs            = @(
                                @{
                                    ADRight         = "CreateChild, GenericRead, WriteDacl, WriteOwner"
                                    TargetObject    = "PKI-Certificate-Template"
                                    InheritanceType = "none"
                                }
                                @{
                                    ADRight         = "ReadProperty, WriteProperty, GenericRead, WriteDacl, WriteOwner"
                                    Appliesto       = "PKI-Certificate-Template"
                                    InheritanceType = "Descendents"
                                }
                            )
                        }
                    )
                }
                @{
                    ADPathQuery      = @{filter = "objectClass -eq 'pKICertificateTemplate'"; searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$Runtime['Domain']['ConfigurationNamingContext']" }
                    ApplyDefaultDeny = $false
                    ACLs             = @(
                        @{
                            PrincipalSuffix = $Settings['Rights']['PKIManageCA']
                            ACEs            = @(
                                @{
                                    ADRight = "ReadProperty, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner"
                                }
                            )
                        }
                    )
                }
                @{
                    ADPathQuery      = @{filter = "objectClass -eq 'pKICertificateTemplate' -and name -like '__*'"; searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$Runtime['Domain']['ConfigurationNamingContext']" }
                    ApplyDefaultDeny = $false
                    ACLs             = @(
                        @{
                            PrincipalSuffix = $Settings['Rights']['PKIEnroll']
                            ACEs            = @(
                                @{
                                    ADRight         = "ReadProperty, ExtendedRight"
                                    ExtendedRight   = "Certificate-Enrollment"
                                    InheritanceType = "None"
                                }
                            )
                        }
                    )

                }
                if ([bool](Test-path "AD:CN=Enrollment Services,CN=Certificate Templates,CN=Public Key Services,CN=Services,$Runtime['Domain']['ConfigurationNamingContext']")) {
                    @{
                        ADPathQuery      = @{filter = "objectClass -eq 'pKIEnrollmentService'"; searchBase = "CN=Enrollment Services,CN=Certificate Templates,CN=Public Key Services,CN=Services,$Runtime['Domain']['ConfigurationNamingContext']" }
                        ApplyDefaultDeny = $false
                        ACLs             = @(
                            @{
                                PrincipalSuffix = $Settings['Rights']['PKIEnroll']
                                ACEs            = @(
                                    @{
                                        ADRight         = "ExtendedRight"
                                        ExtendedRight   = "Certificate-Enrollment"
                                        InheritanceType = "None"
                                    }
                                )
                            }
                        )
                    }
                }
                else {
                    write-loghandler -level "warning" -message "Path not found, skipping delegations: CN=Enrollment Services,CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
                }
            }
            else {
                write-loghandler -level "warning" -message "Path not found, skipping delegations: CN=Certificate Templates,CN=Public Key Services,CN=Services,{0}" -f $Runtime['Domain']['ConfigurationNamingContext']
            }

        }
        else {
            write-loghandler -level "warning" -message "Cannot find Public key services OU; you may not have installed an Enterprise CA. Skipping PKI delegations."
        }
    )
    GPOs          = @(
        @{
            Metadata = @{
                LinkOrder     = 1
                NamePrefix    = $Settings['names']['GPOs']['PrefixHigh']
                AlwaysRebuild = $true
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @(
                            $Settings['Rights']['GPOEdit']
                        )
                        Principals = @()
                    }
                }
            }
            SecEdit  = @{
                "Privilege Rights" = @{
                    SeInteractiveLogonRight       = @{
                        SIDS       = @(
                            $SID_Administrators
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonLocal']
                        )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS       = @(
                            $SID_Administrators
                            $SID_RemoteDesktop
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonRemote']
                        )
                        Principals = @()
                    }
                    SeServiceLogonRight           = @{
                        SIDS       = @(
                            $SID_NetworkService
                            $SID_ALLSERVICES
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonService']
                        )
                        Principals = @()
                    }
                    SeBatchLogonRight             = @{
                        SIDS       = @(
                            $SID_Administrators
                            $SID_BackupOperators
                            $SID_PerfLogUsers
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonBatch']
                        )
                        Principals = @()
                    }
                }
                "Group Membership" = @{
                    $Settings['Rights']['WinAdmin']    = @{
                        ResolveKeyName = $true
                        MemberOf       = @{
                            SIDS = @($SID_Administrators)
                        }
                    }
                    $Settings['Rights']['WinOps']      = @{
                        ResolveKeyName = $True
                        MemberOf       = @{
                            SIDS = @(
                                $SID_NetworkConfigOperators
                                $SID_PerfLogUsers
                                $SID_PerfMonUsers
                                $SID_EventLogUsers
                            )
                        }
                    }
                    $Settings['Rights']['LogonRemote'] = @{
                        ResolveKeyName = $true
                        MemberOf       = @{
                            SIDS = @(
                                $SID_RemoteMgtUsers
                                $SID_RemoteDesktop
                            )
                        }
                    }
                }
            }
            RegPol   = @(
                @{
                    KeyName         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName       = "ADPasswordEncryptionPrincipal"
                    ValueType       = "REG_SZ"
                    ValueCollection = @{
                        SIDs       = @()
                        Rights     = @(
                            $Settings['Rights']['LAPS']
                        )
                        Principals = @()
                    }
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PostAuthenticationResetDelay"
                    ValueType = "REG_DWORD"
                    ValueData = "4"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PostAuthenticationActions"
                    ValueType = "REG_DWORD"
                    ValueData = "1"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PasswordComplexity"
                    ValueType = "REG_DWORD"
                    ValueData = "4"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PasswordLength"
                    ValueType = "REG_DWORD"
                    ValueData = "16"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PasswordAgeDays"
                    ValueType = "REG_DWORD"
                    ValueData = "30"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "PwdExpirationProtectionEnabled"
                    ValueType = "REG_DWORD"
                    ValueData = "1"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "BackupDirectory"
                    ValueType = "REG_DWORD"
                    ValueData = "2"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "ADPasswordEncryptionEnabled"
                    ValueType = "REG_DWORD"
                    ValueData = "1"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "ADEncryptedPasswordHistorySize"
                    ValueType = "REG_DWORD"
                    ValueData = "2"
                }
                @{
                    KeyName   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "ADBackupDSRMPassword"
                    ValueType = "REG_DWORD"
                    ValueData = "0"
                }
            )
        }

        @{
            Metadata             = @{
                LinkOrder     = 2
                NamePrefix    = $Settings['names']['GPOs']['PrefixLow']
                AlwaysRebuild = $False
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @(
                            $Settings['Rights']['GPOEdit']
                        )
                        Principals = @()
                    }
                }
            }
            GPPrefRegistryValues = @(
                @{
                    Context   = 'Computer'
                    Key       = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\security_mmc.exe'
                    ValueName = 'about'
                    value     = 2
                    type      = 'DWORD'
                    Action    = 'Update'
                }
            )
        }
    )
}