HelperFunctions/inChangeAdminSDHolderGroupProtection.ps1
function inChangeAdminSDHolderGroupProtection { Param( [switch]$EnableAccountOperators, [switch]$EnableServerOperators, [switch]$EnablePrintOperators, [switch]$EnableBackupOperators, [switch]$DisableAccountOperators, [switch]$DisableServerOperators, [switch]$DisablePrintOperators, [switch]$DisableBackupOperators, [switch]$Confirmed ) $RootDSE = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://RootDSE" $configurationNamingContext = $RootDSE.Properties.Item('configurationNamingContext') $DirectoryService = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configurationNamingContext" $dsHeuristics = $DirectoryService.Properties.Item('dsHeuristics').Value $Changed = $false if ($dsHeuristics) { Write-Output -InputObject "`nCurrent dsHeuristics value: $dsHeuristics`n" if ($dsHeuristics.Length -lt 16) { $dsHeuristics += '0000000001000000'.Substring($dsHeuristics.Length) } } else { Write-Output -InputObject "`nCurrent dsHeuristics value: null`n" $dsHeuristics = '0000000001000000' } $bitMask = [convert]::ToInt32($dsHeuristics.Substring(15,1),16) switch ($true) { $DisableAccountOperators { if (-not ($bitMask -band 1)) { $bitMask = $bitMask -bor 1 Write-Output -InputObject "DISABLED: Account Operators" } else { Write-Output 'Account Operators group protection already disabled.' } } $DisableServerOperators { if (-not ($bitMask -band 2)) { $bitMask = $bitMask -bor 2 Write-Output -InputObject "DISABLED: Server Operators" } else { Write-Output 'Server Operators group protection already disabled.' } } $DisablePrintOperators { if (-not ($bitMask -band 4)) { $bitMask = $bitMask -bor 4 Write-Output -InputObject "DISABLED: Print Operators" } else { Write-Output 'Print Operators group protection already disabled.' } } $DisableBackupOperators { if (-not ($bitMask -band 8)) { $bitMask = $bitMask -bor 8 Write-Output -InputObject "DISABLED: Backup Operators" } else { Write-Output 'Backup Operators group protection already disabled.' } } $EnableAccountOperators { if ($bitMask -band 1) { $bitMask = $bitMask -band (-bnot 1) Write-Output -InputObject "ENABLED: Account Operators" } else { Write-Output 'Account Operators group protection already enabled.' } } $EnableServerOperators { if ($bitMask -band 2) { $bitMask = $bitMask -band (-bnot 2) Write-Output -InputObject "ENABLED: Server Operators" } else { Write-Output 'Server Operators group protection already enabled.' } } $EnablePrintOperators { if ($bitMask -band 4) { $bitMask = $bitMask -band (-bnot 4) Write-Output -InputObject "ENABLED: Print Operators" } else { Write-Output 'Print Operators group protection already enabled.' } } $EnableBackupOperators { if ($bitMask -band 8) { $bitMask = $bitMask -band (-bnot 8) Write-Output -InputObject "ENABLED: Backup Operators" } else { Write-Output 'Backup Operators group protection already enabled.' } } default { Write-Output -InputObject "No changes were made.`n" return } } if ($bitMask -ne [convert]::ToInt32($dsHeuristics.Substring(15,1),16)) { $Changed = $true $dsHeuristics = $dsHeuristics.Substring(0,15) + [convert]::ToString($bitMask,16) + $dsHeuristics.Substring(16) } if ($Changed) { Write-Output -InputObject "`nResulting dsHeuristics value: $dsHeuristics`n" if ($Confirmed) { $DirectoryService.Put('dsHeuristics', $dsHeuristics) $DirectoryService.SetInfo() } else { Write-Output -InputObject "WHATIF: No changes were made.`n" } } else { if ($Confirmed) { Write-Output -InputObject "`nNo changes were made.`n" } else { Write-Output -InputObject "`nWHATIF: No changes were made.`n" } } } |