Private/Confirm-ADSOrganizationalStructureACL.ps1

Function Confirm-ADSOrganizationalStructureACL
{
    [CmdLetBinding(SupportsShouldProcess = $True)]
    Param
    (
        [Parameter(Mandatory = $True)]
        [String] $DistinguishedName,
        [Parameter(Mandatory = $True)]
        $Structure,
        [Parameter(Mandatory = $False)]
        $Variables
    )

    Begin
    {
        Write-Verbose "[$($DistinguishedName)] Start $($MyInvocation.InvocationName)"

        $ErrorActionPreference = 'Stop'
    }

    Process
    {
        If (-not $Structure.Permission)
        {
            Return
        }

        $ADPath = "AD:\$($DistinguishedName)"
        $CurrentACLs = Get-Acl -Path $ADPath | Select-Object -ExpandProperty Access
        $NewACLs = Get-Acl -Path $ADPath 
        $SetAcl = $False

        ForEach ($permission in $Structure.Permission)
        {
            $identityDistinguishedName = Get-ADSIdentityDistinguishedName -DistinguishedName $DistinguishedName -Permission $permission -Variables $Variables

            [System.Security.Principal.SecurityIdentifier]$identity = $Null
            Try
            {
                If ($($permission.Identity) -like 'S-1-5-*')
                {
                    $identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $($permission.Identity)
                }
                Else
                {
                    $sid = (Get-ADObject -Identity $($identityDistinguishedName) -Properties objectSID).objectSID
                    $identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
                }
            }

            Catch
            {
                If ([String]::IsNullOrEmpty($permission.Optional) -or -not [Bool]$permission.Optional)
                {
                    Write-Error "[$($DistinguishedName)]->$($permission.Identity): Failed to find identity with DN '$($identityDistinguishedName)' and not marked as optional"
                }
                
                # If the permission is optional then skip setting it if the group does not exist
                Continue
            }

            Write-Verbose "[$($DistinguishedName)]->$($permission.Identity) identified as '$($identity.Value)' with resolved name of '$($identityDistinguishedName)'"

            $permissions = Get-ADSPermissions -GroupName $($permission.Permission)
            Write-Verbose "[$($DistinguishedName)]->$($permission.Identity): processing $($newPermission.AccessRules.AccessRule.Length) permissions"

            ForEach ($newPermission in $permissions.AccessRules.AccessRule)
            {
                Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description): Processing"

                $existingAcl = $CurrentACLs | Where-Object { 
                    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $($identity.Value) -and
                    $_.ActiveDirectoryRights -eq $($newPermission.ActiveDirectoryRights) -and
                    $_.InheritanceType -eq $($newPermission.InheritanceType) -and
                    $_.ObjectType -eq $($newPermission.ObjectType) -and
                    $_.InheritedObjectType -eq $($newPermission.InheritedObjectType) -and
                    $_.AccessControlType -eq 'Allow'
                }

                If ($Null -eq $existingAcl)
                {
                    Write-Host "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description): permission not found. Creating" -ForegroundColor Green

                    Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description)->ActiveDirectoryRights: $($newPermission.ActiveDirectoryRights)"
                    Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description)->ObjectType: $($newPermission.ObjectType)"
                    Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description)->InheritanceType: $($newPermission.InheritanceType)"
                    Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description)->InheritedObjectType: $($newPermission.InheritedObjectType)"

                    $parameters = @(
                        $identity
                        $($newPermission.ActiveDirectoryRights)
                        'Allow' # $($newPermission.InheritanceType)
                        ([GUID]$($newPermission.ObjectType)).Guid
                        $($newPermission.InheritanceType)
                        ([GUID]$($newPermission.InheritedObjectType)).Guid
                    )

                    $accessRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Parameters
                    $NewACLs.AddAccessRule($accessRule) | Out-Null
                    $SetAcl = $True
                }

                Write-Verbose "[$($DistinguishedName)]->$($permission.Identity)->$($newPermission.Description): Finished processing"
            }

            If ($SetAcl)
            {
                If ($PSCmdlet.ShouldProcess("-Path $ADPath -AclObject $NewACLs", 'Set-Acl'))
                {
                    Write-Verbose "[$($DistinguishedName)]->$($permission.Identity) Updating ACL for object"
                    Set-Acl -Path $ADPath -AclObject $NewACLs | Out-Null
                }
            }
        }
    }

    End
    {
        Write-Verbose "[$($DistinguishedName)] End $($MyInvocation.InvocationName)"
    }
}