public/Add-RBAC.ps1
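Function Add-RBAC {
    <#
    .SYNOPSIS
        Creates the basic OU skeleton for an RBAC-oriented AD.
    .DESCRIPTION
        Creates several OUs that support the RBAC system:

            OU=Orgs
             --> OU=Global
                  |--> AdminAccounts
                  |--> Rights
                  |--> Roles
                  |--> NewComputers
                  |--> Users
            OU=LinuxFeatures
             --> Sudoroles
             --> netgroups

        It also creates some basic rights and roles (security groups) and
        GPOs based on the Global template, then points the domain's default
        user and computer containers at the Global OU (redirusr / redircmp).

        Depends on module-scope configuration that is not defined in this
        file: $OrgsOUStruct, $LinuxFeaturesOUStruct, $GlobalOUStruct,
        $GlobalTemplate, $UsersOU, $ComputersOU and $sleepTimeout, plus the
        helper commands Add-OUStructureFromTemplate, CreateOrSetGPO,
        Test-RBACFeatures and Set-LapsADComputerSelfPermission.
    .PARAMETER ResetRoleMembership
        Forwarded as a boolean to every Add-OUStructureFromTemplate call;
        its exact effect is defined by that command.
    .EXAMPLE
        Add-RBAC
    .EXAMPLE
        Add-RBAC -WhatIf
        Reports the OUs, GPOs and container redirections that would be made
        without changing the directory.
    .INPUTS
        None
    .OUTPUTS
        None
    .NOTES
        GPO creation and the redirusr/redircmp calls are each gated by
        ShouldProcess, so -WhatIf / -Confirm apply to them individually.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [switch]$ResetRoleMembership
    )

    Begin {
        # Propagate the caller's confirmation / what-if / verbosity context to
        # the helper commands by splatting. Confirm is only forced on when the
        # caller's ConfirmPreference is "Low".
        $shouldProcess = @{
            Confirm = [bool]($ConfirmPreference -eq "low")
            WhatIf  = [bool]($WhatIfPreference.IsPresent)
            Verbose = [bool]($VerbosePreference -ne "SilentlyContinue")
        }

        # Runs redirusr or redircmp against one DN and reports the outcome.
        # Both tools print "Redirection was successful." on success; any other
        # output is surfaced as a warning so a failed redirect is never silent.
        function Invoke-ContainerRedirect {
            param(
                [ValidateSet('redirusr', 'redircmp')]
                [string]$Tool,
                [string]$TargetDN,
                [string]$Label
            )
            $status = & $Tool $TargetDN
            if ($status -contains "Redirection was successful.") {
                Write-Host ("{0,-42} : {1}" -f "Redirected default $Label DN to", $TargetDN)
            }
            else {
                Write-Warning ("{0,-42} : {1}" -f "Failed to redirect default $Label DN to", $TargetDN)
                # Collapse the tool's multi-line output into one warning.
                Write-Warning (($status -join "`r`n") -replace "`r`n`r`n", "`r`n")
            }
        }
    }

    Process {
        $resetParam = @{ ResetRoleMembership = [bool]$ResetRoleMembership }

        Add-OUStructureFromTemplate @OrgsOUStruct @shouldProcess @resetParam
        Add-OUStructureFromTemplate @LinuxFeaturesOUStruct @shouldProcess @resetParam
        Add-OUStructureFromTemplate @GlobalOUStruct -Template $GlobalTemplate @shouldProcess @resetParam

        #region GPO creation
        # TODO: fold this into Add-OUStructureFromTemplate; it is special-cased
        # here for the Global org only.
        $gpoSpecList = foreach ($gpo in $GlobalTemplate.GPOs) {
            [pscustomobject]@{
                Org         = "Global"
                GPOTemplate = $gpo
            }
        }
        if ($gpoSpecList -and $PSCmdlet.ShouldProcess("Creating GPOs")) {
            $gpoSpecList | CreateOrSetGPO
        }
        #endregion

        # Only apply the LAPS self-permission on the Global OU when the
        # feature probe reports LAPS as available.
        if ((Test-RBACFeatures).LAPS) {
            Set-LapsADComputerSelfPermission -Identity $GlobalOUStruct.Path
        }

        $usersDN     = "OU={0},OU={1},{2}" -f $UsersOU, $GlobalOUStruct.Name, $GlobalOUStruct.Path
        $computersDN = "OU={0},OU={1},{2}" -f $ComputersOU, $GlobalOUStruct.Name, $GlobalOUStruct.Path

        Write-Warning "Finished building structure; waiting for AD to settle...."

        # Under -WhatIf nothing was created, so there is nothing to wait for.
        if (-not $WhatIfPreference) {
            # Poll until the Users OU resolves, up to $sleepTimeout seconds.
            # An identity lookup on a DN that is not yet visible raises an
            # error instead of returning $null, so it is caught here rather
            # than aborting the loop on the first iteration.
            $settled = $false
            for ($i = 0; $i -lt $sleepTimeout; $i++) {
                try {
                    $null = Get-ADOrganizationalUnit -Identity $usersDN -ErrorAction Stop
                    $settled = $true
                    break
                }
                catch {
                    Start-Sleep -Seconds 1
                }
            }
            if (-not $settled) {
                # Continue anyway: redirusr/redircmp report their own failure.
                Write-Warning ("{0,-42} : {1}" -f "OU not visible after $sleepTimeout s; continuing", $usersDN)
            }
        }

        if ($PSCmdlet.ShouldProcess($usersDN, "Redirecting default user container")) {
            Invoke-ContainerRedirect -Tool redirusr -TargetDN $usersDN -Label user
        }
        if ($PSCmdlet.ShouldProcess($computersDN, "Redirecting default computer container")) {
            Invoke-ContainerRedirect -Tool redircmp -TargetDN $computersDN -Label computer
        }
    }
}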