public/Add-RBACComponent.ps1
Function Add-RBACComponent {
    <#
    .SYNOPSIS
    Adds a "component" OU structure from a predefined template under the specified 'org'

    .DESCRIPTION
    This creates a regular OU structure in Active Directory representing a software stack or
    project sharing a common ownership and lifecycle.

    The function:
      1. builds the component's parent path from the org name and the module's OU layout,
      2. creates the OU tree via Add-OUStructureFromTemplate (honouring -WhatIf/-Confirm/-Verbose),
      3. nests the org's owner role groups into each component owner role group,
      4. pauses briefly, then creates the template's GPOs via CreateOrSetGPO (gated by ShouldProcess).

    .PARAMETER Component
    The name of the 'component' (1-15 characters; alias: Name)

    .PARAMETER Description
    The description for the Component OU

    .PARAMETER Org
    The name of the parent 'org' owning this component. Must resolve via get-rbacOrg.

    .PARAMETER ResetRoleMembership
    Forwarded to Add-OUStructureFromTemplate as -ResetRoleMembership.

    .EXAMPLE
    add-rbacComponent -Component "Splunk" -description "Splunk Log Aggregation" -Org "Developers"

    This creates an OU tree at "OU=Splunk,OU=Components,OU=Developers,OU=Orgs,DC=Contoso,DC=Local"
    It should contain the following children OUs (defined by template):
      * Endpoints       -- For Computer objects
      * Rights          -- DomainLocal groups granting access to elements inside this software stack
      * ServiceAccounts -- Service accounts including gMSAs

    .INPUTS
    System.String

    .OUTPUTS
    $null

    .NOTES
    Depends on values and functions not defined in this file: $OrgsOUStruct, $ComponentsOUStruct,
    $ComponentTemplate, $OrgTemplate, $RolesName, Add-OUStructureFromTemplate, get-rbacOrg and
    CreateOrSetGPO. They are presumably module-scope; confirm before reusing this function standalone.
    #>
    [CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact='low')]
    Param (
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
        [ValidateLength(1,15)]
        [Alias("Name")]
        [String]$Component,

        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=1)]
        [String]$Description,

        # Validation requires the org to exist (get-rbacOrg must return something truthy).
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=2)]
        [ValidateScript({[bool](get-rbacOrg -org $_)})]
        [ArgumentCompleter( {(get-rbacOrg).Org})]
        [String]$Org,

        [switch]$ResetRoleMembership
    )
    BEGIN {
        # Splat table that forwards the caller's -Confirm / -WhatIf / -Verbose state to
        # Add-OUStructureFromTemplate. Confirm is true only when $ConfirmPreference is 'low'
        # (the value -Confirm sets); Whatif mirrors -WhatIf; verbose mirrors any non-silent
        # $VerbosePreference.
        $shouldProcess = @{
            Confirm = [bool]($ConfirmPreference -eq "low")
            Whatif = [bool]($WhatIfPreference.IsPresent)
            verbose = [bool]($VerbosePreference -ne "SilentlyContinue")
        }
    }
    PROCESS {
        # Always pass an explicit boolean so the downstream switch is set deterministically.
        $ResetRoleMembershipParam = @{ ResetRoleMembership = [bool]($ResetRoleMembership) }

        # NOTE(review): these re-read the current pipeline object's properties after parameter
        # binding has already run. When both an explicit argument and a pipeline property are
        # present, the pipeline property wins here — confirm that precedence is intended.
        if ($PsItem.org) { $Org = $_.Org}
        if ($PsItem.Component) {$Component = $_.Component}
        if ($PsItem.Description) {$Description = $_.Description}

        # Distinguished names: OU=<Org>,OU=<Orgs OU>,<Orgs base path>, then
        # OU=<Components OU>,<org path>. $OrgsOUStruct / $ComponentsOUStruct come from outside
        # this file — presumably module-scope layout definitions; verify.
        $OrgPath = "OU={0},OU={1},{2}" -f $Org, $OrgsOUStruct.Name, $OrgsOUStruct.Path
        $ComponentBasePath = "OU={0},{1}" -f $ComponentsOUStruct.Name, $OrgPath

        # Creates the OU tree (and, by the look of -parentOrg / -ResetRoleMembership, the role
        # groups) from $ComponentTemplate. -WhatIf/-Confirm are honoured via @shouldProcess.
        Add-OUStructureFromTemplate -name $Component -Description $Description -path $componentBasePath -Template $ComponentTemplate -parentOrg $org @shouldProcess @ResetRoleMembershipParam

        Write-verbose "Add Child owner roles to parent"
        # Role group names are "<RolesName>-<org>-<suffix>" for org owners and
        # "<RolesName>-<org>-<component>-<suffix>" for component owners; only template roles
        # flagged as owner are included. $RolesName is not defined in this file — presumably
        # a module-scope prefix; verify.
        $OrgOwnerNames = $OrgTemplate.DefaultRoles | where-object { $_.owner } | foreach-object { "$RolesName-$org-{0}" -f $_.nameSuffix }
        $ComponentOwnerNames = $ComponentTemplate.DefaultRoles | where-object { $_.Owner } | foreach-object { "$RolesName-$org-$component-{0}" -f $_.nameSuffix }

        # Nest every org owner role group into each component owner role group, so org owners
        # inherit whatever the component owner roles grant. This is a privilege-granting step:
        # it is not wrapped in ShouldProcess here and relies on Add-ADGroupMember honouring the
        # inherited $WhatIfPreference. NOTE(review): if $OrgTemplate defines no owner role,
        # $OrgOwnerNames is empty and -members receives nothing — presumably an error; confirm.
        foreach ($ownerName in $ComponentOwnerNames) {
            add-adgroupmember -identity $ownerName -members $OrgOwnerNames
        }

        # NOTE(review): fixed 5-second pause before GPO work — presumably to let the newly
        # created OUs/groups settle (e.g. replication); the reason is not stated, document it.
        start-sleep -seconds 5

        # One spec object per GPO in the component template; consumed by CreateOrSetGPO below.
        $GPOSpecList = foreach ($GPO in $componentTemplate.GPOs) {
            [pscustomObject]@{
                Org = $Org
                Component = $Component
                GPOTemplate = $GPO
            }
        }

        # GPO creation is the only step gated directly by this function's ShouldProcess;
        # skipped entirely when the template defines no GPOs.
        if ($GPOSpecList) {
            if($PSCmdlet.ShouldProcess("Creating GPOs")) {
                $GPOSpecList | CreateOrSetGPO
            }
        }
    }
}
# NOTE(review): the trailing '|' below is present in the source as received; it is not valid
# PowerShell here and looks like a page artifact — confirm against the original file.
|