vars/OUTemplate-Component.ps1

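# Component OU template. This is pure data consumed by the provisioning scripts
# (not in this file); it declares, per component:
#   OUs            - child OUs created under the component OU
#   DefaultRoles   - role groups (user-facing) and the rights each one aggregates
#   DefaultRights  - right groups that the ACEs and GPO settings below bind to
#   OUDelegations  - AD ACEs granted on the component's OUs
#   GPOs           - GPOs linked to the component OU, with SecEdit / RegPol settings
# Names ending in "Suffix" are completed by the consumer (presumably prefixed with the
# component name - confirm in the consumer); "Principal" (no suffix) is a literal group name.
# Referenced but defined elsewhere: $RightsName, $RolesName, $SUDO_ROLE_DEFS,
# $SUDO_PASSWD_TYPES, $ObjectGUIDs and the $SID_* well-known SIDs.
# Hashtable keys in PowerShell literals are case-insensitive, so the mixed
# Name/name and SIDs/SIDS spellings below resolve to the same entries.
$ComponentTemplate = @{
    OUs = @(
        @{
            Name = "Endpoints"
            Description = "Computers, Hosts, Devices within or owned by this component"
        }
        @{
            # OU holding the right groups; users should never be direct members of rights.
            name = "$($RightsName)s"
            Description = "Groups granting privileges within or owned by this component. Users should not be members of these groups. Only service accounts or roles should be members of these groups."
        }
        @{
            # OU holding the role groups; roles are the only groups users join directly.
            name = "$($RolesName)s"
            description = "Roles associated with multiple 'rights'. Only users should be members of 'role' groups."
        }
        @{
            name = "ServiceAccounts"
            description = "Service Accounts within or owned by this component"
        }
    )
    # Roles aggregate rights. Each Rights entry must match a DefaultRights nameSuffix
    # (or a generated sudo* right) or the consumer has nothing to bind it to.
    DefaultRoles = @(
        @{
            nameSuffix = "Owner"
            Owner = $true
            Description = "Owner of this component. Assumed to have full administrative rights on all systems in child components."
            # Effectively full control of the component: local admin, LAPS password read,
            # GPO link/edit and the right/role management rights. Treat membership in the
            # Owner role as privileged and review it like any other admin group.
            Rights = @(
                "AddEndpoint"
                "App-Admin"
                "App-Modify"
                "App-Access"
                "GPOAudit"
                "GPOEdit"
                "GPOLink"
                "WindowsAdmin"
                "LogonLocal"
                "LogonRemote"
                "LAPSReadPassword"
                "$($rightsName)s-Admin"
                "$($RolesName)s-Manage"
                "ServiceAcct-MSA"
                "sudo_Full"
            )
        }
        @{
            nameSuffix = "Operator"
            Owner = $False
            Description = "Local operator and app-modify rights."
            # Same as Owner minus GPOLink, WindowsAdmin and right/role management;
            # still includes LAPSReadPassword and GPOEdit.
            Rights = @(
                "AddEndpoint"
                "App-Admin"
                "App-Modify"
                "App-Access"
                "GPOAudit"
                "GPOEdit"
                "WindowsOps"
                "LogonLocal"
                "LogonRemote"
                "LAPSReadPassword"
                "ServiceAcct-MSA"
                "sudo_Operate"
                "sudo_software"
            )
        }
        @{
            nameSuffix = "User"
            Owner = $false
            Description = "Standard user for this component. Assumed to be allowed to log in and make changes to data in the application."
            # Application-only: no host logon rights are granted to this role.
            Rights = @(
                "App-Access"
                "App-Modify"
            )
        }
    )
    # Right groups. The nameSuffix values are referenced by DefaultRoles.Rights,
    # OUDelegations.PrincipalSuffix and the GPO settings' Rights lists below.
    DefaultRights = @(
        @{
            nameSuffix = "App-Access"
            Description = "Allowed Log in to applications (typically web interfaces) in this component. Often Necessary for SSO."
        }
        @{
            nameSuffix = "App-Modify"
            Description = "Poweruser or modify access to applications (typically web interfaces) in this component"
        }
        @{
            nameSuffix = "App-Admin"
            Description = "Admin access to applications (typically web interfaces) in this component"
        }
        @{
            nameSuffix = "AddEndpoint"
            Description = "Allowed to create / join computer objects"
            # Only right carrying AddParents; meaning is defined by the consumer - confirm there.
            AddParents = $true
        }
        @{
            nameSuffix = "GenerateSecurityAudit"
            Description = "Primarily for use by ADFS and IIS service accounts. Granted via GPO"
            # Not mapped in the GPOs section of this file; presumably granted by another template.
        }
        @{
            nameSuffix = "GPOAudit"
            Description = "Allowed to run RSOP and GPO Modelling"
        }
        @{
            nameSuffix = "GPOLink"
            Description = "Allowed to link and unlink GPOs in this component"
        }
        @{
            nameSuffix = "GPOEdit"
            Description = "Edit rights on All GPOs"
            # Bound to the _Settings GPO only (see GPOs); the _HBAC GPO is editable by the
            # global GPOEdit group, not by this component right.
        }
        @{
            nameSuffix = "$($rightsName)s-Admin"
            Description = "Create and delete new rights, and modify membership of all groups."
            # Member-write on every right group equals the ability to self-grant any right in
            # the component; scope this as carefully as the Owner role.
        }
        @{
            nameSuffix = "$($RolesName)s-Manage"
            Description = "Create and delete new roles, and modify membership of roles."
        }
        @{
            nameSuffix = "WindowsAdmin"
            Description = "Local admin rights on Windows hosts"
        }
        @{
            nameSuffix = "WindowsOps"
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
        }
        @{
            nameSuffix = "LAPSReadPassword"
            Description = "Fetch local machine passwords via Windows LAPS"
            # Also used as the ADPasswordEncryptionPrincipal in the _HBAC GPO RegPol entry.
        }
        @{
            nameSuffix = "LogonBatch"
            Description = "Rights for batch logon / scheduled task / cron access"
        }
        @{
            nameSuffix = "LogonLocal"
            Description = "Rights for Local logon"
            info="Default mapped services: su, gdm, login`r`nWindows: Task Scheduler"
        }
        @{
            nameSuffix = "LogonService"
            Description = "Rights for logon as service in this component"
        }
        @{
            nameSuffix = "LogonRemote"
            Description = "Rights to use Remote Desktop / SSH / Cockpit in this component"
        }
        @{
            nameSuffix = "ServiceAcct-MSA"
            Description = "Create, Delete, and manage sMSA and gMSAs"
        }
        @{
            nameSuffix = "ServiceAcct-Legacy"
            Description = "Create, Delete, and manage legacy service accounts"
        }
        # Generated sudo rights, one per (password type, sudo role) pair, named
        # "sudo<passwd>_<role>". DefaultRoles reference sudo_Full, sudo_Operate and
        # sudo_software, so $SUDO_PASSWD_TYPES is presumably expected to contain an
        # empty string - confirm against where it is defined.
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"
                }
            }
        }
    )

    # ACEs to stamp on the component's OUs. ADPathLeafOU is relative to the component
    # OU ("" = the component OU itself). PrincipalSuffix selects a right group above;
    # Principal names a fixed group.
    OUDelegations = @(
        #region OUDelegations
        #region AddEndpoint
        # These permissions are broader than they should be. Look into restricting, but following properties may be needed:
        ## Common-name, Sam-Account-name, Description, Display-name, attributeCertificateAttribute, Service-Principal-Name, DNS-Host-name
        ## See also: https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users
        @{
            ADPathLeafOU = "OU=Endpoints"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Computer"
            InheritanceType = "All" # Any other inheritance type will cause access errors on attempting to move computer objects
        }
        @{
            ADPathLeafOU = "OU=Endpoints"
            PrincipalSuffix = "AddEndpoint"
            # No TargetObject, so WriteProperty covers every attribute of descendant computer
            # objects, including security-sensitive ones. The commented-out per-attribute
            # entries below are the intended narrower replacement.
            ADRight = "Self, WriteProperty, GenericRead"
            TargetObject = "Computer"
            InheritanceType = "Descendents"
        }
        <#
        @{
            ADPathLeafOU = "OU=Endpoints"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Computer"
            InheritanceType = "Descendents"
        }
        @{
            ADPathLeafOU = "OU=Endpoints"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "WriteProperty"
            TargetObject = "Common-Name"
            AppliesTo = "Computer"
            InheritanceType = "Descendents"
        }
        @{
            ADPathLeafOU = "OU=Endpoints"
            PrincipalSuffix = "AddEndpoint"
            ADRight = "WriteProperty"
            TargetObject = "Sam-Account-Name"
            AppliesTo = "Computer"
            InheritanceType = "Descendents"
        }#>

        #endregion
        #region Service Accounts
        # GenericAll is full control of the account object (all properties, password reset
        # and its security descriptor). Appropriate for lifecycle owners, but it makes these
        # two rights as sensitive as the accounts they manage.
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-MSA"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "ms-DS-Managed-Service-Account"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-MSA"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "ms-DS-Group-Managed-Service-Account"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-MSA"
            ADRight = "GenericAll"
            AppliesTo = "ms-DS-Managed-Service-Account"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-MSA"
            ADRight = "GenericAll"
            AppliesTo = "ms-DS-Group-Managed-Service-Account"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-Legacy"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "User"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=ServiceAccounts"
            PrincipalSuffix = "ServiceAcct-Legacy"
            ADRight = "GenericAll"
            AppliesTo = "User"
            InheritanceType = "All"
        }

        #endregion
        #region Add Delegation for OU creator
        # Literal principal (not suffixed); InheritanceType None limits it to the component OU.
        @{
            ADPathLeafOU = ""
            Principal = "Right-Global-OUCreate"
            ADRight = "CreateChild"
            TargetObject = "Organizational-Unit"
            AppliesTo = "Organizational-Unit"
            InheritanceType = "None"
        }
        #endregion
        #region GPOGroups
        # RSoP planning/logging extended rights for auditors; link/options writes on the
        # component OU itself only. Editing the GPO objects is granted via GPPermissions
        # in the GPOs section, not here.
        @{
            ADPathLeafOU = ""
            PrincipalSuffix = "GPOAudit"
            ExtendedRight = "Generate-RSoP-Planning"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = ""
            PrincipalSuffix = "GPOAudit"
            ExtendedRight = "Generate-RSoP-Logging"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = ""
            PrincipalSuffix = "GPOLink"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "GP-Link"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU = ""
            PrincipalSuffix = "GPOLink"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "GP-Options"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU = ""
            PrincipalSuffix = "GPOEdit"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "GP-Options"
            InheritanceType = "None"
        }
        #endregion

        #region LAPSReadPassword
        # Only emit the LAPS ACEs when the Windows LAPS schema is present. -contains is used
        # rather than .Contains() so a missing/null or single-valued $ObjectGUIDs.name falls
        # through to the warning instead of throwing. The lookup key must match however
        # $ObjectGUIDs.name is populated (schema CN vs lDAPDisplayName) - confirm.
        if ($ObjectGUIDs.name -contains "ms-LAPS-EncryptedPassword") {
            @{
                ADPathLeafOU = "OU=Endpoints"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty"
                TargetObject = "ms-LAPS-PasswordExpirationTime"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU = "OU=Endpoints"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-Password"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU = "OU=Endpoints"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-EncryptedPassword"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU = "OU=Endpoints"
                PrincipalSuffix = "LAPSReadPassword"
                ADRight = "ReadProperty, ExtendedRight"
                TargetObject = "ms-LAPS-EncryptedPasswordHistory"
                AppliesTo = "Computer"
                InheritanceType = "Descendents"
            }
        } else {
            # The LAPSReadPassword right group is still created (DefaultRights) and still
            # referenced by the _HBAC RegPol entry below; it just gets no ACE here.
            Write-Warning "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
        }
        #endregion
        #region rightsAdmin
        # Create/delete groups plus Member and Description writes on all groups in the
        # rights OU: holders can change who has any right in the component.
        @{
            ADPathLeafOU = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Member"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight = "WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        #endregion
        #region RolesManager
        # Same shape as rightsAdmin, scoped to the roles OU.
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "CreateChild, DeleteChild"
            TargetObject = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "WriteProperty"
            TargetObject = "Description"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight = "ReadProperty, WriteProperty"
            TargetObject = "Member"
            AppliesTo = "Group"
            InheritanceType = "All"
        }
        #endregion
        #endregion
    )
    # GPOs linked to the component OU. Each setting carries three principal lists that
    # the consumer merges: SIDs (literal), Rights (right suffixes above), Principals
    # (literal group names). Every setting carries all three keys so the consumer can
    # index them uniformly.
    GPOs = @(
        @{
            Metadata = @{
                LinkOrder = 1
                NamePrefix = "_HBAC"
                # Rebuilt on every run, so manual edits to this GPO do not persist.
                AlwaysRebuild = $true
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs = @()
                        Rights = @(
                        )
                        # Deliberately the global group, not the component GPOEdit right:
                        # component operators cannot edit the host-access-control GPO.
                        Principals = @(
                            "Right-Global-GPOEdit"
                        )
                    }
                }
            }
            SecEdit = @{
                # User rights assignment: logon rights are limited to built-in groups plus the
                # matching Logon* right group, which is what enforces host-based access control.
                "Privilege Rights" = @{
                    SeInteractiveLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                        )
                        Rights = @(
                            "LogonLocal"
                        )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                            $SID_RemoteDesktop
                        )
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                    SeServiceLogonRight = @{
                        SIDS = @(
                            $SID_NetworkService
                            $SID_ALLSERVICES
                        )
                        Rights = @(
                            "LogonService"
                        )
                        Principals = @()
                    }
                    SeBatchLogonRight = @{
                        SIDS = @(
                            $SID_Administrators
                            $SID_BackupOperators
                            $SID_PerfLogUsers
                        )
                        Rights = @(
                            "LogonBatch"
                        )
                        Principals = @()
                    }
                }
                # Local group membership; the "*<SID>__Members" key form is presumably the
                # Restricted Groups "Members" syntax expected by the consumer - confirm.
                "Group Membership" = @{
                    "*$($SID_Administrators)__Members" = @{
                        SIDS = @(
                        )
                        Rights = @(
                            "WindowsAdmin"
                        )
                        Principals = @()
                    }
                    "*$($SID_NetworkConfigOperators)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        # Added for consistency with the sibling entries, which all carry Principals.
                        Principals = @()
                    }
                    "*$($SID_PerfLogUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_PerfMonUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_EventLogUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "WindowsOps"
                        )
                        Principals = @()
                    }
                    "*$($SID_RemoteMgtUsers)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                    "*$($SID_RemoteDesktop)__Members" = @{
                        SIDS = @()
                        Rights = @(
                            "LogonRemote"
                        )
                        Principals = @()
                    }
                }
            }
            RegPol = @(
                @{
                    # Windows LAPS: the principal allowed to decrypt AD-stored passwords. Set
                    # regardless of the schema check in OUDelegations, so when that check
                    # fails the right group is named here but holds no read ACE.
                    KeyName = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName = "ADPasswordEncryptionPrincipal"
                    ValueType = "REG_SZ"
                    ValueCollection = @{
                        SIDs = @()
                        Rights = @(
                            "LAPSReadPassword"
                        )
                        Principals = @()
                    }
                }
            )
        }

        @{
            Metadata = @{
                LinkOrder = 2
                NamePrefix = "_Settings"
                # Not rebuilt on every run; this is the GPO component GPOEdit holders may edit.
                AlwaysRebuild = $False
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs = @()
                        Rights = @(
                            "GPOEdit"
                        )
                        Principals = @()
                    }
                }
            }
        }
    )

}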