vars/OUTemplate-Org.ps1

# Org-level RBAC template, consumed by the OU / group / GPO provisioning code that lives
# outside this file. It is one hashtable describing, for a single org OU:
#   LDAPContainers - sub-containers created under the org (rights, roles, components)
#   DefaultRoles   - role groups (user membership) and the rights each role is granted
#   DefaultRights  - rights groups (group-only membership) that receive the delegations below
#   OUDelegations  - ACEs applied to the org OU and its sub-containers, keyed by rights group
#   GPOs           - GPOs linked at the org: a "high" policy (always rebuilt) carrying host
#                    logon rights and local-group membership, and a "low" policy delegated to GPOEdit
# Names, right suffixes and GPO prefixes come from $Settings (also spelled $settings; PowerShell
# variables and hashtable keys are case-insensitive). $SUDO_ROLE_DEFS, $SUDO_PASSWD_TYPES,
# the $SID_* constants, test-rBACFeatures and write-loghandler must already be in scope when
# this file is evaluated. The mixed key casing below (name/Name, description/Description) is
# harmless for that reason but worth normalising.
$OrgTemplate = @{
    # Containers created directly under the org OU. RightsOU and RolesOU are declared with
    # Type = "Container" here but are addressed as "OU={0}" in OUDelegations below; the
    # consumer presumably reconciles the two — confirm before relying on the Type key.
    LDAPContainers           = @(
        @{
            name        = $settings['names']['RightsOU']
            Type        = "Container"
            Description = "Groups granting privileges for GLOBAL aspects of this org, such as GPO linking or OU management. Users should not be members of these groups. Only other groups should be members of 'rights' groups."
        }
        @{
            name        = $settings['names']['RolesOU']
            Type        = "Container"
            description = "Roles associated with multiple 'rights'. Only users should be members of 'role' groups."
        }
        @{
            # No Type key: presumably created as an Organizational-Unit (it is the parent of the
            # component OUs and is referenced as OU=... below) — confirm the consumer's default.
            Name        = $Settings['Names']['ComponentsOU']
            Description = "(Delegation,GPO) A complete application, project, or app stack with a common lifecycle and administrative ownership"
        }
    )
    # Role groups. Only users should be members (see the RolesOU description); each role is
    # made a member of the listed rights groups. The Owner flag marks the role that owns the
    # org; what the consumer does with it is not visible here.
    DefaultRoles  = @(
        @{
            nameSuffix      = $Settings['names']['RolesList']['Owner']
            Owner           = $true
            Description     = "Owner of this Org. Assumed to have full administrative rights on all systems in child components."
            # Full right set for the org. NOTE(review): LinAdmin (and LinOps under Operator) have
            # no DefaultRights entry in this file — presumably defined by another template or
            # consumed only by Linux-side tooling; confirm they resolve at provisioning time.
            Rights          = @(
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['AppPoweruser']
                $Settings['Rights']['AppAdmin']
                $Settings['Rights']['CreateDeleteComputer']
                $Settings['Rights']['WinAdmin']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['GPOLink']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['OUCreate']
                $Settings['Rights']['OUManage']
                $Settings['Rights']['LAPS']
                $Settings['Rights']['ManageRights']
                $Settings['Rights']['ManageRoles']
                $Settings['Rights']['LinAdmin']
                $Settings['Rights']['ServiceAccountMSA']
                $Settings['Rights']['ServiceAccountLegacy']
            )
            # Domain-wide built-in group: membership is not scoped to this org. Members can create
            # GPOs anywhere in the domain and have full control of the GPOs they create, so Owner
            # membership needs the same review as any domain-level privileged group.
            AuxiliaryGroups = @(
                "Group Policy Creator Owners"
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['Operator']
            Owner       = $False
            Description = "Elevated rights for OS and application."
            # Day-to-day operator set: no WinAdmin/LinAdmin, no OU/rights management, no GPOLink,
            # no legacy service accounts. GPOEdit is included (edit of the org's "low" GPO, see GPOs).
            Rights      = @(
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['AppPoweruser']
                $Settings['Rights']['CreateDeleteComputer']
                $Settings['Rights']['GPOAudit']
                $Settings['Rights']['GPOEdit']
                $Settings['Rights']['WinOps']
                $Settings['Rights']['LogonRemote']
                $Settings['Rights']['LogonLocal']
                $Settings['Rights']['LAPS']
                $Settings['Rights']['LinOps']
                $Settings['Rights']['ServiceAccountMSA']
            )
        }
        @{
            nameSuffix  = $Settings['names']['RolesList']['User']
            Owner       = $false
            Description = "Act as user for applications under org"
            # Application-only role: no host logon or directory rights.
            Rights      = @(
                $Settings['Rights']['AppAccess']
                $Settings['Rights']['AppPoweruser']
            )
        }
    )
    # Rights groups: one AD group per right, suffix taken from $Settings['Rights'] so that the
    # roles above and the OUDelegations below refer to the same names. AddParents is interpreted
    # by the consumer (presumably chains the right to the parent org's group of the same name);
    # in this template only the application rights and LAPS set it to $true — every directory,
    # GPO and host right stays org-local.
    DefaultRights = @(
        @{
            nameSuffix  = $Settings['Rights']['AppAccess']
            Description = "Allowed Log in to applications (typically web interfaces) in this org. Often Necessary for SSO."
            AddParents  = $true
        }
        @{
            nameSuffix  = $Settings['Rights']['AppPoweruser']
            Description = "Poweruser or modify access to applications (typically web interfaces) in this org"
            AddParents  = $true
        }
        @{
            nameSuffix  = $Settings['Rights']['AppAdmin']
            Description = "Admin access to applications (typically web interfaces) in this org"
            AddParents  = $true
        }
        @{
            nameSuffix  = $Settings['Rights']['CreateDeleteComputer']
            Description = "Allowed to create / join computer objects"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOAudit']
            Description = "Allowed to run RSOP and GPO Modelling"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOLink']
            Description = "Allowed to link and unlink GPOs in org"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['GPOEdit']
            Description = "Edit rights on All GPOs"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['OUCreate']
            Description = "Create Organizational Units"
            AddParents  = $false
        }
        @{
            # Holds WriteDacl on the components subtree (see OUDelegations) — effectively
            # owner-equivalent for that subtree; keep membership as tight as Owner's.
            nameSuffix  = $Settings['Rights']['OUManage']
            Description = "Modify properties and permissions on ACLs"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['ManageRights']
            Description = "Create and delete new rights, and modify membership of all groups."
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['ManageRoles']
            Description = "Create and delete new roles, and modify membership of roles."
            AddParents  = $false
        }
        @{
            # Mapped to the local Administrators group on every host via the high GPO below.
            nameSuffix  = $Settings['Rights']['WinAdmin']
            Description = "Local admin rights on Windows / Linux hosts"
            AddParents  = $false
        }
        @{
            # Mapped to Network Configuration / Performance / Event Log operator groups via the high GPO.
            nameSuffix  = $Settings['Rights']['WinOps']
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
            AddParents  = $false
        }
        @{
            # Read access to LAPS password attributes AND the decryption principal for encrypted
            # LAPS passwords (see OUDelegations and the RegPol entry of the high GPO).
            nameSuffix  = $Settings['Rights']['LAPS']
            Description = "Fetch local machine passwords via Windows LAPS"
            AddParents  = $true
        }
        @{
            # Not granted to any role in this template; intended for service identities.
            nameSuffix  = $Settings['Rights']['LogonBatch']
            Description = "Rights for batch logon / scheduled task / cron access"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonLocal']
            Description = "Rights for Local logon"
            # NOTE(review): "Task Scheduler" on Windows is a batch logon (SeBatchLogonRight, see
            # LogonBatch above), not an interactive one — confirm this mapping note is on the right entry.
            info        = "Default mapped services: su, gdm, login`r`nWindows: Task Scheduler"
            AddParents  = $false
        }
        @{
            # Not granted to any role in this template; intended for service identities.
            nameSuffix  = $Settings['Rights']['LogonService']
            Description = "Rights for logon as service in this Org"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['LogonRemote']
            Description = "Rights to use Remote Desktop / SSH / Cockpit in this Org"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['ServiceAccountMSA']
            Description = "Create, Delete, and manage sMSA and gMSAs"
            AddParents  = $false
        }
        @{
            nameSuffix  = $Settings['Rights']['ServiceAccountLegacy']
            Description = "Create, Delete, and manage legacy service accounts"
            AddParents  = $false
        }
        # One right per (passwd variant, sudo role) pair, generated from the module-level
        # $SUDO_ROLE_DEFS / $SUDO_PASSWD_TYPES lists. Statement output inside @() is collected
        # into the array in iteration order, so these follow the static entries above.
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix  = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: $($sudoRoleType.description)"
                    AddParents = $false
                }
            }
        }
    )

    # ACEs applied per container. ADPathLeafOU is the RDN relative to the org OU ("" = the org
    # OU itself). PrincipalSuffix names a rights group from DefaultRights; Principal names a
    # literal account. ApplyDefaultDeny / DefaultDenyInheritance are interpreted by the consumer
    # and are the same ($true / "None") on every entry here.
    OUDelegations = @(
        # The org OU itself (empty leaf): GPO-related rights and LAPS read access.
        @{
            ADPathLeafOU = ""
            ApplyDefaultDeny = $true
            DefaultDenyInheritance = "None"
            ACLs         = @(
                #Region GPOs
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOAudit']
                    ACEs            = @(
                        @{
                            ExtendedRight   = "Generate-RSoP-Planning"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # Link/unlink on the org OU only (InheritanceType "None"); child OUs are
                    # not covered by this delegation.
                    PrincipalSuffix = $Settings['Rights']['GPOLink']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Link"
                            InheritanceType = "None"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Options"
                            InheritanceType = "None"
                        }
                    )
                }
                @{
                    PrincipalSuffix = $Settings['Rights']['GPOEdit']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "GP-Options"
                            InheritanceType = "All"
                        }
                    )
                }
                #endRegion
                #Region LAPSReadPassword
                # Gated on the Windows LAPS schema being present. NOTE(review): this if/else is
                # evaluated inside the ACLs @(), so any pipeline output from write-loghandler
                # would be appended to the ACL array — confirm it writes only to the log/host stream.
                if ((test-rBACFeatures).LAPS) {
                    write-loghandler -level "warning" -message "Enabling LAPS features"
                    # Standard Windows LAPS read delegation (ReadProperty + ExtendedRight on the
                    # password attributes). Scoped to Computer objects with "Descendents", so it
                    # covers every computer below the org OU, including those in component OUs.
                    @{
                        PrincipalSuffix = $Settings['Rights']['LAPS']
                        ACEs            = @(
                            @{
                                ADRight         = "ReadProperty"
                                TargetObject    = "ms-LAPS-PasswordExpirationTime"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-Password"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPassword"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                            @{
                                ADRight         = "ReadProperty, ExtendedRight"
                                TargetObject    = "ms-LAPS-EncryptedPasswordHistory"
                                AppliesTo       = "Computer"
                                InheritanceType = "Descendents"
                            }
                        )
                    }
                }
                else {
                    # No LAPS ACEs are emitted; the LAPS right group still exists but grants nothing here.
                    write-loghandler -level "warning" -message "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
                }
                #endregion

            )
        }
        # Components OU: where computers, service accounts and component sub-OUs live.
        # This is where the high-impact delegations (WriteDacl, GenericAll) are granted.
        @{
            ADPathLeafOU = "OU={0}" -f $Settings['Names']['ComponentsOU']
            ApplyDefaultDeny = $true
            DefaultDenyInheritance = "None"
            ACLs         = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['CreateDeleteComputer']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Computer"
                            InheritanceType = "All" # Any other inheritance type will cause access errors on attempting to move computer objects
                        }
                        # WriteProperty here is not narrowed to a single attribute; if the consumer
                        # maps it to all properties of Computer objects this right is privileged
                        # and its membership should be reviewed like WinAdmin's.
                        @{
                            ADRight         = "Self, WriteProperty, GenericRead"
                            TargetObject    = "Computer"
                            InheritanceType = "Descendents"
                        }
                    )
                }
                @{
                    # Create OUs and containers anywhere in the components subtree; no DeleteChild.
                    PrincipalSuffix = $Settings['Rights']['OUCreate']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Container"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Container"
                            AppliesTo       = "Container"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # WriteDacl on OUs/containers with InheritanceType "All" lets holders rewrite the
                    # permissions of the whole components subtree, and so grant themselves or others
                    # any of the other rights delegated here. Treat OUManage as owner-equivalent for
                    # this subtree when reviewing membership.
                    PrincipalSuffix = $Settings['Rights']['OUManage']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Organizational-Unit"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Container"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Container"
                            AppliesTo       = "Organizational-Unit"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteDacl"
                            TargetObject    = "Container"
                            AppliesTo       = "Container"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # Scoped by object class (Group) with InheritanceType "All": covers every group
                    # anywhere under the components subtree, not only rights groups.
                    PrincipalSuffix = $Settings['Rights']['ManageRights']
                    ACEs            = @(
                        @{
                            ADRight         = "ReadProperty, WriteProperty, DeleteChild, CreateChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # GenericAll on (g)MSA objects includes changing which principals may retrieve the
                    # managed password, so this right effectively controls every MSA credential in
                    # the subtree. Note the sMSA CreateChild/DeleteChild ACE uses "Descendents" while
                    # the gMSA one uses "All" — presumably intentional (no sMSAs directly in the
                    # components OU root); confirm.
                    PrincipalSuffix = $Settings['Rights']['ServiceAccountMSA']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "ms-DS-Managed-Service-Account"
                            InheritanceType = "Descendents"
                        }
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "ms-DS-Group-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "ms-DS-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "ms-DS-Group-Managed-Service-Account"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # GenericAll is scoped by object class (User) and InheritanceType "All", so it
                    # applies to EVERY user object under the components subtree — including password
                    # reset — not only to service accounts; the template cannot tell them apart.
                    # Keep human accounts out of this subtree or narrow the scope before granting this.
                    PrincipalSuffix = $Settings['Rights']['ServiceAccountLegacy']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "User"
                            InheritanceType = "Descendents"
                        }
                        @{
                            ADRight         = "GenericAll"
                            AppliesTo       = "User"
                            InheritanceType = "All"
                        }
                    )
                }
                @{
                    # Explicit Deny (evaluated before explicit Allow in AD canonical ACE order):
                    # nobody, including CreateDeleteComputer holders, can create computer objects
                    # directly in the components OU root, forcing them into component sub-OUs.
                    # InheritanceType "none" keeps the deny from propagating. Lower-case "none"
                    # differs from "None" elsewhere — harmless only if the consumer parses the
                    # enum case-insensitively.
                    Principal = "Everyone"
                    ACEs      = @(
                        @{
                            ADRight         = "CreateChild"
                            TargetObject    = "Computer"
                            Action          = "Deny"
                            InheritanceType = "none"
                        }
                    )
                }
            )

        }
        # Rights OU: only ManageRights may create/delete groups and edit membership here.
        @{
            ADPathLeafOU = "OU={0}" -f $Settings['Names']['RightsOU']
            ApplyDefaultDeny = $true
            DefaultDenyInheritance = "None"
            ACLs         = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRights']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
            )

        }
        # Roles OU: same shape as the rights OU, delegated to ManageRoles instead. Since roles
        # are members of rights groups, ManageRoles membership is as sensitive as ManageRights.
        @{
            ADPathLeafOU = "OU={0}" -f $Settings['Names']['RolesOU']
            ApplyDefaultDeny = $true
            DefaultDenyInheritance = "None"
            ACLs         = @(
                @{
                    PrincipalSuffix = $Settings['Rights']['ManageRoles']
                    ACEs            = @(
                        @{
                            ADRight         = "CreateChild, DeleteChild"
                            TargetObject    = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "WriteProperty"
                            TargetObject    = "Description"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                        @{
                            ADRight         = "ReadProperty, WriteProperty"
                            TargetObject    = "Member"
                            AppliesTo       = "Group"
                            InheritanceType = "All"
                        }
                    )
                }
            )
        }
    )
    # GPOs linked at the org OU. LinkOrder 1 ("high") takes precedence over LinkOrder 2 ("low")
    # on conflicting settings. Each SIDs / Rights / Principals triple is a principal collection:
    # fixed well-known SIDs, org rights groups (resolved by the consumer), literal principals.
    GPOs          = @(
        # "High" policy: AlwaysRebuild = $true means manual edits are overwritten on every run,
        # and GPOEdit is left empty so editing is not delegated to the org. It carries the host
        # logon restrictions, local-group membership and the LAPS encryption principal.
        @{
            Metadata = @{
                LinkOrder     = 1
                NamePrefix    = $Settings['names']['GPOs']['PrefixHigh']
                AlwaysRebuild = $true
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @()
                        Principals = @()
                    }
                }
            }
            SecEdit  = @{
                # User Rights Assignment (GptTmpl.inf "Privilege Rights"). A URA setting delivered
                # by GPO replaces the hosts' local assignment, so each logon type is restricted to
                # the listed built-in SIDs plus the org's matching Logon* rights group; anything
                # not listed loses that logon type on every host under the org.
                "Privilege Rights" = @{
                    SeInteractiveLogonRight       = @{
                        SIDS       = @(
                            $SID_Administrators
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonLocal']
                        )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS       = @(
                            $SID_Administrators
                            $SID_RemoteDesktop
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonRemote']
                        )
                        Principals = @()
                    }
                    SeServiceLogonRight           = @{
                        SIDS       = @(
                            $SID_NetworkService
                            $SID_ALLSERVICES
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonService']
                        )
                        Principals = @()
                    }
                    SeBatchLogonRight             = @{
                        SIDS       = @(
                            $SID_Administrators
                            $SID_BackupOperators
                            $SID_PerfLogUsers
                        )
                        Rights     = @(
                            $Settings['Rights']['LogonBatch']
                        )
                        Principals = @()
                    }
                }
                # Local group membership, keyed by org rights group (ResolveKeyName = $true: the
                # consumer resolves the key to the actual group). MemberOf presumably maps to the
                # Restricted Groups "Member Of" form, which adds the right group to the listed local
                # groups without removing existing members — confirm against the consumer.
                "Group Membership" = @{
                    # WinAdmin -> local Administrators on every host under the org.
                    $Settings['Rights']['WinAdmin'] = @{
                        ResolveKeyName = $true
                        MemberOf       = @{
                            SIDS = @($SID_Administrators)
                        }
                    }
                    $Settings['Rights']['WinOps']   = @{
                        ResolveKeyName = $True
                        MemberOf       = @{
                            SIDS = @(
                                $SID_NetworkConfigOperators
                                $SID_PerfLogUsers
                                $SID_PerfMonUsers
                                $SID_EventLogUsers
                            )
                        }
                    }
                    # LogonRemote also needs group membership (RDP / WinRM) on top of the
                    # SeRemoteInteractiveLogonRight granted above.
                    $Settings['Rights']['LogonRemote']  = @{
                        ResolveKeyName = $true
                        MemberOf       = @{
                            SIDS = @(
                                $SID_RemoteMgtUsers
                                $SID_RemoteDesktop
                            )
                        }
                    }
                }
            }
            # Windows LAPS policy: the org's LAPS right group becomes ADPasswordEncryptionPrincipal,
            # so encrypted LAPS passwords written by hosts under the org are decryptable only by
            # that group (and, by Windows LAPS design, Domain Admins). Pairs with the LAPS read
            # delegation in OUDelegations; both are needed for a holder to retrieve a password.
            RegPol   = @(
                @{
                    KeyName         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName       = "ADPasswordEncryptionPrincipal"
                    ValueType       = "REG_SZ"
                    ValueCollection = @{
                        SIDs       = @()
                        Rights     = @(
                            $Settings['Rights']['LAPS']
                        )
                        Principals = @()
                    }
                }
            )
        }

        # "Low" policy: not rebuilt, and edit permission is delegated to the org's GPOEdit right
        # group — the place for org-specific settings that the high policy does not pin.
        @{
            Metadata = @{
                LinkOrder     = 2
                NamePrefix    = $Settings['names']['GPOs']['PrefixLow']
                AlwaysRebuild = $False
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @(
                            $Settings['Rights']['GPOEdit']
                        )
                        Principals = @()
                    }
                }
            }
        }
    )
}