PowerShell helper functions for Active Directory OU delegation: create the per-site delegation group and OU tree, list an object's ACL, and grant narrowly scoped ACEs (per attribute / per object class) to the delegation group. (The gist title shown above, about resizing a VM system partition, does not describe this code.)
 #region OU Supporting Functions
#Establish the Delegation Group if necessary
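function New-ADDelegationGroup {
    <#
    .SYNOPSIS
    Creates (or looks up) the universal security group that receives delegated rights for a site.
    .DESCRIPTION
    The group is named "!CORP delegation IT <Site> <DelegationRole>" and created under
    $DelegationGroupOUPath. If a group with that SamAccountName already exists it is reused.
    Whoever can edit this group's membership effectively holds every right later delegated to
    it, so the group should live in an OU that is itself tightly controlled.
    Any failure to create the group is thrown to the caller: the original code returned $null
    silently (or used 'break', which escapes out of the caller's loop) and later delegation
    calls would then run against an empty identity.
    .OUTPUTS
    System.String - SamAccountName of the delegation group.
    #>
    Param (
        [string] $Site,
        [string] $DelegationGroupOUPath,
        [string] $DelegationRole = "OU Admin"
    )
    begin {
        import-module activedirectory
    }
    process {
        $groupName = "!CORP delegation IT " + $Site + " " + $DelegationRole

        # Idempotent: look the group up by SamAccountName first instead of parsing the
        # "already exists" error text, which is locale dependent.
        $delegationGroup = Get-ADGroup -Filter { SamAccountName -eq $groupName }

        if ($null -eq $delegationGroup) {
            Try {
                # -ErrorAction Stop makes the AD cmdlet error terminating so Catch actually runs.
                $delegationGroup = New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Universal -DisplayName $groupName -Path $DelegationGroupOUPath -Description "Delegation access for IT to Manage the $SITE site $DelegationRole" -Passthru -ErrorAction Stop
            }
            Catch {
                # Access denied, bad OU path, etc.: surface it rather than returning nothing.
                throw ("Unable to create delegation group '{0}': {1}" -f $groupName, $_.Exception.Message)
            }
        }
        #Add-ADGroupMember -Identity $delegationGroup -Members ("!$Site IT (Standard)")
        return $delegationGroup.SAMAccountName
    }
}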
#Establish the OU if necessary
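function New-ADOU {
    <#
    .SYNOPSIS
    Creates every missing OU in a distinguished name, parent first.
    .PARAMETER Path
    Distinguished name such as "ou=Child,ou=Parent,dc=corp,dc=example". Only "ou=" components
    are created; "dc=" (and any other) components are assumed to exist already. The DN is
    split on "," so OU names containing an escaped comma ("\,") are not supported.
    .NOTES
    New-ADOrganizationalUnit errors are made terminating with -ErrorAction Stop; only the
    "name already in use" case is treated as benign. Other failures (access denied, missing
    parent) are rethrown instead of being silently swallowed as before.
    #>
    param (
        [string] $Path
    )
    begin {
        import-module activedirectory
    }
    process {
        # Walk from the domain root downwards so each parent exists before its child.
        $nodes = $Path -split ","
        [array]::reverse($nodes)
        $parentPath = ""
        foreach ($node in $nodes) {
            if ($node -like "ou=*") {
                $ouName = $node -replace 'ou=', ''
                try {
                    New-ADOrganizationalUnit -Name $ouName -path $parentPath -ErrorAction Stop
                }
                catch {
                    # Wildcards are required: -like without them is an exact string compare.
                    if ($_.Exception.Message -like "*name that is already in use*") {
                        write-Verbose ("OU - Create : Node $node exists $parentPath")
                    } else {
                        throw
                    }
                }
            }
            # Extend the parent DN for the next (child) component.
            if ($parentPath -eq "") {
                $parentPath = $node
            } else {
                $parentPath = $node + "," + $parentPath
            }
        }
    }
}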
#endregion
#region AD Delegation Function
# Example: explicit (non-inherited) ACEs granted to domain principals on an OU
# Get-ADObjectAcl -Name "ou=Employees,ou=Users,ou=MAD,ou=Office,dc=diginerve,dc=net" | ? {$_.IsInherited -eq $false} | ? {$_.NTAccount -like "DIGINERVE\*"} | select InheritedObjectType, ObjectType, ActiveDirectoryRights, InheritanceType | fl
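function Get-ADObjectAcl {
<#
.SYNOPSIS
Lists the access rules (DACL entries) of a directory object.
.DESCRIPTION
Binds to LDAP://<Name> and emits one object per ACE, explicit and inherited. The trustee is
reported as a SID and, where it resolves, as DOMAIN\name. A SID that cannot be translated
(deleted principal, unreachable trusted domain) is kept as its SID string instead of aborting
the whole listing - orphaned ACEs are precisely what an ACL review needs to surface.
.PARAMETER Name
Distinguished name of the object to inspect.
.EXAMPLE
Import-Module ActiveDirectory
Get-ADObjectAcl -Name "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.EXAMPLE
Get-ADObjectAcl -Name "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org" | ? {$_.IsInherited -eq $false} | ? {$_.NTAccount -like "CORPNET\*"}
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $Name
    )
    process {
        $ADObject = [ADSI]"LDAP://$Name"
        $aclObject = $ADObject.psbase.ObjectSecurity
        # Request SIDs (not names) so enumeration never depends on name resolution.
        $aclList = $aclObject.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($acl in $aclList) {
            $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference.Value)
            try {
                $ntAccount = $objSID.Translate([System.Security.Principal.NTAccount])
            }
            catch {
                # Unresolvable trustee: report the raw SID rather than dropping the ACE.
                Write-Verbose ("Could not translate SID {0} on {1}: {2}" -f $objSID.Value, $Name, $_.Exception.Message)
                $ntAccount = $objSID.Value
            }
            $info = @{
                'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
                'InheritanceType'       = $acl.InheritanceType;
                'ObjectType'            = $acl.ObjectType;
                'InheritedObjectType'   = $acl.InheritedObjectType;
                'ObjectFlags'           = $acl.ObjectFlags;
                'AccessControlType'     = $acl.AccessControlType;
                'IdentityReference'     = $acl.IdentityReference;
                'NTAccount'             = $ntAccount;
                'IsInherited'           = $acl.IsInherited;
                'InheritanceFlags'      = $acl.InheritanceFlags;
                'PropagationFlags'      = $acl.PropagationFlags;
            }
            $obj = New-Object -TypeName PSObject -Property $info
            $obj.PSObject.typenames.insert(0,'DigiNerve.AD.LDAPAcls')
            Write-Output $obj
        }
    }
}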
#Function to Add new Delegation Permission to an OU
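function New-ADDelegationAccessRule {
    <#
    .SYNOPSIS
    Appends one ACE for a group to the DACL of a directory object.
    .DESCRIPTION
    Resolves $Identity to a group SID, builds an ActiveDirectoryAccessRule from the remaining
    parameters, adds it to the object's security descriptor and commits. Existing ACEs are not
    touched. Because this is a privileged change the function supports -WhatIf / -Confirm.
    .PARAMETER LDAPPath
    Distinguished name of the object (normally an OU) whose DACL is modified.
    .PARAMETER Identity
    Group receiving the right. Resolved with Get-ADGroup, so a user account is rejected.
    .PARAMETER ActiveDirectoryRights
    Comma separated System.DirectoryServices.ActiveDirectoryRights names, e.g. "ReadProperty, WriteProperty".
    .PARAMETER AccessControlType
    "Allow" (default) or "Deny".
    .PARAMETER ObjectType
    Schema GUID of the attribute, property set, class or extended right the ACE is scoped to.
    An omitted [GUID] parameter is Guid.Empty, which AD reads as "all" - leaving ObjectType or
    InheritedObjectType out silently widens the grant, so callers should always pass both.
    .PARAMETER InheritanceType
    System.DirectoryServices.ActiveDirectorySecurityInheritance name ("None", "All", "Descendents", ...).
    Note that "Descendents" excludes the object at $LDAPPath itself.
    .PARAMETER InheritedObjectType
    Schema GUID of the object class that inherits the ACE (Guid.Empty = every class).
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [string] $LDAPPath,
        [string] $Identity,
        [string] $ActiveDirectoryRights,
        [string] $AccessControlType = "Allow",
        [GUID] $ObjectType,
        [string] $InheritanceType,
        [GUID] $InheritedObjectType
    )
    Process
    {
        # Resolve the trustee first so a mistyped group name fails loudly instead of producing
        # an ACE for a SID that does not exist.
        $group = Get-ADGroup -Identity $Identity -ErrorAction Stop
        $trusteeSid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $trusteeSid, $ActiveDirectoryRights, $AccessControlType, $ObjectType, $InheritanceType, $InheritedObjectType

        $summary = "{0} '{1}' to {2} (ObjectType {3}, {4}, InheritedObjectType {5})" -f $AccessControlType, $ActiveDirectoryRights, $Identity, $ObjectType, $InheritanceType, $InheritedObjectType
        if ($PSCmdlet.ShouldProcess($LDAPPath, "Add ACE: $summary")) {
            $target = [ADSI]("LDAP://" + $LDAPPath)
            $target.ObjectSecurity.AddAccessRule($ace)
            $target.CommitChanges()
            Write-Verbose ("Added ACE on {0}: {1}" -f $LDAPPath, $summary)
        }
    }
}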
#endregion
#region Computer Object Delegations
function New-ADDelegationComputerObjectsWriteSPN {
    # Grants $DelegatedAccount read/write of servicePrincipalName on every computer object
    # below $LDAPPath (inherit-only: the OU itself is not affected).
    #
    # NOTE(review): the GUID f3a64788-... appears to be shared by the servicePrincipalName
    # attribute and the "Validated write to service principal name" right. As written
    # (WriteProperty) the delegate may set *any* SPN on these computers; the validated write
    # (ActiveDirectoryRights "Self" with the same GUID) restricts them to SPNs that match the
    # host's own name. Prefer the validated write unless arbitrary SPNs are genuinely needed.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE: ObjectType f3a64788-... / InheritanceType Descendents /
        # InheritedObjectType bf967a86-... (computer) / WriteProperty.
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'   # servicePrincipalName
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer class
        }
        New-ADDelegationAccessRule @ace
    }
}
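function New-ADDelegationComputerObjectsCreateDelete {
    # Grants $DelegatedAccount the right to create and delete computer objects in $LDAPPath
    # and every container beneath it.
    #
    # InheritanceType is "All" so the ACE applies to the OU itself as well as its descendants.
    # The previous code passed "Descendents", which is inherit-only: the delegate could create
    # computers in child OUs but not directly in $LDAPPath. "All" matches the reference ACE
    # recorded below ("This Object and all Descendant objects").
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE:
        #   ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2  (computer class)
        #   InheritanceType       : All
        #   InheritedObjectType   : 00000000-0000-0000-0000-000000000000  (any container)
        #   ActiveDirectoryRights : CreateChild, DeleteChild
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "CreateChild, DeleteChild"
            ObjectType            = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'
            InheritanceType       = "All"
            InheritedObjectType   = [Guid] '00000000-0000-0000-0000-000000000000'
        }
        New-ADDelegationAccessRule @ace
    }
}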
function New-ADDelegationComputerObjectsFullControl {
    # Grants $DelegatedAccount GenericAll (full control) on every computer object below $LDAPPath.
    #
    # NOTE(review): full control of a computer object includes every attribute write and every
    # extended right on it - e.g. resetting its password or writing
    # msDS-AllowedToActOnBehalfOfOtherIdentity - so the delegate can effectively take over any
    # host in this OU. Keep tier-0 systems (DCs, PKI, ...) out of the scope.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE: ObjectType 0000... (whole object) / Descendents /
        # InheritedObjectType bf967a86-... (computer) / GenericAll.
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "GenericAll"
            ObjectType            = [Guid] '00000000-0000-0000-0000-000000000000'
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer class
        }
        New-ADDelegationAccessRule @ace
    }
}
#endregion
#region Computer Object Proxy Delegation
function New-ADDelegationComputerObjectsManagement {
    # Convenience wrapper: "manage computers" = create/delete computer objects in the OU tree
    # plus full control of the computer objects themselves.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $scope = @{ LDAPPath = $LDAPPath; DelegatedAccount = $DelegatedAccount }
        New-ADDelegationComputerObjectsCreateDelete @scope
        New-ADDelegationComputerObjectsFullControl @scope
    }
}
#endregion
#region Group Object Delegations
function New-ADDelegationGroupObjectsMembership {
    # Grants $DelegatedAccount read/write of the group membership attribute on every group
    # object below $LDAPPath.
    #
    # NOTE(review): the delegate can add any principal - including themselves - to any group
    # in this OU tree. Do not nest privileged groups under an OU delegated this way.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE: ObjectType bf9679c0-... (membership) / Descendents /
        # InheritedObjectType bf967a9c-... (group) / ReadProperty, WriteProperty.
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # group members
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'BF967A9C-0DE6-11D0-A285-00AA003049E2'   # group class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationGroupObjectsManager {
    # Grants $DelegatedAccount read/write of the "managed by" attribute (GUID 0296c120-...,
    # labelled group managers in the original) on every group object below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE: ObjectType 0296c120-... / Descendents /
        # InheritedObjectType bf967a9c-... (group) / ReadProperty, WriteProperty.
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '0296c120-40da-11d1-a9c0-0000f80367c1'   # group manager attribute
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'BF967A9C-0DE6-11D0-A285-00AA003049E2'   # group class
        }
        New-ADDelegationAccessRule @ace
    }
}
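function New-ADDelegationGroupObjectsCreateDelete {
    # Grants $DelegatedAccount the right to create and delete group objects in $LDAPPath and
    # every container beneath it.
    #
    # InheritanceType is "All" so the ACE applies to the OU itself as well as its descendants.
    # The previous code passed "Descendents", which is inherit-only: the delegate could create
    # groups in child OUs but not directly in $LDAPPath. "All" matches the reference ACE
    # recorded below ("This Object and all Descendant objects").
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE (the original comment listed the computer GUID here; the code has
        # always used the group class GUID, which is the correct one):
        #   ObjectType            : bf967a9c-0de6-11d0-a285-00aa003049e2  (group class)
        #   InheritanceType       : All
        #   InheritedObjectType   : 00000000-0000-0000-0000-000000000000  (any container)
        #   ActiveDirectoryRights : CreateChild, DeleteChild
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "CreateChild, DeleteChild"
            ObjectType            = [Guid] 'bf967a9c-0de6-11d0-a285-00aa003049e2'
            InheritanceType       = "All"
            InheritedObjectType   = [Guid] '00000000-0000-0000-0000-000000000000'
        }
        New-ADDelegationAccessRule @ace
    }
}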
function New-ADDelegationGroupObjectsFullControl {
    # Grants $DelegatedAccount GenericAll (full control) on every group object below $LDAPPath.
    #
    # NOTE(review): full control of a group includes writing its membership, so the delegate
    # can add anyone (including themselves) to any group in this OU tree. Never place
    # privileged / tier-0 groups under an OU delegated this way.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # Reference ACE: ObjectType 0000... (whole object) / Descendents /
        # InheritedObjectType bf967a9c-... (group; the original comment wrongly listed the
        # computer GUID) / GenericAll.
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "GenericAll"
            ObjectType            = [Guid] '00000000-0000-0000-0000-000000000000'
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group class
        }
        New-ADDelegationAccessRule @ace
    }
}
#endregion
#region Group Object Proxy Delegations
function New-ADDelegationGroupObjectsManagement {
    # Convenience wrapper: "manage groups" = create/delete group objects in the OU tree plus
    # full control of the group objects themselves.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $scope = @{ LDAPPath = $LDAPPath; DelegatedAccount = $DelegatedAccount }
        New-ADDelegationGroupObjectsCreateDelete @scope
        New-ADDelegationGroupObjectsFullControl @scope
    }
}
#endregion
#region User Object Delegations
## AD Attributes ###########::# PowerShell Function ##########
#
# userPrincipalName
# userAccountControl
# title
# telephoneNumber
# streetAddress
# st
# sn
# postalCode
# mobile
# manager
# mail
# l
# givenName
# facsimileTelephoneNumber
# extensionAttribute1
# extensionAttribute2
# extensionAttribute4
# extensionAttribute14
# displayName
# description :: Read/write Department
# company
# co
# cn
# c
# :: Read/write Web Page Address
# :: Read/write thumbnailPhoto
# :: Read/write thumbnailLogo
# :: Read/write secretary
# :: Read/write roomNumber
# :: Read/write profilePath
# :: Read/write photo
# :: Read/write Notes
# :: Read/write Mobile Number
# :: Read/write Mobile Number (Others)
# :: Read/write lockoutTime
# :: Read/write jpegPhoto
# :: Read/write Home Phone
# :: Read/write Home Phone Number (Others)
# :: Read/write Home Folder
# :: Read/write Home Address
# :: Read/write Fax Number (Others)
# :: Read/write Fax Number
# :: Read/write Comment
# :: Read/write Assistant
# :: Read/write web information
# :: Reset password
# :: Change password
function New-ADDelegationUserObjectsPhoto {
    # Grants $DelegatedAccount read/write of the photo attribute on every user object below
    # $LDAPPath. The ACE is scoped to one attribute GUID and inherited only by the user class.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '9c979768-ba1a-4c08-9632-c6a5c1ed649a'   # photo
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsThumbnailLogo {
    # Grants $DelegatedAccount read/write of the thumbnailLogo attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf9679a9-0de6-11d0-a285-00aa003049e2'   # thumbnailLogo
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsThumbnailPhoto {
    # Grants $DelegatedAccount read/write of the thumbnailPhoto attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '8d3bca50-1d7e-11d0-a081-00aa006c33ed'   # thumbnailPhoto
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsJPEGPhoto {
    # Grants $DelegatedAccount read/write of the jpegPhoto attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bac80572-09c4-4fa9-9ae6-7628d7adbe0e'   # jpegPhoto
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsHomePhone {
    # Grants $DelegatedAccount read/write of the home phone attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'f0f8ffa1-1191-11d0-a060-00aa006c33ed'   # home phone
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsHomePhoneOther {
    # Grants $DelegatedAccount read/write of the "home phone (other)" attribute on every user
    # object below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'f0f8ffa2-1191-11d0-a060-00aa006c33ed'   # home phone (other)
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsMobileNumber {
    # Grants $DelegatedAccount read/write of the mobile number attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'f0f8ffa3-1191-11d0-a060-00aa006c33ed'   # mobile
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsMobileNumberOther {
    # Grants $DelegatedAccount read/write of the "mobile (other)" attribute on every user
    # object below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '0296c11e-40da-11d1-a9c0-0000f80367c1'   # mobile (other)
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsFaxNumber {
    # Grants $DelegatedAccount read/write of the fax number attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967974-0de6-11d0-a285-00aa003049e2'   # fax number
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsFaxNumberOther {
    # Grants $DelegatedAccount read/write of the "fax number (other)" attribute on every user
    # object below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '0296c11d-40da-11d1-a9c0-0000f80367c1'   # fax number (other)
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsJobTitle {
    # Grants $DelegatedAccount read/write of the title attribute on every user object below
    # $LDAPPath. (The original comment said "User Assistant" - a copy/paste leftover; the
    # GUID and function name are for the job title.)
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967a55-0de6-11d0-a285-00aa003049e2'   # title
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsDescription {
    # Grants $DelegatedAccount read/write of the description attribute on every user object
    # below $LDAPPath. (The original comment said "User Assistant" - a copy/paste leftover.)
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967950-0de6-11d0-a285-00aa003049e2'   # description
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsComment {
    # Grants $DelegatedAccount read/write of the comment attribute on every user object below
    # $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967a6a-0de6-11d0-a285-00aa003049e2'   # comment
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsNotes {
    # Grants $DelegatedAccount read/write of the notes attribute on every user object below
    # $LDAPPath. (A separate function, New-ADDelegationUserObjectsComment, covers the comment
    # attribute; the original header here said "Comments" by mistake.)
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf96793e-0de6-11d0-a285-00aa003049e2'   # notes
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsHomeAddress {
    # Grants $DelegatedAccount read/write of the home address attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '16775781-47f3-11d1-a9c3-0000f80367c1'   # home address
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsRoomNumber {
    # Grants $DelegatedAccount read/write of the roomNumber attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '81d7f8c2-e327-4a0d-91c6-b42d4009115f'   # roomNumber
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsCompany {
    # Grants $DelegatedAccount read/write of the company attribute on every user object below
    # $LDAPPath. (The original comment said "User Assistant" - a copy/paste leftover.)
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'f0f8ff88-1191-11d0-a060-00aa006c33ed'   # company
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsDepartment {
    # Grants $DelegatedAccount read/write of the department attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf96794f-0de6-11d0-a285-00aa003049e2'   # department
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsWebInformation {
    # Grants $DelegatedAccount read/write of the web information property on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'e45795b3-9455-11d1-aebd-0000f80367c1'   # web information
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsWebPageAddress {
    # Grants $DelegatedAccount read/write of the web page (wWWHomePage) attribute on every user
    # object below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967a7a-0de6-11d0-a285-00aa003049e2'   # web page address
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsManager {
    # Grants $DelegatedAccount read/write of the manager attribute on every user object below
    # $LDAPPath. (The original comment said "User Assistant" - a copy/paste leftover.)
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf9679b5-0de6-11d0-a285-00aa003049e2'   # manager
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsUserAssistant {
    # Grants $DelegatedAccount read/write of the assistant attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '0296c11c-40da-11d1-a9c0-0000f80367c1'   # assistant
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsSecretary {
    # Grants $DelegatedAccount read/write of the secretary attribute on every user object
    # below $LDAPPath.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] '01072d9a-98ad-4a53-9744-e83e287278fb'   # secretary
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsHomeFolder {
    # Grants $DelegatedAccount read/write of the home directory attribute on every user object
    # below $LDAPPath.
    #
    # NOTE(review): this is not a cosmetic attribute - the delegate can point any user's home
    # folder at a UNC path they control. Treat it like the profile path delegation.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967985-0de6-11d0-a285-00aa003049e2'   # home directory
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsProfilePath {
    # Grants $DelegatedAccount read/write of the profile path attribute on every user object
    # below $LDAPPath.
    #
    # NOTE(review): a writable profile path lets the delegate redirect any user's roaming
    # profile to a share they control, i.e. run content of their choosing at logon. Delegate
    # this only where genuinely required and keep privileged accounts out of the OU.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bf967a05-0de6-11d0-a285-00aa003049e2'   # profile path
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsGroupMembership {
    # Grants $DelegatedAccount read/write of GUID bc0ac240-... on every user object below
    # $LDAPPath.
    #
    # NOTE(review): the original comment ("Profile Path") is a copy/paste leftover. The GUID
    # looks like the Membership property set rather than a user attribute - confirm what it
    # resolves to in the schema and whether an ACE scoped to user objects actually grants
    # anything useful, before relying on this function.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = [Guid] 'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'
            InheritanceType       = "Descendents"
            InheritedObjectType   = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user class
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsLockoutTime {
    # Grants $DelegatedAccount ReadProperty/WriteProperty on lockoutTime for user
    # objects beneath $LDAPPath (descendants only). Writing lockoutTime is how an
    # "unlock account" delegation is expressed in AD.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $userClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class (InheritedObjectType)
        $lockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute (ObjectType)
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ReadProperty, WriteProperty"
            ObjectType            = $lockoutTimeGuid
            InheritanceType       = "Descendents"
            InheritedObjectType   = $userClassGuid
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsResetPassword {
    # Grants $DelegatedAccount the "Reset Password" extended right on user objects
    # beneath $LDAPPath (descendants only). Unlike Change Password, this does not
    # require knowledge of the current password.
    # NOTE(review): this is effectively account takeover for every user object
    # under the OU. Keep privileged and service accounts out of OUs that receive
    # this delegation; AdminSDHolder protects only members of protected groups.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class (InheritedObjectType)
        $resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right (ObjectType)
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ExtendedRight"
            ObjectType            = $resetPasswordGuid
            InheritanceType       = "Descendents"
            InheritedObjectType   = $userClassGuid
        }
        New-ADDelegationAccessRule @ace
    }
}
function New-ADDelegationUserObjectsChangePassword {
    # Grants $DelegatedAccount the "Change Password" extended right on user objects
    # beneath $LDAPPath (descendants only). This right requires the old password
    # and is normally held by Everyone/SELF; granting it to a delegate is low
    # value on its own and is usually paired with Reset Password (see
    # New-ADDelegationUserObjectsPasswordandLockout).
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class (InheritedObjectType)
        $changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # "Change Password" extended right (ObjectType)
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "ExtendedRight"
            ObjectType            = $changePasswordGuid
            InheritanceType       = "Descendents"
            InheritedObjectType   = $userClassGuid
        }
        New-ADDelegationAccessRule @ace
    }
}
#endregion
#region User Object Proxy Delegations
function New-ADDelegationUserObjectsPasswordandLockout {
    # Composite "password and lockout" delegation for user objects under $LDAPPath:
    # unlock (lockoutTime), Reset Password and Change Password, applied in that
    # order. This is the sensitive half of the helpdesk delegation - it amounts to
    # account takeover for every user object below the OU.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $helpers = @(
            'New-ADDelegationUserObjectsLockoutTime',
            'New-ADDelegationUserObjectsResetPassword',
            'New-ADDelegationUserObjectsChangePassword'
        )
        foreach ($helper in $helpers) {
            & $helper -LDAPPath $LDAPPath -DelegatedAccount $DelegatedAccount
        }
    }
}
function New-ADDelegationUserObjectsAttributeGroup1 {
    # Composite "Attribute Group 1" delegation: directory-card style attributes
    # (photos, phones, address, room, department, web, assistant/secretary) plus
    # home folder and profile path, on user objects under $LDAPPath.
    # Each name below maps to New-ADDelegationUserObjects<Name> in this file; the
    # order is the same as the original explicit call list.
    # NOTE(review): HomeFolder and ProfilePath are the two entries here that can
    # redirect where a user's data/profile is loaded from - they are not cosmetic.
    # Password/lockout rights are NOT part of this group; see
    # New-ADDelegationUserObjectsPasswordandLockout.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $attributeSet = @(
            'Photo', 'ThumbnailLogo', 'ThumbnailPhoto', 'JPEGPhoto',
            'HomePhone', 'MobileNumber', 'MobileNumberOther',
            'Comment', 'Notes', 'HomeAddress', 'RoomNumber', 'Department',
            'WebInformation', 'WebPageAddress', 'UserAssistant', 'Secretary',
            'HomeFolder', 'ProfilePath'
        )
        foreach ($attribute in $attributeSet) {
            & "New-ADDelegationUserObjects$attribute" -LDAPPath $LDAPPath -DelegatedAccount $DelegatedAccount
        }
    }
}
function New-ADDelegationUserObjectsAttributeGroup2 {
    # Composite "Attribute Group 2" delegation: organisational attributes
    # (manager, company, job title, description, department, comment, notes) on
    # user objects under $LDAPPath. Department, Comment and Notes overlap with
    # Attribute Group 1. Each name maps to New-ADDelegationUserObjects<Name>.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $attributeSet = @(
            'Manager', 'Company', 'JobTitle', 'Description',
            'Department', 'Comment', 'Notes'
        )
        foreach ($attribute in $attributeSet) {
            & "New-ADDelegationUserObjects$attribute" -LDAPPath $LDAPPath -DelegatedAccount $DelegatedAccount
        }
    }
}
#endregion
#region Contact Object Delegations
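function New-ADDelegationContactObjectsCreateDelete {
    # Grants $DelegatedAccount CreateChild/DeleteChild for contact objects on the
    # OU at $LDAPPath and on every container beneath it.
    #
    # Fix: the ACE was applied with InheritanceType "Descendents", which is
    # inherit-only and skips the OU itself. CreateChild/DeleteChild are checked on
    # the *parent* container, so the delegate could not create or delete contacts
    # directly in $LDAPPath - only in sub-containers. The documented intent
    # ("This Object and all Descendant objects", InheritanceType All) is now what
    # the code does. The stale "Computer Objects" wording was also corrected.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        # AD GUID Object IDs
        $guidNull          = new-object Guid 00000000-0000-0000-0000-000000000000
        $guidContactObject = new-object Guid 5cb41ed0-0e4c-11d0-a286-00aa003049e2   # contact object class
        # Delegation for Create and Delete child Contact objects
        # ACL = Allow: This Object and all Descendant objects - Create Contact Object, Delete Contact Object
        # ObjectType          : 5cb41ed0-0e4c-11d0-a286-00aa003049e2 (the child class being created/deleted)
        # InheritanceType     : All (this OU and all descendants)
        # InheritedObjectType : 00000000-0000-0000-0000-000000000000 (any container type)
        # ActiveDirectoryRights : CreateChild, DeleteChild
        New-ADDelegationAccessRule -LDAPPath $LDAPPath -Identity $DelegatedAccount -ActiveDirectoryRights "CreateChild, DeleteChild" -ObjectType $guidContactObject -InheritanceType "All" -InheritedObjectType $guidNull
    }
}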
function New-ADDelegationContactObjectsFullControl {
    # Grants $DelegatedAccount GenericAll (full control) over every contact object
    # beneath $LDAPPath. ObjectType is the null GUID (all properties and rights);
    # the ACE is limited to the contact class through InheritedObjectType.
    # NOTE(review): GenericAll includes WriteDacl/WriteOwner, so the delegate can
    # re-ACL those contacts. Acceptable for contact objects; do not copy this
    # pattern for user or group classes.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $anyObjectGuid    = [Guid]'00000000-0000-0000-0000-000000000000'   # null GUID: all properties/rights (ObjectType)
        $contactClassGuid = [Guid]'5cb41ed0-0e4c-11d0-a286-00aa003049e2'   # contact object class (InheritedObjectType)
        # ACL = Allow: Descendant contact objects - Full Control
        $ace = @{
            LDAPPath              = $LDAPPath
            Identity              = $DelegatedAccount
            ActiveDirectoryRights = "GenericAll"
            ObjectType            = $anyObjectGuid
            InheritanceType       = "Descendents"
            InheritedObjectType   = $contactClassGuid
        }
        New-ADDelegationAccessRule @ace
    }
}
#endregion
#region Contact Object Proxy Delegation
function New-ADDelegationContactObjectsManagement {
    # Composite contact delegation: create/delete contacts under $LDAPPath, then
    # full control over the contact objects themselves.
    param (
        [string] $LDAPPath,
        [string] $DelegatedAccount
    )
    process
    {
        $helpers = @(
            'New-ADDelegationContactObjectsCreateDelete',
            'New-ADDelegationContactObjectsFullControl'
        )
        foreach ($helper in $helpers) {
            & $helper -LDAPPath $LDAPPath -DelegatedAccount $DelegatedAccount
        }
    }
}
#endregion
#region Define the OU Structure and Delegations
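function New-ADDelegatedOfficeOU {
    <#
    .SYNOPSIS
    Builds the standard per-site OU tree under $BaseOUPath and applies the site IT
    and corporate helpdesk delegations listed in the table below to each OU.

    .PARAMETER Site
    Site code (e.g. "WAL"). The site OU is "ou=<Site>,<BaseOUPath>" and the site
    delegation group is named from it by New-ADDelegationGroup. The parameter is
    Mandatory, so the "WAL" default is never used; it is kept for compatibility.

    .PARAMETER BaseOUPath
    Distinguished name of the container that holds all office OUs.

    .PARAMETER DelegationGroupOUPath
    Distinguished name of the OU in which the site delegation group is created.

    .NOTES
    Fix: 'UsersEditAttributesGroup1' and 'UsersEditAttributesGroup2' previously
    dispatched to the *other* group's helper, so Employees/Services received the
    Group 2 attributes and Mailboxes the Group 1 attributes, contrary to the
    table. Unknown role names are now reported with Write-Warning instead of
    being silently skipped ('None' remains the explicit no-op).
    #>
    param (
        [string][Parameter(Mandatory=$true)] $Site = "WAL",
        [string] $BaseOUPath = "ou=!Offices,dc=corpnet,dc=liox,dc=org",
        [string] $DelegationGroupOUPath = "ou=Administration,ou=Delegations,dc=corpnet,dc=liox,dc=org"
    )
    $HelpdeskTeam = "!corp it helpdesk"
    # SamAccountName of the "!CORP delegation IT <Site> OU Admin" group (created if missing).
    # Assumes New-ADDelegationGroup returns the name on success - fail fast if it did not.
    $OfficeITTeam = New-ADDelegationGroup -Site $Site -DelegationGroupOUPath $DelegationGroupOUPath
    if ([string]::IsNullOrWhiteSpace($OfficeITTeam)) {
        throw "Could not establish the site delegation group for [$Site]; no delegations applied."
    }
    $siteOUPath = "ou=$Site,$BaseOUPath"

    # OU Structure (as actually configured in $ConfigurationData below)
    #                            | Site IT Delegation                                | Helpdesk Delegation
    # OU = Site
    #   OU = Computers
    #     OU = Disabled          | Computer Objects: Create, Delete, Full Control     | Computer Objects: Create, Delete, Full Control
    #     OU = Mobile            | Computer Objects: Create, Delete, Full Control     | Computer Objects: Create, Delete, Full Control
    #     OU = Workstations      | Computer Objects: Create, Delete, Full Control     | Computer Objects: Create, Delete, Full Control
    #     OU = Servers           | Computer Objects: Create, Delete, Full Control     | Computer Objects: Create, Delete, Full Control
    #   OU = Groups
    #     OU = Local             | Group Objects: Create, Delete, Full Control        | Group Objects: Create, Delete, Full Control
    #     OU = Standard          | Group Objects: Manage Membership, Assign Manager   | Group Objects: Create, Delete, Full Control
    #   OU = Users
    #     OU = Disabled          | None                                              | None
    #     OU = Contacts          | Contact Objects: Create, Delete, Full Control      | Contact Objects: Create, Delete, Full Control
    #     OU = Employees         | User Objects: Attribute Group 1, Password/Lockout  | User Objects: Attribute Group 1, Password/Lockout
    #     OU = Services          | User Objects: Attribute Group 1, Password/Lockout  | User Objects: Attribute Group 1, Password/Lockout
    #     OU = Mailboxes         | User Objects: Attribute Group 2                    | User Objects: Attribute Group 2, Password/Lockout
    #
    # Attribute Group 1 (New-ADDelegationUserObjectsAttributeGroup1):
    #   Photo, ThumbnailLogo, ThumbnailPhoto, JPEGPhoto, HomePhone, MobileNumber, MobileNumberOther,
    #   Comment, Notes, HomeAddress, RoomNumber, Department, WebInformation, WebPageAddress,
    #   UserAssistant, Secretary, HomeFolder, ProfilePath
    # Attribute Group 2 (New-ADDelegationUserObjectsAttributeGroup2):
    #   Manager, Company, JobTitle, Description, Department, Comment, Notes
    # Password/Lockout (New-ADDelegationUserObjectsPasswordandLockout):
    #   LockoutTime, ResetPassword, ChangePassword
    #
    # NOTE(review): 'UsersPasswordandLockout' on ou=Services gives both delegates
    # Reset Password over service accounts, and ou=Servers gives the helpdesk full
    # control of server computer objects. Confirm both are intended; they are
    # considerably higher-value than the workstation/employee equivalents.
    $ConfigurationData = @{
        AllNodes = @(
            # Computer OUs
            @{ OUName = 'ou=Disabled,ou=Computers';     Roles = @( @{ Group = $OfficeITTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') } ) },
            @{ OUName = 'ou=Servers,ou=Computers';      Roles = @( @{ Group = $OfficeITTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') } ) },
            @{ OUName = 'ou=Workstations,ou=Computers'; Roles = @( @{ Group = $OfficeITTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') } ) },
            @{ OUName = 'ou=Mobile,ou=Computers';       Roles = @( @{ Group = $OfficeITTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('ComputersCreateDelete','ComputersFullControl') } ) },
            # Group OUs
            @{ OUName = 'ou=Local,ou=Groups';           Roles = @( @{ Group = $OfficeITTeam; Permission = @('GroupsCreateDelete','GroupsFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('GroupsCreateDelete','GroupsFullControl') } ) },
            @{ OUName = 'ou=Standard,ou=Groups';        Roles = @( @{ Group = $OfficeITTeam; Permission = @('GroupsManageMembership','GroupsManager') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('GroupsCreateDelete','GroupsFullControl') } ) },
            # User OUs
            @{ OUName = 'ou=Disabled,ou=Users';         Roles = @( @{ Group = $OfficeITTeam; Permission = @('None') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('None') } ) },
            @{ OUName = 'ou=Contacts,ou=Users';         Roles = @( @{ Group = $OfficeITTeam; Permission = @('ContactsCreateDelete','ContactsFullControl') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('ContactsCreateDelete','ContactsFullControl') } ) },
            @{ OUName = 'ou=Employees,ou=Users';        Roles = @( @{ Group = $OfficeITTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') } ) },
            @{ OUName = 'ou=Services,ou=Users';         Roles = @( @{ Group = $OfficeITTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') } ) },
            @{ OUName = 'ou=Mailboxes,ou=Users';        Roles = @( @{ Group = $OfficeITTeam; Permission = @('UsersEditAttributesGroup2') },
                                                                   @{ Group = $HelpdeskTeam; Permission = @('UsersEditAttributesGroup2','UsersPasswordandLockout') } ) }
        )
    }

    # Create each OU, then apply every (group, role) pair configured for it.
    foreach ($OU in $ConfigurationData.AllNodes) {
        $currentOU = "$($OU.OUName),$siteOUPath"
        Write-Output "OU - Create : $currentOU"
        New-ADOU -Path $currentOU
        foreach ($delegation in $OU.Roles) {
            $thisDelegate = $delegation.Group
            foreach ($thisRole in $delegation.Permission) {
                Write-Output "OU - Delegate : $currentOU >> Delegating '$thisRole' to '$thisDelegate'"
                # Role names are case-sensitive on purpose: a near-miss must not silently map to a different delegation.
                switch -CaseSensitive ($thisRole)
                {
                    'ComputersCreateDelete'     { New-ADDelegationComputerObjectsCreateDelete   -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ComputersFullControl'      { New-ADDelegationComputerObjectsFullControl    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsCreateDelete'        { New-ADDelegationGroupObjectsCreateDelete      -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsFullControl'         { New-ADDelegationGroupObjectsFullControl       -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsManageMembership'    { New-ADDelegationGroupObjectsMembership        -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsManager'             { New-ADDelegationGroupObjectsManager           -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ContactsCreateDelete'      { New-ADDelegationContactObjectsCreateDelete    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ContactsFullControl'       { New-ADDelegationContactObjectsFullControl     -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    # Group1 -> AttributeGroup1 and Group2 -> AttributeGroup2 (these two were crossed before).
                    'UsersEditAttributesGroup1' { New-ADDelegationUserObjectsAttributeGroup1    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'UsersEditAttributesGroup2' { New-ADDelegationUserObjectsAttributeGroup2    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'UsersPasswordandLockout'   { New-ADDelegationUserObjectsPasswordandLockout -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'None'                      { }   # explicit "no delegation" marker
                    default {
                        Write-Warning "OU - Delegate : $currentOU >> Unknown role '$thisRole' for '$thisDelegate' - nothing applied"
                    }
                }
            }
        }
    }
}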
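function New-ADDelegatedContractorOU {
    <#
    .SYNOPSIS
    Creates the per-site contractor OU ("ou=<Site>,<BaseOUPath>") and delegates
    Attribute Group 1 plus password/lockout management on it to the site IT group
    and the corporate helpdesk.

    .PARAMETER Site
    Site code (e.g. "WAL"). Mandatory, so the "WAL" default is never used; it is
    kept for compatibility.

    .PARAMETER BaseOUPath
    Distinguished name of the container holding the contractor site OUs. The
    default here is the *office* base path; New-ADDelegatedSiteOUStructure passes
    the contractor one explicitly.

    .PARAMETER DelegationGroupOUPath
    Distinguished name of the OU in which the site delegation group is created.

    .NOTES
    Fix: 'UsersEditAttributesGroup1'/'UsersEditAttributesGroup2' dispatched to the
    other group's helper (same defect as in New-ADDelegatedOfficeOU), and a stray
    "#endregion" closed nothing. Unknown role names now raise a warning.
    #>
    param (
        [string][Parameter(Mandatory=$true)] $Site = "WAL",
        [string] $BaseOUPath = "ou=!Offices,dc=corpnet,dc=liox,dc=org",
        [string] $DelegationGroupOUPath = "ou=Administration,ou=Delegations,dc=corpnet,dc=liox,dc=org"
    )
    $HelpdeskTeam = "!corp it helpdesk"
    # SamAccountName of the "!CORP delegation IT <Site> OU Admin" group (created if missing).
    $OfficeITTeam = New-ADDelegationGroup -Site $Site -DelegationGroupOUPath $DelegationGroupOUPath
    if ([string]::IsNullOrWhiteSpace($OfficeITTeam)) {
        throw "Could not establish the site delegation group for [$Site]; no delegations applied."
    }

    # OU Structure (as configured below)
    #              | Site IT Delegation                               | Helpdesk Delegation
    # OU = Site    | User Objects: Attribute Group 1, Password/Lockout | User Objects: Attribute Group 1, Password/Lockout
    #
    # Attribute Group 1 (New-ADDelegationUserObjectsAttributeGroup1):
    #   Photo, ThumbnailLogo, ThumbnailPhoto, JPEGPhoto, HomePhone, MobileNumber, MobileNumberOther,
    #   Comment, Notes, HomeAddress, RoomNumber, Department, WebInformation, WebPageAddress,
    #   UserAssistant, Secretary, HomeFolder, ProfilePath
    # Attribute Group 2 (New-ADDelegationUserObjectsAttributeGroup2):
    #   Manager, Company, JobTitle, Description, Department, Comment, Notes
    # Password/Lockout (New-ADDelegationUserObjectsPasswordandLockout):
    #   LockoutTime, ResetPassword, ChangePassword
    $ConfigurationData = @{
        AllNodes = @(
            @{ OUName = "ou=$Site"; Roles = @( @{ Group = $OfficeITTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') },
                                                @{ Group = $HelpdeskTeam; Permission = @('UsersEditAttributesGroup1','UsersPasswordandLockout') } ) }
        )
    }

    # Create each OU, then apply every (group, role) pair configured for it.
    foreach ($OU in $ConfigurationData.AllNodes) {
        $currentOU = "$($OU.OUName),$BaseOUPath"
        Write-Output "OU - Create : $currentOU"
        New-ADOU -Path $currentOU
        foreach ($delegation in $OU.Roles) {
            $thisDelegate = $delegation.Group
            foreach ($thisRole in $delegation.Permission) {
                Write-Output "OU - Delegate : $currentOU >> Delegating '$thisRole' to '$thisDelegate'"
                # Same role vocabulary as New-ADDelegatedOfficeOU so the table above can be extended.
                switch -CaseSensitive ($thisRole)
                {
                    'ComputersCreateDelete'     { New-ADDelegationComputerObjectsCreateDelete   -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ComputersFullControl'      { New-ADDelegationComputerObjectsFullControl    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsCreateDelete'        { New-ADDelegationGroupObjectsCreateDelete      -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsFullControl'         { New-ADDelegationGroupObjectsFullControl       -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsManageMembership'    { New-ADDelegationGroupObjectsMembership        -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'GroupsManager'             { New-ADDelegationGroupObjectsManager           -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ContactsCreateDelete'      { New-ADDelegationContactObjectsCreateDelete    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'ContactsFullControl'       { New-ADDelegationContactObjectsFullControl     -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    # Group1 -> AttributeGroup1 and Group2 -> AttributeGroup2 (these two were crossed before).
                    'UsersEditAttributesGroup1' { New-ADDelegationUserObjectsAttributeGroup1    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'UsersEditAttributesGroup2' { New-ADDelegationUserObjectsAttributeGroup2    -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'UsersPasswordandLockout'   { New-ADDelegationUserObjectsPasswordandLockout -LDAPPath $currentOU -DelegatedAccount $thisDelegate }
                    'None'                      { }   # explicit "no delegation" marker
                    default {
                        Write-Warning "OU - Delegate : $currentOU >> Unknown role '$thisRole' for '$thisDelegate' - nothing applied"
                    }
                }
            }
        }
    }
}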
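function New-ADDelegatedSiteStandardGroups {
    <#
    .SYNOPSIS
    Creates the standard set of "<Site> ... (Standard)" universal security groups
    in ou=Standard,ou=Groups,ou=<Site>,<BaseOUPath>, mail-enables each one through
    an Exchange remote PowerShell session, and nests it into its parent groups.

    .PARAMETER Site
    Site code used in every group name, alias and description.

    .PARAMETER BaseOUPath
    Distinguished name of the container holding the site OUs.

    .NOTES
    Fixes in this revision:
      - New-ADGroup read a non-existent 'DisplayName' key for -Description, so every
        group was created without its description; it now uses 'Description'.
      - $BaseOUPath was overwritten inside the process block, silently ignoring the
        parameter.
      - Add-ADGroupMember now targets the same DC the group was created on, so a
        freshly created group is not looked up on a DC it has not replicated to.
      - $MailSession is reset on entry so a stale session object left in the
        caller's scope is not reused.
    NOTE(review): $ExchangeCred is not a parameter; it is read from the calling
    scope. The Exchange endpoint is addressed over http://; with the default
    (Kerberos/Negotiate) authentication the PowerShell payload is still
    encrypted, but confirm Basic authentication is not in use on that endpoint.
    -AllowClobber lets the imported Exchange proxies override same-named local
    commands for the rest of the session.
    #>
    param (
        [string][Parameter(Mandatory=$true)] $Site = "WAL",
        [string] $BaseOUPath = "ou=!Offices,dc=corpnet,dc=liox,dc=org"
    )
    begin {
        # Try each Exchange server in turn until one accepts a remote PowerShell session.
        $MailSession = $null
        $ExchangeServerList = "BIL-EXC10-02,BIL-EXC10-03".Split(",;")
        foreach ($exchangeServer in $ExchangeServerList) {
            if ($MailSession) { break }
            $MailSession = New-PSSession -ConnectionURI "http://$exchangeServer/powershell/" `
                -ConfigurationName Microsoft.Exchange `
                -Credential $ExchangeCred `
                -ErrorAction Continue
        }
        if (-not $MailSession) {
            throw "Could not connect PSSession to any Exchange servers."
        }
        # Import the Exchange cmdlets (Enable-DistributionGroup) into this session.
        $null = Import-PSSession -Session $MailSession -AllowClobber -Verbose:$False
    }
    process {
        # Pin all AD and Exchange writes to one DC so each step sees the previous step's object.
        $DomainController = (Get-ADDomainController -Discover).HostName[0]
        $LDAPPath = "ou=Standard,ou=Groups,ou=$Site,$BaseOUPath"
        # Per-group definition: Name/Alias/Description/ManagedBy plus optional parent groups (MemberOf).
        # NOTE(review): ManagedBy references groups created earlier in this same list
        # ("<Site> IT", "<Site> HR"), so the order matters.
        $ConfigurationData = @{
            AllNodes = @(
                @{Name = "!$Site IT (Standard)" ; Alias = "$Site.IT" ; Description = "All staff in the office working in the Information Technology Group" ; ManagedBy = "!Corp IT Helpdesk Admins" ; MemberOf = @("!IT (All)","!CORP delegation IT $Site OU Admin") },
                @{Name = "!$Site policy Disable USB Mass-storage (Standard)" ; Alias = "$Site.gpoUSBStorage" ; Description = "All devices in the office blocked for USB Mass Storge Support" ; ManagedBy = "!$Site IT (Standard)"; MemberOf = @("!CorpIT GPO Scope Disable USB") },
                @{Name = "!$Site HR (Standard)" ; Alias = "$Site.HR" ; Description = "All Staff in the office working in Human Resources" ; ManagedBy = "!Corp IT Helpdesk Admins" ; MemberOf = @("!HR (All)") },
                @{Name = "!$Site Testing (Standard)" ; Alias = "$Site.Testing" ; Description = "All Staff in the office working in Testing" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Experts - Translation Workspace (Standard)" ; Alias = "$Site.Experts-TranslationWorkspace" ; Description = "All Staff in the office regarded as Experts on Translation Workspace" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Experts - Logoport (Standard)" ; Alias = "$Site.Experts-Logoport" ; Description = "All Staff in the office regarded as Experts on Logoport" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Experts - Linguistic Toolbox (Standard)" ; Alias = "$Site.Experts-LinguisticToolbox" ; Description = "All Staff in the office regarded as Experts on Linguistic Toolbox" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Sales (Standard)" ; Alias = "$Site.Sales" ; Description = "All Staff in the office working in Sales" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site PMs (Standard)" ; Alias = "$Site.PMs" ; Description = "All Staff in the office working as Project Managers" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site Ops CAT (Standard)" ; Alias = "$Site.OpsCAT" ; Description = "All Staff in the office participating on Computer Aided Translation" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site Notebook Users (Standard)" ; Alias = "$Site.NotebookUsers" ; Description = "All Staff in the office using Mobile Computers" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Management (Standard)" ; Alias = "$Site.Management" ; Description = "All Staff in the office regarded as part of the Office Management Team" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site Rainbow Admins (Standard)" ; Alias = "$Site.RainbowAdmins" ; Description = "All Staff in the office regarded as Rainbow Admins" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site Intercompany Projects (Standard)" ; Alias = "$Site.IntercompanyProjects" ; Description = "All Staff in the office working on Intercompany Projects" ; ManagedBy = "!$Site IT (Standard)" },
                @{Name = "!$Site GT (Standard)" ; Alias = "$Site.GT" ; Description = "All Staff in the office working in Globalisation Technologies" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site Finance (Standard)" ; Alias = "$Site.Finance" ; Description = "All Staff in the office working in Finance" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site Everybody (Standard)" ; Alias = "$Site.Everybody" ; Description = "All Employees and Contractors in the office" ; ManagedBy = "!Corp IT Helpdesk Admins" ; MemberOf = @("!Lionbridge Everybody (All)") },
                @{Name = "!$Site Engineering (Standard)" ; Alias = "$Site.Engineering" ; Description = "All Staff in the office working in Engineering" ; ManagedBy = "!$Site HR (Standard)" ; MemberOf = @("!GLT ENG (All)") },
                @{Name = "!$Site Employees (Standard)" ; Alias = "$Site.Employees" ; Description = "All TEMP and FULL TIME Staff in the office" ; ManagedBy = "!$Site HR (Standard)" ; MemberOf = @("!Lionbridge Employees (All)","!$Site Everybody (Standard)") },
                @{Name = "!$Site DTP (Standard)" ; Alias = "$Site.DTP" ; Description = "All Staff in the office working in Desktop Publishing" ; ManagedBy = "!$Site HR (Standard)" ; MemberOf = @("!GLT DTP (All)") },
                @{Name = "!$Site Contractors (Standard)" ; Alias = "$Site.Contractors" ; Description = "All Contractors working onsite in the office" ; ManagedBy = "!$Site HR (Standard)" ; MemberOf = @("!$Site Everybody (Standard)") },
                @{Name = "!$Site Content (Standard)" ; Alias = "$Site.Content" ; Description = "All Staff in the office working in Content Managment" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Suggestion Status Change (Standard)" ; Alias = "$Site.CCDBSuggestionStatusChange" ; Description = "All Staff in the office Managing CCBD Suggestion Status" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Suggestion Raised (Standard)" ; Alias = "$Site.CCDBSuggestionRaised" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Implementation Reminder (Standard)" ; Alias = "$Site.CCDBImplementionReminder" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Suggestion Accepted (Standard)" ; Alias = "$Site.CCDBSuggestionAccepted" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Customer Complaint Raised (Standard)" ; Alias = "$Site.CCDBCustomerComplaintRaised" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Customer Complaint Reminder (Standard)" ; Alias = "$Site.CCDBCustomerComplaintReminder" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site CCDB Customer Compliment Raised (Standard)" ; Alias = "$Site.CCDBCustomerComplimentRaised" ; Description = "All Staff in the office Managing CCDB" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site BT Language Coordinator (Standard)" ; Alias = "$Site.BTLanguageCoordinator" ; Description = "All Staff in the office regarded as BT Language Co-ordinators" ; ManagedBy = "!$Site HR (Standard)" },
                @{Name = "!$Site VM (Standard)" ; Alias = "$Site.VM" ; Description = "All staff in the office working in Vendor Managment" ; ManagedBy = "!$Site IT (Standard)" }
            )
        }
        foreach ($Grouping in $ConfigurationData.AllNodes) {
            Write-Output "Group - Create: $($Grouping.Name)"
            # -Description previously read $Grouping.DisplayName, a key that does not exist in the table.
            New-ADGroup -Name $Grouping.Name -SamAccountName $Grouping.Name -GroupCategory Security -GroupScope Universal -DisplayName $Grouping.Name -Path $LDAPPath -Description $Grouping.Description -ManagedBy $Grouping.ManagedBy -Server $DomainController
            Write-Output " - Dist : $($Grouping.Alias)@lionbridge.com"
            # Crude settle time before Exchange looks the new group up; kept as-is (original behaviour).
            Sleep 10
            Enable-DistributionGroup -Identity $Grouping.Name -Alias $Grouping.Alias -PrimarySMTPAddress ($Grouping.Alias + "@lionbridge.com") -DomainController $DomainController
            foreach ($membership in $Grouping.MemberOf) {
                Write-Output " - Joining:$($membership)"
                # Same DC as New-ADGroup: another DC may not have the new group yet.
                Add-ADGroupMember -Identity $membership -Members $Grouping.Name -Server $DomainController
            }
        }
    }
    end {
        if ($MailSession) {
            Write-Output "Cleaning up PS Session to Exchange..."
            Remove-PSSession -Session $MailSession -Verbose:$False
        }
    }
}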
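function New-ADDelegatedSiteDevices {
    <#
    .SYNOPSIS
    Creates the "<Site> Device Admin" delegation group, adds the site IT, helpdesk
    admin and SCCM client admin groups to it, and appends a Group Policy
    Preferences "Local Users and Groups" item to the "Device Administration
    Privilages" GPO that puts the group into the built-in Administrators group
    (S-1-5-32-544) on computers under ou=<Site>,<BaseOUPath>.

    .PARAMETER Site
    Site code used for the group name, the GPP item name and the OU filter.

    .PARAMETER BaseOUPath
    Distinguished name of the container holding the site OUs (used in the OU filter).

    .PARAMETER DelegationGroupOUPath
    Distinguished name of the OU in which the delegation group is created.

    .NOTES
    Fixes: the GPP item's "changed" stamp is now the current time instead of a
    hard-coded 2015 value, and a missing GPO aborts with a message instead of
    building a SYSVOL path from an empty domain name.
    NOTE(review): Groups.xml is edited directly in SYSVOL. That does not bump the
    GPO version (GPT.ini / AD versionNumber), so clients will presumably not pick
    the new item up until something else edits the GPO - confirm, or drive the
    change through the GPMC/GPP API instead.
    NOTE(review): the OU filter is written with directMember="0", which appears to
    match every computer anywhere below the site OU, i.e. including ou=Servers.
    Confirm that local admin on servers is intended for this group.
    #>
    param (
        [string][Parameter(Mandatory=$true)] $Site = "WAL",
        [string] $BaseOUPath = "ou=!Offices,dc=corpnet,dc=liox,dc=org",
        [string] $DelegationGroupOUPath = "ou=Administration,ou=Delegations,dc=corpnet,dc=liox,dc=org"
    )
    # Create (or look up) the "!CORP delegation IT <Site> Device Admin" group and populate it.
    $OfficeITTeam = New-ADDelegationGroup -Site $Site -DelegationGroupOUPath $DelegationGroupOUPath -DelegationRole "Device Admin"
    $GroupMembershipList = "!$($Site) IT (Standard), !CORP IT Helpdesk Admins, !CORP IT grp SCCM Client Administrators".Split(",;").Trim()
    foreach ($member in $GroupMembershipList) {
        write-output "Group [$OfficeITTeam] Adding Member [$member]"
        Add-ADGroupMember -Identity $OfficeITTeam -Members $member
    }

    # Locate the GPP Groups.xml of the device-administration GPO in SYSVOL.
    $gpo = get-gpo -Name "Device Administration Privilages"
    if (-not $gpo) {
        Write-Output "Unable to locate the GPO [Device Administration Privilages]. Aborting"
        return
    }
    $path = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.ID)}\machine\Preferences\Groups\Groups.xml"
    if (-not (Test-Path $path -ErrorAction SilentlyContinue)) {
        Write-Output "Unable to Locate the prference XML at [$path]. Aborting"
        return
    }
    [xml]$xml = Get-Content $path
    # Idempotence: one item per site, keyed on the "<Site> - " name prefix.
    if ($xml.Groups.Group | ? {$_.Name -like "*$($Site) - *"}) {
        Write-Output "Preferences are already defined in the GPO for the Site [$Site], Skipping"
        return
    }

    $prefName = "$($Site) - Administrators (built-in)"
    Write-Output "Creating new Preference Setting for [$prefName]"
    # <Group> item: a "Local Users and Groups" preference targeting built-in Administrators.
    $newRole = $xml.Groups.AppendChild($xml.CreateElement("Group"))
    $newRole.SetAttribute("clsid","{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}")
    $newRole.SetAttribute("name",$prefName)
    $newRole.SetAttribute("image",2)
    $newRole.SetAttribute("changed",(Get-Date).ToString("yyyy-MM-dd HH:mm:ss"))
    $newRole.SetAttribute("uid","{" + ([guid]::NewGuid()).tostring() + "}")
    $newRole.SetAttribute("userContext",0)
    $newRole.SetAttribute("removePolicy",0)
    # Properties: action "U" = update the existing local group; nothing is deleted or renamed.
    $newRoleProperties = $newRole.AppendChild($xml.CreateElement("Properties"))
    $newRoleProperties.SetAttribute("action","U")
    $newRoleProperties.SetAttribute("newName","")
    $newRoleProperties.SetAttribute("description","")
    $newRoleProperties.SetAttribute("deleteAllUsers","0")
    $newRoleProperties.SetAttribute("deleteAllGroups","0")
    $newRoleProperties.SetAttribute("removeAccounts","0")
    $newRoleProperties.SetAttribute("groupSid","S-1-5-32-544")
    $newRoleProperties.SetAttribute("groupName","Administrators (built-in)")
    # Members: ADD the site Device Admin group, by name and SID.
    $newRolePropertiesMembers = $newRoleProperties.AppendChild($xml.CreateElement("Members"))
    $newRolePropertiesMembersMember = $newRolePropertiesMembers.AppendChild($xml.CreateElement("Member"))
    $groupInfo = Get-ADGroup -Identity $OfficeITTeam
    $newRolePropertiesMembersMember.SetAttribute("name","CORPNET\$($groupInfo.Name)")
    $newRolePropertiesMembersMember.SetAttribute("sid",$groupInfo.sid.tostring())
    $newRolePropertiesMembersMember.SetAttribute("action","ADD")
    # Filters: item-level targeting on the site OU.
    $newRoleFilters = $newRole.AppendChild($xml.CreateElement("Filters"))
    $newRoleFiltersFilterOrg = $newRoleFilters.AppendChild($xml.CreateElement("FilterOrgUnit"))
    $newRoleFiltersFilterOrg.SetAttribute("bool","AND")
    $newRoleFiltersFilterOrg.SetAttribute("not","0")
    $newRoleFiltersFilterOrg.SetAttribute("name","ou=$($Site),$($BaseOUPath)")
    $newRoleFiltersFilterOrg.SetAttribute("userContext","0")
    $newRoleFiltersFilterOrg.SetAttribute("directMember","0")
    # Persist the new item back to SYSVOL.
    $xml.Save($path)
}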
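function New-ADDelegatedSiteOUStructure {
    <#
    .SYNOPSIS
    Orchestrates a complete site onboarding: office OU tree, contractor OU, the
    standard site groups (AD + Exchange) and the device-admin delegation/GPP item.

    .PARAMETER Site
    Site code passed to every step.

    .PARAMETER BaseOUPathOffice
    Base container for the office OU tree; also used for the standard groups and
    the device GPP OU filter.

    .PARAMETER BaseOUPathContractor
    Base container for the contractor site OU.

    .PARAMETER DelegationGroupOUPath
    OU in which the site delegation groups are created.

    .NOTES
    Fix: the group and device steps used to run with their own built-in defaults,
    so a non-default $BaseOUPathOffice / $DelegationGroupOUPath applied to the OU
    tree only. They now receive the same values; with the defaults the behaviour
    is unchanged.
    #>
    param (
        [string] $Site = "WAL",
        [string] $BaseOUPathOffice = "ou=!Offices,dc=corpnet,dc=liox,dc=org",
        [string] $BaseOUPathContractor = "ou=!Contractors,dc=corpnet,dc=liox,dc=org",
        [string] $DelegationGroupOUPath = "ou=Administration,ou=Delegations,dc=corpnet,dc=liox,dc=org"
    )
    New-ADDelegatedOfficeOU          -Site $Site -BaseOUPath $BaseOUPathOffice     -DelegationGroupOUPath $DelegationGroupOUPath
    New-ADDelegatedContractorOU      -Site $Site -BaseOUPath $BaseOUPathContractor -DelegationGroupOUPath $DelegationGroupOUPath
    New-ADDelegatedSiteStandardGroups -Site $Site -BaseOUPath $BaseOUPathOffice
    New-ADDelegatedSiteDevices       -Site $Site -BaseOUPath $BaseOUPathOffice     -DelegationGroupOUPath $DelegationGroupOUPath
}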
#New-ADDelegatedSiteOUStructure -Site "IST"
#New-ADDelegatedSiteOUStructure -Site "LAU"
#New-ADDelegatedSiteOUStructure -Site "LON"
#New-ADDelegatedSiteOUStructure -Site "PRS"
# NOTE(review): this call is live. Dot-sourcing or running the file creates the
# "SHA" site OU tree, groups, delegations and GPP item immediately, with whatever
# credentials the session holds. Comment it out like the others if the file is
# meant to be loaded as a function library.
New-ADDelegatedSiteOUStructure -Site "SHA"
#New-ADDelegatedSiteOUStructure -Site "ZUR"
#New-ADDelegatedSiteOUStructure -Site "ZUR"
#New-ADDelegatedSiteStandardGroups -Site "ZUR"

#Add-SigniantFederationRelyingTrust -Name "Signiant Share Portal for HTC" -MetadataURL https://lionbridge-htc-share.mediashuttle.com/saml2/metadata/sp -Group "!CORP IT grp Signiant Send Portal Access"
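function Add-SigniantFederationRelyingTrust {
    <#
    .SYNOPSIS
    Registers a Signiant portal as an AD FS relying party from its SAML metadata
    URL, restricts access to members of one AD group, and issues a transient
    session NameID plus a set of LDAP attribute claims.

    .PARAMETER Name
    Display name of the relying party trust; also embedded in the claim rule names.

    .PARAMETER Group
    AD group whose members are permitted; its SID is matched in the authorization rule.

    .PARAMETER MetadataURL
    https:// URL of the portal's SAML metadata. The host part becomes the
    "Hosted Domain" used in the session-id claim type.

    .PARAMETER SignatureAlgorithm
    Token signature algorithm. Defaults to the historical rsa-sha1 value for
    compatibility; prefer "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    wherever the portal accepts it - SHA-1 signatures are deprecated.

    .NOTES
    Changes: MetadataURL must be https:// (metadata fetched over plain http can be
    altered in transit and carries the partner's signing certificate); Name may
    not contain double quotes or line breaks because it is spliced into the claim
    rule text; SignatureAlgorithm is a parameter instead of a hard-coded local;
    the "-MetadataURL" switch is written with an ASCII hyphen (the original used
    a Unicode en-dash, which PowerShell tolerates but linters and copy/paste do not).
    NOTE(review): the LDAP rule issues tokenGroups as role claims, i.e. the user's
    complete group SID list is sent to the portal. Confirm the partner needs it.
    #>
    [CmdletBinding()]
    param (
        [string][Parameter(Mandatory=$true)]$Name,
        [string][Parameter(Mandatory=$true)]$Group,
        [string][Parameter(Mandatory=$true)]$MetadataURL,
        [string]$SignatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    )
    # Input validation before anything touches AD or AD FS.
    if ($MetadataURL -notmatch '^https://') {
        throw "MetadataURL must be an https:// URL (got [$MetadataURL]); federation metadata must not be fetched over plain http."
    }
    if ($Name -match '["\r\n]') {
        throw "Name must not contain double quotes or line breaks; it is embedded in the claim rule text."
    }
    $PortalEndpoint = $MetadataURL.Split('/')[2]
    Write-Verbose "Hosted Domain is [$PortalEndpoint]"
    $groupInfo = Get-ADGroup -Identity $Group
    # Issuance transform rules: opaque session id -> transient NameID, plus LDAP attributes.
    $IssueTransformRule = @'
@RuleName = "__Name__ Custom Claim"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore", types = ("https://__Portal_Endpoint__/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
@RuleTemplate = "MapClaims"
@RuleName = "__Name__ Claim Transform"
c:[Type == "https://__Portal_Endpoint__/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
@RuleTemplate = "LdapClaims"
@RuleName = "__Name__ LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,sAMAccountName,displayName,givenName,sn,tokenGroups;{0}", param = c.Value);
'@
    # Issuance authorization rule: permit only when a groupsid claim equals the group's SID.
    # The SID is safe to splice into the regex (digits and hyphens only).
    $IssueAuthorizationRule = @'
@RuleName = "__Name__ Restriction to group __Group__"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)__Group_SID__$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
    # Customise the Issuance Transform Rule
    $IssueTransformRule = $IssueTransformRule.Replace("__Portal_Endpoint__",$PortalEndpoint)
    $IssueTransformRule = $IssueTransformRule.Replace("__Name__",$Name)
    # Customise the Issuance Authorization Rule
    $IssueAuthorizationRule = $IssueAuthorizationRule.Replace("__Group_SID__",$GroupInfo.SID.Value)
    $IssueAuthorizationRule = $IssueAuthorizationRule.Replace("__Group__",$GroupInfo.Name)
    $IssueAuthorizationRule = $IssueAuthorizationRule.Replace("__Name__",$Name)
    # Add the new relying party trust and set its signature algorithm.
    Add-ADFSRelyingPartyTrust -Name $Name -MetadataURL $MetadataURL -IssuanceAuthorizationRules $IssueAuthorizationRule -IssuanceTransformRules $IssueTransformRule
    Set-ADFSRelyingPartyTrust -TargetName $Name -SignatureAlgorithm $SignatureAlgorithm
}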
#
# Get-OnPremiseExchangeMailLatency.ps1
#
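workflow Get-OnPremiseExchangeMailLatency
{
<#
.SYNOPSIS
Averages end-to-end mail delivery latency across the on-premise Exchange hub transport servers for the last 7 days.
.DESCRIPTION
Reads the Exchange server list and credential name from the 'ExchangeHybrid'-prefixed SMA variables, opens a
remote Exchange PowerShell session to the first reachable server, then for every transport server whose name
matches *EXC10* averages MessageLatency over DELIVER tracking events from the past 168 hours. A server with no
DELIVER events in that window is skipped rather than aborting the run.
.OUTPUTS
JSON string with Feedback, Latency (milliseconds; per-server averages averaged again), Samples (total DELIVER
records) and Status ('Success'). Any failure is re-raised through Throw-Exception with the partial feedback attached.
.NOTES
Get-BatchSMAVariable, Get-ExceptionInfo, Write-Exception and Throw-Exception are defined outside this file.
The Exchange session is opened over http:// with the default remoting authentication.
#>
#Param( [Parameter(Mandatory=$true) ][string]$UserPrincipalName )
Write-Verbose -Message "Starting [$WorkflowCommandName]"
$WarningPreference = 'Continue'
$WebServiceEndpoint = "https://localhost"
# The InlineScript below runs in its own runspace and sees workflow variables only through $Using:,
# so the workflow name is captured here for the exception type raised on failure.
$WorkflowName = $WorkflowCommandName
#
# Initialize Variables
#
$VarList = @( 'ExchangeServerList', 'MSOPCredentialsName')
$Vars = Get-BatchSMAVariable -Name $VarList `
-Prefix 'ExchangeHybrid' `
-WebServiceEndpoint $WebServiceEndpoint
$MSOPCreds = Get-AutomationPSCredential -Name $Vars.MSOPCredentialsName
Write-Verbose -Message "`$MSOPCreds.UserName [$($MSOPCreds.UserName)]"
#
# Start Flow Logic
#
$retVars = InlineScript
{
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Continue
& {
# Everything inside $( ) is discarded so only the JSON returned at the end becomes the InlineScript output
$null = $(
$DebugPreference = [System.Management.Automation.ActionPreference]$Using:DebugPreference
$VerbosePreference = [System.Management.Automation.ActionPreference]$Using:VerbosePreference
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop
#
# Publish Parent Variables in the runspace
#
$Vars = $Using:Vars
$MSOPCreds = $Using:MSOPCreds
$WorkflowName = $Using:WorkflowName
$ExchSession = $null
$ReturnInfo = @{
'Feedback' = "";
'Latency' = 0;
'Samples' = 0;
'Status' = 'Unknown'
}
Try
{
#
# We need to connect with the on-Premise exchange to gather the latency metrics
#
# Go through the list of Exchange servers and find one we can connect to
$ExchangeServerList = ($Vars.ExchangeServerList).Split(",;")
For ( $i = 0 ; -not $ExchSession -and $i -lt $ExchangeServerList.Count ; $i++ )
{
$targetServer = $ExchangeServerList[$i].trim()
Write-verbose -Message "Attempting On-Premise connection to Exchange Server [$targetServer]"
# -ErrorAction Continue: an unreachable server leaves $ExchSession empty so the loop tries the next one
$ExchSession = New-PSSession -ConnectionURI "http://$targetServer/powershell/" `
-ConfigurationName Microsoft.Exchange `
-Credential $MSOPCreds `
-ErrorAction Continue
}
If ( -not $ExchSession ) {
throw "Could not connect PSSession to On Premise servers."
} else {
Write-verbose -Message "Connected to On Premise Exchange Server [$($ExchSession.ComputerName)]"
}
#
# Import only the two Exchange cmdlets this runbook needs
#
$null = Import-PSSession -Session $ExchSession `
-CommandName @("Get-TransportServer", "Get-MessageTrackingLog") `
-AllowClobber `
-Verbose:$False
#
# Hub transport servers are selected by name pattern (*EXC10* is the naming convention in use)
#
$transportServers = Get-TransportServer -Identity *EXC10*
If ( -not $? ) { throw $Error[0].Exception }
Write-Verbose -Message "Transport Servers [$transportServers]"
$mailLatency = @()   # one average (ms) per server
$mailSamples = @()   # one record count per server
Foreach ($hubServer in $TransportServers) {
Write-Verbose -Message "Scanning Hub Server [$($hubServer.Name)]"
$latencyInfo = Get-MessageTrackingLog -Server $hubServer.Name -ResultSize Unlimited -Start (Get-Date).AddHours(-168) -EventID DELIVER
If ( -not $? ) { throw $Error[0].Exception }
# Measure-Object yields 0 for $null and 1 for a single record, unlike .Count on a bare object
$recordCount = ($latencyInfo | Measure-Object).Count
Write-Verbose -Message "Server [$($hubServer.Name)] returned [$recordCount] records"
# No DELIVER events means nothing to average; skipping avoids the divide-by-zero that used to abort the whole run
If ( $recordCount -eq 0 ) { continue }
$totalDuration = 0
foreach ($record in $latencyInfo) {
$totalDuration += ([Timespan]$record.messagelatency).totalmilliseconds
}
$sampleLatency = $totalDuration / $recordCount
Write-Verbose -Message "Server [$($hubServer.Name)] spent [$totalDuration] milliseconds routing. Averaged out as [$sampleLatency] milliseconds"
$mailLatency += $sampleLatency
$mailSamples += $recordCount
Write-Verbose -Message "Server [$($hubServer.Name)] Delivered [$recordCount] Messages with an average latency of [$sampleLatency)]"
}
# Leave the defaults (0) in place when no server contributed a sample
If ( $mailLatency.Count -gt 0 ) {
$ReturnInfo.Latency = ($mailLatency | Measure-Object -Average).average
$ReturnInfo.Samples = ($mailSamples| Measure-Object -sum).sum
}
$ReturnInfo.feedback = "Located [$($ReturnInfo.Samples)] End to End Mail Messages, taking an averge [$($ReturnInfo.Latency)] milliseconds to route `n`r"
$ReturnInfo.Status = "Success"
}
Catch
{
$ExceptionInfo = Get-ExceptionInfo -Exception $_
Write-Exception -Exception $_ -Stream 'Warning'
Throw-Exception -Type $WorkflowName `
-Message "Failed while checking Onpremise mail logs" `
-Property @{
'InnerMessage' = $ExceptionInfo.Message;
'InnerType' = $ExceptionInfo.Type;
'ScriptBlock' = $_.InvocationInfo.MyCommand.ScriptBlock;
'Position' = $_.InvocationInfo.PositionMessage;
'Feedback' = $ReturnInfo.feedback;
# Always $null here: the UserPrincipalName parameter is commented out above. Kept so the property set is unchanged.
'UserPrincipalName' = $UserPrincipalName;
'Status' = "Failure" }
}
Finally
{
# Tear the remote session down on every path; previously it leaked whenever the Try block failed
If ( $ExchSession ) { Remove-PSSession -Session $ExchSession -ErrorAction SilentlyContinue }
}
)
return (ConvertTo-JSON $ReturnInfo)
}
}
#New-VariableRunbookTrackingInstance -VariablePrefix SecurityAwarenessNotification-Send -WebServiceEndpoint $WebServiceEndpoint
Write-Verbose -Message "`$retVars [$retVars]"
Write-Verbose -Message "Finished [$WorkflowCommandName]"
return $retVars
}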
#
# Post_DashboardMailDeliveryTime.ps1
#
#
# Area : Email
# Date : Midnight EST every Wednesday
# Definition   : Process the Mail Transport Log for End-to-End mail messages for the period of a week, and average the latency flow
# Implementation : Runbook 1: Post_DashboardMailDeliveryTime
# Overview : Scheduled SMA Runbook, Querying Exchange Log Data, Parsing Result and posting to Sharepoint List
# Schedule : Weekly - Midnight EST every Wednesday
# Value : Current Mailflow Latency Average in Milliseconds
# Thresholds
# ::Warning : > 300
# ::Critical : > 200
workflow Post-DashboardMailDeliveryTime
{
<#
.SYNOPSIS
Scheduled runbook: fetches the on-premise mail-flow latency average and posts it to the ITDashboardStats SharePoint list.
.DESCRIPTION
Calls Get-OnPremiseExchangeMailLatency, parses its JSON result and hands the Latency value to the
Update-SharepointList runbook as the "Mail Flow Latency" statistic stamped with the current date.
.OUTPUTS
$RetVars is never assigned in this workflow, so the return value is empty.
NOTE(review): confirm nothing downstream expects the metric to be returned.
#>
Write-Verbose -Message "Starting [$WorkflowCommandName]"
$WarningPreference = 'Continue'
# Only referenced by the commented-out tracking call below; Start-SmaRunbook hard-codes the same endpoint again.
$WebServiceEndpoint = "https://localhost"
### Support Functions
# Posts one statistic row through the Update-SharepointList runbook.
# NOTE(review): a function declared inside a workflow body — confirm the workflow runtime accepts this construct.
function Update-SharepointRecord {
Param(
[string]$Service,
[String]$Value
)
$ItemPayload = @{
"StatisticName" = $Service;
"Value" = $Value;
"Date" = (Get-Date -Format s) # sortable ISO 8601 timestamp
}
$ListName = "ITDashboardStats";
# OData-style filter on the statistic name and today's date; presumably used by Update-SharepointList to
# decide between updating an existing row and inserting a new one (that runbook is not visible here).
$SharepointQuery = "((StatisticName eq '$($Service)') and (Date ge datetime'$($ItemPayload.Date)'))"
Start-SmaRunbook -Name "Update-SharepointList" `
-WebServiceEndpoint "https://localhost" `
-Parameters @{ "SharepointList" = $ListName;
"SharepointQuery" = $SharepointQuery;
"SharepointProperties" = (ConvertTo-Json -InputObject $ItemPayload) }
}
# Gather the mail-flow latency (returned as a JSON string) and parse it
$mailFlowInfo = Get-OnPremiseExchangeMailLatency
$mailFlowInfo = ConvertFrom-Json -InputObject $mailFlowInfo
# Update the Sharepoint List with the new metric
Update-SharepointRecord -Service "Mail Flow Latency" -Value $mailFlowInfo.Latency
#New-VariableRunbookTrackingInstance -VariablePrefix SecurityAwarenessNotification-Send -WebServiceEndpoint $WebServiceEndpoint
Write-Verbose -Message "Finished [$WorkflowCommandName]"
Return $RetVars
}
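Function Resize-VMPartition {
<#
.SYNOPSIS
Offline-grows a clustered Hyper-V VM's first virtual disk and extends its first non-system partition to fill it.
.DESCRIPTION
Searches the failover clusters in ClusterList for the VM, stops it (-Force), grows its first attached VHD/VHDX
by GrowPercentage, mounts that disk on the management host, extends the first partition larger than
404857600 bytes to the maximum Get-PartitionSupportedSize reports, dismounts the disk and starts the VM again.
Dismount and restart run from a finally block, so a failure part-way no longer leaves the VM stopped with its
disk still mounted. Honours -WhatIf/-Confirm for the stop/resize step.
.PARAMETER VM
Name of the virtual machine as reported by Get-VM.
.PARAMETER ClusterList
Failover clusters to enumerate; defaults to the fixed list this function was written for.
.PARAMETER GrowPercentage
Percentage added to the current VHD size (default 20).
.NOTES
Uses the FailoverClusters, Hyper-V and Storage modules and reaches the VHD through the node's administrative
share (\\node\<drive>$\...), so the caller needs admin rights on every node.
Only the first attached disk is resized; it is assumed to be the OS disk — TODO confirm for VMs whose first disk is a data disk.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param (
    [String] $VM,
    [String[]] $ClusterList = @("BIL-VM-LC1", "BIL-VM-LC2", "BDL-VM-LC1", "BIL-VM-LC6"),
    [Int] $GrowPercentage = 20
)
Begin {
    $nodes = @()
    $VMList = @()
    Write-Output "Gather Information from Clusters... Please Wait..."
    foreach ($clusterName in $ClusterList) {
        $clusterName = $clusterName.Trim()
        Write-Verbose "Cluster: $clusterName"
        $cluster = Get-Cluster -Name $clusterName -ErrorAction SilentlyContinue
        # An unreachable cluster is reported and skipped so the remaining clusters are still searched
        if (-not $cluster) {
            Write-Warning "Cluster [$clusterName] could not be contacted; skipping it"
            continue
        }
        $nodes += @(Get-ClusterNode -Cluster $cluster.Name)
    }
    foreach ($node in $nodes) {
        Write-Verbose "Node: $node"
        # Each VM is tagged with the ClusterNode it runs on; .Name feeds -ComputerName and the UNC path later
        $VMList += @(Get-VM -ComputerName $node.Name | Select-Object Name, @{Name="VMHost";Expression={$node}})
    }
    Write-Output "Enumerated $($ClusterList.Count) Clusters, Containing $($nodes.Count) Nodes, and $($VMList.Count) Virtual Machines"
}
Process {
    $located = @($VMList | Where-Object { $_.Name -eq $VM })
    if ($located.Count -eq 0) {
        Write-Output "Unable to determine host for $VM. Aborting"
        return
    }
    # The same name on two clusters would make $VMHost an array and break every call below; refuse instead
    if ($located.Count -gt 1) {
        Write-Output "$VM matched $($located.Count) virtual machines across the clusters. Aborting"
        return
    }
    $VMHost = $located[0].VMHost
    Write-Output "$VM is currently hosted on node $($VMHost.Name)"
    if (-not $PSCmdlet.ShouldProcess("$VM on $($VMHost.Name)", "Stop VM, grow first VHD by $GrowPercentage% and extend its first non-system partition")) {
        return
    }
    $vmStopped = $false
    $vhdMounted = $false
    $focusVHD = $null
    try {
        # Offline resize: the disk can only be opened for writing while the VM is off
        Stop-VM -VMName $VM -ComputerName $VMHost.Name -Force -ErrorAction Stop
        $vmStopped = $true
        # Rewrite each disk's host-local path (D:\x\y.vhdx) as \\host\D$\x\y.vhdx so Get-VHD can open it from here
        $VHDInfo = @(Get-VM -Name $VM -ComputerName $VMHost.Name -ErrorAction Stop |
            Select-Object -ExpandProperty HardDrives |
            ForEach-Object {
                $vmName = $_.VMName
                $pathParts = $_.Path.Split(":")
                $uncPath = "\\" + $VMHost.Name + "\" + $pathParts[0] + "$" + $pathParts[1]
                Get-VHD -Path $uncPath -ErrorAction Stop |
                    Select-Object @{Name="VMName";Expression={$vmName}},
                        Path, VHDType, VHDFormat, Size, FileSize, FragmentationPercentage,
                        @{Name="Utilization";Expression={($_.FileSize / $_.Size) * 100}}
            })
        if ($VHDInfo.Count -eq 0) {
            throw "No virtual hard drives are attached to $VM"
        }
        $focusVHD = $VHDInfo[0]
        # Resize-VHD wants whole bytes; the percentage arithmetic yields a double
        $newVHDSize = [UInt64]($focusVHD.Size + (($focusVHD.Size / 100) * $GrowPercentage))
        $newVHDSizeText = ("{0:n2}" -f ($newVHDSize / 1GB)) + "GB"
        Write-Output "Resizing VHD $($focusVHD.Path) by $GrowPercentage% to $newVHDSizeText"
        $focusVHD | Resize-VHD -SizeBytes $newVHDSize -ErrorAction Stop
        Write-Verbose "Mounting VHD"
        # Mount the first VHD and enumerate the partitions on it
        $mountedVHD = $focusVHD | Mount-VHD -Passthru -ErrorAction Stop
        $vhdMounted = $true
        $partitions = @($mountedVHD | Get-Disk | Get-Partition)
        # Partitions of 404857600 bytes or less are treated as system/boot partitions; the first larger one is the target
        $targetPartition = $partitions | Where-Object { $_.Size -gt 404857600 } | Select-Object -First 1
        if (-not $targetPartition) {
            throw "No partition larger than 404857600 bytes was found on $($focusVHD.Path)"
        }
        Write-Verbose "Located $($partitions.Count) Partitions, first non-System Partition is mounted to Drive $($targetPartition.DriveLetter)"
        # Ask the storage stack how far this partition may grow now that the disk is larger
        $supportedSize = Get-PartitionSupportedSize -DiskNumber $targetPartition.DiskNumber -PartitionNumber $targetPartition.PartitionNumber -ErrorAction Stop
        $currentPartitionText = ("{0:n2}" -f ($targetPartition.Size / 1GB)) + "GB"
        $newPartitionText = ("{0:n2}" -f ($supportedSize.SizeMax / 1GB)) + "GB"
        Write-Verbose "Drive $($targetPartition.DriveLetter) is currently allocated $currentPartitionText and will be expanded to its maximum of $newPartitionText"
        if ($supportedSize.SizeMax -le $targetPartition.Size) {
            Write-Output "Partition on $($focusVHD.Path) is already at its maximum size of $currentPartitionText; nothing to extend"
        } else {
            Resize-Partition -DiskNumber $targetPartition.DiskNumber -PartitionNumber $targetPartition.PartitionNumber -Size $supportedSize.SizeMax -ErrorAction Stop
            Write-Output "Resize Complete on $($focusVHD.path), Increased the First Non-System Partition by $GrowPercentage% from $currentPartitionText to $newPartitionText"
        }
    }
    finally {
        # Runs on success and failure alike. Errors here are reported (default ErrorAction) but must not
        # replace the original exception, so nothing in this block is allowed to terminate.
        if ($vhdMounted) {
            $focusVHD | Dismount-VHD
            Write-Verbose "Dismounted VHD"
        }
        if ($vmStopped) {
            Start-VM -Name $VM -ComputerName $VMHost.Name
            Write-Verbose "Restarting VM"
        }
    }
}
}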