Code to create a DSRM Placeholder Account in AD for RWDCs as described in the blog post https://jorgequestforknowledge.wordpress.com/2010/06/15/managing-the-dsrm-administrator-account/
# SOURCE: https://gist.github.com/zjorz/f7d8dd924daddc8b9023dc2be358049b/
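Invoke-Command -ScriptBlock {
    Clear-Host
    # Script Mode: "ADSIorSDSP" Uses System.DirectoryServices / ADSI Only, "ADPoSH" Uses The ActiveDirectory PowerShell Module
    $scriptMode = "ADSIorSDSP" # "ADSIorSDSP" Or "ADPoSH"
    Write-Host ""
    Write-Host "###############################################################################" -Foregroundcolor Yellow
    Write-Host "### CREATING THE DSRM PLACEHOLDER ACCOUNT FOR RWDCs ###" -Foregroundcolor Yellow
    Write-Host "###############################################################################" -Foregroundcolor Yellow

    #######################################
    # New-RandomPasswordPart
    # Returns A String Of $length Characters Drawn Uniformly From The Printable ASCII Range 33..126
    # (94 Characters) Using A Cryptographic RNG. Each Position Is Drawn Independently (WITH Replacement)
    # And Modulo Bias Is Removed By Rejection Sampling (Bytes >= 188 Are Discarded, 188 = 2 * 94).
    # Get-Random Is Deliberately Not Used Here: It Is Not A Cryptographic RNG And "-Count N" Samples
    # WITHOUT Replacement, So No Character Could Ever Repeat Within A Part.
    # Arguments: $length - Number Of Characters To Generate
    # Returns:   The Generated String
    #######################################
    Function New-RandomPasswordPart {
        Param([int]$length)
        $alphabetSize = 94 # Characters 33..126
        $maxAccepted = 256 - (256 % $alphabetSize) # 188; Accepting Bytes At Or Above This Would Skew The Distribution
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $buffer = New-Object byte[] 1
        $chars = New-Object System.Collections.Generic.List[char]
        Try {
            While ($chars.Count -lt $length) {
                $rng.GetBytes($buffer)
                If ($buffer[0] -lt $maxAccepted) {
                    $chars.Add([char](33 + ($buffer[0] % $alphabetSize)))
                }
            }
        } Finally {
            $rng.Dispose()
        }
        Return (-join $chars)
    }

    # Some Basics - The ACE Definition Below Is A Deny Of Full Control For 'NT AUTHORITY\SYSTEM' On The Account Object Itself (No Inheritance)
    $systemSecurityPrincipalStringSID = "S-1-5-18" # 'NT AUTHORITY\SYSTEM' Well-Known Security Principal
    $systemSecurityPrincipal = $(New-Object System.Security.Principal.SecurityIdentifier($systemSecurityPrincipalStringSID)).Translate([System.Security.Principal.NTAccount])
    $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"GenericAll" # Full Control
    $aclTypeAllow = [System.Security.AccessControl.AccessControlType]::"Allow" # Allow ACE
    $aclTypeDeny = [System.Security.AccessControl.AccessControlType]::"Deny" # Deny ACE
    $accessInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::"None" # This Object Only
    $scopedObjectSchemaIDGuid = "00000000-0000-0000-0000-000000000000" # All
    $scopedAttributeSchemaIDGuid = "00000000-0000-0000-0000-000000000000" # All
    # Argument Order Matches The ActiveDirectoryAccessRule Constructor: Identity, Rights, Type, ObjectType, InheritanceType, InheritedObjectType
    $aceDefinitionDeny = $systemSecurityPrincipal,$rightsCollection,$aclTypeDeny,$scopedAttributeSchemaIDGuid,$accessInheritanceType,$scopedObjectSchemaIDGuid

    # Discover The Domain Of The Computer Running The Script And Its PDC FSMO Role Owner; All Writes Below Are Targeted At That Single RWDC
    If ($scriptMode -eq "ADSIorSDSP") {
        $adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $adDomainFQDN = $adDomain.Name
        $adDomainDN = $adDomain.GetDirectoryEntry().Properties["DistinguishedName"].Value
        $adDomainSIDBytes = $adDomain.GetDirectoryEntry().Properties["ObjectSid"].Value
        $adDomainSID = (New-Object System.Security.Principal.SecurityIdentifier($adDomainSIDBytes, 0)).Value
        $adDomainNetBIOSName = $adDomain.GetDirectoryEntry().Properties["Name"].Value
        $rwdcPDCFSMOFQDN = $adDomain.PdcRoleOwner.Name
        # As The Account Created Below Should Be Considered A Tier 0 Resource, Preferably Use An OU That Is Part Of Tier 0 Protecting And Hiding Tier 0 Resources
        $OU = "CN=Users,$adDomainDN"
    }
    If ($scriptMode -eq "ADPoSH") {
        Import-Module ActiveDirectory
        $adDomain = Get-ADdomain -Current LocalComputer
        $adDomainFQDN = $adDomain.DnsRoot
        $adDomainDN = $adDomain.DistinguishedName
        $adDomainSID = $adDomain.DomainSID.value
        $adDomainNetBIOSName = $adDomain.NetBIOSName
        $rwdcPDCFSMOFQDN = $adDomain.PDCEmulator
        # As The Account Created Below Should Be Considered A Tier 0 Resource, Preferably Use An OU That Is Part Of Tier 0 Protecting And Hiding Tier 0 Resources
        $OU = "CN=Users,$adDomainDN"
    }

    # Define The Random Password Of 64 Characters In Total For The Placeholder DSRM Account For RWDCs
    # The Password Is Never Displayed Or Stored; It Only Exists In This Session For The Duration Of The Account Creation
    $pwdDSRMRWDCs = New-RandomPasswordPart -length 64

    # Create The DSRM Placeholder AD User Account For RWDCs (Disabled, Password Never Expires, Not Delegated)
    $dsrmRWDCsSamAccountName = "dsrm.RWDCs"
    $dsrmRWDCsAccountName = "DSRM Placeholder Account For RWDCs"
    Write-Host ""
    Write-Host "Creating DSRM Placeholder AD User Account For RWDCs ('$dsrmRWDCsSamAccountName')" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        $ouObject = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$OU"
        $dsrmAccountObject = $ouObject.Create("user", "CN=$dsrmRWDCsAccountName")
        $userAccountControl = 512 # NORMAL_ACCOUNT
        $userAccountControl = $userAccountControl -bor 2 # ACCOUNTDISABLE
        $userAccountControl = $userAccountControl -bor 65536 # DONT_EXPIRE_PASSWORD
        $userAccountControl = $userAccountControl -bor 1048576 # NOT_DELEGATED
        $dsrmAccountObject.Put("userAccountControl", $userAccountControl)
        $dsrmAccountObject.Put("givenName", "DSRM")
        $dsrmAccountObject.Put("sn", "Placeholder Account For RWDCs")
        $dsrmAccountObject.Put("displayName", $dsrmRWDCsAccountName)
        $dsrmAccountObject.Put("description", "$dsrmRWDCsAccountName To Sync The Password From - !!! DO NOT ENABLE !!!")
        $dsrmAccountObject.Put("sAMAccountName", $dsrmRWDCsSamAccountName)
        $dsrmAccountObject.Put("userPrincipalName", "$dsrmRWDCsSamAccountName@$adDomainFQDN")
        $dsrmAccountObject.SetInfo()
        $dsrmAccountObject.RefreshCache()
        $dsrmAccountObject.SetPassword($pwdDSRMRWDCs)
        # Re-Bind To The Newly Created Object So Its Security Descriptor Can Be Modified
        $dsrmAccountObject = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/CN=$dsrmRWDCsAccountName,$OU"
        # Equivalent Of "User Cannot Change Password": Deny The "Change Password" Control Access Right To SELF
        $selfSecurityPrincipalStringSID = "S-1-5-10" # SELF
        $selfSecurityPrincipal = $(New-Object System.Security.Principal.SecurityIdentifier($selfSecurityPrincipalStringSID)).Translate([System.Security.Principal.NTAccount])
        $rightsCollection = [System.DirectoryServices.ActiveDirectoryRights]::"ExtendedRight" # Extended Right
        $aclType = [System.Security.AccessControl.AccessControlType]::"Deny" # Deny ACE
        $carChangePassword = "ab721a53-1e2f-11d0-9819-00aa0040529b" # Control Access Right "Change Password"
        $inheritanceScope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::"None" # This Object Only
        $schemaIDguidUSER = "bf967aba-0de6-11d0-a285-00aa003049e2" # Schema ID Guid For "USER"
        $aceDefinition = $selfSecurityPrincipal,$rightsCollection,$aclType,$carChangePassword,$inheritanceScope,$schemaIDguidUSER
        $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition)
        $dsrmAccountObject.PSBase.ObjectSecurity.AddAccessRule($accessRule)
        $dsrmAccountObject.PSBase.CommitChanges()
        $dsrmAccountObject.RefreshCache()
    }
    If ($scriptMode -eq "ADPoSH") {
        $dsrmParametersHT = @{
            Path = $OU
            Enabled = $false
            Name = $dsrmRWDCsAccountName
            GivenName = "DSRM"
            Surname = "Placeholder Account For RWDCs"
            DisplayName = $dsrmRWDCsAccountName
            Description = "$dsrmRWDCsAccountName To Sync The Password From - !!! DO NOT ENABLE !!!"
            SamAccountName = $dsrmRWDCsSamAccountName
            UserPrincipalName = "$dsrmRWDCsSamAccountName@$adDomainFQDN"
            AccountPassword = $(ConvertTo-SecureString $pwdDSRMRWDCs -AsPlainText -Force)
            CannotChangePassword = $true
            AccountNotDelegated = $true
            PasswordNeverExpires = $true
            SmartcardLogonRequired = $false
            Server = $rwdcPDCFSMOFQDN
        }
        New-ADUser @dsrmParametersHT
        # Short Pause Before Reading The Object Back From The Same DC It Was Written To
        Start-Sleep -s 1
        $dsrmAdmAccount = Get-ADUser -Identity $dsrmRWDCsSamAccountName -Server $rwdcPDCFSMOFQDN
        $dsrmAdmAccountDN = $dsrmAdmAccount.DistinguishedName
    }
    Write-Host " > Script Mode...........: $scriptMode" -Foregroundcolor Yellow
    Write-Host " > Container/OU..........: $OU" -Foregroundcolor Yellow
    Write-Host " > Name/DisplayName......: $dsrmRWDCsAccountName" -Foregroundcolor Yellow
    Write-Host " > sAMAccountName........: $dsrmRWDCsSamAccountName" -Foregroundcolor Yellow
    Write-Host " > msDS-PrincipalName....: $adDomainNetBIOSName\$dsrmRWDCsSamAccountName" -Foregroundcolor Yellow
    Write-Host " > Password..............: ...RANDOM AND UNKNOWN..." -Foregroundcolor Cyan
    Write-Host ""

    # Add The DSRM Placeholder AD User Account For RWDCs To The Domain Guests Group (RID 514) And Reconfiguring Primary Group ID
    # The Primary Group Must Be Changed Before The Account Can Be Removed From Domain Users Below
    Write-Host ""
    Write-Host "Adding DSRM Placeholder AD User Account For RWDCs ('$dsrmRWDCsSamAccountName') To Domain Guests Group And Reconfiguring Primary Group ID" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        $domainGuestsGroupSID = "$adDomainSID-514"
        $domainGuestsGroupPrincipalName = $(New-Object System.Security.Principal.SecurityIdentifier($domainGuestsGroupSID)).Translate([System.Security.Principal.NTAccount]).Value
        $domainGuestsGroupSamAccountName = $domainGuestsGroupPrincipalName.Split("\")[1]
        $adsiSearcher = New-Object DirectoryServices.DirectorySearcher
        $adsiSearcher.SearchRoot = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$adDomainDN"
        $adsiSearcher.Filter = "(sAMAccountName=$domainGuestsGroupSamAccountName)"
        $domainGuestsGroupObject = $adsiSearcher.FindOne()
        ([ADSI]"LDAP://$rwdcPDCFSMOFQDN/$($domainGuestsGroupObject.Properties.distinguishedname[0])").Add($dsrmAccountObject.ADSPath)
        $dsrmAccountObject.Put("primaryGroupId", 514)
        $dsrmAccountObject.SetInfo()
        $dsrmAccountObject.RefreshCache()
    }
    If ($scriptMode -eq "ADPoSH") {
        Add-ADGroupMember -Identity "$adDomainSID-514" -Members $dsrmRWDCsSamAccountName -Server $rwdcPDCFSMOFQDN
        Set-ADUser -Identity $dsrmRWDCsSamAccountName -Replace @{"primaryGroupID" = 514} -Server $rwdcPDCFSMOFQDN
    }

    # Remove The DSRM Placeholder AD User Account For RWDCs From The Domain Users Group (RID 513)
    Write-Host ""
    Write-Host "Removing DSRM Placeholder AD User Account For RWDCs ('$dsrmRWDCsSamAccountName') From Domain Users Group" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        $domainUsersGroupSID = "$adDomainSID-513"
        $domainUsersGroupPrincipalName = $(New-Object System.Security.Principal.SecurityIdentifier($domainUsersGroupSID)).Translate([System.Security.Principal.NTAccount]).Value
        $domainUsersGroupSamAccountName = $domainUsersGroupPrincipalName.Split("\")[1]
        $adsiSearcher = New-Object DirectoryServices.DirectorySearcher
        $adsiSearcher.SearchRoot = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$adDomainDN"
        $adsiSearcher.Filter = "(sAMAccountName=$domainUsersGroupSamAccountName)"
        $domainUsersGroupObject = $adsiSearcher.FindOne()
        ([ADSI]"LDAP://$rwdcPDCFSMOFQDN/$($domainUsersGroupObject.Properties.distinguishedname[0])").Remove($dsrmAccountObject.ADSPath)
    }
    If ($scriptMode -eq "ADPoSH") {
        Remove-ADGroupMember -Identity "$adDomainSID-513" -Members $dsrmRWDCsSamAccountName -Confirm:$false -Server $rwdcPDCFSMOFQDN
    }

    # Add The DSRM Placeholder AD User Account For RWDCs To The DENIED RODC Password Replication Group (RID 572)
    # So That No RODC Can Ever Cache This Account's Password
    Write-Host ""
    Write-Host "Adding DSRM Placeholder AD User Account For RWDCs ('$dsrmRWDCsSamAccountName') To DENIED RODC Password Replication Group" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        $domainRODCsPRPDenyGroupSID = "$adDomainSID-572"
        $domainRODCsPRPDenyGroupPrincipalName = $(New-Object System.Security.Principal.SecurityIdentifier($domainRODCsPRPDenyGroupSID)).Translate([System.Security.Principal.NTAccount]).Value
        $domainRODCsPRPDenyGroupSamAccountName = $domainRODCsPRPDenyGroupPrincipalName.Split("\")[1]
        $adsiSearcher = New-Object DirectoryServices.DirectorySearcher
        $adsiSearcher.SearchRoot = [ADSI]"LDAP://$rwdcPDCFSMOFQDN/$adDomainDN"
        $adsiSearcher.Filter = "(sAMAccountName=$domainRODCsPRPDenyGroupSamAccountName)"
        $domainRODCsPRPDenyGroupObject = $adsiSearcher.FindOne()
        ([ADSI]"LDAP://$rwdcPDCFSMOFQDN/$($domainRODCsPRPDenyGroupObject.Properties.distinguishedname[0])").Add($dsrmAccountObject.ADSPath)
    }
    If ($scriptMode -eq "ADPoSH") {
        Add-ADGroupMember -Identity "$adDomainSID-572" -Members $dsrmRWDCsSamAccountName -Server $rwdcPDCFSMOFQDN
    }

    # Adding Restrictions To NOT Allow The Synchronization Of The Password From The DSRM Placeholder AD User Account For RWDCs
    # Every Explicit Allow ACE For SYSTEM Is Removed From The Object And Replaced With An Explicit Deny Of Full Control
    Write-Host ""
    Write-Host "Adding Restrictions To NOT Allow Synchronization Of Password From DSRM Placeholder AD User Account For RWDCs ('$dsrmRWDCsSamAccountName')" -Foregroundcolor Yellow
    Write-Host ""
    If ($scriptMode -eq "ADSIorSDSP") {
        $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinitionDeny)
        $dsrmAccountObject.PSBase.ObjectSecurity.RemoveAccess($systemSecurityPrincipal, $aclTypeAllow)
        $dsrmAccountObject.PSBase.ObjectSecurity.AddAccessRule($accessRule)
        $dsrmAccountObject.PSBase.CommitChanges()
    }
    If ($scriptMode -eq "ADPoSH") {
        $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinitionDeny)
        $adDrive = New-PSDrive -Name "CustomADDrive" -Root "" -PSProvider ActiveDirectory -Server $rwdcPDCFSMOFQDN
        # The Temporary AD Drive Is Always Removed, Even When Get-Acl/Set-Acl Fail, So A Re-Run Does Not Hit "Drive Already Exists"
        Try {
            $dsrmAdmAccountRWDCsACL = Get-Acl "$($adDrive.Name):\$dsrmAdmAccountDN"
            $dsrmAdmAccountRWDCsACL.RemoveAccess($systemSecurityPrincipal, $aclTypeAllow)
            $dsrmAdmAccountRWDCsACL.AddAccessRule($accessRule)
            $dsrmAdmAccountRWDCsACL | Set-Acl "$($adDrive.Name):\$dsrmAdmAccountDN"
        } Finally {
            Remove-PSDrive $adDrive
        }
    }
    Write-Host ""
    Write-Host "Secure This Account ('$adDomainFQDN\$dsrmRWDCsSamAccountName') As Best As Possible As It Should Be Considered A High-Privileged Account!" -Foregroundcolor Magenta
    Write-Host ""
    Write-Host ""
}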