At my company, the IT department consists of several teams like Microsoft, Network, Storage, Linux and VMware. To administer our environment we do not use our regular accounts (duh… 🙂 ), but instead use what we call admin accounts. Over the years, the security structure used to assign permissions to these admin accounts became poluted. Groups nested in groups nested in other groups, different group membership for team members, etc. As a result, we failed a security audit and I was tasked with cleaning this mess up using a role based access control (RBAC) like structure to achieve a transparent method of assigning permissions.
The first thing I realized was that I needed to create a new OU structure to hold not only all of the admin accounts, but also the groups needed to untangle all the nested groups. In this article I will share with you the PowerShell script I used to create this structure from scrath, create a number of groups and set the permissions on the OU’s to define who can do what in which OU. Keep in mind, the goal was not only to provide a more transparent way of assigning permissions to admin accounts, but also prevent it from becoming poluted again in the future.
So, what will this script do? First, it will create a new OU in the root of your AD. The name of this OU is determined by the value of variable $RBACRootName. I called mine “ICT-Administration”. Within this OU, it will create 3 main OUs called Accounts, Groups and Servers.
In the Accounts OU, 3 OUs will be created: Admin accounts, Domain Admin accounts and Service accounts. In the Admin accounts OU, a structure reflecting the several teams will be created. This is were the regular admin accounts will be created. The Domain Admin accounts OU will be used to create seperate domain admin accounts (in my case, these accounts will be named like dom-d.duck or dom-m.mouse). These accounts will be the only accounts granted Domain Admin privileges and will NOT be made a member of any of the role groups. Not even the admin accounts of the Microsoft team are granted Domain Admin privileges.The Service accounts OU will hold the service accounts we use for application like SCOM, SCCM, SQL, etc.
In the Groups OU, 4 OUs will be created called Profile groups, Protected groups, Role groups and Resource groups. Role groups are used to assign permissions within applications like SCOM, SQL and VMware, within Active Directory, DNS, DHCP, etc. Resource groups as used to assign permissions to resources like shares, printers, etc. 1 profile group is created per team, so 1 for Microsoft, 1 for Network, etc. A profile groups has all of the members of 1 team as member, no one else. The profile group itself is a member of all of the different role groups which together define the basic privileges assign to a team. From my point of view, this is where the magic comes together :-). Last, the Protected groups OU. This OU holds all the groups which may not be modified by anyone but the dom accounts. From a security stand, it may be undesirable for certain highly privileged access groups to be modified by regular adm accounts. Security changes on the OU structure, explained later on in this article, will make sure of that.
The Servers OU will be used to store the computer accounts of our servers. It has no additional sub OUs, but you can create them using the script if so desired.
Now, in order for this OU to remain clean this script will set restrictions on the several OU’s to determine who can do what. Enable inherited permissions will be disabled on the root OU, Account Operators and Print Operators will be removed from every OU in the structure.
On OU “Admin accounts” role group Role-Microsoft-AD-AdminAccountAdministrator-gg will be granted Full Control on user objects only. No permissions to create computers, groups or OUs.
On OU “Service accounts” group Role-Microsoft-AD-ServiceAccountAdministrator-gg will be granted Full Control on user objects only. No permissions to create computer, groups or OUs.
No permissions will be changed on the “Domain Admin accounts” OU, so only Domain Admins will have privileges to make any changes in this OU.
On OUs “Profile groups”, “Resource groups” and “Role groups” role group Role-Microsoft-AD-AdminGroupAdministrator-gg will be granted Full Control on group objects only. No permissions to create computers, users or OUs.
On OU “Servers” role group Role-Microsoft-AD-ComputerObjectAdministrator-gg will be granted Full Control on computer objects only. No permissions to create users, groups or OUs;
I am currently experimenting with assigning GPO permissions. The code is still in there, but commented out. Feel free to play around with it.
Well, a long story and I hope it all makes sense. I would advise you to not run the script all in one big bang. Instead, open it using PowerShell ISE or Visual Studio Code, select and run the code from line 1 to 463. Then, run each function (lines 470 – 475) seperately to make sure everything works as expected.
And also check out the code first and change it to your needs. Change the names of the OUs if you want, change the names of groups, etc. Use this script as a template and tailor it to your needs.
# // Start of section Script initialization. Load all required modules and declare base variables \\
If (-not (Get-Module -Name 'ActiveDirectory' -ErrorAction SilentlyContinue)) {
Import-Module ActiveDirectory
}
# Gather domain information
$DomainData = Get-ADDomain
$DomainDistinguishedName = $DomainData.DistinguishedName
$DomainNetBIOSName = $DomainData.NetBIOSName
# Gather RBAC OU information
$RBACRootName = "ICT-Administration1"
$RBACRootOU = "OU=$RBACRootName,$DomainDistinguishedName"
$AccountsOU = "OU=Accounts,$RBACRootOU"
$AdminAccountsOU = "OU=Admin accounts,$AccountsOU"
$DomAccountsOU = "OU=Domain Admin accounts,$AccountsOU"
$ServiceAccountsOU = "OU=Service accounts,$AccountsOU"
$GroupsOU = "OU=Groups,$RBACRootOU"
$ProfileGroupsOU = "OU=Profile groups,$GroupsOU"
$ProtectedGroupsOU = "OU=Protected groups,$GroupsOU"
$ResourceGroupsOU = "OU=Resource groups,$GroupsOU"
$RoleGroupsOU = "OU=Role groups,$GroupsOU"
$ServersOU = "OU=Servers,$RBACRootOU"
# \\ End of section Script initialization //
#############################################################################################################################
# // Start of section Functions \\
## Function CreateOUStructure creates the required OU structure to hold all accounts and groups
Function CreateOUStructure {
[CmdletBinding()]
Param() #param
Begin {
Write-Host "Creating OU structure"
} #begin
Process {
# Create Root OU
New-ADOrganizationalUnit -Name $RBACRootName -Path $DomainDistinguishedName -Description 'Default container for ICT Administration components'
# Create accounts OU and its sub OU's
New-ADOrganizationalUnit -Name 'Accounts' -Path $RBACRootOU
New-ADOrganizationalUnit -Name 'Admin accounts' -Path $AccountsOU
New-ADOrganizationalUnit -Name '_Disabled' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Applicatie beheer' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Dienst ICT' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Divisie beheer' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Leveranciers' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Overige' -Path $AdminAccountsOU
New-ADOrganizationalUnit -Name 'Domain Admin accounts' -Path $AccountsOU
New-ADOrganizationalUnit -Name 'Service accounts' -Path $AccountsOU
# Create Groups OU
New-ADOrganizationalUnit -Name 'Groups' -Path $RBACRootOU
New-ADOrganizationalUnit -Name 'Profile groups' -Path $GroupsOU
New-ADOrganizationalUnit -Name 'Protected groups' -Path $GroupsOU
New-ADOrganizationalUnit -Name 'Role groups' -Path $GroupsOU
New-ADOrganizationalUnit -Name 'Resource groups' -Path $GroupsOU
# Create ServersOU
New-ADOrganizationalUnit -Name 'Servers' -Path $RBACRootOU
} #process
End {
Write-Host "Finished creating OU structure"
} #end
} #function
# Function CreateProfileGroups creates profile groups for the several teams in our ICT department
Function CreateProfileGroups {
[CmdletBinding()]
Param() #param
Begin {
Write-Host "Creating profile groups"
} #begin
Process {
$ProfileGroups = @{
'ICT-Network' = 'ICT - team Netwerk beheer'
'ICT-Linux' = 'ICT - team Linux beheer'
'ICT-Windows' = 'ICT - team Windows beheer'
'ICT-Virtualisatie' = 'ICT - team Virtualisatie beheer'
'ICT-Storage' = 'ICT - team Storage beheer'
'ICT-DBA' = 'ICT - team Database beheer'
}
ForEach ($Group in $ProfileGroups.keys) {
# Check if group already exists and, if so, update the description if it is different
$a = $null
Try {
$a = Get-ADGroup -Identity ("Profile-" + $Group + "-gg")
} Catch { }
If (! ($a)) {
Try {
$Date = Get-Date -Format "dd-MMM-yyyy HH:mm:ss"
New-ADGroup -Name ("Profile-" + $Group + "-gg") `
-GroupScope Global `
-Path $ProfileGroupsOU `
-OtherAttributes @{'info' = "Created by $env:USERNAME on $Date" } `
-Description "$($ProfileGroups.Item($Group))"
Write-Host "Created group" ((Get-ADGroup "Profile-$Group-gg").Name)
} Catch {
Write-Error "An error occured creating group $Key"
}
} Else {
$b = (Get-ADGroup -Identity ("Profile-$Group-gg") -Properties Description).Description
$Value = $ProfileGroups[$Group]
If ($b -ne $Value) {
Write-Host "Description differs for group Profile-$Group-gg"
Set-ADGroup -Identity ("Profile-$Group-gg") -Description " "
Set-ADGroup -Identity ("Profile-$Group-gg") -Description $Value
} Else { }
}
}
# Enable ProtectedFromAccidentalDeletion for all all groups in the OU
Get-ADGroup -SearchBase $ProfileGroupsOU -Filter * | ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $True }
} #process
End {
Write-Host "Finished creating profile groups"
} #end
} #function
# Function CreateProtectedGroups create the protected groups which can only by changed by Domain Admins
Function CreateProtectedGroups {
[CmdletBinding()]
Param() #param
Begin {
Write-Host "Creating protected groups"
} #begin
Process {
$ProtectedGroups = @{
'Role-Microsoft-AD-DomainAdmin-gg' = 'Members of this group have Administrator privileges in the AD domain'
}
ForEach ($Group in $ProtectedGroups.keys) {
Try {
$Date = Get-Date -Format "dd-MMM-yyyy HH:mm:ss"
New-ADGroup -Name $Group `
-GroupScope Global `
-Path $ProtectedGroupsOU `
-OtherAttributes @{'info' = "Created by $env:USERNAME on $Date" } `
-Description "$($ProtectedGroups.Item($Group))"
Write-Host "Created group" ((Get-ADGroup $Group).Name)
} Catch { }
}
# Enable ProtectedFromAccidentalDeletion for all all groups in the OU
Get-ADGroup -SearchBase $ProtectedGroupsOU -Filter * | ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $True }
} #process
End {
Write-Host "Finished creating role groups"
} #end
} #function
Function CreateRoleGroups {
[CmdletBinding()]
Param()
Begin {
Write-Host "Creating role groups"
} #begin
Process {
$RoleGroups = [ordered]@{
'Role-Microsoft-AD-AdminAccountAdministrator-gg' = 'Members of this group can manage admin accounts in the Admin accountsOU'
'Role-Microsoft-AD-AdminGroupAdministrator-gg' = 'Members of this group can manage admin groups in the Groups OU'
'Role-Microsoft-AD-ComputerObjectAdministrator-gg' = 'Members of this group can manage computer objects in the Servers OU'
'Role-Microsoft-AD-EventLogReader-gg' = 'Members of this group can read event logs from local machine'
'Role-Microsoft-AD-GPOAdministrator-gg' = 'Members of this group can create/manage/delete GPOs on the Accounts, Groups and Servers RBAC OU'
'Role-Microsoft-AD-RemoteManagementUser-gg' = 'Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.'
'Role-Microsoft-AD-ServiceAccountAdministrator-gg' = 'Members of this group can manage service accounts in the Service accounts OU'
'Role-Microsoft-Desktop-Administrator-gg' = 'Grants local administrator permissions on all desktop endpoints located in OU \'
'Role-Microsoft-DHCP-Administrator-gg' = 'Members of this group have administrative access to the DHCP service'
'Role-Microsoft-DHCP-User-gg' = 'Members of this group have view-only access to the DHCP service'
'Role-Microsoft-DNS-RecordAdministrator-gg' = 'Members of this group have permissions to create/modify/delete DNS records in a specific DNS zone'
'Role-Microsoft-DNS-User-gg' = 'Members of this group have view-only access to the DNS service'
'Role-Microsoft-PrintServer-Administrator-gg' = 'Members of this group have administrative acces to print servers'
'Role-Microsoft-SCCM-FullAdministrator-gg' = 'Grants Full Administrator permissions in SCCM'
'Role-Microsoft-SCOM-Administrator-gg' = 'Grants Administrator permissions in SCOM'
'Role-Microsoft-SCOM-Operator-gg' = 'Grants Operator permissions in SCOM'
'Role-Microsoft-SCOM-ReadOnlyOperator-gg' = 'Grants Read Only Operator permissions in SCOM'
'Role-Microsoft-Server-Administrator-gg' = 'Grants Administrator permissions on all Microsoft Windows servers'
'Role-Microsoft-Server-RDPuser-gg' = 'Grants Remote Desktop User permissions on server '
'Role-Microsoft-SQL-Administrator-gg' = 'Grants Administrator permissions on all Microsoft SQL servers'
'Role-VMware-vCenter-Administrators-gg' = 'Grants Administrator permissions on all VMware vCenters'
'Role-VMware-vCenter-Console-gg' = 'Grants Console permissions on all VMs in all VMware vCenters'
'Role-VMware-vCenter-PowerUsers-gg' = 'Grants Power User permissions on all VMware vCenters'
}
ForEach ($Key in $RoleGroups.keys) {
# Check if group already exists and, if so, update the description if it is different
$a = $null
Try {
$a = Get-ADGroup -Identity $Key
} Catch { }
If (! ($a)) {
Try {
$Date = (Get-Date).ToString("dd-MMM-yyyy HH:mm:ss")
New-ADGroup -Name $Key `
-GroupScope Global `
-Path $RoleGroupsOU `
-OtherAttributes @{'info' = "Created by $env:USERNAME on $Date" } `
-Description "$($RoleGroups.Item($Key))"
Write-Host "Created group" ((Get-ADGroup $Key).Name)
} Catch {
Write-Error "An error occured creating group $Key"
}
} Else {
$b = (Get-ADGroup -Identity $Key -Properties Description).Description
$Value = $RoleGroups[$Key]
If ($b -ne $Value) {
$Key
Write-Host "Description differs for group" $Key
Set-ADGroup -Identity $Key -Description " "
Set-ADGroup -Identity $Key -Description $Rolegroups[$key]
} Else { }
}
}
# Enable ProtectedFromAccidentalDeletion for all all groups in the OU
Get-ADGroup -SearchBase $RoleGroupsOU -Filter * | ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $True }
} #process
End {
Write-Host "Finished creating role groups"
} #end
} #function
# Function CreateDomAccount will created a domain admin account for the privileged few
Function CreateDomAccounts {
[CmdletBinding()]
Param() #param
Begin {
Write-Host "Creating dom accounts"
} #begin
Process {
$DomainName = '@' + ($env:USERDNSDOMAIN).ToLower()
$Date = Get-Date -Format "dd-MMM-yyyy HH:mm:ss"
$Firstnames = @('John', 'Donald', 'Mickey')
$Surnames = @('Doe', 'Duck', 'Mouse')
For ($i = 0; $i -lt $Firstnames.Length; $i++) {
$DisplayName = 'dom-' + $Firstnames[$i].Substring(0, 1).ToLower() + '.' + $Surnames[$i].Replace(" ", '').ToLower()
$Firstname = $Firstnames[$i]
$Surname = $Surnames[$i]
$Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | Sort-Object { Get-Random })[0..12] -join ''
New-ADUser `
-Name $DisplayName `
-AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
-CannotChangePassword $False `
-DisplayName $DisplayName `
-Description "Domain admin account van $Firstname $Surname" `
-Enabled $True `
-GivenName $Firstnames[$i] `
-PasswordNeverExpires $False `
-Path $DomAccountsOU `
-SamAccountName $DisplayName `
-ScriptPath $LoginScriptPath `
-Surname $Surnames[$i] `
-UserPrincipalName ($DisplayName + $DomainName)
Add-ADGroupMember 'Domain Admins' -Members $DisplayName
Set-ADUser -Identity $DisplayName -Add @{info = "[Created by $env:USERNAME on $Date]" }
# Enable ProtectedFromAccidentalDeletion for all accounts in the OU
Get-ADUser -SearchBase $DomAccountsOU -Filter * | ForEach-Object { Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $True }
}
} #process
End {
Write-Host "Finished creating dom accounts"
} #end
} #function
# Function SetDelegatedPermissions sets the required delegated permissions on every OU in the newly create OU structure
Function SetDelegatedPermissions {
[CmdletBinding()]
Param() #param
Begin { } #begin
Process {
Set-Location AD:
$RootDSE = Get-ADRootDSE
# Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{ }
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
# Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{ }
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
# Enable Protect from Accidental Deletion on all OU's within the RBAC root OU
$RBACSubOUs = Get-ADOrganizationalUnit -SearchBase $RBACRootOU -Filter *
$RBACSubOUs | Set-ADObject -ProtectedFromAccidentalDeletion $True
# Disable permission inheritance and copy inherited permissions
$ou = Get-ADOrganizationalUnit -Identity ($RBACRootOU)
$acl = Get-Acl -Path $ou.DistinguishedName
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
# Remove Account Operators and Print Operators from ACL
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Account Operators").SID
$q = New-Object System.Security.Principal.NTAccount("BUILTIN\Print Operators")
$r = New-Object System.Security.Principal.NTAccount("BUILTIN\Account Operators")
ForEach ($SubOU in $RBACSubOUs) {
$ou = Get-ADOrganizationalUnit -Identity $SubOU.DistinguishedName
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -eq $p -or $_.IdentityReference -eq $q -or $_.IdentityReference -eq $r -or $_.IdentityReference -eq $s -or $_.IdentityReference -eq $t -or $_.IdentityReference -eq $u -or $_.IdentityReference -eq $v } | ForEach-Object { $ACL.RemoveAccessRule($_) }
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
}
# Delegate control to create, delete and manage user objects
$s = New-Object System.Security.Principal.NTAccount("$DomainNetBIOSName\Role-Microsoft-AD-AdminAccountAdministrator-gg")
$ou = Get-ADOrganizationalUnit -Identity $AdminAccountsOU
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["user"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["user"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
$s = New-Object System.Security.Principal.NTAccount("$DomainNetBIOSName\Role-Microsoft-AD-ServiceAccountAdministrator-gg")
$ou = Get-ADOrganizationalUnit -Identity $ServiceAccountsOU
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["user"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["user"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
# Delegate control to create, delete and manage group objects
$s = New-Object System.Security.Principal.NTAccount("$DomainNetBIOSName\Role-Microsoft-AD-AdminGroupAdministrator-gg")
$ou = Get-ADOrganizationalUnit -Identity $ProfileGroupsOU
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["group"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["group"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
$ou = Get-ADOrganizationalUnit -Identity $ResourceGroupsOU
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["group"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["group"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
$ou = Get-ADOrganizationalUnit -Identity $RoleGroupsOU
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["group"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["group"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
# Delegate control to create, delete and manage server computer objects
$s = New-Object System.Security.Principal.NTAccount("$DomainNetBIOSName\Role-Microsoft-AD-ComputerObjectAdministrator-gg")
$ou = Get-ADOrganizationalUnit -Identity ("OU=Servers,$RBACRootOU")
$acl = Get-Acl -Path ($ou.DistinguishedName)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", "Descendents", $guidmap["computer"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
Set-Acl -AclObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
## Code left intentionally. Still trying to figure out how to properly set delegated permissions for GPO's
# Delegate control to create, delete, manage and link group policy objects
# https://4sysops.com/archives/set-up-delegation-for-group-policy-management/
# https://blogs.technet.microsoft.com/joec/2013/04/25/active-directory-delegation-via-powershell/
# https://www.sconstantinou.com/powershell-active-directory-delegation-part-2/
#$s = New-Object System.Security.Principal.NTAccount("STAGE\Role-Microsoft-AD-GPOAdministrator-gg")
#$ou = Get-ADOrganizationalUnit -Identity ("OU=Accounts,OU=$RBACRootOU,$DomainDistinguishedName")
#$acl = Get-ACL -Path ($ou.DistinguishedName)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gplink"], "All"))
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gpoptions"], "All"))
#Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
#$ou = Get-ADOrganizationalUnit -Identity ("OU=Groups,OU=$RBACRootOU,$DomainDistinguishedName")
#$acl = Get-ACL -Path ($ou.DistinguishedName)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gplink"], "All"))
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gpoptions"], "All"))
#Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
#$ou = Get-ADOrganizationalUnit -Identity ("OU=Servers,$DomainDistinguishedName")
#$acl = Get-ACL -Path ($ou.DistinguishedName)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gplink"], "All"))
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", $guidmap["gpoptions"], "All"))
#Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
} #process
End { } #end
} #function
# \\ End of section Functions //
#############################################################################################################################
# // Start of main code section \\
CreateOUStructure
CreateProfileGroups
CreateRoleGroups
CreateProtectedGroups
CreateDomAccounts
SetDelegatedPermissions
# \\ End of main code section //
# Use this line if you want to mass remove Descriptions
# Get-ADOrganizationalUnit -SearchBase $RBACRootOU -Filter * | Set-ADOrganizationalUnit -Clear Description
# Use this line if you want to mass remove the Protected From Accidental Deletion tick for all OU's
# Get-ADOrganizationalUnit -SearchBase $RBACRootOU -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $False
# Use this line to mass remove the Protected From Accidental Deletion tick for all groups
# Get-ADGroup -SearchBase $RBACRootOU -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $False
As always, please keep in mind this script is tailored to my environment, but can be used as a template for your environment. I do not pretend to be a PowerShell guru and as such my script may not be perfect. I am open to suggestions 🙂 . If you found this script useful, I’d appreciate it if you leave a comment.
This is a very good and helpfull article. I learned a lot of it.
Thank you Dennis