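# Names of the containers/OUs created under the demo OU. Each one becomes the
# RDN of an object that is created and then delegated below, so changing a name
# here changes what gets provisioned in the directory.
$strLicContainer = "Licenses"
$strZoneContainer = "Zones"
$strOuUnixGroups = "UNIX Groups"
$strOuUnixServers = "UNIX Servers"
$strOuProvGroups = "Provisioning Groups"
$strOuSvcAccts = "Service Accounts"
$strOuRoleGroups = "Role Groups"
$strAdminContainer = "Zone Administration"

# Argument check: exactly <Domain> and <OU-Name>, and neither may be empty (an
# empty OU name would otherwise produce an invalid "OU=," DN further down).
# The usage text is written to stderr so it is not mistaken for script output
# when stdout is captured; the exit code is unchanged from the original.
if ($Args.Length -ne 2 -or [string]::IsNullOrEmpty($Args[0]) -or [string]::IsNullOrEmpty($Args[1]))
{
    [System.Console]::Error.WriteLine("Usage:")
    [System.Console]::Error.WriteLine("sdk-demo.ps1 <Domain> <OU-Name> ")
    exit -1
}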
function Bind([string] $domain)
{
    # Resolve $domain to one concrete DC by reading its rootDSE and return a
    # two-element array: the domain DN (defaultNamingContext) and the DNS name
    # of the DC that answered (dnsHostName). Every later LDAP path is built on
    # that DC, so objects created here are ACLed on the same DC without
    # waiting for replication.
    # No credentials or AuthenticationTypes are given, so the [adsi] defaults
    # apply and the bind runs in the calling user's security context.
    $rootDse = [adsi]("LDAP://{0}/rootDSE" -f $domain)
    $namingContext = [string]$rootDse.Properties["defaultNamingContext"].Value
    $dcHostName = [string]$rootDse.Properties["dnsHostName"].Value
    return @($namingContext, $dcHostName)
}
function GetLdapPath([string] $server, [string] $dn)
{
    # Build a server-pinned ADsPath: LDAP://<server>/<dn>.
    # $dn is inserted verbatim; note that a '/' inside a DN value would be read
    # by ADSI as a path separator, so such names need escaping before they get
    # here.
    return "LDAP://" + $server + "/" + $dn
}
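function EscapeRdnValue([string] $value)
{
    # Escape an attribute value for use inside an RDN (RFC 4514): '\' ',' '+'
    # '"' '<' '>' ';' anywhere, '#' or space at the start, and space at the end
    # are prefixed with '\'. Without this a name containing ',' or '+' would be
    # parsed as additional DN components and the object would be created with a
    # different RDN (or under a different parent) than the caller intended.
    # '/' is deliberately left alone: ADSI paths treat it specially and the
    # callers in this file bind by path (see GetLdapPath).
    if ([string]::IsNullOrEmpty($value)) { return $value }
    $sb = New-Object System.Text.StringBuilder
    $last = $value.Length - 1
    for ($i = 0; $i -le $last; $i++)
    {
        $c = $value[$i]
        $escape = ('\,+"<>;'.IndexOf($c) -ge 0)
        if ($i -eq 0 -and ($c -eq '#' -or $c -eq ' ')) { $escape = $true }
        if ($i -eq $last -and $c -eq ' ') { $escape = $true }
        if ($escape) { $null = $sb.Append('\') }
        $null = $sb.Append($c)
    }
    return $sb.ToString()
}

function GetCn([string] $name, [string] $objClass)
{
    # Return the RDN of a new object of class $objClass named $name:
    # "OU=<name>" for OrganizationalUnit (matched case-insensitively, as
    # PowerShell's -eq does), "CN=<name>" for every other class.
    # The value part is RDN-escaped, so the result is safe to pass both to
    # IADsContainer.Create() and to concatenate into a DN. Names without
    # reserved characters are returned exactly as before.
    $prefix = "CN"
    if ($objClass -eq "OrganizationalUnit") { $prefix = "OU" }
    return ("{0}={1}" -f $prefix, (EscapeRdnValue -value $name))
}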
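function CreateDsObject([string] $server, [string] $container, [string] $name, [string] $objClass)
{
    # Create a child of class $objClass named $name directly under the object
    # whose DN is $container, on $server, and return the bound DirectoryEntry.
    # The RDN is produced by GetCn ("CN=..." or "OU=..."); no attributes other
    # than the RDN are set, callers Put() and SetInfo() the rest.
    # SetInfo() is the call that actually sends the LDAP add. It fails (object
    # already exists, caller lacks Create-Child on $container, ...) with a bare
    # COM error, so the failure is rethrown with the DN for context.
    # (The previous version also computed the child's DN and path and never
    # used them; those locals are gone.)
    $parent = [adsi](GetLdapPath -server $server -dn $container)
    $rdn = GetCn -name $name -objClass $objClass
    $child = $parent.Create($objClass, $rdn)
    try
    {
        [Void]$child.SetInfo()
    }
    catch
    {
        throw ("Failed to create {0} '{1},{2}': {3}" -f $objClass, $rdn, $container, $_.Exception.Message)
    }
    return $child
}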
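function CreateADGroup([string] $server, [string] $name, [string] $container, [string] $gtype)
{
    # Create a *security* group named $name under $container and return its
    # DirectoryEntry. All three supported values carry the 0x80000000
    # ADS_GROUP_TYPE_SECURITY_ENABLED flag (the old comments said "distribution",
    # which was wrong) — security groups are required because these groups are
    # used as ACE trustees further down:
    #   global -> 0x80000002  global security group
    #   dlg    -> 0x80000004  domain-local security group
    #   uni    -> 0x80000008  universal security group
    # PowerShell parses these hex literals as signed Int32 (0x80000002 becomes
    # -2147483646), which is the representation AD stores in groupType.
    # $gtype is validated before anything is created: the previous version
    # printed a warning on an unknown type and still created the group with
    # whatever scope the DC defaulted to, which then received permissions.
    # Hashtable keys are matched case-insensitively, like the old -eq checks.
    $groupTypes = @{ "global" = 0x80000002; "dlg" = 0x80000004; "uni" = 0x80000008 }
    if (-not $groupTypes.ContainsKey($gtype))
    {
        throw ("Invalid group type {0}" -f $gtype)
    }
    $group = CreateDsObject -server $server -container $container -name $name -objClass "group"
    # sAMAccountName must be unique in the domain; SetInfo() fails otherwise.
    [Void] $group.Put("sAMAccountName", $name)
    [Void] $group.Put("groupType", $groupTypes[$gtype])
    [Void] $group.SetInfo()
    return $group
}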
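function GetSid($dsObj)
{
    # Return the SID of a bound DirectoryEntry as a string ("S-1-5-21-...").
    # objectSid is stored as a binary blob; SecurityIdentifier decodes it from
    # offset 0. The object must have an objectSid (users, groups, computers);
    # for a container or OU the attribute is absent and the constructor fails.
    # (The unused distinguishedName read of the previous version is removed.)
    $rawSid = $dsObj.psbase.Properties["objectSid"].Value
    $sid = New-Object Security.Principal.SecurityIdentifier($rawSid, 0)
    return $sid.ToString()
}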
# Type shortcuts for the long System.DirectoryServices / AccessControl names
# used when building ACEs below ($AD_RIGHT::GenericRead etc.).
$AC_TYPE = [System.Security.AccessControl.AccessControlType]
$INHERITANCE = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$PROP_ACCESS = [System.DirectoryServices.PropertyAccess]
$AD_RIGHT = [System.DirectoryServices.ActiveDirectoryRights]
# Schema GUIDs of object classes. They are used as the object type of
# Create/Delete-Child ACEs and as the inherited-object type that limits an
# inherited ACE to objects of one class.
$guidContainer = New-Object Guid("bf967a8b-0de6-11d0-a285-00aa003049e2")   # container
$guidOU = New-Object Guid("bf967aa5-0de6-11d0-a285-00aa003049e2")          # organizationalUnit
$guidComp = New-Object Guid("bf967a86-0de6-11d0-a285-00aa003049e2")        # computer
$guidGroup = New-Object Guid("bf967a9c-0de6-11d0-a285-00aa003049e2")       # group
$guidScp = New-Object Guid("28630ec1-41d5-11d1-a9c1-0000f80367c1")         # serviceConnectionPoint (zone user/group/computer data)
$guidPosixAcc = New-Object Guid("ad44bb41-67d5-4d88-b575-7b20674e76d8")    # posixAccount
$guidPosixGroup = New-Object Guid("2a9350b8-062c-4ed0-9903-dde10d06deba")  # posixGroup
# AzMan (authorization store) object classes. The DirectAuthorize ("DZ")
# delegation functions below map zone concepts onto them as follows.
$guidAzTask = New-Object Guid("1ed3a473-9b1b-418a-bfa0-3a37b95a5306")      # msDS-AzTask: DZ role
$guidAzOp = New-Object Guid("860abe37-9a9b-4fa4-b3d2-b8ace5df9ec5")        # msDS-AzOperation: DZ right
$guidAzRole = New-Object Guid("8213eac9-9d55-44dc-925c-e9a52b927644")      # msDS-AzRole: DZ role assignment
$guidAzScope = New-Object Guid("4feae054-ce55-47bb-860e-5b12063a51de")     # msDS-AzScope: DZ computer role
$guidAzAdminMgr = New-Object Guid("cfee1051-5f28-4bae-a863-5d0cc18a8ed1")  # msDS-AzAdminManager: DZ store root under a zone
$guidAzApp = New-Object Guid("ddf8de9b-cba5-4e12-842e-28d8b66f75ec")       # msDS-AzApplication: parent of computer-role scopes
# Schema GUIDs of attributes, used in write-property ACEs.
# The RFC 2307 ones (uid .. gecos) decide the UNIX identity a zone user or
# group gets on joined machines.
$guidDesc = New-Object Guid("bf967950-0de6-11d0-a285-00aa003049e2")        # description
$guidCn = New-Object Guid("bf96793f-0de6-11d0-a285-00aa003049e2")          # cn
$guidName = New-Object Guid("bf967a0e-0de6-11d0-a285-00aa003049e2")        # name
$guidKeywords = New-Object Guid("bf967993-0de6-11d0-a285-00aa003049e2")    # keywords
$guidUid = New-Object Guid("0bb0fca0-1e89-429f-901a-1413894d9f59")         # uid
$guidUidNumber = New-Object Guid("850fcc8f-9c6b-47e1-b671-7c654be4d5b3")   # uidNumber
$guidGidNumber = New-Object Guid("c5b95f0c-ec9e-41c4-849c-b46597ed6696")   # gidNumber
$guidLoginShell = New-Object Guid("a553d12c-3231-4c5e-8adf-8d189697721e")  # loginShell
$guidUnixHomeDir = New-Object Guid("bc2dba12-000f-464d-bf1d-0808465d8843") # unixHomeDirectory
$guidGecos = New-Object Guid("a3e03f1f-1d55-4253-a0af-30c2a784e46e")       # gecos
# AzMan attributes written by the zone-delegation functions (zone admins and
# join operators): the application-data blob on the DZ objects, the scope name,
# and the task-to-operations link.
$guidAzAppData = New-Object Guid("503fc3e8-1cc6-461a-99a3-9eee04f402a7")   # msDS-AzApplicationData
$guidAzScopeName = New-Object Guid("515a6b06-2617-4173-8099-d5605df043c6") # msDS-AzScopeName
$guidAzOpForTask = New-Object Guid("1aacb436-2e9d-44a9-9298-ce4debeb6ebf") # operations-for-task link attribute
function GrantGenericRead($dsTrustee, $dsResources)
{
    # Grant $dsTrustee GenericRead on the $dsResources object itself. No
    # inheritance flags are set, so the ACE covers that single object and not
    # its children. The change is written to the DC immediately.
    $trusteeSid = New-Object Security.Principal.SecurityIdentifier((GetSid -dsObj $dsTrustee))
    $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($trusteeSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow)
    $acl = $dsResources.psbase.ObjectSecurity
    $null = $acl.AddAccessRule($rule)
    $null = $dsResources.psbase.CommitChanges()
}
function GrantReadWriteADGroup($dsTrustee, $dsResources)
{
    # Let $dsTrustee read and modify the group objects that are immediate
    # children of $dsResources. Both ACEs are inherit-only with inherited
    # object type = group, so they apply to child groups, not to the OU itself
    # and not to groups in sub-OUs.
    # GenericWrite covers every attribute of those groups, 'member' included:
    # the trustee controls membership of whatever groups live in this OU, so
    # no privileged group should ever be placed here.
    $trusteeSid = New-Object Security.Principal.SecurityIdentifier((GetSid -dsObj $dsTrustee))
    $acl = $dsResources.psbase.ObjectSecurity
    foreach ($right in @($AD_RIGHT::GenericWrite, $AD_RIGHT::GenericRead))
    {
        $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($trusteeSid, $right, $AC_TYPE::Allow, $INHERITANCE::Children, $guidGroup)
        $null = $acl.AddAccessRule($rule)
    }
    $null = $dsResources.psbase.CommitChanges()
}
function GrantCreateDeleteReadWriteChildObject($dsTrustee, $dsResources, $guidChildClass)
{
    # Four ACEs on $dsResources for $dsTrustee, all limited to objects of class
    # $guidChildClass:
    #  - GenericWrite and GenericRead, inherit-only, on immediate children of
    #    that class (every attribute of those objects becomes writable);
    #  - Create-Child and Delete-Child of that class on $dsResources itself
    #    (no inheritance, so sub-OUs are not covered).
    # Committed to the DC immediately.
    $trusteeSid = New-Object Security.Principal.SecurityIdentifier((GetSid -dsObj $dsTrustee))
    $acl = $dsResources.psbase.ObjectSecurity
    $rules = @(
        (New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($trusteeSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Children, $guidChildClass)),
        (New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($trusteeSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Children, $guidChildClass)),
        (New-Object DirectoryServices.CreateChildAccessRule -ArgumentList @($trusteeSid, $AC_TYPE::Allow, $guidChildClass)),
        (New-Object DirectoryServices.DeleteChildAccessRule -ArgumentList @($trusteeSid, $AC_TYPE::Allow, $guidChildClass))
    )
    foreach ($rule in $rules) { $null = $acl.AddAccessRule($rule) }
    $null = $dsResources.psbase.CommitChanges()
}
function GrantCreateDeleteReadWriteADGroup($dsTrustee, $dsResources)
{
    # Group-management delegation on $dsResources: create/delete group children
    # plus read/write of the child groups themselves (committed immediately).
    $groupClass = $guidGroup
    GrantCreateDeleteReadWriteChildObject -dsTrustee $dsTrustee -dsResources $dsResources -guidChildClass $groupClass
}
function GrantCreateDeleteReadWriteADComputer($dsTrustee, $dsResources)
{
    # Computer-object management on $dsResources: create/delete computer
    # children and GenericRead/GenericWrite on them (via the generic helper),
    # plus an extra WriteOwner ACE on child computer objects.
    #
    # The WriteOwner ACE is a workaround only. adedit's "precreate computer"
    # path saves the whole security descriptor ("sof sd $sd" / "svo"), and
    # writing an SD that carries an owner requires the modify-owner right even
    # though the owner never changes. adedit should write the DACL only; until
    # it does, this right has to be granted.
    # NOTE(review): WriteOwner is not a harmless bit. The owner of an object can
    # rewrite its DACL, so WriteOwner on these computer objects amounts to full
    # control over them (on top of GenericWrite, which already allows editing
    # any attribute of the computer). Size the trustee group accordingly.
    GrantCreateDeleteReadWriteChildObject -dsTrustee $dsTrustee -dsResources $dsResources -guidChildClass $guidComp
    $trusteeSid = New-Object Security.Principal.SecurityIdentifier((GetSid -dsObj $dsTrustee))
    $ownerRule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($trusteeSid, $AD_RIGHT::WriteOwner, $AC_TYPE::Allow, $INHERITANCE::Children, $guidComp)
    $null = $dsResources.psbase.ObjectSecurity.AddAccessRule($ownerRule)
    $null = $dsResources.psbase.CommitChanges()
}
function AddGenericReadToObject($target, $sid, $class)
{
    # Queue (no commit) an inherit-only GenericRead ACE on $target for $sid
    # that applies to every descendant object of class $class. Unlike the
    # Grant* functions, $sid is already a SecurityIdentifier and the caller is
    # responsible for CommitChanges() on $target.
    $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Descendents, $class)
    $null = $target.psbase.ObjectSecurity.AddAccessRule($rule)
}
function AddWritePropOfObject($target, $sid, $prop, $inheritType)
{
    # Queue (no commit) an inherit-only write-property ACE on $target for $sid:
    # write access to the single attribute $prop on every descendant object of
    # class $inheritType. The caller commits.
    $rule = New-Object DirectoryServices.PropertyAccessRule -ArgumentList @($sid, $AC_TYPE::Allow, $PROP_ACCESS::Write, $prop, $INHERITANCE::Descendents, $inheritType)
    $null = $target.psbase.ObjectSecurity.AddAccessRule($rule)
}
function AddCreateDeleteZoneUnderContainer($target, $sid, $container)
{
    # Queue (no commit) the "create and delete zones" ACEs for $sid. A zone is
    # stored as either a container or an organizationalUnit, so the same three
    # ACEs are added once per zone class (ADEdit equivalent: add_sd_ace):
    #  - Create-Child / Delete-Child of the zone class, inheritance All, on
    #    $target itself and on every descendant object of class $container;
    #  - DeleteTree on every descendant object of the zone class, which removes
    #    a zone together with everything stored beneath it.
    # This is the permissive variant (see the caller's comments); it covers the
    # whole subtree, not just direct children of $target.
    $acl = $target.psbase.ObjectSecurity
    foreach ($zoneClass in @($guidContainer, $guidOU))
    {
        $createRule = New-Object DirectoryServices.CreateChildAccessRule -ArgumentList @($sid, $AC_TYPE::Allow, $zoneClass, $INHERITANCE::All, $container)
        $null = $acl.AddAccessRule($createRule)
        $deleteRule = New-Object DirectoryServices.DeleteChildAccessRule -ArgumentList @($sid, $AC_TYPE::Allow, $zoneClass, $INHERITANCE::All, $container)
        $null = $acl.AddAccessRule($deleteRule)
        $treeRule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $zoneClass)
        $null = $acl.AddAccessRule($treeRule)
    }
}
function AddCreateDeleteXUnderY($target, $sid, $x, $y)
{
    # Queue (no commit) three inherit-only ACEs on $target for $sid:
    #  - Create-Child of class $x and Delete-Child of class $x on every
    #    descendant object of class $y;
    #  - DeleteTree on every descendant object of class $x (an $x object can
    #    be removed together with everything beneath it).
    # None of them apply to $target itself. The caller commits.
    $acl = $target.psbase.ObjectSecurity
    $childRules = @(
        (New-Object DirectoryServices.CreateChildAccessRule -ArgumentList @($sid, $AC_TYPE::Allow, $x, $INHERITANCE::Descendents, $y)),
        (New-Object DirectoryServices.DeleteChildAccessRule -ArgumentList @($sid, $AC_TYPE::Allow, $x, $INHERITANCE::Descendents, $y)),
        (New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $x))
    )
    foreach ($rule in $childRules) { $null = $acl.AddAccessRule($rule) }
}
function AddDeleteChildObject($target, $sid, $child)
{
    # Queue (no commit) Delete, DeleteChild and DeleteTree ACEs for $sid,
    # inherit-only, applying to every descendant object of class $child under
    # $target. This is the narrower alternative to AddCreateDeleteXUnderY (no
    # create right, nothing granted on the parent class); in this file it is
    # only referenced from commented-out lines. The caller commits.
    $acl = $target.psbase.ObjectSecurity
    foreach ($right in @($AD_RIGHT::Delete, $AD_RIGHT::DeleteChild, $AD_RIGHT::DeleteTree))
    {
        $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $right, $AC_TYPE::Allow, $INHERITANCE::Descendents, $child)
        $null = $acl.AddAccessRule($rule)
    }
}
function AddAzManDelegation($dsResources, $objSid)
{
    # Queue (no commit) the classic-zone DirectAuthorize delegation for $objSid:
    # create/delete msDS-AzAdminManager objects under any descendant container
    # or OU (the two zone object classes), and GenericRead + GenericWrite on
    # every descendant msDS-AzAdminManager. The caller commits.
    foreach ($zoneClass in @($guidContainer, $guidOU))
    {
        AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzAdminMgr -y $zoneClass
    }
    $acl = $dsResources.psbase.ObjectSecurity
    foreach ($right in @($AD_RIGHT::GenericRead, $AD_RIGHT::GenericWrite))
    {
        $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($objSid, $right, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidAzAdminMgr)
        $null = $acl.AddAccessRule($rule)
    }
}
function AddNgDZDelegation($dsResources, $objSid)
{
    # Queue (no commit) the ACEs that let $objSid manage DirectAuthorize (DZ)
    # data of hierarchical ("ngz") zones stored under $dsResources. Each DZ
    # concept is an AzMan object class: role -> msDS-AzTask, right ->
    # msDS-AzOperation, computer role -> msDS-AzScope, assignment -> msDS-AzRole.
    # $objSid is a SecurityIdentifier; the caller commits.
    #########################################
    # update ngz dz store timestamp
    # o generic read msDs-AzAdminManager + write appData properties
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzAdminMgr
    AddWritePropOfObject -target $dsResources -sid $objSid -prop $guidAzAppData -inheritType $guidAzAdminMgr
    #########################################
    # ngz dz role
    # o generic read to msDs-AzTask + write name, description, msDs-AzApplicationData & msDs-AzOperationForTask
    # o create/delete msDs-AzTask under container object
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzTask
    $guidAzAppData, $guidDesc, $guidName, $guidAzOpForTask | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzTask }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzTask -y $guidContainer
    #########################################
    # ngz dz right
    # o generic read to msDs-AzOperation + write name, description & msDs-AzApplicationData
    # o create/delete msDs-AzOperation under container object
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzOp
    $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzOp }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzOp -y $guidContainer
    #########################################
    # ngz dz computer role
    # o generic read to msDs-AzScope + write name, description & msDs-AzApplicationData
    # o delete msDs-AzScope under msDS-AzApplication object, we do not delegate creating msDS-AzScope because it's a container
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzScope
    $guidAzAppData, $guidAzScopeName, $guidDesc | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzScope }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzScope -y $guidAzApp # for computer zone dz scope
    # NOTE(review): the next line grants create/delete-child of *containers*
    # under every descendant container plus DeleteTree on every descendant
    # container, i.e. the trustee can create and tear down arbitrary container
    # subtrees anywhere under $dsResources, not only computer-zone scopes.
    # The narrower AddDeleteChildObject call below is the intended shape.
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidContainer -y $guidContainer # for computer zone
    # instead of the above 2 lines, below is the right thing to do
    # AddDeleteChildObject -target $dsResources -sid $objSid -child $guidAzScope
    #########################################
    # ngz dz asg
    # o generic read to msDs-AzRole + write name, description & msDs-AzApplicationData
    # o under zone & computer role - create/delete msDs-AzRole under container object
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzRole
    $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzRole }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzRole -y $guidContainer
}
function GrantModifyDeleteZone($dsTrustee, $dsResources)
{
    # Full zone-administration delegation for $dsTrustee on the zones container
    # $dsResources: rename/describe zones, create and delete zones, manage the
    # UNIX profile data (SCPs, RFC 2307 attributes) under them, and manage both
    # classic and hierarchical DZ data. All ACEs are queued by the helpers and
    # committed once at the end.
    $strSid = GetSid -dsObj $dsTrustee
    $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
    #########################################
    # zone object - container + OU
    # o read zones; write description, cn and name (cn/name = rename a zone)
    $guidContainer, $guidOU | ForEach-Object { AddGenericReadToObject -target $dsResources -sid $objSid -class $_ }
    $guidDesc, $guidCn, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidContainer }
    $guidDesc, $guidCn, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidOU }
    #########################################
    # It is not recommended to grant both create + delete zone permission.
    # o create/delete/delete-tree of OUs and containers under every container
    #   in the subtree. This is very permissive (any container subtree under
    #   the zones container can be created or torn down), but adimport needs it.
    AddCreateDeleteZoneUnderContainer -target $dsResources -sid $objSid -container $guidContainer
    #########################################
    # The recommended delegation is delete-only:
    # o delete/delete-child on zone objects (commented out; enable instead of the
    #   line above when adimport is not used)
    # $guidContainer, $guidOU | ForEach-Object { AddDeleteChildObject -target $dsResources -sid $objSid -child $_ }
    #########################################
    # user/group/computer
    # o create/delete scp under container object
    # o generic read scp
    # o write user uid, uidNumber, gidNumber, loginShell, unixHomeDirectory, gecos
    # o write group cn, gidNumber
    # NOTE(review): these attributes decide the UNIX identity an AD user or
    # group gets on every machine joined to the zone (uidNumber 0 presumably
    # maps to root), so this write right is OS-level privilege on those hosts;
    # it is inherent to the zone-admin role, but the trustee group must be
    # treated as highly privileged.
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidScp -y $guidContainer
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidScp
    $guidCn, $guidName, $guidKeywords, $guidUid, $guidUidNumber, $guidLoginShell, $guidUnixHomeDir, $guidGidNumber, $guidGecos | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidScp }
    $guidUid, $guidUidNumber, $guidLoginShell, $guidUnixHomeDir, $guidGidNumber, $guidGecos | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidPosixAcc }
    $guidCn, $guidGidNumber | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidPosixGroup }
    #########################################
    # classic zone DZ permission
    AddAzManDelegation -dsResources $dsResources -objSid $objSid
    #########################################
    # ngzone DZ permission
    AddNgDZDelegation -dsResources $dsResources -objSid $objSid
    # single write of the accumulated DACL changes
    [Void] $dsResources.psbase.CommitChanges()
}
function GrantModifyJoinedComputer($dsTrustee, $dsResources)
{
    # Delegation needed to join computers to zones under $dsResources: manage
    # the computer's service connection point, touch the DZ store, and manage
    # computer-role scopes and role assignments. ACEs are queued by the helpers
    # and committed once at the end. Several sections repeat AddNgDZDelegation
    # on purpose, so that this trustee does not also receive the role/right
    # management rights granted there.
    $strSid = GetSid -dsObj $dsTrustee
    $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
    #########################################
    # ADEdit: precreate_computer -scp
    # grant create/delete/read/write service connection point
    # (create/delete-child of SCP under every descendant container, then
    # GenericWrite/GenericRead on every descendant SCP)
    $ace = New-Object DirectoryServices.CreateChildAccessRule($objSid, $AC_TYPE::Allow, $guidScp, $INHERITANCE::Descendents, $guidContainer)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    $ace = New-Object DirectoryServices.DeleteChildAccessRule($objSid, $AC_TYPE::Allow, $guidScp, $INHERITANCE::Descendents, $guidContainer)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidScp)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidScp)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    #########################################
    # update ngz directauthorize store timestamp
    # o generic read msDs-AzAdminManager + write appData properties
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzAdminMgr
    AddWritePropOfObject -target $dsResources -sid $objSid -prop $guidAzAppData -inheritType $guidAzAdminMgr
    # NOTE(review): WriteDacl on every descendant DZ store object. With it the
    # trustee can rewrite the permissions of those objects and grant itself (or
    # anyone) any right on them, so this is effectively full control over the
    # zones' DZ stores, far beyond the timestamp update described above. Confirm
    # that the join path really needs it before keeping it.
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::WriteDacl, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidAzAdminMgr)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    #########################################
    # ngz dz computer:zone
    # o generic read to msDs-AzScope + write name, description & msDs-AzApplicationData
    # o delete msDs-AzScope under msDS-AzApplication object, we do not delegate creating msDS-AzScope because it's a container
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzScope
    $guidAzAppData, $guidAzScopeName, $guidDesc | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzScope }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzScope -y $guidAzApp # for computer zone dz scope
    # NOTE(review): as in AddNgDZDelegation, this grants create/delete-child of
    # containers under every descendant container plus DeleteTree on every
    # descendant container — arbitrary container subtrees under the zones
    # container, not just computer-zone scopes. The commented-out
    # AddDeleteChildObject call is the narrower intended form.
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidContainer -y $guidContainer # for computer zone
    # AddDeleteChildObject -target $dsResources -sid $objSid -child $guidAzScope
    #########################################
    # ngz dz asg
    # o generic read to msDs-AzRole + write name, description & msDs-AzApplicationData
    # o under zone & computer role - create/delete msDs-AzRole under container object
    AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzRole
    $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzRole }
    AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzRole -y $guidContainer
    # single write of the accumulated DACL changes
    [Void] $dsResources.psbase.CommitChanges()
}
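# ---- main -------------------------------------------------------------------
# Creates the demo OU under the domain root, the sub-containers/OUs, three
# security groups, and delegates rights to those groups. Runs in the caller's
# security context; creating an OU at the domain root and editing DACLs
# normally requires Domain Admin-level rights. All ACE additions are additive
# (AddAccessRule); nothing is removed, so re-running on an existing tree only
# fails at the first CreateDsObject that finds its object already present.
$domain = $Args[0]
$ou = $Args[1]

$nc, $server = Bind -domain $domain
# DN of the demo OU. The RDN comes from GetCn so it is built the same way
# CreateDsObject builds it (previously it was concatenated by hand).
$ouDN = "{0},{1}" -f (GetCn -name $ou -objClass "OrganizationalUnit"), $nc

# Optional cleanup of a previous run. Left disabled on purpose: DeleteTree()
# removes the whole OU and everything beneath it without confirmation.
# (The previous version always bound $ouEntry and never used it; the bind is
# now part of the disabled block.)
#$ouEntry = [adsi](GetLdapPath -server $server -dn $ouDN)
#if ($ouEntry.psbase.NativeGuid -ne $null)
#{
#    Write-Host("Cleaning up previous demo data under {0}" -f $ouEntry.distinguishedName.Value);
#    $ouEntry.psbase.DeleteTree();
#}

Write-Host("Creating OU Structure")
$ouDemo = CreateDsObject -server $server -container $nc -name $ou -objClass "OrganizationalUnit"
$licContainer = CreateDsObject -server $server -container $ouDN -name $strLicContainer -objClass "Container"
$zoneContainer = CreateDsObject -server $server -container $ouDN -name $strZoneContainer -objClass "Container"
$ouUnixGroups = CreateDsObject -server $server -container $ouDN -name $strOuUnixGroups -objClass "OrganizationalUnit"
$ouUnixServers = CreateDsObject -server $server -container $ouDN -name $strOuUnixServers -objClass "OrganizationalUnit"
$ouProvGroups = CreateDsObject -server $server -container $ouDN -name $strOuProvGroups -objClass "OrganizationalUnit"
$ouSvcAccts = CreateDsObject -server $server -container $ouDN -name $strOuSvcAccts -objClass "OrganizationalUnit"
$ouRoleGroups = CreateDsObject -server $server -container $ouDN -name $strOuRoleGroups -objClass "OrganizationalUnit"
$adminContainer = CreateDsObject -server $server -container $ouDN -name $strAdminContainer -objClass "OrganizationalUnit"
$adminContainerDn = $adminContainer.distinguishedName.Value

Write-Host("Creating Groups")
# Global security groups in the Zone Administration OU. They are created first
# and receive no rights here; everything they can do is delegated below.
$zoneAdmins = CreateADGroup -server $server -name "Zone Administrators" -container $adminContainerDn -gtype "global"
$fulfillment = CreateADGroup -server $server -name "Fulfillment" -container $adminContainerDn -gtype "global"
$joinOps = CreateADGroup -server $server -name "Join Operators" -container $adminContainerDn -gtype "global"

# Delegation model (source: the requirements e-mail titled "OU Script").
Write-Host("Delegating Admin Rights")

# "Zone Administrators": read the demo OU and the admin OU; create/delete and
# fully edit groups in the three group OUs; create/delete/edit (and, via the
# WriteOwner workaround, effectively own) computers in UNIX Servers; full zone
# and DZ management under Zones. This is the most privileged of the three
# groups — see the notes in GrantCreateDeleteReadWriteADComputer and
# GrantModifyDeleteZone.
GrantGenericRead -dsTrustee $zoneAdmins -dsResources $ouDemo
GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouUnixGroups
GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouProvGroups
GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouRoleGroups
GrantGenericRead -dsTrustee $zoneAdmins -dsResources $adminContainer
## "Service Accounts": no permissions, go ask a Domain Admin
GrantCreateDeleteReadWriteADComputer -dsTrustee $zoneAdmins -dsResources $ouUnixServers
GrantModifyDeleteZone -dsTrustee $zoneAdmins -dsResources $zoneContainer

# "Fulfillment": read everything, plus GenericWrite (membership included) on the
# existing groups in the three group OUs — no create/delete of groups.
GrantGenericRead -dsTrustee $fulfillment -dsResources $ouDemo
GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouUnixGroups
GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouProvGroups
GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouRoleGroups
GrantGenericRead -dsTrustee $fulfillment -dsResources $adminContainer
GrantGenericRead -dsTrustee $fulfillment -dsResources $ouUnixServers
GrantGenericRead -dsTrustee $fulfillment -dsResources $ouSvcAccts
GrantGenericRead -dsTrustee $fulfillment -dsResources $licContainer
GrantGenericRead -dsTrustee $fulfillment -dsResources $zoneContainer

# "Join Operators": read the OUs; create/delete/edit computers in UNIX Servers
# (same WriteOwner caveat as above); SCP and DZ rights under Zones needed to
# join machines — see the WriteDacl note in GrantModifyJoinedComputer.
GrantGenericRead -dsTrustee $joinOps -dsResources $ouDemo
GrantGenericRead -dsTrustee $joinOps -dsResources $ouUnixGroups
GrantGenericRead -dsTrustee $joinOps -dsResources $ouProvGroups
GrantGenericRead -dsTrustee $joinOps -dsResources $ouRoleGroups
GrantGenericRead -dsTrustee $joinOps -dsResources $adminContainer
GrantCreateDeleteReadWriteADComputer -dsTrustee $joinOps -dsResources $ouUnixServers
GrantGenericRead -dsTrustee $joinOps -dsResources $ouSvcAccts
GrantGenericRead -dsTrustee $joinOps -dsResources $licContainer
GrantModifyJoinedComputer -dsTrustee $joinOps -dsResources $zoneContainer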