centrifyinstall.ps1

  1. $strLicContainer   = "Licenses"
  2. $strZoneContainer  = "Zones"
  3. $strOuUnixGroups   = "UNIX Groups"
  4. $strOuUnixServers  = "UNIX Servers"
  5. $strOuProvGroups   = "Provisioning Groups"
  6. $strOuSvcAccts     = "Service Accounts"
  7. $strOuRoleGroups   = "Role Groups"
  8. $strAdminContainer = "Zone Administration"
  9.  
  10. if ($Args.Length -ne 2)
  11. {
  12.     [System.Console]::WriteLine("Usage:");
  13.     [System.Console]::WriteLine("sdk-demo.ps1 <Domain> <OU-Name> ")
  14.     exit -1;
  15. }
  16.  
  17. function Bind([string] $domain)
  18. {
  19.     $path = "LDAP://{0}/rootDSE" -f $domain
  20. $objRootDse = [adsi]$path
  21. $strNc     = $objRootDse.get("defaultNamingContext")
  22. $strServer = $objRootDse.get("dnsHostName")
  23. $strNc, $strServer;
  24. }
  25. function GetLdapPath([string] $server, [string] $dn)
  26. {
  27. $path = "LDAP://{0}/{1}" -f $server, $dn;
  28. $path;
  29. }
  30. function GetCn([string] $name, [string] $objClass)
  31. {
  32.     $cn = "CN={0}" -f $name;
  33.     if ($objClass -eq "OrganizationalUnit")
  34.     {
  35.         $cn = "OU={0}" -f $name;
  36.     }
  37.     $cn;
  38. }
  39.  
  40. function CreateDsObject([string] $server, [string] $container, [string] $name, [string] $objClass)
  41. {
  42. $strConatinerPath = GetLdapPath -server $server -dn $container
  43. $objContainer = [adsi] $strConatinerPath
  44. $strChildCn = GetCn -name $name -objClass $objClass
  45. $strChildDn = "{0},{1}" -f $strChildCn, $container
  46. $strChildPath = GetLdapPath -server $server -dn $strChildDn
  47. $objChildEntry = $objContainer.Create($objClass, $strChildCn)
  48. [Void]$objChildEntry.SetInfo()
  49.     return $objChildEntry
  50. }
  51.  
  52. function CreateADGroup([string] $server, [string] $name, [string] $container, [string] $gtype)
  53. {
  54.     $objClass = "group";
  55.     $strCn = GetCn -name $name -objClass $objClass;
  56.     $objDsGroup  = CreateDsObject -server $server -container $container -name $name -objClass $objClass
  57.     [Void] $objDsGroup.Put("sAMAccountName", $name)
  58.     if ($gtype -eq "global")
  59.     {
  60.         # Global Distribution Group
  61.         [Void] $objDsGroup.Put("groupType", 0x80000002)
  62.     }
  63.     elseif ($gtype -eq "dlg")
  64.     {
  65.         # Domain Local Distribution Group  
  66.         [Void] $objDsGroup.Put("groupType", 0x80000004)
  67.     }
  68.     elseif ($gtype -eq "uni")
  69.     {
  70.         # Universal Security Group
  71.         [Void] $objDsGroup.Put("groupType", 0x80000008)
  72.     }
  73.     else
  74.     {
  75.         Write-Host("Invalid group type {0}" -f $gtype)
  76.     }
  77.     [Void]$objDsGroup.SetInfo()
  78.     return $objDsGroup
  79. }
  80. function GetSid($dsObj)
  81. {
  82.     $dn = $dsObj.distinguishedName.Value
  83.     $binary = $dsObj.psbase.Properties["objectSid"].Value
  84.     $sid = New-Object Security.Principal.SecurityIdentifier($binary, 0)
  85.     return $sid.ToString()
  86. }
  87.  
  88. # type shortcuts for very long namespace...
  89. $AC_TYPE = [System.Security.AccessControl.AccessControlType]
  90. $INHERITANCE = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
  91. $PROP_ACCESS = [System.DirectoryServices.PropertyAccess]
  92. $AD_RIGHT = [System.DirectoryServices.ActiveDirectoryRights]
  93.  
  94. # objectClass guid
  95. $guidContainer   = New-Object Guid("bf967a8b-0de6-11d0-a285-00aa003049e2")
  96. $guidOU          = New-Object Guid("bf967aa5-0de6-11d0-a285-00aa003049e2")
  97. $guidComp        = New-Object Guid("bf967a86-0de6-11d0-a285-00aa003049e2")
  98. $guidGroup       = New-Object Guid("bf967a9c-0de6-11d0-a285-00aa003049e2")
  99. $guidScp         = New-Object Guid("28630ec1-41d5-11d1-a9c1-0000f80367c1")
  100. $guidPosixAcc    = New-Object Guid("ad44bb41-67d5-4d88-b575-7b20674e76d8")
  101. $guidPosixGroup  = New-Object Guid("2a9350b8-062c-4ed0-9903-dde10d06deba")
  102.  
  103. # azman objectClass guid
  104. # Create authorization policy store
  105. $guidAzTask      = New-Object Guid("1ed3a473-9b1b-418a-bfa0-3a37b95a5306") # Write
  106. $guidAzOp        = New-Object Guid("860abe37-9a9b-4fa4-b3d2-b8ace5df9ec5") # Read
  107. $guidAzRole      = New-Object Guid("8213eac9-9d55-44dc-925c-e9a52b927644")
  108. $guidAzScope     = New-Object Guid("4feae054-ce55-47bb-860e-5b12063a51de")
  109. $guidAzAdminMgr  = New-Object Guid("cfee1051-5f28-4bae-a863-5d0cc18a8ed1") # Create/Delete OU/zones
  110. $guidAzApp       = New-Object Guid("ddf8de9b-cba5-4e12-842e-28d8b66f75ec")
  111.  
  112. # attribute guid
  113. # These are attributes for users/computers under centrify
  114. $guidDesc        = New-Object Guid("bf967950-0de6-11d0-a285-00aa003049e2")
  115. $guidCn          = New-Object Guid("bf96793f-0de6-11d0-a285-00aa003049e2")
  116. $guidName        = New-Object Guid("bf967a0e-0de6-11d0-a285-00aa003049e2")
  117. $guidKeywords    = New-Object Guid("bf967993-0de6-11d0-a285-00aa003049e2")
  118. $guidUid         = New-Object Guid("0bb0fca0-1e89-429f-901a-1413894d9f59")
  119. $guidUidNumber   = New-Object Guid("850fcc8f-9c6b-47e1-b671-7c654be4d5b3")
  120. $guidGidNumber   = New-Object Guid("c5b95f0c-ec9e-41c4-849c-b46597ed6696")
  121. $guidLoginShell  = New-Object Guid("a553d12c-3231-4c5e-8adf-8d189697721e")
  122. $guidUnixHomeDir = New-Object Guid("bc2dba12-000f-464d-bf1d-0808465d8843")
  123. $guidGecos       = New-Object Guid("a3e03f1f-1d55-4253-a0af-30c2a784e46e")
  124.  
  125. # azman attribute guid, used for zone delegation permissions (zone admins)
  126. $guidAzAppData   = New-Object Guid("503fc3e8-1cc6-461a-99a3-9eee04f402a7")
  127. $guidAzScopeName = New-Object Guid("515a6b06-2617-4173-8099-d5605df043c6")
  128. $guidAzOpForTask = New-Object Guid("1aacb436-2e9d-44a9-9298-ce4debeb6ebf")
  129.  
  130.  
  131. function GrantGenericRead($dsTrustee, $dsResources)
  132. {
  133.     $strSid = GetSid -dsObj $dsTrustee
  134.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  135.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow)
  136.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  137.     [Void] $dsResources.psbase.CommitChanges()
  138. }
  139. function GrantReadWriteADGroup($dsTrustee, $dsResources)
  140. {
  141.     $strSid = GetSid -dsObj $dsTrustee
  142.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  143.    
  144.     # grant read/update to group
  145.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Children, $guidGroup)
  146.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  147.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Children, $guidGroup)
  148.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  149.    
  150.     [Void] $dsResources.psbase.CommitChanges()
  151. }
  152. function GrantCreateDeleteReadWriteChildObject($dsTrustee, $dsResources, $guidChildClass)
  153. {
  154.     $strSid = GetSid -dsObj $dsTrustee
  155.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  156.    
  157.     # read/update group
  158.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Children, $guidChildClass)
  159.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  160.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Children, $guidChildClass)
  161.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  162.     # create/delete group
  163.     $ace = New-Object DirectoryServices.CreateChildAccessRule($objSid, $AC_TYPE::Allow, $guidChildClass)
  164.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  165.     $ace = New-Object DirectoryServices.DeleteChildAccessRule($objSid, $AC_TYPE::Allow, $guidChildClass)
  166.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  167.    
  168.     [Void] $dsResources.psbase.CommitChanges()
  169. }
  170. function GrantCreateDeleteReadWriteADGroup($dsTrustee, $dsResources)
  171. {
  172.     GrantCreateDeleteReadWriteChildObject -dsTrustee $dsTrustee -dsResources $dsResources -guidChildClass $guidGroup
  173. }
  174.  
  175. function GrantCreateDeleteReadWriteADComputer($dsTrustee, $dsResources)
  176. {
  177.     GrantCreateDeleteReadWriteChildObject -dsTrustee $dsTrustee -dsResources $dsResources -guidChildClass $guidComp
  178.     # precreate computer using adedit contain the code below
  179.     #   sof sd $sd
  180.     #   svo
  181.     # when saving the whole SD, it demand permission to modify object's owner, which acutally
  182.     # never changed, we need to fix adedit to not changing owner but only ACL
  183.     # to workaround this problem, we grant "modify owner" permission
  184.     $strSid = GetSid -dsObj $dsTrustee
  185.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  186.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::WriteOwner, $AC_TYPE::Allow, $INHERITANCE::Children, $guidComp)
  187.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  188.     [Void] $dsResources.psbase.CommitChanges()
  189. }
  190. function AddGenericReadToObject($target, $sid, $class)
  191. {
  192.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Descendents, $class);
  193.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  194. }
  195. function AddWritePropOfObject($target, $sid, $prop, $inheritType)
  196. {
  197.     $ace = New-Object DirectoryServices.PropertyAccessRule($sid, $AC_TYPE::Allow, $PROP_ACCESS::Write, $prop, $INHERITANCE::Descendents, $inheritType);
  198.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  199. }
  200. function AddCreateDeleteZoneUnderContainer($target, $sid, $container)
  201. {
  202.     # ADEdit: add_sd_ace  
  203.     #
  204.     # create/delete/delete-child for container
  205.     $ace = New-Object DirectoryServices.CreateChildAccessRule($sid, $AC_TYPE::Allow, $guidContainer, $INHERITANCE::All, $container)
  206.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  207.     $ace = New-Object DirectoryServices.DeleteChildAccessRule($sid, $AC_TYPE::Allow, $guidContainer, $INHERITANCE::All, $container)
  208.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  209.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidContainer)
  210.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  211.     # create/delete/delete-child for OU
  212.     $ace = New-Object DirectoryServices.CreateChildAccessRule($sid, $AC_TYPE::Allow, $guidOU, $INHERITANCE::All, $container)
  213.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  214.     $ace = New-Object DirectoryServices.DeleteChildAccessRule($sid, $AC_TYPE::Allow, $guidOU, $INHERITANCE::All, $container)
  215.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  216.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidOU)
  217.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  218. }
  219. function AddCreateDeleteXUnderY($target, $sid, $x, $y)
  220. {
  221.     $ace = New-Object DirectoryServices.CreateChildAccessRule($sid, $AC_TYPE::Allow, $x, $INHERITANCE::Descendents, $y)
  222.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  223.     $ace = New-Object DirectoryServices.DeleteChildAccessRule($sid, $AC_TYPE::Allow, $x, $INHERITANCE::Descendents, $y)
  224.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  225.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $x)
  226.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  227. }
  228. function AddDeleteChildObject($target, $sid, $child)
  229. {
  230.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::Delete,      $AC_TYPE::Allow, $INHERITANCE::Descendents, $child);
  231.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  232.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::DeleteChild, $AC_TYPE::Allow, $INHERITANCE::Descendents, $child);
  233.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  234.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, $AD_RIGHT::DeleteTree, $AC_TYPE::Allow, $INHERITANCE::Descendents, $child);
  235.     [Void] $target.psbase.ObjectSecurity.AddAccessRule($ace)
  236. }
  237. function AddAzManDelegation($dsResources, $objSid)
  238. {
  239.     # create/delete msDS-AzAdminManager under zones (container + OU)
  240.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzAdminMgr -y $guidContainer
  241.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzAdminMgr -y $guidOU
  242.    
  243.     # generic read/write msDS-AzAdminManager objects
  244.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidAzAdminMgr);
  245.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  246.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidAzAdminMgr);
  247.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  248. }
  249. function AddNgDZDelegation($dsResources, $objSid)
  250. {
  251.     #########################################
  252.     # update ngz dz store timestamp
  253.     # o generic read msDs-AzAdminManager + write appData properties
  254.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzAdminMgr
  255.     AddWritePropOfObject -target $dsResources -sid $objSid -prop $guidAzAppData -inheritType $guidAzAdminMgr
  256.  
  257.     #########################################
  258.     # ngz dz role
  259.     # o gernreic read to msDs-AzTask + write name, description, msDs-AzApplicationData & msDs-AzOperationForTask
  260.     # o create/delete msDs-AzTask under container object
  261.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzTask
  262.     $guidAzAppData, $guidDesc, $guidName, $guidAzOpForTask | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzTask }
  263.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzTask -y $guidContainer
  264.  
  265.     #########################################
  266.     # ngz dz right
  267.     # o gernreic read to msDs-AzOperation + write name, description & msDs-AzApplicationData
  268.     # o create/delete msDs-AzOperation under container object
  269.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzOp
  270.     $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzOp }
  271.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzOp -y $guidContainer
  272.  
  273.     #########################################
  274.     # ngz dz computer role
  275.     # o gernreic read to msDs-AzScope + write name, description & msDs-AzApplicationData
  276.     # o delete msDs-AzScope under msDS-AzApplication object, we do not delegate creating msDS-AzScope because it's a container
  277.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzScope
  278.     $guidAzAppData, $guidAzScopeName, $guidDesc | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzScope }
  279.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzScope -y $guidAzApp        # for computer zone dz scope
  280.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidContainer -y $guidContainer  # for computer zone
  281.     # instead of the above 2 lines, below is the right thing to do
  282.     #    AddDeleteChildObject -target $dsResources -sid $objSid -child $guidAzScope
  283.  
  284.     #########################################
  285.     # ngz dz asg  
  286.     # o gernreic read to msDs-AzRole + write name, description & msDs-AzApplicationData
  287.     # o under zone & computer role - create/delete msDs-AzRole under container object
  288.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzRole
  289.     $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzRole }
  290.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzRole -y $guidContainer
  291. }
  292. function GrantModifyDeleteZone($dsTrustee, $dsResources)
  293. {
  294.     $strSid = GetSid -dsObj $dsTrustee
  295.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  296.    
  297.     #########################################
  298.     #  zone object - container + OU
  299.     #  o write description , cn and name
  300.     $guidContainer, $guidOU | ForEach-Object { AddGenericReadToObject -target $dsResources -sid $objSid -class $_ }
  301.     $guidDesc, $guidCn, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidContainer }
  302.     $guidDesc, $guidCn, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidOU }
  303.     #########################################
  304.     # this is not recommened to grant both create + delete zone permission
  305.     # o create/delete/delete-ou+container under container object, this is very permissive, but adimport need this
  306.     AddCreateDeleteZoneUnderContainer -target $dsResources -sid $objSid -container $guidContainer
  307.     #########################################
  308.     # this is recommened to only grant delete zone permission
  309.     # o delete/delete-child under contain, this is recommend to delete zone delegation
  310.     # $guidContainer, $guidOU | ForEach-Object { AddDeleteChildObject -target $dsResources -sid $objSid -child $_ }
  311.    
  312.     #########################################
  313.     # user/group/computer
  314.     # o create/delete scp under container object
  315.     # o generic read scp
  316.     # o write user uid, uidNumber, gidNumber, loginShell, unixHomeDirectory, gecos
  317.     # o write group cn, gidNumer
  318.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidScp -y $guidContainer
  319.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidScp
  320.     $guidCn, $guidName, $guidKeywords, $guidUid, $guidUidNumber, $guidLoginShell, $guidUnixHomeDir, $guidGidNumber, $guidGecos | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidScp }
  321.     $guidUid, $guidUidNumber, $guidLoginShell, $guidUnixHomeDir, $guidGidNumber, $guidGecos | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidPosixAcc }
  322.     $guidCn, $guidGidNumber | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidPosixGroup }
  323.  
  324.     #########################################
  325.     # classic zone DZ permission
  326.     AddAzManDelegation -dsResources $dsResources -objSid $objSid
  327.  
  328.     #########################################
  329.     # ngzone DZ permission
  330.     AddNgDZDelegation -dsResources $dsResources -objSid $objSid
  331.  
  332.     [Void] $dsResources.psbase.CommitChanges()
  333. }
  334. function GrantModifyJoinedComputer($dsTrustee, $dsResources)
  335. {
  336.     $strSid = GetSid -dsObj $dsTrustee
  337.     $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
  338.    
  339.     #########################################
  340.     # ADEdit: precreate_computer -scp
  341.     # grant create/delete/read/write service connection point
  342.     $ace = New-Object DirectoryServices.CreateChildAccessRule($objSid, $AC_TYPE::Allow, $guidScp, $INHERITANCE::Descendents, $guidContainer)
  343.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  344.     $ace = New-Object DirectoryServices.DeleteChildAccessRule($objSid, $AC_TYPE::Allow, $guidScp, $INHERITANCE::Descendents, $guidContainer)
  345.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  346.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericWrite, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidScp)
  347.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  348.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidScp)
  349.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  350.    
  351.     #########################################
  352.     # update ngz directauthorize store timestamp
  353.     # o generic read msDs-AzAdminManager + write appData properties
  354.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzAdminMgr
  355.     AddWritePropOfObject -target $dsResources -sid $objSid -prop $guidAzAppData -inheritType $guidAzAdminMgr
  356.     $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::WriteDacl, $AC_TYPE::Allow, $INHERITANCE::Descendents, $guidAzAdminMgr)
  357.     [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
  358.    
  359.     #########################################
  360.     # ngz dz computer:zone
  361.     # o gernreic read to msDs-AzScope + write name, description & msDs-AzApplicationData
  362.     # o delete msDs-AzScope under msDS-AzApplication object, we do not delegate creating msDS-AzScope because it's a container
  363.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzScope
  364.     $guidAzAppData, $guidAzScopeName, $guidDesc | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzScope }
  365.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzScope -y $guidAzApp        # for computer zone dz scope
  366.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidContainer -y $guidContainer  # for computer zone
  367. #    AddDeleteChildObject -target $dsResources -sid $objSid -child $guidAzScope
  368.  
  369.     #########################################
  370.     # ngz dz asg  
  371.     # o generic read to msDs-AzRole + write name, description & msDs-AzApplicationData
  372.     # o under zone & computer role - create/delete msDs-AzRole under container object
  373.     AddGenericReadToObject -target $dsResources -sid $objSid -class $guidAzRole
  374.     $guidAzAppData, $guidDesc, $guidName | ForEach-Object { AddWritePropOfObject -target $dsResources -sid $objSid -prop $_ -inheritType $guidAzRole }
  375.     AddCreateDeleteXUnderY -target $dsResources -sid $objSid -x $guidAzRole -y $guidContainer
  376.  
  377.     [Void] $dsResources.psbase.CommitChanges()
  378. }
  379.    
  380. $domain = $Args[0]
  381. $ou = $Args[1]
  382.  
  383. $config = Bind -domain $domain
  384. $nc = $config[0]
  385. $server = $config[1]
  386. $ouDN = "OU={0},{1}" -f $ou, $nc
  387.  
  388. $ouPath = GetLdapPath -server $server -dn $ouDN
  389. $ouEntry = [adsi]$ouPath;
  390.  
  391. #if ($ouEntry.psbase.NativeGuid -ne $null)
  392. #{
  393. #    Write-Host("Cleaning up previous demo data under {0}" -f $ouEntry.distinguishedName.Value);
  394. #    $ouEntry.psbase.DeleteTree();
  395. #}
  396.  
  397. Write-Host("Creating OU Structure");
  398. $ouDemo         = CreateDsObject -server $server -container $nc   -name $ou                -objClass "OrganizationalUnit"
  399. $licContainer   = CreateDsObject -server $server -container $ouDN -name $strLicContainer   -objClass "Container"
  400. $zoneContainer  = CreateDsObject -server $server -container $ouDN -name $strZoneContainer  -objClass "Container"
  401. $ouUnixGroups   = CreateDsObject -server $server -container $ouDN -name $strOuUnixGroups   -objClass "OrganizationalUnit"
  402. $ouUnixServers  = CreateDsObject -server $server -container $ouDN -name $strOuUnixServers  -objClass "OrganizationalUnit"
  403. $ouProvGroups   = CreateDsObject -server $server -container $ouDN -name $strOuProvGroups   -objClass "OrganizationalUnit"
  404. $ouSvcAccts     = CreateDsObject -server $server -container $ouDN -name $strOuSvcAccts     -objClass "OrganizationalUnit"
  405. $ouRoleGroups   = CreateDsObject -server $server -container $ouDN -name $strOuRoleGroups   -objClass "OrganizationalUnit"
  406. $adminContainer = CreateDsObject -server $server -container $ouDN -name $strAdminContainer -objClass "OrganizationalUnit"
  407. $adminContainerDn = $adminContainer.distinguishedName.Value
  408.  
  409. $strAdminContainer = "Zone Administration"
  410.  
  411. Write-Host("Creating Groups")
  412. # Create groups but do not give them permissions
  413. $zoneAdmins = CreateADGroup -server $server -name "Zone Administrators" -container $adminContainerDn -gtype "global"
  414. $fulfillment = CreateADGroup -server $server -name "Fulfillment" -container $adminContainerDn -gtype "global"
  415. $joinOps = CreateADGroup -server $server -name "Join Operators" -container $adminContainerDn -gtype "global"
  416.  
  417. ## Kayne: permission comes from the email titled "OU Script"
  418. Write-Host("Delegating Admin Rights")
  419. # grant "Zone Administrators" permission
  420. GrantGenericRead -dsTrustee $zoneAdmins -dsResources $ouDemo
  421. GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouUnixGroups
  422. GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouProvGroups
  423. GrantCreateDeleteReadWriteADGroup -dsTrustee $zoneAdmins -dsResources $ouRoleGroups
  424. GrantGenericRead -dsTrustee $zoneAdmins -dsResources $adminContainer
  425.  
  426. ## "Services Accounts": no permissions, go ask a Domain Admin
  427. GrantCreateDeleteReadWriteADComputer -dsTrustee $zoneAdmins -dsResources $ouUnixServers
  428.  
  429. GrantModifyDeleteZone -dsTrustee $zoneAdmins -dsResources $zoneContainer
  430.  
  431. # grant "Fulfillment" permission
  432. GrantGenericRead -dsTrustee $fulfillment -dsResources $ouDemo
  433. GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouUnixGroups
  434. GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouProvGroups
  435. GrantReadWriteADGroup -dsTrustee $fulfillment -dsResources $ouRoleGroups
  436. GrantGenericRead -dsTrustee $fulfillment -dsResources $adminContainer
  437. GrantGenericRead -dsTrustee $fulfillment -dsResources $ouUnixServers
  438. GrantGenericRead -dsTrustee $fulfillment -dsResources $ouSvcAccts
  439. GrantGenericRead -dsTrustee $fulfillment -dsResources $licContainer
  440. GrantGenericRead -dsTrustee $fulfillment -dsResources $zoneContainer
  441.  
  442. # grant "Join Operators" permission
  443. # JoinOps can see
  444. GrantGenericRead -dsTrustee $joinOps -dsResources $ouDemo
  445. GrantGenericRead -dsTrustee $joinOps -dsResources $ouUnixGroups
  446. GrantGenericRead -dsTrustee $joinOps -dsResources $ouProvGroups
  447. GrantGenericRead -dsTrustee $joinOps -dsResources $ouRoleGroups
  448. GrantGenericRead -dsTrustee $joinOps -dsResources $adminContainer
  449. GrantCreateDeleteReadWriteADComputer -dsTrustee $joinOps -dsResources $ouUnixServers
  450. GrantGenericRead -dsTrustee $joinOps -dsResources $ouSvcAccts
  451. GrantGenericRead -dsTrustee $joinOps -dsResources $licContainer
  452. GrantModifyJoinedComputer -dsTrustee $joinOps -dsResources $zoneContainer