From 8631d71dcd156c7e1051f824e8686cd8c91f88e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0t=C4=9Bp=C3=A1n?=
Date: Thu, 15 Feb 2024 19:29:19 +0000
Subject: [PATCH] Import GPO script
---
 Import-TIER-GPO.ps1 | 215 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 215 insertions(+)
 create mode 100644 Import-TIER-GPO.ps1
diff --git a/Import-TIER-GPO.ps1 b/Import-TIER-GPO.ps1
new file mode 100644
index 0000000..b543139
--- /dev/null
+++ b/Import-TIER-GPO.ps1
@@ -0,0 +1,215 @@ +#Requires -Version 3 -RunAsAdministrator +#Requires -Modules ActiveDirectory, GroupPolicy + +<# +.Synopsis +Import TIER GPO policy +.DESCRIPTION +Import GPO policy for TIERing and the necessary structure of objects +.EXAMPLE + +.EXAMPLE + +.EXAMPLE + +.INPUTS + +.NOTES +Author: Petr Štěpán +Email: pstepan@totalservice.cz +Release date: 13.2.2024 +Revision date: 13.2.2024 +Version: 1.0 +.LINK +https://git.totalservice.cz/xxxxxxxx +https://totalservice.atlassian.net/browse/KB-316 +#> + +Param +( + # WorkFolderPath - working dir for script and download assets + [String] + $WorkFolderPath = (Join-Path -Path $env:homedrive -ChildPath 'Temp\TIER'), + + # TranscriptFileName - File name of script log + [String] + $TranscriptFileName = 'Script.log' + + + + + +) + +Begin +{ + $ErrorActionPreference = "Stop" + + #Start Transcript + Start-Transcript -Path (Join-Path -Path $WorkFolderPath -ChildPath $TranscriptFileName) + + #Script start running time + $StartScriptTime = Get-Date + + #### FUNCTIONS ### + #Sending messages to console + function Write-Message([string]$Message, [ValidateSet("Info","Warning","Error","Success")]$Severity="Info") + { + [string]$Time = (Get-Date -Format "HH:mm:ss").Trim() + [string]$Count = ((Get-Date) - $StartScriptTime) + + switch($Severity) + { + "Info" {Write-Host $Time"|"$Count "-" $Message; Break} + "Warning" {Write-Host $Time"|"$Count "-" $Message -ForegroundColor Yellow; Break} + "Error" {Write-Host $Time"|"$Count "-" $Message -ForegroundColor Red; Break} + "Success" {Write-Host $Time"|"$Count "-" $Message -ForegroundColor Green; Break} + } + } + + function Create-ADTierStructure([string]$DistinguishedName) + { + Write-Message -Message "Creating OU structure" + New-ADOrganizationalUnit -Name "Admins" -Path $DistinguishedName + New-ADOrganizationalUnit -Name "Domain" -Path "OU=Admins,$DistinguishedName" + New-ADOrganizationalUnit -Name "Servers" -Path "OU=Admins,$DistinguishedName" + New-ADOrganizationalUnit -Name 
"Workstations" -Path "OU=Admins,$DistinguishedName" + + Write-Message -Message "Creating Security Groups" + $group = New-ADGroup -Name "AD Managers" -SamAccountName "AD Managers" -GroupCategory Security -GroupScope Global -DisplayName "AD Managers" -Path "OU=Domain,OU=Admins,$DistinguishedName" -Description "Group for managing un-privileged accounts in AD." -PassThru + $ADGroupMapping.ADManagers = "$($group.SamAccountName)@$FQDN" + + $group = New-ADGroup -Name "Server Admins" -SamAccountName "Server Admins" -GroupCategory Security -GroupScope Global -DisplayName "Server Admins" -Path "OU=Servers,OU=Admins,$DistinguishedName" -Description "Managing servers in TIER 1" -PassThru + $ADGroupMapping.ServerAdmins = "$($group.SamAccountName)@$FQDN" + + $group = New-ADGroup -Name "Workstation Admins" -SamAccountName "Workstation Admins" -GroupCategory Security -GroupScope Global -DisplayName "Workstation Admins" -Path "OU=Workstations,OU=Admins,$DistinguishedName" -Description "Managing workstations TIER 2" -PassThru + $ADGroupMapping.WorkstationAdmins = "$($group.SamAccountName)@$FQDN" + + Write-Message -Message "Moving privileged grups to Admin\Domain OU." 
+ Get-ADGroup "Domain Admins" | Move-ADObject -TargetPath "OU=Domain,OU=Admins,$DistinguishedName" + Get-ADGroup "Enterprise Admins" | Move-ADObject -TargetPath "OU=Domain,OU=Admins,$DistinguishedName" + Get-ADGroup "Schema Admins" | Move-ADObject -TargetPath "OU=Domain,OU=Admins,$DistinguishedName" + + + } + + #### FUNCTIONS END ### + + #Find FQDN and NetBIOS names + Write-Message -Message "Finding FQDN and NetBIOS name" + $FQDN = (Get-ADDomain).DNSRoot + $DistinguishedName = (Get-ADDomain).DistinguishedName + Write-Message -Message ('FQDN is: {0} and DistinguishedName is: {1}' -f $FQDN, $DistinguishedName) + + #### VARIABLES #### + $ADGroupMapping = @{ + "ServerAdmins" = "" + "WorkstationAdmins" = "" + "ADManagers" = "" + "Administrator" = "Administrator@$FQDN" + "DomainAdmins" = "Domain Admins@$FQDN" + "EnterpriseAdmins" = "Enterprise Admins@$FQDN" + } + #### END VARIABLES #### + + +} +Process +{ + Write-Host "Example: + fqdn.contoso.com/ + ├─ Admins/ + │ ├─ Domain/ + │ │ ├─ AD Managers + │ ├─ Servers/ + │ │ ├─ Server Admins + │ ├─ Workstations/ + │ │ ├─ Workstation Admins + ├─ .../ + ├─ .../ + ├─ Computers/" + + $createDefaultADStructure = '' + do { + $answer = $(Write-Host "Do you want to import default OU and Security Groups structure? 
[Y/N] " -ForegroundColor Yellow -NoNewline; Read-Host) + + switch (($answer).ToLower()) { + "y" { $createDefaultADStructure = $true; break; } + "n" { $createDefaultADStructure = $false; break;} + Default {} + } + } until ( + ($createDefaultADStructure -eq $true) -or ($createDefaultADStructure -eq $false) + ) + + if($createDefaultADStructure){ + Write-Message -Message "Generating OU a Security Groups structure" + Create-ADTierStructure($DistinguishedName) + + }else { + Write-Message -Message "Manual Security Group mapping choosen" + + Write-Message -Message "Getting group name for Server Admins" + # Server Admins + do { + $exist = $false + $group = $(Write-Host "Enter SamAccount name of group for SERVER ADMINS: " -ForegroundColor Yellow -NoNewline; Read-Host) + $exist = Get-ADGroup -Filter {SamAccountName -eq $group} + + if($exist -eq $null) { + Write-Message -Message ("Group {0} doesn't exist" -f $group) -Severity Error + }else{ + $ADGroupMapping.ServerAdmins = "$($group)@$FQDN" + } + } until ( + $exist -ne $null + ) + + Write-Message -Message "Getting group name for Workstation Admins" + # Workstation Admins + do { + $exist = $false + $group = $(Write-Host "Enter SamAccount name of group for WORKSTATION ADMINS: " -ForegroundColor Yellow -NoNewline; Read-Host) + $exist = Get-ADGroup -Filter {SamAccountName -eq $group} + + if($exist -eq $null) { + Write-Message -Message ("Group {0} doesn't exist" -f $group) -Severity Error + }else{ + $ADGroupMapping.WorkstationAdmins = "$($group)@$FQDN" + } + } until ( + $exist -ne $null + ) + + Write-Message -Message "Getting group name for AD Managers" + # AD Managers + do { + $exist = $false + $group = $(Write-Host "Enter SamAccount name of group for AD MANAGERS: " -ForegroundColor Yellow -NoNewline; Read-Host) + $exist = Get-ADGroup -Filter {SamAccountName -eq $group} + + if($exist -eq $null) { + Write-Message -Message ("Group {0} doesn't exist" -f $group) -Severity Error + }else{ + $ADGroupMapping.ADManagers = "$($group)@$FQDN" 
+ } + } until ( + $exist -ne $null + ) + } + + # DEBUG + $ADGroupMapping + + # TODO + #- přepsat hodnoty v migration tabulce + #- importovat GPO a zeptat se na názvy + +} +End +{ + #Stop Transcript + Write-Message -Message $(Stop-Transcript) + + +} \ No newline at end of file
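Review bot: `Create-ADTierStructure` has no guard against partial failure, which matters because it relocates Tier-0 groups: the script sets `$ErrorActionPreference = "Stop"`, so if the `Admins` OU already exists (`New-ADOrganizationalUnit` throws on a duplicate name) or if `Get-ADGroup "Enterprise Admins"` / `"Schema Admins"` cannot resolve — those two groups exist only in the forest-root domain, so in a child domain the call fails — the run aborts after some OUs and groups have already been created and `Domain Admins` may already have been moved, with no rollback and no way to rerun without manual cleanup. The OU and group creation should first check for an existing object (e.g. `Get-ADOrganizationalUnit -Filter "Name -eq 'Admins'" -SearchBase $DistinguishedName -SearchScope OneLevel`) and skip creation when present, and the forest-level groups should be moved only when `(Get-ADForest).RootDomain -eq $FQDN`. Because a failed `Move-ADObject` on these groups is a Tier-0 change, I would also log each move with `Write-Message` so the transcript records exactly which privileged group was relocated. The note applies to the move block near the end of the function; the function is fully inside this hunk.

```powershell
# ... unchanged: OU and security-group creation above ...
Write-Message -Message "Moving privileged grups to Admin\Domain OU."
$tier0Groups = @("Domain Admins")
# Enterprise Admins and Schema Admins are defined only in the forest-root domain;
# in a child domain Get-ADGroup would throw and abort the run half-way.
if ((Get-ADForest).RootDomain -eq $FQDN) {
    $tier0Groups += "Enterprise Admins", "Schema Admins"
}
foreach ($name in $tier0Groups) {
    Write-Message -Message ("Moving {0} to OU=Domain,OU=Admins,{1}" -f $name, $DistinguishedName)
    Get-ADGroup $name | Move-ADObject -TargetPath "OU=Domain,OU=Admins,$DistinguishedName"
}
```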