From ac68247dba2aa6fbaa40d80ab7b017f3f4eb69c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0t=C4=9Bp=C3=A1n?=
Date: Thu, 15 Feb 2024 20:36:16 +0000
Subject: [PATCH] Add import GPO policies
---
 Import-TIER-GPO.ps1 | 91 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 88 insertions(+), 3 deletions(-)
diff --git a/Import-TIER-GPO.ps1 b/Import-TIER-GPO.ps1
index b543139..5ec5847 100644
--- a/Import-TIER-GPO.ps1
+++ b/Import-TIER-GPO.ps1
@@ -33,7 +33,17 @@ Param
 # TranscriptFileName - File name of script log
 [String]
- $TranscriptFileName = 'Script.log'
+ $TranscriptFileName = "Script_$(Get-Date -Format 'yyyMMdd_HHmmss').log",
+
+ # GPOBackupZipFileName - Name of GPO backup zip file
+ [String]
+ $GPOBackupZipFileName = 'GPO_TIER.zip',
+
+ # DownloadURLGPOBackup - URL for downloading GPO backup file
+ [String]
+ $DownloadURLGPOBackup = 'https://git.totalservice.cz/public/AD-TIER/raw/branch/main/GPO_TIER.zip'
+
+
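Review bot: The new `$TranscriptFileName` default uses the format string `'yyyMMdd_HHmmss'` with three `y`s, which reads as a typo for the four-digit year specifier; the intent is presumably `"Script_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"`. It still yields a four-digit year for current dates, so the log name is not wrong today, but the odd specifier will be read as a bug by the next maintainer. The `$DownloadURLGPOBackup` default hard-codes an external host that the Begin block later fetches from and imports into the domain, so the parameter comment should say that the archive is applied as Group Policy and that operators are expected to point it at a source they control, e.g. `# DownloadURLGPOBackup - URL for downloading GPO backup file (content is imported as Group Policy; use a trusted source)`. The Param block continues outside this hunk.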
@@ -112,6 +122,28 @@ Begin
 }
 #### END VARIABLES ####
+ #Find GPO backup file zip
+ Write-Message -Message ("Finding GPO backup zip file ({0})" -f $GPOBackupZipFileName)
+ If (!(Test-Path -Path (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)))
+ {
+ Write-Message -Message ("{0} not found. Starting downloading ..." -f $GPOBackupZipFileName)
+ #Download GPO Backup zip file
+ Write-Message -Message "Downloading GPO backup file"
+ $DownloadStartTime = Get-Date
+ #Certificate work around
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri $DownloadURLGPOBackup -OutFile (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)
+ Write-Message -Message ('Downloaded in: {0} second(s)' -f ((Get-Date) - $DownloadStartTime)) -Severity Success
+
+ }else{
+ Write-Message -Message ("{0} found in shared folder" -f $GPOBackupZipFileName) -Severity Success
+ }
+
+ #Unpack GPO backupfile
+ Write-Message -Message ("Unpacking GPO backup file {0}" -f $GPOBackupZipFileName)
+ Expand-Archive -LiteralPath (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName) -DestinationPath $WorkFolderPath -Force
+
+
 }
 Process
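Review bot: The archive fetched on the `Invoke-WebRequest` line is unpacked by `Expand-Archive` and later imported into the domain without any integrity check: nothing compares the downloaded `GPO_TIER.zip` (or a pre-existing one found in `$WorkFolderPath`) against a known-good digest, so whatever the remote host serves, or whatever is sitting in the work folder, becomes Group Policy. A minimal guard between the download and `Expand-Archive` is `$zipHash = (Get-FileHash -LiteralPath $zipPath -Algorithm SHA256).Hash` followed by `if ($zipHash -ne $ExpectedGPOBackupSHA256) { throw "GPO backup integrity check failed" }`, where `$zipPath` holds the `Join-Path` result already used on the surrounding lines and the expected value comes from a new script parameter (name constructed here) rather than from the same host. The download also has no failure handling; whether a failed `Invoke-WebRequest` stops the script before `Expand-Archive` depends on `$ErrorActionPreference`, which is set outside this hunk, so an explicit `try { ... } catch { throw }` around the request is the safer form. The comment `#Certificate work around` misdescribes the line below it, which only selects the TLS version for the request; `#Force TLS 1.2 for the download request` states what the code does.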
@@ -201,13 +233,66 @@ Process
 # DEBUG
 $ADGroupMapping
+ #Prepare GPO
+ #Reference https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8#content
+ #Change variables in the GPO migration table to suit environment by recursing through the migration table and then changing the values to suit the current environment.
+ Write-Message -Message "Modifying GPO migration table"
+ $MigrationTable = "$WorkFolderPath\Migration.migtable"
+ (Get-Content $MigrationTable).replace("\\SHAREFOLDER", "$ShareFolder") | Set-Content $MigrationTable
+
+ Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-DOMAIN"
+ $MigrationTable = "$WorkFolderPath\SEC-Admin-Domain.migtable"
+ $content = Get-Content $MigrationTable
+ foreach($object in $ADGroupMapping){
+ $content.Replace("[[$($object.Name)]]", $object.Value)
+ }
+ Set-Content $MigrationTable
+
+ Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-SERVERS"
+ $MigrationTable = "$WorkFolderPath\SEC-Admin-Servers.migtable"
+ $content = Get-Content $MigrationTable
+ foreach($object in $ADGroupMapping){
+ $content.Replace("[[$($object.Name)]]", $object.Value)
+ }
+ Set-Content $MigrationTable
+
+ Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-WORKSTATIONS"
+ $MigrationTable = "$WorkFolderPath\SEC-Admin-Workstations.migtable"
+ $content = Get-Content $MigrationTable
+ foreach($object in $ADGroupMapping){
+ $content.Replace("[[$($object.Name)]]", $object.Value)
+ }
+ Set-Content $MigrationTable
+
+
+ #Import GPO
+ Write-Message -Message "Importing GPO policy SEC-ADMIN-DOMAIN"
+ $GPOName = $(Write-Host "Enter name for GPO policy DOMAIN TIER (T0) [SEC-Admin-Domain] " -ForegroundColor Yellow -NoNewline; Read-Host)
+ if ($GPOName -eq '') {$GPOName = "SEC-Admin-Domain"}
+ Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Domain' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Domain.migtable"
+
+
+ Write-Message -Message "Importing GPO policy SEC-ADMIN-SERVERS"
+ $GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Servers] " -ForegroundColor Yellow -NoNewline; Read-Host)
+ if ($GPOName -eq '') {$GPOName = "SEC-Admin-Servers"}
+ Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Servers' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Servers.migtable"
+
+ Write-Message -Message "Importing GPO policy SEC-ADMIN-WORKSTATIONS"
+ $GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Workstations] " -ForegroundColor Yellow -NoNewline; Read-Host)
+ if ($GPOName -eq '') {$GPOName = "SEC-Admin-Workstations"}
+ Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Workstations' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Workstations.migtable"
+
+
 # TODO
- #- přepsat hodnoty v migration tabulce
- #- importovat GPO a zeptat se na názvy
+ #- doplnit upozornění, aby všechny GPO politiky zkontrolovali a zvážili dopad na infastrukutru než je nalinkuji
 }
 End
 {
+ Write-Message -Message "Hotovo!" -Severity Success
+ Write-Message -Message "!!!POZOR!!! Před nalinkováním GPO politik na OU kde jsou servery nebo stanice si nejprve všechny nové politiky pozorně projdi a zvaž jejich dopad na konkrétní infrastrukturu klienta. Je doporučeno politiky nasazovat postupně a nejprve na malou pilotní skupinu. Nezapomeň také vytvořit nebo přidat uživatele do nově vytvořených security skupin." -Severity Warning
+
+
 #Stop Transcript
 Write-Message -Message $(Stop-Transcript)
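Review bot: In each of the three `foreach($object in $ADGroupMapping)` loops the result of `$content.Replace(...)` is emitted to the pipeline and discarded, because string Replace returns a new value, and the `Set-Content $MigrationTable` that follows has neither pipeline input nor `-Value`, so the `[[...]]` placeholders are never substituted and the migration tables handed to `Import-GPO` still contain them (this assumes `$ADGroupMapping` entries expose `Name` and `Value`; it is built outside the hunk). The fix is to assign the result back, `$content = $content.Replace("[[$($object.Name)]]", $object.Value)`, and write it explicitly, `Set-Content -Path $MigrationTable -Value $content`; since the three blocks differ only in the table name, the rewrite below folds them into one loop. Separately, the prompt on the `SEC-Admin-Workstations` Read-Host line still reads `SERVERS TIER (T1)`, a copy-paste leftover that presumably should name the workstation tier. The enclosing Process block starts before this hunk.
```powershell
# … unchanged: Migration.migtable \\SHAREFOLDER replacement …
foreach ($TableName in 'SEC-Admin-Domain', 'SEC-Admin-Servers', 'SEC-Admin-Workstations') {
    Write-Message -Message ("Modifying GPO migration table for {0}" -f $TableName.ToUpper())
    $MigrationTable = "$WorkFolderPath\$TableName.migtable"
    $content = Get-Content $MigrationTable
    foreach ($object in $ADGroupMapping) {
        # Replace returns a new value; keep it, or the substitution is lost
        $content = $content.Replace("[[$($object.Name)]]", $object.Value)
    }
    Set-Content -Path $MigrationTable -Value $content
}
# … unchanged: Import-GPO prompts and imports …
```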