Add import GPO policies
This commit is contained in:
@@ -33,7 +33,17 @@ Param
|
||||
|
||||
# TranscriptFileName - File name of script log
|
||||
[String]
|
||||
$TranscriptFileName = 'Script.log'
|
||||
$TranscriptFileName = "Script_$(Get-Date -Format 'yyyMMdd_HHmmss').log",
|
||||
|
||||
# GPOBackupZipFileName - Name of GPO backup zip file
|
||||
[String]
|
||||
$GPOBackupZipFileName = 'GPO_TIER.zip',
|
||||
|
||||
# DownloadURLGPOBackup - URL for downloading GPO backup file
|
||||
[String]
|
||||
$DownloadURLGPOBackup = 'https://git.totalservice.cz/public/AD-TIER/raw/branch/main/GPO_TIER.zip'
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -112,6 +122,28 @@ Begin
|
||||
}
|
||||
#### END VARIABLES ####
|
||||
|
||||
#Find GPO backup file zip
|
||||
Write-Message -Message ("Finding GPO backup zip file ({0})" -f $GPOBackupZipFileName)
|
||||
If (!(Test-Path -Path (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)))
|
||||
{
|
||||
Write-Message -Message ("{0} not found. Starting downloading ..." -f $GPOBackupZipFileName)
|
||||
#Download GPO Backup zip file
|
||||
Write-Message -Message "Downloading GPO backup file"
|
||||
$DownloadStartTime = Get-Date
|
||||
#Certificate work around
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
Invoke-WebRequest -Uri $DownloadURLGPOBackup -OutFile (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)
|
||||
Write-Message -Message ('Downloaded in: {0} second(s)' -f ((Get-Date) - $DownloadStartTime)) -Severity Success
|
||||
|
||||
}else{
|
||||
Write-Message -Message ("{0} found in shared folder" -f $GPOBackupZipFileName) -Severity Success
|
||||
}
|
||||
|
||||
#Unpack GPO backupfile
|
||||
Write-Message -Message ("Unpacking GPO backup file {0}" -f $GPOBackupZipFileName)
|
||||
Expand-Archive -LiteralPath (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName) -DestinationPath $WorkFolderPath -Force
|
||||
|
||||
|
||||
|
||||
}
|
||||
Process
|
||||
@@ -201,13 +233,66 @@ Process
|
||||
# DEBUG
|
||||
$ADGroupMapping
|
||||
|
||||
#Prepare GPO
|
||||
#Reference https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8#content
|
||||
#Change variables in the GPO migration table to suit environment by recursing through the migration table and then changing the values to suit the current environment.
|
||||
Write-Message -Message "Modifying GPO migration table"
|
||||
$MigrationTable = "$WorkFolderPath\Migration.migtable"
|
||||
(Get-Content $MigrationTable).replace("\\SHAREFOLDER", "$ShareFolder") | Set-Content $MigrationTable
|
||||
|
||||
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-DOMAIN"
|
||||
$MigrationTable = "$WorkFolderPath\SEC-Admin-Domain.migtable"
|
||||
$content = Get-Content $MigrationTable
|
||||
foreach($object in $ADGroupMapping){
|
||||
$content.Replace("[[$($object.Name)]]", $object.Value)
|
||||
}
|
||||
Set-Content $MigrationTable
|
||||
|
||||
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-SERVERS"
|
||||
$MigrationTable = "$WorkFolderPath\SEC-Admin-Servers.migtable"
|
||||
$content = Get-Content $MigrationTable
|
||||
foreach($object in $ADGroupMapping){
|
||||
$content.Replace("[[$($object.Name)]]", $object.Value)
|
||||
}
|
||||
Set-Content $MigrationTable
|
||||
|
||||
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-WORKSTATIONS"
|
||||
$MigrationTable = "$WorkFolderPath\SEC-Admin-Workstations.migtable"
|
||||
$content = Get-Content $MigrationTable
|
||||
foreach($object in $ADGroupMapping){
|
||||
$content.Replace("[[$($object.Name)]]", $object.Value)
|
||||
}
|
||||
Set-Content $MigrationTable
|
||||
|
||||
|
||||
#Import GPO
|
||||
Write-Message -Message "Importing GPO policy SEC-ADMIN-DOMAIN"
|
||||
$GPOName = $(Write-Host "Enter name for GPO policy DOMAIN TIER (T0) [SEC-Admin-Domain] " -ForegroundColor Yellow -NoNewline; Read-Host)
|
||||
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Domain"}
|
||||
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Domain' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Domain.migtable"
|
||||
|
||||
|
||||
Write-Message -Message "Importing GPO policy SEC-ADMIN-SERVERS"
|
||||
$GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Servers] " -ForegroundColor Yellow -NoNewline; Read-Host)
|
||||
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Servers"}
|
||||
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Servers' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Servers.migtable"
|
||||
|
||||
Write-Message -Message "Importing GPO policy SEC-ADMIN-WORKSTATIONS"
|
||||
$GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Workstations] " -ForegroundColor Yellow -NoNewline; Read-Host)
|
||||
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Workstations"}
|
||||
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Workstations' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Workstations.migtable"
|
||||
|
||||
|
||||
# TODO
|
||||
#- přepsat hodnoty v migration tabulce
|
||||
#- importovat GPO a zeptat se na názvy
|
||||
#- doplnit upozornění, aby všechny GPO politiky zkontrolovali a zvážili dopad na infastrukutru než je nalinkuji
|
||||
|
||||
}
|
||||
End
|
||||
{
|
||||
Write-Message -Message "Hotovo!" -Severity Success
|
||||
Write-Message -Message "!!!POZOR!!! Před nalinkováním GPO politik na OU kde jsou servery nebo stanice si nejprve všechny nové politiky pozorně projdi a zvaž jejich dopad na konkrétní infrastrukturu klienta. Je doporučeno politiky nasazovat postupně a nejprve na malou pilotní skupinu. Nezapomeň také vytvořit nebo přidat uživatele do nově vytvořených security skupin." -Severity Warning
|
||||
|
||||
|
||||
#Stop Transcript
|
||||
Write-Message -Message $(Stop-Transcript)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user