public/AD-TIER
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add import GPO policies

Browse Source
This commit is contained in:
Petr Štěpán
2024-02-15 20:36:16 +00:00
parent 8631d71dcd
commit ac68247dba
1 changed files with 88 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
Import-TIER-GPO.ps1
View File

@@ -33,7 +33,17 @@ Param
# TranscriptFileName - File name of script log # TranscriptFileName - File name of script log
[String] [String]
$TranscriptFileName = 'Script.log' $TranscriptFileName = "Script_$(Get-Date -Format 'yyyMMdd_HHmmss').log",
# GPOBackupZipFileName - Name of GPO backup zip file
[String]
$GPOBackupZipFileName = 'GPO_TIER.zip',
# DownloadURLGPOBackup - URL for downloading GPO backup file
[String]
$DownloadURLGPOBackup = 'https://git.totalservice.cz/public/AD-TIER/raw/branch/main/GPO_TIER.zip'
@@ -112,6 +122,28 @@ Begin
} }
#### END VARIABLES #### #### END VARIABLES ####
#Find GPO backup file zip
Write-Message -Message ("Finding GPO backup zip file ({0})" -f $GPOBackupZipFileName)
If (!(Test-Path -Path (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)))
{
Write-Message -Message ("{0} not found. Starting downloading ..." -f $GPOBackupZipFileName)
#Download GPO Backup zip file
Write-Message -Message "Downloading GPO backup file"
$DownloadStartTime = Get-Date
#Certificate work around
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $DownloadURLGPOBackup -OutFile (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName)
Write-Message -Message ('Downloaded in: {0} second(s)' -f ((Get-Date) - $DownloadStartTime)) -Severity Success
}else{
Write-Message -Message ("{0} found in shared folder" -f $GPOBackupZipFileName) -Severity Success
}
#Unpack GPO backupfile
Write-Message -Message ("Unpacking GPO backup file {0}" -f $GPOBackupZipFileName)
Expand-Archive -LiteralPath (Join-Path -Path $WorkFolderPath -ChildPath $GPOBackupZipFileName) -DestinationPath $WorkFolderPath -Force
} }
Process Process
@@ -201,13 +233,66 @@ Process
# DEBUG # DEBUG
$ADGroupMapping $ADGroupMapping
#Prepare GPO
#Reference https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8#content
#Change variables in the GPO migration table to suit environment by recursing through the migration table and then changing the values to suit the current environment.
Write-Message -Message "Modifying GPO migration table"
$MigrationTable = "$WorkFolderPath\Migration.migtable"
(Get-Content $MigrationTable).replace("\\SHAREFOLDER", "$ShareFolder") | Set-Content $MigrationTable
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-DOMAIN"
$MigrationTable = "$WorkFolderPath\SEC-Admin-Domain.migtable"
$content = Get-Content $MigrationTable
foreach($object in $ADGroupMapping){
$content.Replace("[[$($object.Name)]]", $object.Value)
}
Set-Content $MigrationTable
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-SERVERS"
$MigrationTable = "$WorkFolderPath\SEC-Admin-Servers.migtable"
$content = Get-Content $MigrationTable
foreach($object in $ADGroupMapping){
$content.Replace("[[$($object.Name)]]", $object.Value)
}
Set-Content $MigrationTable
Write-Message -Message "Modifying GPO migration table for SEC-ADMIN-WORKSTATIONS"
$MigrationTable = "$WorkFolderPath\SEC-Admin-Workstations.migtable"
$content = Get-Content $MigrationTable
foreach($object in $ADGroupMapping){
$content.Replace("[[$($object.Name)]]", $object.Value)
}
Set-Content $MigrationTable
#Import GPO
Write-Message -Message "Importing GPO policy SEC-ADMIN-DOMAIN"
$GPOName = $(Write-Host "Enter name for GPO policy DOMAIN TIER (T0) [SEC-Admin-Domain] " -ForegroundColor Yellow -NoNewline; Read-Host)
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Domain"}
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Domain' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Domain.migtable"
Write-Message -Message "Importing GPO policy SEC-ADMIN-SERVERS"
$GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Servers] " -ForegroundColor Yellow -NoNewline; Read-Host)
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Servers"}
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Servers' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Servers.migtable"
Write-Message -Message "Importing GPO policy SEC-ADMIN-WORKSTATIONS"
$GPOName = $(Write-Host "Enter name for GPO policy SERVERS TIER (T1) [SEC-Admin-Workstations] " -ForegroundColor Yellow -NoNewline; Read-Host)
if ($GPOName -eq '') {$GPOName = "SEC-Admin-Workstations"}
Import-GPO -CreateIfNeeded -path "$WorkFolderPath" -BackupGpoName 'SEC-Admin-Workstations' -TargetName $GPOName -MigrationTable "$WorkFolderPath\SEC-Admin-Workstations.migtable"
# TODO # TODO
#- přepsat hodnoty v migration tabulce #- doplnit upozornění, aby všechny GPO politiky zkontrolovali a zvážili dopad na infastrukutru než je nalinkuji
#- importovat GPO a zeptat se na názvy
} }
End End
{ {
Write-Message -Message "Hotovo!" -Severity Success
Write-Message -Message "!!!POZOR!!! Před nalinkováním GPO politik na OU kde jsou servery nebo stanice si nejprve všechny nové politiky pozorně projdi a zvaž jejich dopad na konkrétní infrastrukturu klienta. Je doporučeno politiky nasazovat postupně a nejprve na malou pilotní skupinu. Nezapomeň také vytvořit nebo přidat uživatele do nově vytvořených security skupin." -Severity Warning
#Stop Transcript #Stop Transcript
Write-Message -Message $(Stop-Transcript) Write-Message -Message $(Stop-Transcript)