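#Requires -Version 3 -RunAsAdministrator
#Requires -Modules ActiveDirectory, GroupPolicy
<#
.SYNOPSIS
    Import TIER GPO policy
.DESCRIPTION
    Import GPO policy for TIERing and the necessary structure of objects.

    The script runs interactively. It either creates the default tiering layout
    under the domain root (OUs Admins\Domain, Admins\Servers, Admins\Workstations
    and the global security groups "AD Managers", "Server Admins",
    "Workstation Admins"; the built-in Domain Admins, Enterprise Admins and
    Schema Admins groups are moved into Admins\Domain) or asks the operator for
    the SamAccountNames of existing groups to use for each tier.

    The chosen groups are collected in $ADGroupMapping as "<sam>@<fqdn>" for the
    GPO migration table. The GPO import itself is still a TODO (see Process).

    Creating the default structure is idempotent: OUs and groups that already
    exist are reused, and privileged groups that are already in the target OU
    (or do not exist in this domain) are skipped with a warning instead of
    aborting the run half-way.

    All console output is also written to the transcript in WorkFolderPath.
.PARAMETER WorkFolderPath
    Working directory for the script log and downloaded assets. Created when
    missing.
.PARAMETER TranscriptFileName
    File name of the script log (Start-Transcript) inside WorkFolderPath.
.EXAMPLE
    PS> .\<this-script>.ps1
    Interactive run; the log goes to %HOMEDRIVE%\Temp\TIER\Script.log.
.EXAMPLE
    PS> .\<this-script>.ps1 -WorkFolderPath 'D:\TIER' -TranscriptFileName 'tier-import.log'
    Same, with a custom work folder and log name (constructed sample values).
.INPUTS
    None. The script does not accept pipeline input.
.NOTES
    Author:         Petr Štěpán
    Email:          pstepan@totalservice.cz
    Release date:   13.2.2024
    Revision date:  13.2.2024
    Version:        1.0
.LINK
    https://git.totalservice.cz/xxxxxxxx
    https://totalservice.atlassian.net/browse/KB-316
#>
Param (
    # WorkFolderPath - working dir for script and download assets
    [String]
    $WorkFolderPath = (Join-Path -Path $env:homedrive -ChildPath 'Temp\TIER'),

    # TranscriptFileName - File name of script log
    [String]
    $TranscriptFileName = 'Script.log'
)

Begin {
    $ErrorActionPreference = "Stop"

    # Create the work folder up front so the transcript path always exists.
    if (-not (Test-Path -LiteralPath $WorkFolderPath)) {
        New-Item -ItemType Directory -Path $WorkFolderPath -Force | Out-Null
    }

    #Start Transcript
    Start-Transcript -Path (Join-Path -Path $WorkFolderPath -ChildPath $TranscriptFileName)

    #Script start running time
    $StartScriptTime = Get-Date

    #### FUNCTIONS ###

    #######################################
    # Sending messages to console.
    # Every line carries the wall-clock time and the time elapsed since
    # $StartScriptTime; the colour is chosen by -Severity.
    # Arguments: -Message  text to print
    #            -Severity Info (default) | Warning | Error | Success
    #######################################
    function Write-Message([string]$Message, [ValidateSet("Info","Warning","Error","Success")]$Severity="Info") {
        [string]$Time = (Get-Date -Format "HH:mm:ss").Trim()
        [string]$Count = ((Get-Date) - $StartScriptTime)
        switch ($Severity) {
            "Info"    { Write-Host $Time"|"$Count "-" $Message; Break }
            "Warning" { Write-Host $Time"|"$Count "-" $Message -ForegroundColor Yellow; Break }
            "Error"   { Write-Host $Time"|"$Count "-" $Message -ForegroundColor Red; Break }
            "Success" { Write-Host $Time"|"$Count "-" $Message -ForegroundColor Green; Break }
        }
    }

    #######################################
    # Create one OU directly under $Path unless it is already there.
    # Arguments: -Name  OU name (e.g. "Admins")
    #            -Path  distinguished name of the parent container
    # Outputs:   the distinguished name of the (new or existing) OU
    #######################################
    function New-TierOU([string]$Name, [string]$Path) {
        $dn = "OU=$Name,$Path"
        # Scriptblock filter: the AD provider substitutes $Name itself, so the
        # value is never interpolated into a filter string.
        $existing = Get-ADOrganizationalUnit -Filter { Name -eq $Name } -SearchBase $Path -SearchScope OneLevel
        if ($existing) {
            Write-Message -Message ("OU {0} already exists, reusing it" -f $dn) -Severity Warning
        } else {
            New-ADOrganizationalUnit -Name $Name -Path $Path
        }
        return $dn
    }

    #######################################
    # Create a global security group unless a group with that SamAccountName
    # already exists anywhere in the domain (SamAccountName is domain-unique,
    # so New-ADGroup would fail on a second run).
    # Arguments: -Name         group name, also used as SamAccountName/DisplayName
    #            -Path         distinguished name of the OU to create it in
    #            -Description  group description
    # Outputs:   the ADGroup object (new or existing)
    #######################################
    function New-TierGroup([string]$Name, [string]$Path, [string]$Description) {
        $existing = Get-ADGroup -Filter { SamAccountName -eq $Name }
        if ($existing) {
            Write-Message -Message ("Group {0} already exists ({1}), reusing it" -f $Name, $existing.DistinguishedName) -Severity Warning
            return $existing
        }
        return New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security -GroupScope Global `
            -DisplayName $Name -Path $Path -Description $Description -PassThru
    }

    #######################################
    # Move a built-in privileged group (looked up by well-known RID, so the
    # localized display name does not matter) into $TargetPath.
    # Enterprise Admins (RID 519) and Schema Admins (RID 518) only exist in
    # the forest root domain; in a child domain the lookup fails and the group
    # is skipped with a warning instead of aborting the whole run.
    # Arguments: -Rid         well-known RID (512 Domain Admins, 518 Schema
    #                         Admins, 519 Enterprise Admins)
    #            -Label       human readable name for log lines
    #            -TargetPath  distinguished name of the destination OU
    #######################################
    function Move-PrivilegedGroup([int]$Rid, [string]$Label, [string]$TargetPath) {
        $sid = "{0}-{1}" -f $DomainSid, $Rid
        try {
            $grp = Get-ADGroup -Identity $sid
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Write-Message -Message ("Group {0} ({1}) not found in this domain, skipping" -f $Label, $sid) -Severity Warning
            return
        }
        # Parent container = everything after the first RDN of the DN.
        $parent = $grp.DistinguishedName.Substring($grp.DistinguishedName.IndexOf(',') + 1)
        if ($parent -eq $TargetPath) {
            Write-Message -Message ("Group {0} is already in {1}, skipping" -f $grp.Name, $TargetPath) -Severity Warning
            return
        }
        # High-impact change on a privileged object; the transcript records it.
        $grp | Move-ADObject -TargetPath $TargetPath
        Write-Message -Message ("Moved {0} to {1}" -f $grp.Name, $TargetPath) -Severity Success
    }

    #######################################
    # Create the default tiering OU/group layout under the domain root and
    # fill $ADGroupMapping with the three new groups.
    # Globals:   $FQDN (read), $DomainSid (read), $ADGroupMapping (written)
    # Arguments: -DistinguishedName  distinguished name of the domain root
    #######################################
    function Create-ADTierStructure([string]$DistinguishedName) {
        Write-Message -Message "Creating OU structure"
        $adminsOU       = New-TierOU -Name "Admins"       -Path $DistinguishedName
        $domainOU       = New-TierOU -Name "Domain"       -Path $adminsOU
        $serversOU      = New-TierOU -Name "Servers"      -Path $adminsOU
        $workstationsOU = New-TierOU -Name "Workstations" -Path $adminsOU

        Write-Message -Message "Creating Security Groups"
        $group = New-TierGroup -Name "AD Managers" -Path $domainOU `
            -Description "Group for managing un-privileged accounts in AD."
        $ADGroupMapping.ADManagers = "$($group.SamAccountName)@$FQDN"

        $group = New-TierGroup -Name "Server Admins" -Path $serversOU `
            -Description "Managing servers in TIER 1"
        $ADGroupMapping.ServerAdmins = "$($group.SamAccountName)@$FQDN"

        $group = New-TierGroup -Name "Workstation Admins" -Path $workstationsOU `
            -Description "Managing workstations TIER 2"
        $ADGroupMapping.WorkstationAdmins = "$($group.SamAccountName)@$FQDN"

        Write-Message -Message "Moving privileged grups to Admin\Domain OU."
        Move-PrivilegedGroup -Rid 512 -Label "Domain Admins"     -TargetPath $domainOU
        Move-PrivilegedGroup -Rid 519 -Label "Enterprise Admins" -TargetPath $domainOU
        Move-PrivilegedGroup -Rid 518 -Label "Schema Admins"     -TargetPath $domainOU
    }

    #######################################
    # Prompt until the operator names an existing group.
    # Only existence is validated; choosing a group with an appropriate scope
    # for the tier is the operator's responsibility.
    # Arguments: -Role  label shown in the prompt (e.g. "SERVER ADMINS")
    # Outputs:   the SamAccountName as stored in AD (canonical casing)
    #######################################
    function Read-TierGroupName([string]$Role) {
        do {
            $found = $null
            $name = $(Write-Host ("Enter SamAccount name of group for {0}: " -f $Role) -ForegroundColor Yellow -NoNewline; Read-Host)
            $name = $name.Trim()
            # Empty input is never looked up; it just re-prompts.
            if ($name) {
                $found = Get-ADGroup -Filter { SamAccountName -eq $name }
            }
            if (-not $found) {
                Write-Message -Message ("Group {0} doesn't exist" -f $name) -Severity Error
            }
        } until ($found)
        return $found.SamAccountName
    }

    #### FUNCTIONS END ###

    #Find FQDN and NetBIOS names
    Write-Message -Message "Finding FQDN and NetBIOS name"
    $Domain            = Get-ADDomain
    $FQDN              = $Domain.DNSRoot
    $DistinguishedName = $Domain.DistinguishedName
    # Domain SID prefix, used to resolve built-in groups by well-known RID.
    $DomainSid         = $Domain.DomainSID.Value
    Write-Message -Message ('FQDN is: {0} and DistinguishedName is: {1}' -f $FQDN, $DistinguishedName)

    #### VARIABLES ####
    # Tier role -> "<SamAccountName>@<FQDN>" used by the migration table.
    # The first three are filled in Process (default structure or manual input).
    $ADGroupMapping = @{
        "ServerAdmins"      = ""
        "WorkstationAdmins" = ""
        "ADManagers"        = ""
        "Administrator"     = "Administrator@$FQDN"
        "DomainAdmins"      = "Domain Admins@$FQDN"
        "EnterpriseAdmins"  = "Enterprise Admins@$FQDN"
    }
    #### END VARIABLES ####
}

Process {
    Write-Host @'
Example:
fqdn.contoso.com/
├─ Admins/
│  ├─ Domain/
│  │  ├─ AD Managers
│  ├─ Servers/
│  │  ├─ Server Admins
│  ├─ Workstations/
│  │  ├─ Workstation Admins
├─ .../
├─ .../
├─ Computers/
'@

    # Ask until a clear yes/no is given.
    $createDefaultADStructure = $null
    do {
        $answer = $(Write-Host "Do you want to import default OU and Security Groups structure? [Y/N] " -ForegroundColor Yellow -NoNewline; Read-Host)
        switch ($answer.Trim().ToLower()) {
            "y" { $createDefaultADStructure = $true }
            "n" { $createDefaultADStructure = $false }
        }
    } until ($createDefaultADStructure -is [bool])

    if ($createDefaultADStructure) {
        Write-Message -Message "Generating OU a Security Groups structure"
        Create-ADTierStructure -DistinguishedName $DistinguishedName
    } else {
        Write-Message -Message "Manual Security Group mapping choosen"

        Write-Message -Message "Getting group name for Server Admins"
        $ADGroupMapping.ServerAdmins = "$(Read-TierGroupName -Role 'SERVER ADMINS')@$FQDN"

        Write-Message -Message "Getting group name for Workstation Admins"
        $ADGroupMapping.WorkstationAdmins = "$(Read-TierGroupName -Role 'WORKSTATION ADMINS')@$FQDN"

        Write-Message -Message "Getting group name for AD Managers"
        $ADGroupMapping.ADManagers = "$(Read-TierGroupName -Role 'AD MANAGERS')@$FQDN"
    }

    # DEBUG: show the final mapping (also ends up in the transcript).
    $ADGroupMapping

    # TODO
    #- rewrite the values in the migration table
    #- import the GPOs and ask for their names
}

End {
    #Stop Transcript
    Write-Message -Message $(Stop-Transcript)
}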