AD-TIER/Import-TIER-GPO.ps1
2024-02-15 19:29:19 +00:00


#Requires -Version 3 -RunAsAdministrator
#Requires -Modules ActiveDirectory, GroupPolicy
<#
.Synopsis
Import TIER GPO policy
.DESCRIPTION
Import the GPO policy for tiering and the necessary object structure
.EXAMPLE
.EXAMPLE
.EXAMPLE
.INPUTS
.NOTES
Author: Petr Štěpán
Email: pstepan@totalservice.cz
Release date: 13.2.2024
Revision date: 13.2.2024
Version: 1.0
.LINK
https://git.totalservice.cz/xxxxxxxx
https://totalservice.atlassian.net/browse/KB-316
#>
Param
(
    # WorkFolderPath - working directory for the script and downloaded assets;
    # the transcript log is written into this folder as well.
    [string]
    $WorkFolderPath = (Join-Path $env:homedrive 'Temp\TIER'),

    # TranscriptFileName - file name of the script log, created inside WorkFolderPath.
    [string]
    $TranscriptFileName = 'Script.log'
)
Begin
{
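# Stop on the first non-terminating error: every AD write below must succeed, otherwise
# the OU/group structure would be left half-built.
$ErrorActionPreference = "Stop"

# Make sure the working directory exists before the transcript is started. -Force returns
# an already existing directory without error, so re-running the script is safe.
New-Item -Path $WorkFolderPath -ItemType Directory -Force | Out-Null

# Start Transcript: all console output from here on (messages and the prompt dialogue)
# is recorded in this log file.
Start-Transcript -Path (Join-Path -Path $WorkFolderPath -ChildPath $TranscriptFileName)

# Script start time; Write-Message uses it to print the elapsed time in every line.
$StartScriptTime = Get-Date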
#### FUNCTIONS ###
# Sending messages to console.
# Prints "<HH:mm:ss>|<elapsed> - <Message>", coloured by severity ("Info" uses the host default).
# Reads the script-scope $StartScriptTime to compute the elapsed time.
# Arguments: $Message  - text to print
#            $Severity - one of Info, Warning, Error, Success (default Info)
function Write-Message([string]$Message, [ValidateSet("Info","Warning","Error","Success")]$Severity="Info")
{
    # Colour per severity; hashtable keys are matched case-insensitively, like ValidateSet.
    $severityColor = @{
        "Warning" = "Yellow"
        "Error"   = "Red"
        "Success" = "Green"
    }

    [string]$stamp   = (Get-Date -Format "HH:mm:ss").Trim()
    [string]$elapsed = ((Get-Date) - $StartScriptTime)
    $line = "{0}|{1} - {2}" -f $stamp, $elapsed, $Message

    if ($severityColor.ContainsKey($Severity)) {
        Write-Host $line -ForegroundColor $severityColor[$Severity]
    } else {
        Write-Host $line
    }
}
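# Creates the Tier OU/group structure under the domain root and moves the built-in
# privileged groups into the Admins\Domain OU.
# Reads the script-scope $FQDN and fills the script-scope $ADGroupMapping entries
# ADManagers, ServerAdmins and WorkstationAdmins with "<SamAccountName>@<FQDN>".
# "Create" is not an approved PowerShell verb; the name is kept because the Process
# block calls the function by this name.
# Arguments: $DistinguishedName - DN of the domain root the structure is created under
function Create-ADTierStructure([string]$DistinguishedName)
{
    $adminsOu       = "OU=Admins,$DistinguishedName"
    $domainOu       = "OU=Domain,$adminsOu"
    $serversOu      = "OU=Servers,$adminsOu"
    $workstationsOu = "OU=Workstations,$adminsOu"

    Write-Message -Message "Creating OU structure"
    New-ADOrganizationalUnit -Name "Admins" -Path $DistinguishedName
    New-ADOrganizationalUnit -Name "Domain" -Path $adminsOu
    New-ADOrganizationalUnit -Name "Servers" -Path $adminsOu
    New-ADOrganizationalUnit -Name "Workstations" -Path $adminsOu

    Write-Message -Message "Creating Security Groups"
    # Settings shared by the three Tier groups.
    $groupDefaults = @{
        GroupCategory = 'Security'
        GroupScope    = 'Global'
        PassThru      = $true
    }
    # NOTE(review): unlike the built-in privileged groups, these new groups are not
    # AdminSDHolder-protected, so permissions delegated on the Admins OU tree are
    # inherited by them - review the OU ACLs before delegating anything there.
    $group = New-ADGroup @groupDefaults -Name "AD Managers" -SamAccountName "AD Managers" -DisplayName "AD Managers" -Path $domainOu -Description "Group for managing un-privileged accounts in AD."
    $ADGroupMapping.ADManagers = "$($group.SamAccountName)@$FQDN"
    $group = New-ADGroup @groupDefaults -Name "Server Admins" -SamAccountName "Server Admins" -DisplayName "Server Admins" -Path $serversOu -Description "Managing servers in TIER 1"
    $ADGroupMapping.ServerAdmins = "$($group.SamAccountName)@$FQDN"
    $group = New-ADGroup @groupDefaults -Name "Workstation Admins" -SamAccountName "Workstation Admins" -DisplayName "Workstation Admins" -Path $workstationsOu -Description "Managing workstations TIER 2"
    $ADGroupMapping.WorkstationAdmins = "$($group.SamAccountName)@$FQDN"

    Write-Message -Message "Moving privileged grups to Admin\Domain OU."
    # Resolve the built-in groups by their well-known RID instead of the English display
    # name, so the move also works where the groups are localized or were renamed.
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Domain Admins (RID 512)
    Get-ADGroup -Identity "$domainSid-512" | Move-ADObject -TargetPath $domainOu
    # Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the forest
    # root domain; with $ErrorActionPreference = "Stop" the lookup would abort the script
    # in a child domain, so they are skipped there with a warning.
    if ((Get-ADForest).RootDomain -eq $FQDN) {
        Get-ADGroup -Identity "$domainSid-519" | Move-ADObject -TargetPath $domainOu
        Get-ADGroup -Identity "$domainSid-518" | Move-ADObject -TargetPath $domainOu
    } else {
        Write-Message -Message "Not the forest root domain - Enterprise Admins and Schema Admins are not moved." -Severity Warning
    }
}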
#### FUNCTIONS END ###
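# Find the domain FQDN and distinguished name. Both are read by Create-ADTierStructure and
# by the Process block. (Despite the message text, the NetBIOS name is not retrieved.)
Write-Message -Message "Finding FQDN and NetBIOS name"
# One Get-ADDomain call serves both values instead of two round trips to a DC.
$adDomain = Get-ADDomain
$FQDN = $adDomain.DNSRoot
$DistinguishedName = $adDomain.DistinguishedName
Write-Message -Message ('FQDN is: {0} and DistinguishedName is: {1}' -f $FQDN, $DistinguishedName)

#### VARIABLES ####
# Role -> "<SamAccountName>@<FQDN>" of the group filling that role. The three empty
# entries are filled later, either by Create-ADTierStructure or by the manual prompts
# in the Process block.
# NOTE(review): the three preset names are the English defaults and may not match a
# localized or renamed domain - confirm against the consumer of this mapping.
$ADGroupMapping = @{
    "ServerAdmins"      = ""
    "WorkstationAdmins" = ""
    "ADManagers"        = ""
    "Administrator"     = "Administrator@$FQDN"
    "DomainAdmins"      = "Domain Admins@$FQDN"
    "EnterpriseAdmins"  = "Enterprise Admins@$FQDN"
}
#### END VARIABLES ####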
}
Process
{
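# Prompts (in yellow, on one line) until the operator names an AD group that exists and
# returns the SamAccountName that was entered. Shared by the three manual-mapping prompts.
# Arguments: $Prompt - text shown to the operator
function Read-ExistingADGroupName([string]$Prompt)
{
    do {
        $name = $(Write-Host $Prompt -ForegroundColor Yellow -NoNewline; Read-Host)
        # -Filter returns nothing (not an error) for an unknown group, so the loop is not
        # aborted by $ErrorActionPreference = "Stop". $null goes on the left so the
        # comparison is not turned into a filter should a collection ever come back.
        $found = Get-ADGroup -Filter {SamAccountName -eq $name}
        if ($null -eq $found) {
            Write-Message -Message ("Group {0} doesn't exist" -f $name) -Severity Error
        }
    } until ($null -ne $found)
    return $name
}

Write-Host "Example:
fqdn.contoso.com/
├─ Admins/
│ ├─ Domain/
│ │ ├─ AD Managers
│ ├─ Servers/
│ │ ├─ Server Admins
│ ├─ Workstations/
│ │ ├─ Workstation Admins
├─ .../
├─ .../
├─ Computers/"

# Ask until an unambiguous yes/no answer is given. switch compares strings
# case-insensitively, so "Y" and "y" both match.
$createDefaultADStructure = $null
do {
    $answer = $(Write-Host "Do you want to import default OU and Security Groups structure? [Y/N] " -ForegroundColor Yellow -NoNewline; Read-Host)
    switch ($answer) {
        "y" { $createDefaultADStructure = $true }
        "n" { $createDefaultADStructure = $false }
    }
} until ($createDefaultADStructure -is [bool])

if ($createDefaultADStructure) {
    Write-Message -Message "Generating OU a Security Groups structure"
    Create-ADTierStructure -DistinguishedName $DistinguishedName
} else {
    Write-Message -Message "Manual Security Group mapping choosen"
    # Every role is verified against AD before it is accepted, so the mapping never
    # points at a group that does not exist.
    Write-Message -Message "Getting group name for Server Admins"
    $ADGroupMapping.ServerAdmins = "{0}@{1}" -f (Read-ExistingADGroupName "Enter SamAccount name of group for SERVER ADMINS: "), $FQDN

    Write-Message -Message "Getting group name for Workstation Admins"
    $ADGroupMapping.WorkstationAdmins = "{0}@{1}" -f (Read-ExistingADGroupName "Enter SamAccount name of group for WORKSTATION ADMINS: "), $FQDN

    Write-Message -Message "Getting group name for AD Managers"
    $ADGroupMapping.ADManagers = "{0}@{1}" -f (Read-ExistingADGroupName "Enter SamAccount name of group for AD MANAGERS: "), $FQDN
}

# DEBUG: emit the resolved mapping to the pipeline so it is visible when the script is
# run interactively.
$ADGroupMapping

# TODO
#- rewrite the values in the migration table
#- import the GPO and ask for the names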
}
End
{
# Stop the transcript and pass its closing message through Write-Message so it is
# printed with the usual time stamp.
$transcriptSummary = Stop-Transcript
Write-Message -Message $transcriptSummary
}