Public/MngPrivilegedAccount/Set-AdAclMngPrivilegedAccount.ps1
|
Function Set-AdAclMngPrivilegedAccount { <# .Synopsis The function will delegate the permission for a group to Managed Privileged Accounts .DESCRIPTION The function will delegate the permission for a group to Managed Privileged Accounts by modifying the AdminSdHolder .EXAMPLE Set-AdAclMngPrivilegedAccount -Group "SL_PUM" .EXAMPLE Set-AdAclMngPrivilegedAccount -Group "SL_PUM" -RemoveRule .PARAMETER Group Identity of the group getting the delegation. .PARAMETER RemoveRule [SWITCH] If present, the access rule will be removed .NOTES Used Functions: Name | Module ---------------------------------------|-------------------------- Set-AclConstructor5 | EguibarIT.DelegationPS Get-AttributeSchemaHashTable | EguibarIT.DelegationPS Get-ExtendedRightHashTable | EguibarIT.DelegationPS .NOTES Version: 1.2 DateModified: 07/Dec/2016 LasModifiedBy: Vicente Rodriguez Eguibar vicente@eguibar.com Eguibar Information Technology S.L. http://www.eguibarit.com #> [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')] [OutputType([void])] Param ( # PARAM1 Delegated Group Name [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identity of the group getting the delegation, usually a DomainLocal group.', Position = 0)] [ValidateNotNullOrEmpty()] [Alias('IdentityReference', 'Identity', 'Trustee', 'GroupID')] $Group, # PARAM3 SWITCH If present, the access rule will be removed. [Parameter(Mandatory = $false, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, HelpMessage = 'If present, the access rule will be removed.', Position = 1)] [ValidateNotNullOrEmpty()] [Switch] $RemoveRule ) Begin { $txt = ($Variables.HeaderDelegation -f (Get-Date).ToShortDateString(), $MyInvocation.Mycommand, (Get-FunctionDisplay -HashTable $PsBoundParameters -Verbose:$False) ) Write-Verbose -Message $txt ############################## # Module imports ############################## # Variables Definition [Hashtable]$Splat = [hashtable]::New([StringComparer]::OrdinalIgnoreCase) Write-Verbose -Message 'Checking variable $Variables.GuidMap. In case is empty a function is called to fill it up.' Get-AttributeSchemaHashTable Write-Verbose -Message 'Checking variable $Variables.ExtendedRightsMap. In case is empty a function is called to fill it up.' Get-ExtendedRightHashTable # Verify Group exist and return it as Microsoft.ActiveDirectory.Management.AdGroup $CurrentGroup = Get-AdObjectType -Identity $PSBoundParameters['Group'] } #end Begin Process { <# dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":RPWP;member dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":CA;"Reset Password" dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":RPWP;lockoutTime dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":RPWP;pwdLastSet dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":RPWP;userAccountControl dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":CA;"Change Password" dsacls "CN=AdminSDHolder,CN=System,DC=EguibarIT,DC=local" /G "EguibarIT\SL_PUM":RPWP;lockoutTime #> <# ACE number: 1 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow ObjectType : member [AttributeSchema] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.GuidMap['member'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for member?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for member?')) { Set-AclConstructor5 @Splat } #end If <# ACE number: 2 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow ObjectType : lockoutTime [AttributeSchema] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.GuidMap['lockoutTime'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for lockoutTime?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for lockoutTime?')) { Set-AclConstructor5 @Splat } #end If <# ACE number: 3 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow ObjectType : userAccountControl [AttributeSchema] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.GuidMap['userAccountControl'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for userAccountControl?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for userAccountControl?')) { Set-AclConstructor5 @Splat } #end If <# ACE number: 4 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow ObjectType : pwdLastSet [AttributeSchema] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.GuidMap['pwdLastSet'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for pwdLastSet?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for pwdLastSet?')) { Set-AclConstructor5 @Splat } #end If <# ACE number: 5 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ExtendedRight AccessControlType : Allow ObjectType : Reset Password [ExtendedRight] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.ExtendedRightsMap['Reset Password'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for Reset Password?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for Reset Password?')) { Set-AclConstructor5 @Splat } #end If <# ACE number: 6 -------------------------------------------------------- IdentityReference : XXX ActiveDirectoryRights : ExtendedRight AccessControlType : Allow ObjectType : Change Password [ExtendedRight] InheritanceType : None InheritedObjectType : GuidNULL IsInherited = False #> $Splat = @{ Id = $CurrentGroup LDAPPath = 'CN=AdminSDHolder,CN=System,{0}' -f $Variables.defaultNamingContext AdRight = 'ReadProperty', 'WriteProperty' AccessControlType = 'Allow' ObjectType = $Variables.ExtendedRightsMap['Change Password'] AdSecurityInheritance = 'None' } # Check if RemoveRule switch is present. If ($PSBoundParameters['RemoveRule']) { if ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Remove permissions for Change Password?')) { # Add the parameter to remove the rule $Splat.Add('RemoveRule', $true) } #end If } #end If If ($Force -or $PSCmdlet.ShouldProcess($PSBoundParameters['Group'], 'Delegate the permissions for Change Password?')) { Set-AclConstructor5 @Splat } #end If } #end Process End { if ($RemoveRule) { Write-Verbose ('Permissions removal process completed for group: {0}' -f $PSBoundParameters['Group']) } else { Write-Verbose ('Permissions delegation process completed for group: {0} ' -f $PSBoundParameters['Group']) } #end If-Else $txt = ($Variables.FooterDelegation -f $MyInvocation.InvocationName, 'delegating management of Privileged Accounts (AdminSDHolder).' ) Write-Verbose -Message $txt } #end END } |