
# Delegate Local Administrator Password Solution (LAPS)
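function Set-AdAclLaps {
    <#
        .SYNOPSIS
            Wrapper for all rights used for LAPS on a given container.
        .DESCRIPTION
            The function will consolidate all rights used for LAPS on a given container.
            It grants the computer objects under LDAPPath SELF write permission on the
            LAPS attributes, grants ReadGroup the right to READ the managed password and
            grants ResetGroup the right to RESET (expire) the managed password.
            Which cmdlet family is used depends on the attributes present in the schema
            (see $Variables.GuidMap below): AdmPwd.PS for legacy LAPS and the LAPS
            module for Windows LAPS. An error is raised only if neither is available.
            Because this function changes who can read local administrator passwords,
            it supports -WhatIf / -Confirm.
        .EXAMPLE
            Set-AdAclLaps -ResetGroup "SG_SiteAdmins_XXXX" -ReadGroup "SG_GalAdmins_XXXX" -LDAPPath "OU=Users,OU=XXXX,OU=Sites,DC=EguibarIT,DC=local"
        .EXAMPLE
            Set-AdAclLaps -ResetGroup "SG_SiteAdmins_XXXX" -ReadGroup "SG_GalAdmins_XXXX" -LDAPPath "OU=Users,OU=XXXX,OU=Sites,DC=EguibarIT,DC=local" -RemoveRule
        .PARAMETER ReadGroup
            Identity of the group that will be able to READ the password.
        .PARAMETER ResetGroup
            Identity of the group that will be able to RESET the password.
        .PARAMETER LDAPPath
            Distinguished Name of the OU where LAPS will apply to computer objects.
        .PARAMETER RemoveRule
            If present, the access rule will be removed.
            Removal is not implemented by this function yet: when the switch is present
            no rights are granted, a warning is written and existing rights are left
            unchanged (previously the switch was silently ignored and rights were
            granted anyway).
        .OUTPUTS
            None. Rights are applied through the AdmPwd.PS / LAPS cmdlets.
        .NOTES
            Used Functions:
                Name | Module
                Set-AdmPwdComputerSelfPermission | EguibarIT.DelegationPS
                Set-AdmPwdReadPasswordPermission | EguibarIT.DelegationPS
                Set-AdmPwdResetPasswordPermission | EguibarIT.DelegationPS
                Get-AttributeSchemaHashTable | EguibarIT.DelegationPS
                Get-CurrentErrorToDisplay | EguibarIT
                Get-FunctionDisplay | EguibarIT
                Set-AdmPwdComputerSelfPermission | AdmPwd.PS
                Set-AdmPwdReadPasswordPermission | AdmPwd.PS
                Set-AdmPwdResetPasswordPermission | AdmPwd.PS
            Version: 1.0
            DateModified: 19/Oct/2016
            LasModifiedBy: Vicente Rodriguez Eguibar
                Eguibar Information Technology S.L.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    Param (
        # PARAM1 STRING for the Delegated Group Name
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true,
            HelpMessage = 'Identity of the group getting being able to READ the password.',
            Position = 0)]
        [string]
        $ReadGroup,

        # PARAM2 STRING for the Delegated Group Name
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true,
            HelpMessage = 'Identity of the group getting being able to RESET the password.',
            Position = 1)]
        [string]
        $ResetGroup,

        # PARAM3 Distinguished Name of the OU where given group can read the computer password
        # Validated as a DN before anything touches AD so a malformed/unexpected path is rejected early.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true,
            HelpMessage = 'Distinguished Name of the OU where LAPS will apply to computer object',
            Position = 2)]
        [validateScript({ Test-IsValidDN -ObjectDN $_ })]
        [Alias('DN', 'DistinguishedName')]
        [string]
        $LDAPPath,

        # PARAM4 SWITCH If present, the access rule will be removed.
        [Parameter(Mandatory = $false, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true,
            HelpMessage = 'If present, the access rule will be removed.',
            Position = 3)]
        [switch]
        $RemoveRule
    )

    begin {
        Write-Verbose -Message '|=> ************************************************************************ <=|'
        Write-Verbose -Message (Get-Date).ToShortDateString()
        Write-Verbose -Message (' Starting: {0}' -f $MyInvocation.Mycommand)
        Write-Verbose -Message ('Parameters used by the function... {0}' -f (Get-FunctionDisplay $PsBoundParameters -Verbose:$False))

        # Both LAPS flavours are loaded; which one is actually used is decided in Process
        # from the schema attributes present.
        Import-MyModule -name 'AdmPwd.PS' -Force -Verbose:$false
        Import-MyModule -name 'LAPS' -Force -Verbose:$false
        Import-MyModule -name 'EguibarIT.DelegationPS' -Force -Verbose:$false

        # Variables Definition


        # Resolve both groups up front. Get-AdObjectType is expected to return an object
        # exposing .SID (used by the Windows LAPS cmdlets below).
        $currentResetGroup = Get-AdObjectType -Identity $PSBoundParameters['ResetGroup']
        $currentReadGroup = Get-AdObjectType -Identity $PSBoundParameters['ReadGroup']

        # Never hand a null principal to the permission cmdlets: a typo in a group name
        # must fail loudly rather than produce an ACE for an unresolved identity.
        if ($null -eq $currentReadGroup -or $null -eq $currentResetGroup) {
            throw ('Set-AdAclLaps: unable to resolve ReadGroup "{0}" or ResetGroup "{1}". No LAPS rights were delegated.' -f $PSBoundParameters['ReadGroup'], $PSBoundParameters['ResetGroup'])
        } #end If

    } #end Begin

    Process {

        # -RemoveRule is not implemented. Bail out here so a caller asking for removal
        # never ends up GRANTING read/reset rights instead.
        if ($RemoveRule) {
            Write-Warning -Message 'Set-AdAclLaps: -RemoveRule is not implemented. No LAPS rights were changed on the given container.'
            return
        } #end If

        # NOTE(review): $Variables.GuidMap is assumed to be populated by the module
        # (Get-AttributeSchemaHashTable per the notes) before this function runs — confirm.
        # NOTE(review): ms-Mcs-AdmPwdExpirationTime is also a legacy LAPS schema attribute;
        # confirm it is the intended key for detecting the Windows LAPS schema extension.
        $hasLegacyLaps = [bool]$Variables.GuidMap['ms-Mcs-AdmPwd']
        $hasWindowsLaps = [bool]$Variables.GuidMap['ms-Mcs-AdmPwdExpirationTime']

        # Only fail when NO supported LAPS schema is present; a single-flavour
        # environment is normal and must not raise an error for the absent one.
        if (-not $hasLegacyLaps -and -not $hasWindowsLaps) {
            Write-Error -Message 'Not Implemented. Schema does not contain the required attributes for legacy LAPS or Windows LAPS.'
            return
        } #end If

        Write-Verbose -Message 'LAPS is supported on this environment. We can proceed to configure it.'

        if (-not $PSCmdlet.ShouldProcess($PSBoundParameters['LDAPpath'], 'Delegate LAPS computer SELF, READ and RESET password rights')) {
            return
        } #end If

        if ($hasLegacyLaps) {
            # AdmPwd.PS CMDlets
            Set-AdmPwdComputerSelfPermission -LDAPpath $PSBoundParameters['LDAPpath']
            Set-AdmPwdReadPasswordPermission -Group $currentReadGroup -LDAPpath $PSBoundParameters['LDAPpath']
            Set-AdmPwdResetPasswordPermission -Group $currentResetGroup -LDAPpath $PSBoundParameters['LDAPpath']
        } else {
            Write-Verbose -Message 'Not Implemented. Schema does not contains the required attributes for legacy LAPS.'
        } #end If-Else

        if ($hasWindowsLaps) {
            # LAPS CMDlets
            Set-LapsADComputerSelfPermission -Identity $PSBoundParameters['LDAPpath']
            Set-LapsADReadPasswordPermission -AllowedPrincipals $currentReadGroup.SID -Identity $PSBoundParameters['LDAPpath']
            Set-LapsADResetPasswordPermission -AllowedPrincipals $currentResetGroup.SID -Identity $PSBoundParameters['LDAPpath']
        } else {
            Write-Verbose -Message 'Not Implemented. Schema does not contains the required attributes for new Windows LAPS.'
        } #end If-Else
    } #end Process

    End {
        Write-Verbose -Message "Function $($MyInvocation.InvocationName) finished delegating LAPS Admin."
        Write-Verbose -Message ''
        Write-Verbose -Message '-------------------------------------------------------------------------------'
        Write-Verbose -Message ''
    } #end End

} #end Function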