Public/New-ExchangeObject.ps1

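Function New-ExchangeObject {
    <#
      .SYNOPSIS
      Create Exchange Objects and Containers
      .DESCRIPTION
      Create the Exchange OU structure and objects used to manage
      this organization by following the defined Delegation Model.

      Naming conventions, OU names and group names are read from the
      configuration XML (or from a $confXML variable that is already
      visible when the function runs). The function then creates the
      Exchange admin OUs under the IT Admin OU, the Exchange server OUs
      under the Servers OU, the Exchange admin groups, nests those groups
      into the existing delegation groups and applies the ACL delegations
      and baseline GPOs for the server OUs.
      .PARAMETER ConfigXMLFile
      Full path to the configuration.xml file. Only read when no $confXML
      variable is already visible; otherwise the existing value is used.
      .PARAMETER DMscripts
      Path to all the scripts and files needed by this function.
      Default value is "C:\PsScripts\".
      .EXAMPLE
      New-ExchangeObject -ConfigXMLFile 'C:\PsScripts\Config.xml'
      .INPUTS
      System.String. Both parameters accept pipeline input (by value and
      by property name).
      .OUTPUTS
      None.
      .NOTES
      Version: 1.0
      DateModified: 19/Apr/2016
      LastModifiedBy: Vicente Rodriguez Eguibar
      vicente@eguibar.com
      Eguibar Information Technology S.L.
      http://www.eguibarit.com
  #>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    [OutputType([void])]

    Param(
        # PARAM1 full path to the configuration.xml file
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $True,
            ValueFromPipelineByPropertyName = $True,
            ValueFromRemainingArguments = $false,
            HelpMessage = 'Full path to the configuration.xml file',
            Position = 0)]
        [string]
        $ConfigXMLFile,

        # Param2 Location of all scripts & files
        [Parameter(Mandatory = $false,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            ValueFromRemainingArguments = $false,
            HelpMessage = 'Path to all the scripts and files needed by this function',
            Position = 1)]
        [PSDefaultValue(Help = 'Default Value is "C:\PsScripts\"')]
        [string]
        $DMscripts = 'C:\PsScripts\'
    )

    Begin {
        $error.Clear()

        $txt = ($Constants.Header -f
            (Get-Date).ToShortDateString(),
            $MyInvocation.Mycommand,
            (Get-FunctionDisplay $PsBoundParameters -Verbose:$False)
        )
        Write-Verbose -Message $txt

        ##############################
        # Module imports

        Import-Module -Name ServerManager -SkipEditionCheck -Force -Verbose:$false | Out-Null
        Import-Module -Name ActiveDirectory -SkipEditionCheck -Force -Verbose:$false | Out-Null
        Import-Module -Name GroupPolicy -SkipEditionCheck -Force -Verbose:$false | Out-Null
        Import-Module -Name EguibarIT.DelegationPS -SkipEditionCheck -Force -Verbose:$false | Out-Null

        ##############################
        # Variables Definition

        # The configuration XML is trusted input: every OU name, group name
        # and delegation target created below comes from it, so it must be
        # protected with the same care as the delegation model itself.
        try {
            # Only load the file when no $confXML variable is already visible
            # (for example pre-loaded by the calling script).
            If (-Not (Test-Path -Path variable:confXML)) {
                If (Test-Path -Path $PSBoundParameters['ConfigXMLFile']) {
                    # -ErrorAction Stop so a read failure reaches the catch block
                    # instead of silently leaving $confXML empty.
                    $confXML = [xml](Get-Content -Path $PSBoundParameters['ConfigXMLFile'] -ErrorAction Stop)
                } else {
                    # Previously a missing file was ignored and every lookup
                    # below would have produced empty names; fail early instead.
                    throw ('Configuration file not found: {0}' -f $PSBoundParameters['ConfigXMLFile'])
                } #end if-else
            } #end if
        } catch {
            Write-Error -Message 'Error when reading XML file'
            throw
        }

        # Naming conventions hashtable
        $NC = @{'sl' = $confXML.n.NC.LocalDomainGroupPreffix
            'sg'     = $confXML.n.NC.GlobalGroupPreffix
            'su'     = $confXML.n.NC.UniversalGroupPreffix
            'Delim'  = $confXML.n.NC.Delimiter
            'T0'     = $confXML.n.NC.AdminAccSufix0
            'T1'     = $confXML.n.NC.AdminAccSufix1
            'T2'     = $confXML.n.NC.AdminAccSufix2
        }

        # Organizational Units Distinguished Names

        # IT Admin OU
        New-Variable -Name 'ItAdminOu' -Value $confXML.n.Admin.OUs.ItAdminOU.name -Option ReadOnly -Force
        # IT Admin OU Distinguished Name
        New-Variable -Name 'ItAdminOuDn' -Value ('OU={0},{1}' -f $ItAdminOu, $Variables.AdDn) -Option ReadOnly -Force

        # It Privileged Groups OU
        $ItPGOu = $confXML.n.Admin.OUs.ItPrivGroupsOU.name
        # It Privileged Groups OU Distinguished Name
        $ItPGOuDn = 'OU={0},{1}' -f $ItPGOu, $ItAdminOuDn

        # It Admin Rights OU
        $ItRightsOu = $confXML.n.Admin.OUs.ItRightsOU.name
        # It Admin Rights OU Distinguished Name
        $ItRightsOuDn = 'OU={0},{1}' -f $ItRightsOu, $ItAdminOuDn

        # It Admin Exchange OU
        $ItExchangeOu = $confXML.n.AdminXtra.OUs.ItExchangeOU.name
        # It Admin Exchange OU Distinguished Name
        $ItExchangeOuDn = 'OU={0},{1}' -f $ItExchangeOu, $ItAdminOuDn

        # It Admin Exchange Distribution Groups OU
        $ItExDistGroupsOu = $confXML.n.AdminXtra.OUs.ItExDistGroups.name
        # It Admin Exchange Distribution Groups OU Distinguished Name
        $ItExDistGroupsOuDn = 'OU={0},{1}' -f $ItExDistGroupsOu, $ItExchangeOuDn

        # It Admin Exchange External Contacts OU (only the name is needed; it is
        # created under $ItExchangeOuDn but nothing is delegated on it here)
        $ItExExternalContactOu = $confXML.n.AdminXtra.OUs.ItExExternalContact.name

        # It Admin Exchange Resource OU
        $ItExResourceOu = $confXML.n.AdminXtra.OUs.ItExResource.name

        # It Admin Exchange Shared OU
        $ItExSharedOu = $confXML.n.AdminXtra.OUs.ItExShared.name

        # It Admin Exchange Equipment OU
        $ItExEquipOu = $confXML.n.AdminXtra.OUs.ItExEquip.name

        # Servers OU
        $ServersOu = $confXML.n.Servers.OUs.ServersOU.name
        # Servers OU Distinguished Name
        $ServersOuDn = 'OU={0},{1}' -f $ServersOu, $Variables.AdDn

        # Exchange Servers
        $ExServersOu = $confXML.n.Servers.OUs.ExchangeOU.Name
        # Exchange Servers Distinguished Name
        $ExServersOuDn = 'OU={0},{1}' -f $ExServersOu, $ServersOuDn

        # Exchange CAS Servers
        $ExCasOu = $confXML.n.Servers.OUs.ExCasOU.Name
        # Exchange CAS Servers Distinguished Name
        $ExCasOuDn = 'OU={0},{1}' -f $ExCasOu, $ExServersOuDn

        # Exchange HUB Servers
        $ExHubOu = $confXML.n.Servers.OUs.ExHubOU.Name
        # Exchange HUB Servers Distinguished Name
        $ExHubOuDn = 'OU={0},{1}' -f $ExHubOu, $ExServersOuDn

        # Exchange EDGE Servers
        $ExEdgeOu = $confXML.n.Servers.OUs.ExEdgeOU.Name
        # Exchange EDGE Servers Distinguished Name
        $ExEdgeOuDn = 'OU={0},{1}' -f $ExEdgeOu, $ExServersOuDn

        # Exchange MAILBOX Servers
        $ExMailboxOu = $confXML.n.Servers.OUs.ExMailboxOU.Name
        # Exchange MAILBOX Servers Distinguished Name
        $ExMailboxOuDn = 'OU={0},{1}' -f $ExMailboxOu, $ExServersOuDn

        # Exchange MIXED ROLE Servers
        $ExMixedOu = $confXML.n.Servers.OUs.ExMixedRolOU.Name
        # Exchange MIXED ROLE Servers Distinguished Name
        $ExMixedOuDn = 'OU={0},{1}' -f $ExMixedOu, $ExServersOuDn

        # All Exchange server OUs that receive the same computer delegations,
        # parent first. Order is kept identical to the former explicit calls.
        $ExServerOuDns = @(
            $ExServersOuDn,
            $ExCasOuDn,
            $ExHubOuDn,
            $ExEdgeOuDn,
            $ExMailboxOuDn,
            $ExMixedOuDn
        )

        # Quarantine OU
        $ItQuarantineOu = $confXML.n.Admin.OUs.ItNewComputersOU.name
        # Quarantine OU Distinguished Name
        $ItQuarantineOuDn = 'OU={0},{1}' -f $ItQuarantineOu, $Variables.AdDn

    } #end Begin

    Process {
        # SupportsShouldProcess is declared, so honour -WhatIf / -Confirm for
        # the whole run; none of the helper calls below is guarded on its own.
        If (-Not $PSCmdlet.ShouldProcess($Variables.AdDn, 'Create Exchange OUs, groups and delegations')) {
            return
        }

        ###############################################################################
        # Create Sub-OUs for admin

        New-DelegateAdOU -ouName $ItExchangeOu -ouPath $ItAdminOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExchangeOU.Description

        ###############################################################################
        # Create Sub-Sub-OUs
        New-DelegateAdOU -ouName $ItExDistGroupsOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExDistGroups.Description
        New-DelegateAdOU -ouName $ItExExternalContactOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExExternalContact.Description
        New-DelegateAdOU -ouName $ItExResourceOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExResource.Description
        New-DelegateAdOU -ouName $ItExSharedOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExShared.Description
        New-DelegateAdOU -ouName $ItExEquipOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExEquip.Description

        ###############################################################################
        # Create OU Admin groups
        # Global group holding the Exchange administrators (role group).
        $parameters = @{
            Name                          = '{0}{1}{2}' -f $NC['sg'], $NC['Delim'], $confXML.n.AdminXtra.GG.ExAdmins.Name
            GroupCategory                 = 'Security'
            GroupScope                    = 'Global'
            DisplayName                   = $confXML.n.AdminXtra.GG.ExAdmins.DisplayName
            Path                          = $ItPGOuDn
            Description                   = $confXML.n.AdminXtra.GG.ExAdmins.Description
            ProtectFromAccidentalDeletion = $True
            RemoveAccountOperators        = $True
            RemoveEveryone                = $True
            RemovePreWin2000              = $True
        }
        $SG_ExAdmins = New-AdDelegatedGroup @parameters

        # Domain-local group that is the actual ACE holder for Exchange rights;
        # the role group above is nested into it further down.
        $parameters = @{
            Name                          = '{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.AdminXtra.LG.ExRight.Name
            GroupCategory                 = 'Security'
            GroupScope                    = 'DomainLocal'
            DisplayName                   = $confXML.n.AdminXtra.LG.ExRight.DisplayName
            Path                          = $ItRightsOuDn
            Description                   = $confXML.n.AdminXtra.LG.ExRight.Description
            ProtectFromAccidentalDeletion = $True
            RemoveAccountOperators        = $True
            RemoveEveryone                = $True
            RemovePreWin2000              = $True
        }
        $SL_ExRight = New-AdDelegatedGroup @parameters

        ###############################################################################
        # Apply the existing admin Fine Grained Password Policy (PSO) to the
        # new groups so their members get the stricter admin password rules.
        Add-ADFineGrainedPasswordPolicySubject -Identity $confXML.n.Admin.PSOs.ItAdminsPSO.Name -Subjects $SG_ExAdmins.SamAccountName, $SL_ExRight.SamAccountName

        ###############################################################################
        # Nest Groups - Security for RODC
        # Avoid having privileged or semi-privileged groups copy to RODC

        Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $SG_ExAdmins, $SL_ExRight


        ###############################################################################
        # Nest Groups - Extend Rights

        Add-AdGroupNesting -Identity $SG_ExAdmins -Members ('{0}{1}{2}' -f $NC['sg'], $NC['Delim'], $confXML.n.Admin.GG.InfraAdmins.Name)
        Add-AdGroupNesting -Identity $SL_ExRight -Members $SG_ExAdmins

        ###############################################################################
        # START Delegation to SL_InfraRights group on ADMIN area

        $SL_InfraRight = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.InfraRight.Name)
        $SL_AdRight = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.AdRight.Name)
        $SL_PGM = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.PGM.Name)

        # Administration OU - create/delete distribution groups
        Set-AdAclCreateDeleteGroup -Group $SL_InfraRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn
        Set-AdAclCreateDeleteGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItExDistGroupsOuDn
        Set-AdAclCreateDeleteGroup -Group $SL_ExRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn

        ###############################################################################
        # START Delegation to SL_AdRights group on ADMIN area

        # Administration OU - modify distribution groups
        Set-AdAclChangeGroup -Group $SL_AdRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn
        Set-AdAclChangeGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItExDistGroupsOuDn
        Set-AdAclChangeGroup -Group $SL_ExRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn

        ###############################################################################
        # Create Servers and Sub OUs
        # Create Sub-Sub-OUs for Exchange
        New-DelegateAdOU -ouName $ExServersOu -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.ExchangeOU.Description
        New-DelegateAdOU -ouName $ExCasOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExCasOU.Description
        New-DelegateAdOU -ouName $ExHubOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExHubOU.Description
        New-DelegateAdOU -ouName $ExEdgeOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExEdgeOU.Description
        New-DelegateAdOU -ouName $ExMailboxOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExMailboxOU.Description
        New-DelegateAdOU -ouName $ExMixedOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExMixedRolOU.Description

        ###############################################################################
        # START Delegation to SL_InfraRights group on SERVERS area

        # Servers OU
        # Create/Delete Computers (quarantine OU receives the computer objects
        # moved out of these OUs by the delegated helper).
        ForEach ($ComputerAdminGroup in @($SL_InfraRight.SamAccountName, $SL_ExRight.SamAccountName)) {
            ForEach ($OuDn in $ExServerOuDns) {
                Set-AdAclDelegateComputerAdmin -Group $ComputerAdminGroup -LDAPPath $OuDn -QuarantineDN $ItQuarantineOuDn
            } #end foreach
        } #end foreach

        ###############################################################################
        # START Delegation to SL_AdRights group

        # Servers OU
        # Change Public Info
        ForEach ($InfoGroup in @($SL_AdRight.SamAccountName, $SL_ExRight.SamAccountName)) {
            ForEach ($OuDn in $ExServerOuDns) {
                Set-AdAclComputerPublicInfo -Group $InfoGroup -LDAPPath $OuDn
            } #end foreach
        } #end foreach

        # Change Personal Info
        ForEach ($InfoGroup in @($SL_AdRight.SamAccountName, $SL_ExRight.SamAccountName)) {
            ForEach ($OuDn in $ExServerOuDns) {
                Set-AdAclComputerPersonalInfo -Group $InfoGroup -LDAPPath $OuDn
            } #end foreach
        } #end foreach

        ###############################################################################
        # Create basic GPOs for different types under Servers
        # The GPO description is built from the OU *name*; the EDGE entry used
        # to pass the OU DN, which produced a description containing the whole DN.
        $GpoAdminGroup = '{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.GpoAdminRight.Name
        New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExCasOu) -gpoScope C -gpoLinkPath $ExCasOuDn -GpoAdmin $GpoAdminGroup
        New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExHubOu) -gpoScope C -gpoLinkPath $ExHubOuDn -GpoAdmin $GpoAdminGroup
        New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExMailboxOu) -gpoScope C -gpoLinkPath $ExMailboxOuDn -GpoAdmin $GpoAdminGroup
        New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExEdgeOu) -gpoScope C -gpoLinkPath $ExEdgeOuDn -GpoAdmin $GpoAdminGroup

        ###############################################################################
        # Import the security templates to the corresponding GPOs under Servers
        # (currently disabled; kept as the reference for the backup IDs and
        # template location under $DMscripts)

        # Configure Exchange ClientAccess GPO
        #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExCas.backupID -TargetName ('C-{0}-Baseline' -f $ExCasOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl)

        # Configure Exchange Hub GPO
        #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExHub.backupID -TargetName ('C-{0}-Baseline' -f $ExHubOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl)

        # Configure Mailbox GPO
        #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExMailbox.backupID -TargetName ('C-{0}-Baseline' -f $ExMailboxOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl)

        # Configure EDGE GPO
        #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExEdge.backupID -TargetName ('C-{0}-Baseline' -f $ExEdgeOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl)
    } #end Process

    End {
        $txt = ($Constants.Footer -f $MyInvocation.InvocationName,
            'creating Exchange containers and objects.'
        )
        Write-Verbose -Message $txt
    } #end End
} #end Function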