Public/New-ExchangeObject.ps1
|
Function New-ExchangeObject { <# .Synopsis Create Exchange Objects and Containers .DESCRIPTION Create the Exchange OU structure and objects used to manage this organization by following the defined Delegation Model. .EXAMPLE New-ExchangeObjects .INPUTS .NOTES Version: 1.0 DateModified: 19/Apr/2016 LasModifiedBy: Vicente Rodriguez Eguibar vicente@eguibar.com Eguibar Information Technology S.L. http://www.eguibarit.com #> [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')] [OutputType([void])] Param( # PARAM1 full path to the configuration.xml file [Parameter(Mandatory = $true, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True, ValueFromRemainingArguments = $false, HelpMessage = 'Full path to the configuration.xml file', Position = 0)] [string] $ConfigXMLFile, # Param2 Location of all scripts & files [Parameter(Mandatory = $false, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ValueFromRemainingArguments = $false, HelpMessage = 'Path to all the scripts and files needed by this function', Position = 1)] [PSDefaultValue(Help = 'Default Value is "C:\PsScripts\"')] [string] $DMscripts = 'C:\PsScripts\' ) Begin { $error.Clear() $txt = ($Variables.Header -f (Get-Date).ToShortDateString(), $MyInvocation.Mycommand, (Get-FunctionDisplay -HashTable $PsBoundParameters -Verbose:$False) ) Write-Verbose -Message $txt ############################## # Module imports Import-MyModule -Name 'ServerManager' -SkipEditionCheck -Verbose:$false Import-MyModule -Name 'ActiveDirectory' -Verbose:$false Import-MyModule -Name 'GroupPolicy' -SkipEditionCheck -Verbose:$false Import-MyModule -Name 'EguibarIT.DelegationPS' -Verbose:$false ############################## # Variables Definition try { # Check if Config.xml file is loaded. If not, proceed to load it. If (-Not (Test-Path -Path variable:confXML)) { # Check if the Config.xml file exist on the given path If (Test-Path -Path $PSBoundParameters['ConfigXMLFile']) { #Open the configuration XML file $confXML = [xml](Get-Content $PSBoundParameters['ConfigXMLFile']) } #end if } #end if } catch { Write-Error -Message 'Error when reading XML file' throw } # Naming conventions hashtable $NC = @{'sl' = $confXML.n.NC.LocalDomainGroupPreffix 'sg' = $confXML.n.NC.GlobalGroupPreffix 'su' = $confXML.n.NC.UniversalGroupPreffix 'Delim' = $confXML.n.NC.Delimiter 'T0' = $confXML.n.NC.AdminAccSufix0 'T1' = $confXML.n.NC.AdminAccSufix1 'T2' = $confXML.n.NC.AdminAccSufix2 } #('{0}{1}{2}{1}{3}' -f $NC['sg'], $NC['Delim'], $confXML.n.Admin.lg.PAWM, $NC['T0']) # SG_PAWM_T0 # Organizational Units Distinguished Names # IT Admin OU New-Variable -Name 'ItAdminOu' -Value $confXML.n.Admin.OUs.ItAdminOU.name -Option ReadOnly -Force # IT Admin OU Distinguished Name New-Variable -Name 'ItAdminOuDn' -Value ('OU={0},{1}' -f $ItAdminOu, $Variables.AdDn) -Option ReadOnly -Force # It Admin Groups OU #$ItGroupsOu = $confXML.n.Admin.OUs.ItAdminGroupsOU.name # It Admin Groups OU Distinguished Name #$ItGroupsOuDn = 'OU={0},{1}' -f $ItGroupsOu, $ItAdminOuDn # It Privileged Groups OU $ItPGOu = $confXML.n.Admin.OUs.ItPrivGroupsOU.name # It Privileged Groups OU Distinguished Name $ItPGOuDn = 'OU={0},{1}' -f $ItPGOu, $ItAdminOuDn # It Admin Rights OU $ItRightsOu = $confXML.n.Admin.OUs.ItRightsOU.name # It Admin Rights OU Distinguished Name $ItRightsOuDn = 'OU={0},{1}' -f $ItRightsOu, $ItAdminOuDn # It Admin Exchange OU $ItExchangeOu = $confXML.n.AdminXtra.OUs.ItExchangeOU.name # It Admin Exchange OU Distinguished Name $ItExchangeOuDn = 'OU={0},{1}' -f $ItExchangeOu, $ItAdminOuDn # It Admin Exchange Distribution Groups OU $ItExDistGroupsOu = $confXML.n.AdminXtra.OUs.ItExDistGroups.name # It Admin Exchange Distribution Groups OU Distinguished Name $ItExDistGroupsOuDn = 'OU={0},{1}' -f $ItExDistGroupsOu, $ItExchangeOuDn # It Admin Exchange External Contacts OU $ItExExternalContactOu = $confXML.n.AdminXtra.OUs.ItExExternalContact.name # It Admin Exchange External Contacts OU Distinguished Name #$ItExExternalContactOuDn = 'OU={0},{1}' -f $ItExExternalContactOu, $ItExchangeOuDn # It Admin Exchange Resource OU $ItExResourceOu = $confXML.n.AdminXtra.OUs.ItExResource.name # It Admin Exchange Resource OU Distinguished Name #$ItExResourceOuDn = 'OU={0},{1}' -f $ItExResourceOu, $ItExchangeOuDn # It Admin Exchange Shared OU $ItExSharedOu = $confXML.n.AdminXtra.OUs.ItExShared.name # It Admin Exchange Shared OU Distinguished Name #$ItExSharedOuDn = 'OU={0},{1}' -f $ItExSharedOu, $ItExchangeOuDn # It Admin Exchange Equipment OU $ItExEquipOu = $confXML.n.AdminXtra.OUs.ItExEquip.name # It Admin Exchange Equipment OU Distinguished Name #$ItExEquipOuDn = 'OU={0},{1}' -f $ItExEquipOu, $ItExchangeOuDn # Servers OU $ServersOu = $confXML.n.Servers.OUs.ServersOU.name # Servers OU Distinguished Name $ServersOuDn = 'OU={0},{1}' -f $ServersOu, $Variables.AdDn # Exchange Servers $ExServersOu = $confXML.n.Servers.OUs.ExchangeOU.Name # Exchange Servers Distinguished Name $ExServersOuDn = 'OU={0},{1}' -f $ExServersOu, $ServersOuDn # Exchange CAS Servers $ExCasOu = $confXML.n.Servers.OUs.ExCasOU.Name # Exchange CAS Servers Distinguished Name $ExCasOuDn = 'OU={0},{1}' -f $ExCasOu, $ExServersOuDn # Exchange HUB Servers $ExHubOu = $confXML.n.Servers.OUs.ExHubOU.Name # Exchange HUB Servers Distinguished Name $ExHubOuDn = 'OU={0},{1}' -f $ExHubOu, $ExServersOuDn # Exchange EDGE Servers $ExEdgeOu = $confXML.n.Servers.OUs.ExEdgeOU.Name # Exchange EDGE Servers Distinguished Name $ExEdgeOuDn = 'OU={0},{1}' -f $ExEdgeOu, $ExServersOuDn # Exchange MAILBOX Servers $ExMailboxOu = $confXML.n.Servers.OUs.ExMailboxOU.Name # Exchange MAILBOX Servers Distinguished Name $ExMailboxOuDn = 'OU={0},{1}' -f $ExMailboxOu, $ExServersOuDn # Exchange MIXED ROLE Servers $ExMixedOu = $confXML.n.Servers.OUs.ExMixedRolOU.Name # Exchange MIXED ROLE Servers Distinguished Name $ExMixedOuDn = 'OU={0},{1}' -f $ExMixedOu, $ExServersOuDn # Quarantine OU $ItQuarantineOu = $confXML.n.Admin.OUs.ItNewComputersOU.name # Quarantine OU Distinguished Name $ItQuarantineOuDn = 'OU={0},{1}' -f $ItQuarantineOu, $Variables.AdDn } #end Begin Process { ############################################################################### # Create Sub-OUs for admin New-DelegateAdOU -ouName $ItExchangeOu -ouPath $ItAdminOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExchangeOU.Description ############################################################################### # Create Sub-Sub-OUs New-DelegateAdOU -ouName $ItExDistGroupsOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExDistGroups.Description New-DelegateAdOU -ouName $ItExExternalContactOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExExternalContact.Description New-DelegateAdOU -ouName $ItExResourceOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExResource.Description New-DelegateAdOU -ouName $ItExSharedOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExShared.Description New-DelegateAdOU -ouName $ItExEquipOu -ouPath $ItExchangeOuDn -ouDescription $confXML.n.AdminXtra.OUs.ItExEquip.Description ############################################################################### # Create OU Admin groups $parameters = @{ Name = '{0}{1}{2}' -f $NC['sg'], $NC['Delim'], $confXML.n.AdminXtra.GG.ExAdmins.Name GroupCategory = 'Security' GroupScope = 'Global' DisplayName = $confXML.n.AdminXtra.GG.ExAdmins.DisplayName Path = $ItPGOuDn Description = $confXML.n.AdminXtra.GG.ExAdmins.Description ProtectFromAccidentalDeletion = $True RemoveAccountOperators = $True RemoveEveryone = $True RemovePreWin2000 = $True } $SG_ExAdmins = New-AdDelegatedGroup @parameters $parameters = @{ Name = '{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.AdminXtra.LG.ExRight.Name GroupCategory = 'Security' GroupScope = 'DomainLocal' DisplayName = $confXML.n.AdminXtra.LG.ExRight.DisplayName Path = $ItRightsOuDn Description = $confXML.n.AdminXtra.LG.ExRight.Description ProtectFromAccidentalDeletion = $True RemoveAccountOperators = $True RemoveEveryone = $True RemovePreWin2000 = $True } $SL_ExRight = New-AdDelegatedGroup @parameters ############################################################################### # Create a New Fine Grained Password Policy for Admins Accounts # and apply the PSO to the account () Add-ADFineGrainedPasswordPolicySubject -Identity $confXML.n.Admin.PSOs.ItAdminsPSO.Name -Subjects $SG_ExAdmins.SamAccountName, $SL_ExRight.SamAccountName ############################################################################### # Nest Groups - Security for RODC # Avoid having privileged or semi-privileged groups copy to RODC Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $SG_ExAdmins, $SL_ExRight ############################################################################### # Nest Groups - Extend Rights Add-AdGroupNesting -Identity $SG_ExAdmins -Members ('{0}{1}{2}' -f $NC['sg'], $NC['Delim'], $confXML.n.Admin.GG.InfraAdmins.Name) Add-AdGroupNesting -Identity $SL_ExRight -Members $SG_ExAdmins ############################################################################### # START Delegation to SL_InfraRights group on ADMIN area $SL_InfraRight = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.InfraRight.Name) $SL_AdRight = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.AdRight.Name) $SL_PGM = Get-ADGroup -Identity ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.PGM.Name) # Administration OU Set-AdAclCreateDeleteGroup -Group $SL_InfraRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn Set-AdAclCreateDeleteGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItExDistGroupsOuDn Set-AdAclCreateDeleteGroup -Group $SL_ExRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn ############################################################################### # START Delegation to SL_AdRights group on ADMIN area # Administration OU Set-AdAclChangeGroup -Group $SL_AdRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn Set-AdAclChangeGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItExDistGroupsOuDn Set-AdAclChangeGroup -Group $SL_ExRight.SamAccountName -LDAPPath $ItExDistGroupsOuDn ############################################################################### # Create Servers and Sub OUs # Create Sub-Sub-OUs for Exchange New-DelegateAdOU -ouName $ExServersOu -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.ExchangeOU.Description New-DelegateAdOU -ouName $ExCasOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExCasOU.Description New-DelegateAdOU -ouName $ExHubOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExHubOU.Description New-DelegateAdOU -ouName $ExEdgeOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExEdgeOU.Description New-DelegateAdOU -ouName $ExMailboxOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExMailboxOU.Description New-DelegateAdOU -ouName $ExMixedOu -ouPath $ExServersOuDn -ouDescription $confXML.n.Servers.OUs.ExMixedRolOU.Description ############################################################################### # START Delegation to SL_InfraRights group on SERVERS area # Servers OU # Create/Delete Computers Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExServersOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExCasOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExHubOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExEdgeOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExMailboxOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_InfraRight.SamAccountName -LDAPPath $ExMixedOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExServersOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExCasOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExHubOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExEdgeOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExMailboxOuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_ExRight.SamAccountName -LDAPPath $ExMixedOuDn -QuarantineDN $ItQuarantineOuDn ############################################################################### # START Delegation to SL_AdRights group # Servers OU # Change Public Info Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExServersOuDn Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExCasOuDn Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExHubOuDn Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExEdgeOuDn Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExMailboxOuDn Set-AdAclComputerPublicInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExMixedOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExServersOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExCasOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExHubOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExEdgeOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExMailboxOuDn Set-AdAclComputerPublicInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExMixedOuDn # Change Personal Info Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExServersOuDn Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExCasOuDn Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExHubOuDn Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExEdgeOuDn Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExMailboxOuDn Set-AdAclComputerPersonalInfo -Group $SL_AdRight.SamAccountName -LDAPPath $ExMixedOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExServersOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExCasOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExHubOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExEdgeOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExMailboxOuDn Set-AdAclComputerPersonalInfo -Group $SL_ExRight.SamAccountName -LDAPPath $ExMixedOuDn ############################################################################### # Create basic GPOs for different types under Servers New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExCasOu) -gpoScope C -gpoLinkPath $ExCasOuDn -GpoAdmin ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.GpoAdminRight.Name) New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExHubOu) -gpoScope C -gpoLinkPath $ExHubOuDn -GpoAdmin ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.GpoAdminRight.Name) New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExMailboxOu) -gpoScope C -gpoLinkPath $ExMailboxOuDn -GpoAdmin ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.GpoAdminRight.Name) New-DelegateAdGpo -gpoDescription ('{0}-Baseline' -f $ExEdgeOuDn) -gpoScope C -gpoLinkPath $ExEdgeOuDn -GpoAdmin ('{0}{1}{2}' -f $NC['sl'], $NC['Delim'], $confXML.n.Admin.LG.GpoAdminRight.Name) ############################################################################### # Import the security templates to the corresponding GPOs under Servers # Configure Exchange ClientAccess GPO #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExCas.backupID -TargetName ('C-{0}-Baseline' -f $ExCasOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl) # Configure Exchange Hub GPO #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExHub.backupID -TargetName ('C-{0}-Baseline' -f $ExHubOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl) # Configure Mailbox GPO #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExMailbox.backupID -TargetName ('C-{0}-Baseline' -f $ExMailboxOu) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl) # Configure EDGE GPO #Import-GPO -BackupId $confXML.n.AdminXtra.GPOs.ExEdge.backupID -TargetName ('C-{0}-Baseline' -f $ExEdgeOuDn) -path (Join-Path -Path $DMscripts -ChildPath SecTmpl) } #end Process End { $txt = ($Variables.Footer -f $MyInvocation.InvocationName, 'creating Exchange containers and objects.' ) Write-Verbose -Message $txt } #end End } #end Function |