functions/schemadefaultpermissions/Register-FMSchemaDefaultPermission.ps1

function Register-FMSchemaDefaultPermission
{
<#
    .SYNOPSIS
        Registers a new desired schema default permission access rule.
     
    .DESCRIPTION
        Registers a new desired schema default permission access rule.
        These access rules are then used / applied when when creating a new object of the class affected.
     
        These settings apply only to new objects created of the affected class, not already existing ones.
        Using this you could for example add a group to have full control over all newly created group policy objects.
     
    .PARAMETER ClassName
        The name of the object class in schema this applies to.
     
    .PARAMETER Identity
        The principal to which the access rule applies.
        Supports limited string resolution.
     
    .PARAMETER ActiveDirectoryRights
        The rights granted.
     
    .PARAMETER AccessControlType
        Allow or Deny?
        Defaults to: Allow
     
    .PARAMETER InheritanceType
        How is this privilege inherited by child objects?
     
    .PARAMETER ObjectType
        What object types does this permission apply to?
     
    .PARAMETER InheritedObjectType
        What object types does this permission apply to?
        Used for extended properties.
     
    .PARAMETER Mode
        How access rules are actually applied:
        - Additive: Only add new access rules, but do not touch existing ones
        - Defined: Add new access rules, remove access rules not defined in configuration that apply to a principal that has access rules defined.
        - Constrained: Add new access rules, remove all access rules not defined in configuration
     
        All Modes of all settings for a given class are used when determining the effective Mode applied to that class.
        The most restrictive Mode applies.
     
    .PARAMETER ContextName
        The name of the context defining the setting.
        This allows determining the configuration set that provided this setting.
        Used by the ADMF, available to any other configuration management solution.
     
    .EXAMPLE
        PS C:\> Get-Content .\sdp.json | ConvertFrom-Json | Write-Output | Register-FMSchemaDefaultPermission
     
        Loads all entries from the specified json file and registers them.
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ClassName,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $Identity,
        
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ActiveDirectoryRights,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [System.Security.AccessControl.AccessControlType]
        $AccessControlType = 'Allow',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]
        $InheritanceType = 'None',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $ObjectType = '<All>',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $InheritedObjectType = '<All>',
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [ValidateSet('Constrained', 'Defined', 'Additive')]
        [string]
        $Mode,
        
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string]
        $ContextName = '<Undefined>'
    )
    
    process
    {
        if (-not $script:schemaDefaultPermissions[$ClassName]) { $script:schemaDefaultPermissions[$ClassName] = @{ } }
        $script:schemaDefaultPermissions[$ClassName]["$($Identity)þ$($ActiveDirectoryRights)þ$($ObjectType)þ$($InheritedObjectType)þ$($InheritanceType)þ$($AccessControlType)"] = [PSCustomObject]@{
            PSTypeName              = 'ForestManagement.SchemaDefaultPermission.Configuration'
            ClassName              = $ClassName
            Identity              = $Identity
            ActiveDirectoryRights = $ActiveDirectoryRights
            AccessControlType      = $AccessControlType
            InheritanceType          = $InheritanceType
            ObjectType              = $ObjectType
            InheritedObjectType   = $InheritedObjectType
            Mode                  = $Mode
            ContextName              = $ContextName
        }
    }
}