vars/OUTemplate-Org.ps1
<#
    Org-level RBAC template.

    Declares, for one "org", the OU layout, the default role and right groups, the AD
    ACL delegations granted to the right groups, and the GPOs (with their security
    settings) that bind those rights to hosts. Everything in this hashtable is data;
    the consumer that materialises it is not in this file (the pipeline continues after
    the closing brace).

    Names used but not defined here: $RightsName / $RolesName (OU and group-name
    stems), $ComponentsOUStruct, $SUDO_ROLE_DEFS, $SUDO_PASSWD_TYPES, the $SID_*
    values and test-rBACFeatures. The *Suffix values are presumably prefixed with the
    org name by the consumer -- TODO confirm.

    Model, as stated by the OU descriptions below: users are members of ROLE groups,
    role groups are members of RIGHT groups, and right groups are what the ACEs and
    GPO settings reference. Several rights are effectively admin-equivalent for the
    whole org and are marked NOTE(review) below: OUManage (WriteDacl on OUs),
    <Rights>-Admin (membership of all right groups), LAPSReadPassword (every host's
    local admin password) and GPOEdit (edit on a GPO applied to every host).

    Hashtable keys are matched case-insensitively by PowerShell, which is why the mixed
    name/Name and Description/description spellings below still resolve.
#>
$OrgTemplate = @{
    #region OUs
    # Child OUs created under the org OU.
    OUs = @(
        @{
            name        = "$($RightsName)s"
            Description = "Groups granting privileges for GLOBAL aspects of this org, such as GPO linking or OU management. Users should not be members of these groups. Only other groups should be members of 'rights' groups."
        }
        @{
            name        = "$($RolesName)s"
            description = "Roles associated with multiple 'rights'. Only users should be members of 'role' groups."
        }
        @{
            name        = "PrivilegedAccounts"
            description = "Sensitive Acccounts granting elevated access"   # sic -- live description text, left as-is
        }
        @{
            Name        = $ComponentsOUStruct.name
            Description = $ComponentsOUStruct.Description
        }
    )
    #endregion

    #region DefaultRoles
    # Role groups created per org. `Rights` lists the nameSuffix of each right group the
    # role is nested into. Only Owner carries Owner = $true; what the consumer does with
    # that flag is not visible here.
    # NOTE(review): right names here differ in case from DefaultRights ("App-access" vs
    # "App-Access"). Harmless if the consumer compares case-insensitively (PowerShell
    # -eq and AD group names both do) -- confirm.
    DefaultRoles = @(
        @{
            nameSuffix  = "Owner"
            Owner       = $true
            Description = "Owner of this Org. Assumed to have full administrative rights on all systems in child components."
            Rights      = @(
                "App-access"
                "App-modify"
                "App-admin"
                "AddEndpoint"
                "WindowsAdmin"
                "LogonRemote"
                "LogonLocal"
                "GPOEdit"
                "GPOLink"
                "GPOAudit"
                "OUCreate"
                "OUManage"
                "LAPSReadPassword"
                "$($rightsName)s-Admin"   # $rightsName is the same variable as $RightsName (case-insensitive)
                "$($RolesName)s-Manage"
                "sudo_full"               # presumably produced by the sudo generator in DefaultRights with $passwd = "" -- confirm
            )
        }
        @{
            nameSuffix  = "Operator"
            Owner       = $False
            Description = "Elevated rights for OS and application."
            # NOTE(review): GPOEdit gives this role edit on the org's _Settings GPO (see
            # GPOs below). Edit rights on a GPO linked to the org's hosts are generally
            # treated as admin-equivalent on those hosts (startup scripts, scheduled
            # tasks run as SYSTEM), so Operator is stronger than WindowsOps suggests --
            # confirm this is intended.
            Rights      = @(
                "App-access"
                "App-modify"
                "AddEndpoint"
                "GPOAudit"
                "GPOEdit"
                "WindowsOps"
                "LogonRemote"
                "LogonLocal"
                "LAPSReadPassword"
                "sudo_operate"
            )
        }
        @{
            nameSuffix  = "GPO-Admin"
            Owner       = $false
            Description = "Permissions to edit, link and troubleshoot GPOs"
            Rights      = @(
                "GPOEdit"
                "GPOLink"
                "GPOAudit"
            )
        }
        @{
            nameSuffix  = "User"
            Owner       = $false
            Description = "Act as user for applications under org"
            Rights      = @(
                "App-access"
                "App-modify"
            )
        }
    )
    #endregion

    #region DefaultRights
    # Right groups created per org. Only some of them are backed by ACEs (OUDelegations)
    # or GPO settings (GPOs) in this file; App-*, AddEndpoint, WindowsAdmin on Linux and
    # the sudo rights are presumably consumed elsewhere -- TODO confirm.
    DefaultRights = @(
        @{
            nameSuffix  = "App-Access"
            Description = "Allowed Log in to applications (typically web interfaces) in this org. Often Necessary for SSO."
        }
        @{
            nameSuffix  = "App-Modify"
            Description = "Poweruser or modify access to applications (typically web interfaces) in this org"
        }
        @{
            nameSuffix  = "App-Admin"
            Description = "Admin access to applications (typically web interfaces) in this org"
        }
        @{
            nameSuffix  = "AddEndpoint"
            Description = "Allowed to create / join computer objects"
        }
        @{
            nameSuffix  = "GPOAudit"
            Description = "Allowed to run RSOP and GPO Modelling"
        }
        @{
            nameSuffix  = "GPOLink"
            Description = "Allowed to link and unlink GPOs in org"
        }
        @{
            nameSuffix  = "GPOEdit"
            Description = "Edit rights on All GPOs"
        }
        @{
            nameSuffix  = "OUCreate"
            Description = "Create Organizational Units"
        }
        @{
            nameSuffix  = "OUManage"
            Description = "Modify properties and permissions on ACLs"
        }
        @{
            nameSuffix  = "$($rightsName)s-Admin"
            # NOTE(review): the ACEs below give this group Member write on every group
            # under OU=<Rights> and OU=Components, including WindowsAdmin and
            # LAPSReadPassword, so holding it is Owner-equivalent for the org.
            Description = "Create and delete new rights, and modify membership of all groups."
        }
        @{
            nameSuffix  = "$($RolesName)s-Manage"
            Description = "Create and delete new roles, and modify membership of roles."
        }
        @{
            nameSuffix  = "WindowsAdmin"
            Description = "Local admin rights on Windows / Linux hosts"
        }
        @{
            nameSuffix  = "WindowsOps"
            Description = "Limited operator rights on Windows hosts: event log, performance monitoring, network changes"
        }
        @{
            nameSuffix  = "LAPSReadPassword"
            Description = "Fetch local machine passwords via Windows LAPS"
        }
        @{
            nameSuffix  = "LogonBatch"
            Description = "Rights for batch logon / scheduled task / cron access"
        }
        @{
            nameSuffix  = "LogonLocal"
            Description = "Rights for Local logon"
            # NOTE(review): the info text maps Windows Task Scheduler to LogonLocal,
            # while the GPO below binds scheduled-task style access (SeBatchLogonRight)
            # to LogonBatch -- verify which is meant.
            info="Default mapped services: su, gdm, login`r`nWindows: Task Scheduler"
        }
        @{
            nameSuffix  = "LogonService"
            Description = "Rights for logon as service in this Org"
        }
        @{
            nameSuffix  = "LogonRemote"
            Description = "Rights to use Remote Desktop / SSH / Cockpit in this Org"
        }
        # sudo rights: one right per (password type, role type) pair named
        # "sudo<passwd>_<roletype>". Statements inside @( ) contribute their output to
        # the array, so these hashtables land next to the literal ones above.
        foreach ($sudoRoleType in $SUDO_ROLE_DEFS) {
            foreach ($passwd in $SUDO_PASSWD_TYPES) {
                @{
                    NameSuffix  = "sudo{0}_{1}" -f $passwd, $sudoRoleType.name
                    Description = "Sudoers- Right to use sudo$passwd for $($sudoRoleType.name) access: 
$($sudoRoleType.description)"
                }
            }
        }
    )
    #endregion

    #region OUDelegations
    # ACEs applied relative to the org OU. ADPathLeafOU = "" is the org OU itself;
    # PrincipalSuffix names an org right group, Principal a full (global) group name.
    # Entries without AppliesTo presumably apply to all object classes -- confirm in
    # the consumer. "Descendents" matches the spelling of the .NET
    # ActiveDirectorySecurityInheritance enum.
    OUDelegations = @(
        #Region GPO rights
        # GPOAudit: RSoP planning/logging control-access rights on the org OU tree.
        @{
            ADPathLeafOU    = ""
            PrincipalSuffix = "GPOAudit"
            ExtendedRight   = "Generate-RSoP-Planning"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = ""
            PrincipalSuffix = "GPOAudit"
            ExtendedRight   = "Generate-RSoP-Logging"
            InheritanceType = "All"
        }
        # GPOLink: gPLink / gPOptions on the org OU only (no inheritance); GPOEdit gets
        # gPOptions (block inheritance / enforce) down the whole tree.
        @{
            ADPathLeafOU    = ""
            PrincipalSuffix = "GPOLink"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "GP-Link"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU    = ""
            PrincipalSuffix = "GPOLink"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "GP-Options"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU    = ""
            PrincipalSuffix = "GPOEdit"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "GP-Options"
            InheritanceType = "All"
        }
        #endRegion
        #Region OU rights
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "OUCreate"
            ADRight         = "CreateChild"
            TargetObject    = "Organizational-Unit"
            AppliesTo       = "Organizational-Unit"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "OUManage"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "Description"
            AppliesTo       = "Organizational-Unit"
            InheritanceType = "All"
        }
        # NOTE(review): WriteDacl on every OU under OU=Components, inherited, lets the
        # holder grant itself any right on those OUs and (via inheritable ACEs) on the
        # users, groups and computers beneath them. OUManage is therefore full control
        # over the components tree, not just "modify properties" -- document or narrow.
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "OUManage"
            ADRight         = "WriteDacl"
            TargetObject    = "Organizational-Unit"
            AppliesTo       = "Organizational-Unit"
            InheritanceType = "All"
        }
        # Global OU creators may add OUs directly under the org OU and under Components.
        @{
            ADPathLeafOU    = ""
            Principal       = "Right-Global-OUCreate"
            ADRight         = "CreateChild"
            TargetObject    = "Organizational-Unit"
            AppliesTo       = "Organizational-Unit"
            InheritanceType = "None"
        }
        @{
            ADPathLeafOU    = "OU=Components"
            Principal       = "Right-Global-OUCreate"
            ADRight         = "CreateChild"
            TargetObject    = "Organizational-Unit"
            AppliesTo       = "Organizational-Unit"
            InheritanceType = "None"
        }
        #endregion
        #Region LAPSReadPassword
        # Emitted only when the Windows LAPS schema is present. write-warning writes to
        # the warning stream, so neither branch adds anything but the ACEs to the array.
        if ((test-rBACFeatures).LAPS) {
            write-warning "Enabling LAPS features"
            # Expiration time is a plain ReadProperty; the password attributes also need
            # the control-access right. Together these let the holder read the local
            # admin password of every computer object beneath the org OU.
            @{
                ADPathLeafOU    = ""
                PrincipalSuffix = "LAPSReadPassword"
                ADRight         = "ReadProperty"
                TargetObject    = "ms-LAPS-PasswordExpirationTime"
                AppliesTo       = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU    = ""
                PrincipalSuffix = "LAPSReadPassword"
                ADRight         = "ReadProperty, ExtendedRight"
                TargetObject    = "ms-LAPS-Password"
                AppliesTo       = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU    = ""
                PrincipalSuffix = "LAPSReadPassword"
                ADRight         = "ReadProperty, ExtendedRight"
                TargetObject    = "ms-LAPS-EncryptedPassword"
                AppliesTo       = "Computer"
                InheritanceType = "Descendents"
            }
            @{
                ADPathLeafOU    = ""
                PrincipalSuffix = "LAPSReadPassword"
                ADRight         = "ReadProperty, ExtendedRight"
                TargetObject    = "ms-LAPS-EncryptedPasswordHistory"
                AppliesTo       = "Computer"
                InheritanceType = "Descendents"
            }
        } else {
            write-warning "ms-LAPS-EncryptedPassword schema object is missing: you may need to update-lapsADSchema"
        }
        #endregion
        #region rightsAdmin
        # <Rights>-Admin: create/delete groups and write Member/Description under the
        # org's rights OU and under Components. The entry with
        # "ReadProperty, WriteProperty, DeleteChild" on Group has no AppliesTo and no
        # single property, so it presumably covers all properties of group objects --
        # confirm that is intended rather than Member/Description only.
        @{
            ADPathLeafOU    = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "CreateChild, DeleteChild"
            TargetObject    = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "Member"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=$($RightsName)s"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "WriteProperty"
            TargetObject    = "Description"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "ReadProperty, WriteProperty, DeleteChild"
            TargetObject    = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "WriteProperty"
            TargetObject    = "Description"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=Components"
            PrincipalSuffix = "$($RightsName)s-Admin"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "Member"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        #endregion
        #Region RolesManager
        # <Roles>-Manage: same pattern, limited to the roles OU. Note it has no ACE on
        # OU=<Rights>, so role managers cannot change which rights a role carries.
        @{
            ADPathLeafOU    = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight         = "CreateChild, DeleteChild"
            TargetObject    = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight         = "WriteProperty"
            TargetObject    = "Description"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        @{
            ADPathLeafOU    = "OU=$($RolesName)s"
            PrincipalSuffix = "$($RolesName)s-Manage"
            ADRight         = "ReadProperty, WriteProperty"
            TargetObject    = "Member"
            AppliesTo       = "Group"
            InheritanceType = "All"
        }
        #EndRegion
    )
    #endregion

    #region GPOs
    # GPOs built per org, linked in LinkOrder. Values of the form
    # @{ SIDs/SIDS; Rights; Principals } are presumably resolved by the consumer into
    # one SID list: literal SIDs, the org's right groups named by suffix, and global
    # principals named in full -- TODO confirm.
    GPOs = @(
        @{
            Metadata = @{
                LinkOrder     = 1
                NamePrefix    = "_HBAC"
                AlwaysRebuild = $true
                # Only the global GPOEdit group may edit this GPO; the org-level GPOEdit
                # right gets nothing here (Rights = @()), which keeps the host-access
                # policy out of reach of org operators.
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @( )
                        Principals = @( "Right-Global-GPOEdit" )
                    }
                }
            }
            SecEdit = @{
                # User Rights Assignment: each logon right is reduced to the listed
                # built-ins plus the org's matching Logon* right group.
                "Privilege Rights" = @{
                    SeInteractiveLogonRight = @{
                        SIDS       = @( $SID_Administrators )
                        Rights     = @( "LogonLocal" )
                        Principals = @()
                    }
                    SeRemoteInteractiveLogonRight = @{
                        SIDS       = @( $SID_Administrators $SID_RemoteDesktop )
                        Rights     = @( "LogonRemote" )
                        Principals = @()
                    }
                    SeServiceLogonRight = @{
                        SIDS       = @( $SID_NetworkService $SID_ALLSERVICES )
                        Rights     = @( "LogonService" )
                        Principals = @()
                    }
                    SeBatchLogonRight = @{
                        SIDS       = @( $SID_Administrators $SID_BackupOperators $SID_PerfLogUsers )
                        Rights     = @( "LogonBatch" )
                        Principals = @()
                    }
                }
                # Restricted-groups style membership of local built-ins.
                # NOTE(review): Administrators lists only the WindowsAdmin right and no
                # SIDs. If the consumer emits this as an authoritative Members list,
                # Domain Admins and any break-glass accounts are removed from local
                # Administrators unless it adds them itself -- confirm.
                # NOTE(review): the NetworkConfigOperators entry is the only one without
                # Principals = @(); confirm the consumer tolerates the missing key.
                "Group Membership" = @{
                    "*$($SID_Administrators)__Members" = @{
                        SIDS       = @( )
                        Rights     = @( "WindowsAdmin" )
                        Principals = @()
                    }
                    "*$($SID_NetworkConfigOperators)__Members" = @{
                        SIDS   = @()
                        Rights = @( "WindowsOps" )
                    }
                    "*$($SID_PerfLogUsers)__Members" = @{
                        SIDS       = @()
                        Rights     = @( "WindowsOps" )
                        Principals = @()
                    }
                    "*$($SID_PerfMonUsers)__Members" = @{
                        SIDS       = @()
                        Rights     = @( "WindowsOps" )
                        Principals = @()
                    }
                    "*$($SID_EventLogUsers)__Members" = @{
                        SIDS       = @()
                        Rights     = @( "WindowsOps" )
                        Principals = @()
                    }
                    "*$($SID_RemoteMgtUsers)__Members" = @{
                        SIDS       = @()
                        Rights     = @( "LogonRemote" )
                        Principals = @()
                    }
                    "*$($SID_RemoteDesktop)__Members" = @{
                        SIDS       = @()
                        Rights     = @( "LogonRemote" )
                        Principals = @()
                    }
                }
            }
            # Windows LAPS policy: the LAPSReadPassword right group becomes the
            # principal allowed to decrypt passwords, matching the LAPS ACEs above.
            RegPol = @(
                @{
                    KeyName         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
                    ValueName       = "ADPasswordEncryptionPrincipal"
                    ValueType       = "REG_SZ"
                    ValueCollection = @{
                        SIDs       = @()
                        Rights     = @( "LAPSReadPassword" )
                        Principals = @()
                    }
                }
            )
        }
        @{
            Metadata = @{
                LinkOrder     = 2
                NamePrefix    = "_Settings"
                AlwaysRebuild = $False
                # Editable by the org's own GPOEdit right (held by Owner, Operator and
                # GPO-Admin); see the NOTE(review) on the Operator role.
                GPPermissions = @{
                    GPOEdit = @{
                        SIDs       = @()
                        Rights     = @( "GPOEdit" )
                        Principals = @()
                    }
                }
            }
        }
    )
    #endregion
} |