# OU Delegation Definitions
# Processed after groups and users exist (Step 5).
# Defines what security groups get what permissions on which OUs.
#
# Rights syntax:
#   'FullControl'                  - GenericAll on the OU and all descendants
#   'ListContents'                 - ListChildren on the OU itself
#   'ReadAllProperties'            - ReadProperty (all) on the OU itself
#   'ResetPassword'                - Extended right on descendant user objects
#   'ReadWriteProperty:<attribute>' - Read+Write a specific attribute on descendant user objects
#
# Every ACE granted here is inherited by the objects under the target OU, so
# the OU an account lives in decides which group can manage it. Moving an
# account between OUs changes who controls it; keep that in mind when
# reviewing both the OU layout and this file.

# Base DN that every TargetOUs entry is anchored to. Change this when the
# definitions are applied to a different domain; the OU names below are
# relative to it.
$domainDN = 'DC=example,DC=internal'

@(
    # MasterAdmins: GenericAll over all five OUs, including the OUs that hold
    # the admin accounts and admin workstations. Per the Rights syntax above,
    # that means full control of every object under them (account, password,
    # group membership). Membership of this group is therefore as sensitive as
    # the admin accounts themselves and should be kept minimal and audited.
    @{
        GroupName = 'MasterAdmins'
        TargetOUs = @(
            "OU=ExampleUsers,$domainDN"
            "OU=ExampleWorkstations,$domainDN"
            "OU=ExampleServers,$domainDN"
            "OU=ExampleAdmins,$domainDN"
            "OU=ExampleAdminWorkstations,$domainDN"
        )
        Rights = 'FullControl'
    }
    # DelegatedAdmins: helpdesk-style rights scoped to ExampleUsers only.
    # ResetPassword and every ReadWriteProperty entry apply to descendant user
    # objects (see Rights syntax), so any privileged account that ends up under
    # OU=ExampleUsers becomes manageable by this group. Privileged accounts
    # belong under OU=ExampleAdmins, which is deliberately not listed here.
    @{
        GroupName = 'DelegatedAdmins'
        TargetOUs = @(
            "OU=ExampleUsers,$domainDN"
        )
        Rights = @(
            # Browse the OU and read its own attributes (OU object only, not
            # the users beneath it, per the Rights syntax).
            'ListContents'
            'ReadAllProperties'
            # Password reset on descendant users.
            'ResetPassword'
            # NOTE(review): write access to userAccountControl is not limited to
            # the enable/disable bit; it covers every account-control flag in
            # the attribute, including ones that weaken the account's
            # authentication requirements. Confirm this scope is intended and
            # make sure changes to this attribute are audited.
            'ReadWriteProperty:userAccountControl'
            # Presumably granted so the group can unlock accounts - confirm.
            'ReadWriteProperty:lockoutTime'
            # Directory/contact attributes: low sensitivity, routine helpdesk edits.
            'ReadWriteProperty:displayName'
            'ReadWriteProperty:givenName'
            'ReadWriteProperty:sn'
            'ReadWriteProperty:mail'
            'ReadWriteProperty:telephoneNumber'
            'ReadWriteProperty:description'
        )
    }
)