Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00

Changelog

[2.1.0] - 2026-02-14

AD objects subsystem refactored into modular architecture matching the GPO pattern. New features for password policies, user properties, group protection, and stale object detection.

AD Objects -- Modular Architecture

Refactored ADHelper.ps1 from a monolithic library (606 lines) into a loader that dot-sources 6 specialized modules:

  • ADCore.ps1: CSPRNG password generation (Get-CryptoRandomInt, New-RandomPassword)
  • ADOrganizationalUnit.ps1: OU ensure/compare
  • ADGroup.ps1: Security group ensure/compare with accidental-deletion protection
  • ADUser.ps1: User account ensure/compare with optional property management
  • ADDelegation.ps1: OU delegation ACLs (schema GUIDs, ACE generation, bitwise subset checking)
  • ADPasswordPolicy.ps1: Fine-grained password policy (PSO) ensure/compare
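As an added illustration of the ADCore.ps1 idea (this is example code, not the framework's own module): a modulo-bias-free CSPRNG integer helper and a password generator built on it. The function names follow the changelog; the character classes and the shuffle step are this example's own choices.

```powershell
# Added example, not the framework's ADCore.ps1.
function Get-CryptoRandomInt {
    # Uniform integer in [0, Max) from the OS CSPRNG. Rejection sampling removes the
    # modulo bias that a plain (random % Max) would introduce for non-power-of-two Max.
    param([Parameter(Mandatory)][int]$Max)
    if ($Max -le 0) { throw 'Max must be positive' }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Largest multiple of Max below 2^32; draws at or above it are discarded and redrawn.
    $limit = [long][uint32]::MaxValue - ([long][uint32]::MaxValue % $Max)
    try {
        do {
            $rng.GetBytes($bytes)
            $value = [long][BitConverter]::ToUInt32($bytes, 0)
        } while ($value -ge $limit)
    } finally { $rng.Dispose() }
    return [int]($value % $Max)
}

function New-RandomPassword {
    # Password of the requested length with at least one character from each class.
    param([int]$Length = 16)
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',   # ambiguous I and O left out
        [char[]]'abcdefghijkmnopqrstuvwxyz',  # ambiguous l left out
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $all = @(); foreach ($c in $classes) { $all += $c }
    # One guaranteed character per class, then fill the remainder from the union.
    $chars = @(foreach ($c in $classes) { $c[(Get-CryptoRandomInt -Max $c.Count)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-CryptoRandomInt -Max $all.Count)] }
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters do not
    # sit at predictable positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-CryptoRandomInt -Max ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}
```

This avoids the .NET Core-only RandomNumberGenerator.GetInt32 so it also runs on Windows PowerShell 5.1.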

Group Protection

Security groups are created with ProtectedFromAccidentalDeletion = $true. Existing unprotected groups are remediated on apply; in TestOnly mode the missing protection is reported as drift instead of being changed.

Extended User Properties

User definitions support optional AD attributes (Description, Title, Department, Mail, etc.) via a -Properties hashtable. Core schema keys are explicit parameters; everything else flows through Properties. Works for both new user creation and existing user updates.

Fine-Grained Password Policies (PSOs)

New password-policies.ps1 definition file with two admin-tier policies:

  • PSO-MasterAdmins: 16-char minimum, 30-day max age, 48 history, 3-attempt lockout (precedence 10)
  • PSO-DelegatedAdmins: 12-char minimum, 42-day max age, 24 history, 5-attempt lockout (precedence 20)

Both override the Default Domain Policy for their linked groups. Drift is detected per property, and the AppliesTo group linkage is synchronized in full.
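An added example of the ensure/compare pattern for a PSO (not the framework's ADPasswordPolicy.ps1): the definition carries the PSO-MasterAdmins values from this changelog, while MinPasswordAge, the lockout durations, complexity and reversible encryption are assumed values supplied because the PSO schema requires them; the helper names and the definition layout are this example's own.

```powershell
# Added example, not the framework's ADPasswordPolicy.ps1.
$PsoMasterAdmins = @{
    Name                        = 'PSO-MasterAdmins'
    Precedence                  = 10
    MinPasswordLength           = 16
    MaxPasswordAge              = [timespan]'30.00:00:00'
    PasswordHistoryCount        = 48
    LockoutThreshold            = 3
    MinPasswordAge              = [timespan]'1.00:00:00'   # assumed
    LockoutDuration             = [timespan]'00:30:00'     # assumed
    LockoutObservationWindow    = [timespan]'00:30:00'     # assumed
    ComplexityEnabled           = $true                    # assumed
    ReversibleEncryptionEnabled = $false                   # assumed
    AppliesTo                   = @('MasterAdmins')        # group names to link
}
$PsoKeys = 'Precedence','MinPasswordLength','MaxPasswordAge','PasswordHistoryCount','LockoutThreshold',
           'MinPasswordAge','LockoutDuration','LockoutObservationWindow','ComplexityEnabled','ReversibleEncryptionEnabled'

function Compare-ADPasswordPolicy {
    # Read-only: returns which properties drift and which AppliesTo links are missing/extra.
    param([hashtable]$Def)
    $pso  = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($Def.Name)'"
    $want = @($Def.AppliesTo | ForEach-Object { (Get-ADGroup -Identity $_).DistinguishedName })
    $have = if ($pso) { @($pso.AppliesTo) } else { @() }
    $r = @{ Exists = [bool]$pso; Props = @(); Missing = @(); Extra = @() }
    foreach ($k in $PsoKeys) { if (-not $pso -or $pso.$k -ne $Def[$k]) { $r.Props += $k } }
    $r.Missing = @($want | Where-Object { $have -notcontains $_ })
    $r.Extra   = @($have | Where-Object { $want -notcontains $_ })
    $r.InSync  = $r.Exists -and (($r.Props + $r.Missing + $r.Extra).Count -eq 0)
    return $r
}

function Ensure-ADPasswordPolicy {
    # Creates or updates the PSO and syncs AppliesTo; -TestOnly reports drift and stops.
    param([hashtable]$Def, [switch]$TestOnly)
    $c = Compare-ADPasswordPolicy $Def
    if ($c.InSync) { return }
    Write-Warning ("{0}: drift [{1}] missing links [{2}] extra links [{3}]" -f $Def.Name,
        ($c.Props -join ','), ($c.Missing -join ','), ($c.Extra -join ','))
    if ($TestOnly) { return }
    $settings = @{}; foreach ($k in $PsoKeys) { $settings[$k] = $Def[$k] }
    if ($c.Exists) { Set-ADFineGrainedPasswordPolicy -Identity $Def.Name @settings }
    else           { New-ADFineGrainedPasswordPolicy -Name $Def.Name @settings }
    foreach ($dn in $c.Missing) { Add-ADFineGrainedPasswordPolicySubject -Identity $Def.Name -Subjects $dn }
    foreach ($dn in $c.Extra)   { Remove-ADFineGrainedPasswordPolicySubject -Identity $Def.Name -Subjects $dn -Confirm:$false }
}
```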

Stale Object Detection

New Get-StaleADObjects.ps1 read-only reporting script. Scans managed OUs for:

  • Stale user accounts (no login in N days, default 90)
  • Unexpectedly disabled accounts (not intentionally disabled in definitions)
  • Empty security groups (zero members)
  • Unmanaged users/groups (in managed OUs but not in definition files)
  • Pending credential files with age
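An added read-only scan covering the first four categories above (example code, not the framework's Get-StaleADObjects.ps1). The report shape, parameter names and the definition format ($Definitions.Users and .Groups as arrays of hashtables with SamAccountName or Name and an optional Enabled key) are assumptions; the pending-credential-file check is left out because the file location is not given here.

```powershell
# Added example, not the framework's Get-StaleADObjects.ps1. Only Get-* cmdlets are used.
function Get-StaleADObjectReport {
    param(
        [Parameter(Mandatory)][string[]]$ManagedOUs,
        [Parameter(Mandatory)][hashtable]$Definitions,   # assumed shape, see lead-in
        [int]$StaleDays = 90
    )
    $cutoff    = (Get-Date).AddDays(-$StaleDays)
    $defUsers  = @($Definitions.Users  | ForEach-Object { $_.SamAccountName })
    $defGroups = @($Definitions.Groups | ForEach-Object { $_.Name })
    # Accounts the definitions disable on purpose are not "unexpectedly" disabled.
    $wantDisabled = @($Definitions.Users | Where-Object { $_.Enabled -eq $false } |
                      ForEach-Object { $_.SamAccountName })
    $finding = { param($Type, $Name, $Detail)
                 [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail } }

    foreach ($ou in $ManagedOUs) {
        # LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag
        # real logons by up to 14 days; that is acceptable against a 90-day threshold.
        foreach ($u in Get-ADUser -SearchBase $ou -Filter * -Properties LastLogonDate, whenCreated) {
            $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
            if ($u.Enabled -and $last -lt $cutoff) {
                & $finding 'StaleUser' $u.SamAccountName "last logon (or creation) $($last.ToString('yyyy-MM-dd'))"
            }
            if (-not $u.Enabled -and $wantDisabled -notcontains $u.SamAccountName) {
                & $finding 'UnexpectedlyDisabled' $u.SamAccountName 'disabled, but definitions expect enabled'
            }
            if ($defUsers -notcontains $u.SamAccountName) {
                & $finding 'UnmanagedUser' $u.SamAccountName "present in $ou but not in definitions"
            }
        }
        foreach ($g in Get-ADGroup -SearchBase $ou -Filter * -Properties Members) {
            if (@($g.Members).Count -eq 0) { & $finding 'EmptyGroup' $g.Name 'zero members' }
            if ($defGroups -notcontains $g.Name) {
                & $finding 'UnmanagedGroup' $g.Name "present in $ou but not in definitions"
            }
        }
    }
}
```

The function emits one object per finding, so the output can go straight to Format-Table or Export-Csv for review.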

Documentation

  • Updated FRAMEWORK.md with modular AD architecture, PSO definition format, extended user properties
  • Updated CLAUDE.md and README.md with new repo structure and features
  • Updated function pairs table and dependency ordering

[2.0.0] - 2026-02-14

Major expansion of the GPO framework. Modular library architecture, 8 new subsystems, and hardening policies deployed across all GPOs.

GPO Framework -- Modular Architecture

Refactored GPOHelper.ps1 from a monolithic library into a loader that dot-sources 12 specialized modules:

  • GPOCore.ps1: SYSVOL paths, version bump, extension GUIDs, DSC helpers
  • GPOPolicy.ps1: Security policy (GptTmpl.inf), registry settings, restricted groups
  • GPOPermissions.ps1: GPO links (with order/enforcement), management permissions, security filtering
  • GPOScripts.ps1: Startup/shutdown/logon/logoff script deployment to SYSVOL
  • GPOAudit.ps1: Advanced audit policy (53 subcategories in audit.csv)
  • GPOPreferences.ps1: Group Policy Preferences XML (10 types -- see below)
  • GPOWmiFilter.ps1: WMI filter creation and GPO linking
  • GPOBackup.ps1: Pre-apply backup with timestamped snapshots, restore via Restore-GPOBaseline.ps1
  • GPOFirewall.ps1: Windows Firewall rules (Open-NetGPO session) and profile management
  • GPOAppLocker.ps1: AppLocker policy management via Set-AppLockerPolicy -LDAP
  • GPOWdac.ps1: WDAC policy deployment (.xml auto-converted to .p7b via ConvertFrom-CIPolicy)
  • GPOFolderRedirection.ps1: Folder redirection via fdeploy1.ini (12 supported folders)

GPO Preferences (10 types)

  • ScheduledTasks, DriveMaps, EnvironmentVariables, Services (from 1.0)
  • Printers: Shared printer mapping with default/skip-local options
  • Shortcuts: Desktop/Start Menu shortcuts (URL, filesystem, shell)
  • Files: File copy/replace from UNC or local paths
  • NetworkShares: Local share creation with permissions
  • RegistryItems: GPP registry items with action modes (distinct from Administrative Templates)
  • LocalUsersAndGroups: Additive local group membership management (ADD/REMOVE without full replace)
  • All types support Item-Level Targeting (ILT) filters

GPO Operations

  • Restore-GPOBaseline.ps1: List and restore GPO backups by name and timestamp
  • Get-UnmanagedGPOs.ps1: Discover orphan GPOs in AD not managed by the framework
  • Automatic backups: Every apply creates timestamped snapshots (SYSVOL + AD attributes), 5 retained per GPO
  • GPO status management: DisableUserConfiguration / DisableComputerConfiguration keys

New GPO -- Servers-01

  • Linked to ExampleServers OU with WMI filter (ProductType = 3)
  • Full audit (30 advanced audit subcategories), PowerShell transcription + module logging
  • Command-line in process creation events, 256 MB security log
  • Firewall: default-deny inbound, allow WinRM/RDP/ICMP/SMB
  • GPP LocalUsersAndGroups: MasterAdmins added to Remote Desktop Users

Hardening Deployed to Existing GPOs

  • Firewall profiles + rules: Servers-01, AdminWorkstations-01, Workstations-01 (default-deny inbound, allow management traffic)
  • Advanced audit policy: Servers-01 (30 subcategories), AdminWorkstations-01 (27 subcategories including DPAPI)
  • AppLocker audit mode: Workstations-01 and AdminWorkstations-01 (Exe/Msi/Script collections, Microsoft-signed + Program Files + Windows + admin unrestricted)
  • WDAC audit mode: AdminWorkstations-01 (AllowMicrosoft baseline -- all Microsoft root CAs, WHQL drivers, multiple policy format for future supplemental policies)

Documentation

  • FRAMEWORK.md: Complete developer reference -- architecture, ensure/compare pattern, all 15 setting types with format documentation, encoding guide, how-to recipes
  • Updated README.md with GPO capabilities table, full repo structure, Servers-01
  • Updated CLAUDE.md with 12-module library structure

Bug Fixes

  • AppLocker XML element names must match rule type (FilePathRule, FileHashRule, not always FilePublisherRule)
  • Get-NetFirewallRule uses -PolicyStore not -GPOSession for reading GPO firewall rules
  • Get-AppLockerPolicy -Domain is a SwitchParameter (flag), not a string parameter
  • XML comments cannot contain a double hyphen (--); .NET XmlSerializer strictly enforces this

[1.0.0] - 2026-02-13

First stable release. Full infrastructure-as-code coverage for the example.internal domain.

AD Object Management

  • Apply-ADBaseline.ps1: Idempotent orchestration for OUs, security groups, and user accounts
  • ADHelper.ps1: Shared functions -- CSPRNG password generation, OU/group/user ensure and compare
  • Credential handoff: New user passwords saved to ACL-locked files, never printed to console
  • Stale credential warnings: Files older than 24 hours trigger a warning banner
  • Dependency ordering: OUs -> groups -> users -> membership sync

Organizational Units

  • ExampleUsers, ExampleWorkstations, ExampleServers, ExampleAdmins, ExampleAdminWorkstations

Security Groups and Delegation

  • MasterAdmins: Full Control on all managed OUs, GPO edit rights (self-healing)
  • DelegatedAdmins: Scoped helpdesk in ExampleUsers (password reset, user properties)
  • ACL delegation automated via delegations.ps1 (Ensure/Compare pattern with AD schema GUIDs)

Group Policy

  • Apply-GPOBaseline.ps1: Declarative GPO management -- security policy, registry settings, links, security filtering, management permissions
  • GPOHelper.ps1: SYSVOL read/write, GptTmpl.inf parsing, GPO versioning, permission management
  • -GpUpdate switch: Optional gpupdate /force after applying
  • -TestOnly mode: Drift detection across all GPO settings without changes
  • Self-healing permissions: MasterAdmins edit rights enforced on every run

GPO Policies

  • Default Domain Policy: Password (7-char min, 42-day max, 24 history), lockout (5 attempts, 30-min), Kerberos (10-hour TGT)
  • Default Domain Controllers Policy: 25 user rights assignments, SMB/LDAP signing, secure channel encryption
  • Admins-01: 10-min session lock, PowerShell script block logging + transcription, taskbar cleanup
  • Users-01: Desktop lockdown (regedit, cmd, Run disabled), DelegatedAdmins exempted via deny security filtering
  • Workstations-01: Full audit, autorun disabled, Windows Update 3 AM daily, NLA required, log sizing
  • AdminWorkstations-01: Enhanced PAW -- all audit categories, PS transcription + module logging, command-line in 4688 events, 256 MB security log, Defender exclusions for JetBrains, RSAT startup script

DSC Compliance

  • Apply-DscBaseline.ps1: Second-layer validation of DC local state against GPO definitions
  • Single source of truth: DSC configs read from settings.ps1, no value duplication
  • Kerberos validation: Custom Script resource using secedit export (SecurityPolicyDsc doesn't support Kerberos natively)
  • Detailed drift output: Reports specific non-compliant resources
  • Apply mode safety: Warning banner + confirmation prompt required

Documentation

  • README.md with architecture, workflow, security model, and operations guide
  • Per-GPO README files with settings tables and design rationale
  • CLAUDE.md for AI assistant context