projects/declarative-ad-framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
declarative-ad-framework/CHANGELOG.md
Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0 
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00

174 lines
9.3 KiB
Markdown
Raw Blame History

# Changelog
## [2.1.0] - 2026-02-14
AD objects subsystem refactored into modular architecture matching the GPO pattern. New features for password policies, user properties, group protection, and stale object detection.
### AD Objects -- Modular Architecture
Refactored `ADHelper.ps1` from a monolithic library (606 lines) into a loader that dot-sources 6 specialized modules:
- **ADCore.ps1**: CSPRNG password generation (Get-CryptoRandomInt, New-RandomPassword)
- **ADOrganizationalUnit.ps1**: OU ensure/compare
- **ADGroup.ps1**: Security group ensure/compare with accidental-deletion protection
- **ADUser.ps1**: User account ensure/compare with optional property management
- **ADDelegation.ps1**: OU delegation ACLs (schema GUIDs, ACE generation, bitwise subset checking)
- **ADPasswordPolicy.ps1**: Fine-grained password policy (PSO) ensure/compare
### Group Protection
Security groups now get `ProtectedFromAccidentalDeletion = $true` on creation. Existing unprotected groups are remediated on apply. Drift detection in TestOnly mode.
### Extended User Properties
User definitions support optional AD attributes (Description, Title, Department, Mail, etc.) via a `-Properties` hashtable. Core schema keys are explicit parameters; everything else flows through Properties. Works for both new user creation and existing user updates.
### Fine-Grained Password Policies (PSOs)
New `password-policies.ps1` definition file with two admin-tier policies:
- **PSO-MasterAdmins**: 16-char minimum, 30-day max age, 48 history, 3-attempt lockout (precedence 10)
- **PSO-DelegatedAdmins**: 12-char minimum, 42-day max age, 24 history, 5-attempt lockout (precedence 20)
Both override the Default Domain Policy for their linked groups. Property-level drift detection and full AppliesTo group linkage sync.
### Stale Object Detection
New `Get-StaleADObjects.ps1` read-only reporting script. Scans managed OUs for:
- Stale user accounts (no login in N days, default 90)
- Unexpectedly disabled accounts (not intentionally disabled in definitions)
- Empty security groups (zero members)
- Unmanaged users/groups (in managed OUs but not in definition files)
- Pending credential files with age
### Documentation
- Updated FRAMEWORK.md with modular AD architecture, PSO definition format, extended user properties
- Updated CLAUDE.md and README.md with new repo structure and features
- Updated function pairs table and dependency ordering
---
## [2.0.0] - 2026-02-14
Major expansion of the GPO framework. Modular library architecture, 8 new subsystems, and hardening policies deployed across all GPOs.
### GPO Framework -- Modular Architecture
Refactored `GPOHelper.ps1` from a monolithic library into a loader that dot-sources 12 specialized modules:
- **GPOCore.ps1**: SYSVOL paths, version bump, extension GUIDs, DSC helpers
- **GPOPolicy.ps1**: Security policy (GptTmpl.inf), registry settings, restricted groups
- **GPOPermissions.ps1**: GPO links (with order/enforcement), management permissions, security filtering
- **GPOScripts.ps1**: Startup/shutdown/logon/logoff script deployment to SYSVOL
- **GPOAudit.ps1**: Advanced audit policy (53 subcategories in audit.csv)
- **GPOPreferences.ps1**: Group Policy Preferences XML (10 types -- see below)
- **GPOWmiFilter.ps1**: WMI filter creation and GPO linking
- **GPOBackup.ps1**: Pre-apply backup with timestamped snapshots, restore via `Restore-GPOBaseline.ps1`
- **GPOFirewall.ps1**: Windows Firewall rules (`Open-NetGPO` session) and profile management
- **GPOAppLocker.ps1**: AppLocker policy management via `Set-AppLockerPolicy -LDAP`
- **GPOWdac.ps1**: WDAC policy deployment (.xml auto-converted to .p7b via `ConvertFrom-CIPolicy`)
- **GPOFolderRedirection.ps1**: Folder redirection via fdeploy1.ini (12 supported folders)
### GPO Preferences (10 types)
- ScheduledTasks, DriveMaps, EnvironmentVariables, Services (from 1.0)
- **Printers**: Shared printer mapping with default/skip-local options
- **Shortcuts**: Desktop/Start Menu shortcuts (URL, filesystem, shell)
- **Files**: File copy/replace from UNC or local paths
- **NetworkShares**: Local share creation with permissions
- **RegistryItems**: GPP registry items with action modes (distinct from Administrative Templates)
- **LocalUsersAndGroups**: Additive local group membership management (ADD/REMOVE without full replace)
- All types support Item-Level Targeting (ILT) filters
### GPO Operations
- **Restore-GPOBaseline.ps1**: List and restore GPO backups by name and timestamp
- **Get-UnmanagedGPOs.ps1**: Discover orphan GPOs in AD not managed by the framework
- **Automatic backups**: Every apply creates timestamped snapshots (SYSVOL + AD attributes), 5 retained per GPO
- **GPO status management**: `DisableUserConfiguration` / `DisableComputerConfiguration` keys
### New GPO -- Servers-01
- Linked to ExampleServers OU with WMI filter (ProductType = 3)
- Full audit (30 advanced audit subcategories), PowerShell transcription + module logging
- Command-line in process creation events, 256 MB security log
- Firewall: default-deny inbound, allow WinRM/RDP/ICMP/SMB
- GPP LocalUsersAndGroups: MasterAdmins added to Remote Desktop Users
### Hardening Deployed to Existing GPOs
- **Firewall profiles + rules**: Servers-01, AdminWorkstations-01, Workstations-01 (default-deny inbound, allow management traffic)
- **Advanced audit policy**: Servers-01 (30 subcategories), AdminWorkstations-01 (27 subcategories including DPAPI)
- **AppLocker audit mode**: Workstations-01 and AdminWorkstations-01 (Exe/Msi/Script collections, Microsoft-signed + Program Files + Windows + admin unrestricted)
- **WDAC audit mode**: AdminWorkstations-01 (AllowMicrosoft baseline -- all Microsoft root CAs, WHQL drivers, multiple policy format for future supplemental policies)
### Documentation
- **FRAMEWORK.md**: Complete developer reference -- architecture, ensure/compare pattern, all 15 setting types with format documentation, encoding guide, how-to recipes
- Updated README.md with GPO capabilities table, full repo structure, Servers-01
- Updated CLAUDE.md with 12-module library structure
### Bug Fixes
- AppLocker XML element names must match rule type (FilePathRule, FileHashRule, not always FilePublisherRule)
- `Get-NetFirewallRule` uses `-PolicyStore` not `-GPOSession` for reading GPO firewall rules
- `Get-AppLockerPolicy -Domain` is a SwitchParameter (flag), not a string parameter
- XML comments cannot contain `--` (double hyphen) -- .NET XmlSerializer strictly enforces this
---
## [1.0.0] - 2026-02-13
First stable release. Full infrastructure-as-code coverage for the example.internal domain.
### AD Object Management
- **Apply-ADBaseline.ps1**: Idempotent orchestration for OUs, security groups, and user accounts
- **ADHelper.ps1**: Shared functions -- CSPRNG password generation, OU/group/user ensure and compare
- **Credential handoff**: New user passwords saved to ACL-locked files, never printed to console
- **Stale credential warnings**: Files older than 24 hours trigger a warning banner
- **Dependency ordering**: OUs -> groups -> users -> membership sync
### Organizational Units
- ExampleUsers, ExampleWorkstations, ExampleServers, ExampleAdmins, ExampleAdminWorkstations
### Security Groups and Delegation
- **MasterAdmins**: Full Control on all managed OUs, GPO edit rights (self-healing)
- **DelegatedAdmins**: Scoped helpdesk in ExampleUsers (password reset, user properties)
- ACL delegation automated via `delegations.ps1` (Ensure/Compare pattern with AD schema GUIDs)
### Group Policy
- **Apply-GPOBaseline.ps1**: Declarative GPO management -- security policy, registry settings, links, security filtering, management permissions
- **GPOHelper.ps1**: SYSVOL read/write, GptTmpl.inf parsing, GPO versioning, permission management
- **-GpUpdate switch**: Optional `gpupdate /force` after applying
- **-TestOnly mode**: Drift detection across all GPO settings without changes
- **Self-healing permissions**: MasterAdmins edit rights enforced on every run
### GPO Policies
- **Default Domain Policy**: Password (7-char min, 42-day max, 24 history), lockout (5 attempts, 30-min), Kerberos (10-hour TGT)
- **Default Domain Controllers Policy**: 25 user rights assignments, SMB/LDAP signing, secure channel encryption
- **Admins-01**: 10-min session lock, PowerShell script block logging + transcription, taskbar cleanup
- **Users-01**: Desktop lockdown (regedit, cmd, Run disabled), DelegatedAdmins exempted via deny security filtering
- **Workstations-01**: Full audit, autorun disabled, Windows Update 3 AM daily, NLA required, log sizing
- **AdminWorkstations-01**: Enhanced PAW -- all audit categories, PS transcription + module logging, command-line in 4688 events, 256 MB security log, Defender exclusions for JetBrains, RSAT startup script
### DSC Compliance
- **Apply-DscBaseline.ps1**: Second-layer validation of DC local state against GPO definitions
- **Single source of truth**: DSC configs read from settings.ps1, no value duplication
- **Kerberos validation**: Custom Script resource using secedit export (SecurityPolicyDsc doesn't support Kerberos natively)
- **Detailed drift output**: Reports specific non-compliant resources
- **Apply mode safety**: Warning banner + confirmation prompt required
### Documentation
- README.md with architecture, workflow, security model, and operations guide
- Per-GPO README files with settings tables and design rationale
- CLAUDE.md for AI assistant context
Reference in New Issue View Git Blame Copy Permalink