Infrastructure-as-code framework for Active Directory objects and Group Policy. Sanitized from production deployment for public sharing.
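# OU Delegation Definitions
#
# Processed after groups and users exist (Step 5).
# Defines what security groups get what permissions on which OUs.
#
# This file is data, not logic: evaluating it emits an array of hashtables
# (GroupName / TargetOUs / Rights) that the Step 5 processor turns into ACEs.
# $domainDN is the only variable it defines.
#
# Rights syntax (each token is mapped to one ACE by the processor):
#   'FullControl'       - GenericAll on the OU and all descendants
#   'ListContents'      - ListChildren on the OU itself
#   'ReadAllProperties' - ReadProperty (all) on the OU itself
#   'ResetPassword'     - Extended right on descendant user objects
#   'ReadWriteProperty:<attributeName>'
#                       - Read+Write a specific attribute on descendant user objects
#
# Review notes (security):
#   * GenericAll, ResetPassword and write access to userAccountControl are all
#     account-takeover primitives: a holder can take over every account placed
#     under the delegated OU. The delegation is only as tight as OU placement,
#     so never move privileged, service or admin accounts under an OU that is
#     delegated here to a helpdesk-style group.
#   * The groups named here are custom groups; unless they are nested into an
#     AdminSDHolder-protected group their ACLs are not automatically protected.
#     Treat their membership as Tier-0-sensitive and review it as such.

# Sanitized domain DN; every TargetOU below is built relative to it.
$domainDN = 'DC=example,DC=internal'

@(
    # Tier-0-equivalent: GenericAll over the admin account and admin
    # workstation OUs (password resets, gPLink writes, ...) makes this group
    # as powerful as the accounts it controls. Keep membership minimal.
    @{
        GroupName = 'MasterAdmins'
        TargetOUs = @(
            "OU=ExampleUsers,$domainDN"
            "OU=ExampleWorkstations,$domainDN"
            "OU=ExampleServers,$domainDN"
            "OU=ExampleAdmins,$domainDN"
            "OU=ExampleAdminWorkstations,$domainDN"
        )
        # Always an array so every entry's Rights is iterated the same way
        # (a single-element array behaves like the bare string in foreach,
        # switch, -eq and -contains).
        Rights = @('FullControl')
    }

    # Helpdesk-style delegation, deliberately scoped to the standard-user OU
    # only (not the admin or server OUs).
    @{
        GroupName = 'DelegatedAdmins'
        TargetOUs = @(
            "OU=ExampleUsers,$domainDN"
        )
        Rights = @(
            'ListContents'
            'ReadAllProperties'
            # Force password change on any descendant user = full takeover of
            # that account. Acceptable only while no privileged account lives
            # under OU=ExampleUsers.
            'ResetPassword'
            # Required to enable/disable accounts, but the same attribute also
            # carries DONT_REQ_PREAUTH, PASSWD_NOTREQD and the delegation
            # flags; monitor changes to it (DC event 4738).
            'ReadWriteProperty:userAccountControl'
            # Unlock accounts (writing lockoutTime = 0).
            'ReadWriteProperty:lockoutTime'
            # Identity / contact attributes; low risk.
            'ReadWriteProperty:displayName'
            'ReadWriteProperty:givenName'
            'ReadWriteProperty:sn'
            'ReadWriteProperty:mail'
            'ReadWriteProperty:telephoneNumber'
            'ReadWriteProperty:description'
        )
    }
)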