├── 02-AD_LAPS_Install
├── LAPS.x64.msi
├── AdmPwd.PS
│ ├── AdmPwd.PS.dll
│ ├── AdmPwd.PS.psd1
│ ├── AdmPwd.Utils.dll
│ └── AdmPwd.PS.format.ps1xml
├── InstallLAPSSchema.ps1
├── AdmPwd.adml
└── AdmPwd.admx
├── 01-AD_Setup_Domain
├── config.json
└── DCSetup.ps1
├── 03-AD_OU_CreateStructure
├── 3lettercodes.csv
└── CreateOUStructure.ps1
├── README.md
├── 04-AD_Users_Create
├── Names
│ ├── male_names.txt
│ ├── female_names.txt
│ └── names.txt
└── CreateUsers.ps1
├── 05-AD_Groups_Create
├── CreateGroups.ps1
└── groups.txt
├── CONTRIBUTING.md
├── AD_Connect_To_TestDomain
└── Add-TestDrive.ps1
├── AD_OU_SetACL
├── GPO Control Permissions.ps1
├── Full Control Permissions.ps1
├── Printer Control Permissions.ps1
├── OU Control Permissions.ps1
├── SetACL on OU.ps1
├── Replication Control Permissions.ps1
├── Group Control Permissions.ps1
├── Site and Subnet Control Permissions.ps1
├── User Control Permissions.ps1
└── Computer Control Permissions.ps1
├── 08-AD_Random_Groups
└── AddRandomToGroups.ps1
├── 07-AD_Permissions_Randomiser
├── Create Admin Groups_v2.ps1
└── GenerateRandomPermissions.ps1
├── 09-AD_Misc_Vulns
└── Add-MiscVulns.ps1
├── Invoke-Sparkler.ps1
├── 06-AD_Computers_Create
└── CreateComputers.ps1
└── LICENSE
/02-AD_LAPS_Install/LAPS.x64.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurobeats/Sparkler/HEAD/02-AD_LAPS_Install/LAPS.x64.msi
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.PS.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurobeats/Sparkler/HEAD/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.PS.dll
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.PS.psd1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurobeats/Sparkler/HEAD/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.PS.psd1
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.Utils.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kurobeats/Sparkler/HEAD/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.Utils.dll
--------------------------------------------------------------------------------
/01-AD_Setup_Domain/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "shell": {
3 | "DefaultShell": "explorer.exe"
4 | },
5 | "domain": {
6 | "DomainName": "sparkler.bmb",
7 | "DomainNetbiosName": "SPARKLER",
8 | "SafeModeAdministratorPassword": "Password123!"
9 | }
10 | }
--------------------------------------------------------------------------------
/03-AD_OU_CreateStructure/3lettercodes.csv:
--------------------------------------------------------------------------------
1 | name,description
2 | BDE,Business Development
3 | HRE,Human Relations
4 | FIN,Finance
5 | OGC,Office of the General Counsel
6 | FSR,Field Services
7 | AWS,AWS Stuff
8 | ESM,Endpoint System Management
9 | SEC,Information Security
10 | ITS,Information Technology Services
11 | GOO,Google Cloud
12 | AZR,Azure Cloud stuff
13 | TST,Testing Admin Stuff
14 | SAL,Sales
15 | ACC,Accounting
16 | CMC,Content Management Consulting
17 | CRE,Creative
18 | CRS,CRM Strategy
19 | ENG,Engineering
20 | PAC,Human Resources
21 | PM0,Project Management
22 | OPE,Operations
23 | CON,Consultant
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/InstallLAPSSchema.ps1:
--------------------------------------------------------------------------------
function Get-ScriptDirectory {
    <#
    .SYNOPSIS
    Returns the folder that contains the running script (parent of $PSCommandPath).
    Used so the LAPS module and ADMX/ADML files are located relative to this file,
    not to the caller's working directory.
    #>
    return (Split-Path -Path $PSCommandPath -Parent)
}
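$scriptPath = Get-ScriptDirectory

# Destinations: the machine-wide PowerShell module path and the central ADMX/ADML store.
# Writing to either needs local Administrator rights on the machine running this script.
$modulesRoot    = 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules'
$moduleDest     = Join-Path $modulesRoot 'admpwd.ps'
$policyDefsRoot = 'C:\Windows\PolicyDefinitions'

# NOTE(review): AdmPwd.PS.dll / AdmPwd.Utils.dll are copied straight out of this repository
# into System32 and then loaded. Confirm they match the Microsoft LAPS release (signature or
# hash) before running the schema extension below — TODO confirm provenance.
# One recursive copy replaces the original "copy the folder, then copy each file" pair; the
# resulting layout (Modules\admpwd.ps\<files>) is the same. -ErrorAction Stop so a failed copy
# does not silently fall through to Import-Module / Update-AdmPwdADSchema.
New-Item -ItemType Directory -Path $moduleDest -Force | Out-Null
Copy-Item -Path (Join-Path $scriptPath 'admpwd.ps\*') -Destination $moduleDest -Recurse -Force -ErrorAction Stop
Copy-Item -Path (Join-Path $scriptPath 'AdmPwd.admx') -Destination $policyDefsRoot -ErrorAction Stop
Copy-Item -Path (Join-Path $scriptPath 'AdmPwd.adml') -Destination (Join-Path $policyDefsRoot 'en-US') -ErrorAction Stop

# Fail here, with a clear message, if the module did not land rather than half-way through
# the schema change.
Import-Module ADMPwd.ps -ErrorAction Stop

# Extends the AD schema with the LAPS attributes. Schema changes are forest-wide and not
# reversible; the account running this must be allowed to modify the schema (typically
# Schema Admins — confirm for your lab).
Update-AdmPwdADSchema

# Scoped at the DOMAIN ROOT on purpose: every computer object in the domain gets the SELF
# permission the cmdlet grants (per its name, the right to write its own LAPS password
# attributes). Narrow -OrgUnit if only part of the lab should be LAPS-managed.
Set-AdmPwdComputerSelfPermission -OrgUnit (Get-ADDomain).DistinguishedName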
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Sparkler
2 |
3 | sparkler bomb
4 |
5 | [ˈspɑːklə bɒm]
6 |
7 | NOUN
8 | 1. A bottle full of sparkler dust that once lit, is highly unpredictable.
9 |
10 |
Forked from [BadBlood](https://github.com/davidprowe/BadBlood) which was written by David Rowe and mashed together with kurobeats' [Active-Directory-User-Script](https://github.com/kurobeats/Active-Directory-User-Script) and WazeHell's [vulnerable-AD](https://github.com/WazeHell/vulnerable-AD). The tool creates a Microsoft Active Directory Domain with a structure and objects. The output of the tool aims to recreate domains seen in the real world (users at least, not sure admins would be this insane...). After Sparkler creates a domain, users can gain an understanding of the inner workings of Active Directory. Each time this tool creates a domain, it produces different results. Everything it builds is deliberately insecure — the DSRM password is a fixed plain-text value in `01-AD_Setup_Domain/config.json`, permissions are randomised by `07-AD_Permissions_Randomiser`, and `09-AD_Misc_Vulns` adds further weaknesses — so only run it against a throw-away, network-isolated lab forest.
12 |
--------------------------------------------------------------------------------
/01-AD_Setup_Domain/DCSetup.ps1:
--------------------------------------------------------------------------------
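# Load the domain settings. Resolve config.json next to this script when $PSScriptRoot is
# available so the script works regardless of the caller's working directory; otherwise keep
# the original repo-root-relative path for callers that invoke it the old way.
$configPath = if ($PSScriptRoot) { Join-Path $PSScriptRoot 'config.json' } else { '01-AD_Setup_Domain\config.json' }
$Configuration = Get-Content -Path $configPath -Raw | ConvertFrom-Json

# Validate before touching the OS: with a missing/empty value the promotion would only fail
# after AD-Domain-Services had already been installed and the Winlogon shell changed.
foreach ($key in 'DomainName', 'DomainNetbiosName', 'SafeModeAdministratorPassword') {
    if ([string]::IsNullOrEmpty($Configuration.domain.$key)) {
        throw "config.json: domain.$key is missing or empty"
    }
}

# The DSRM (Safe Mode) password is stored in PLAIN TEXT in config.json and the repository
# ships a default value. Change it before running anywhere that is not a throw-away lab.
Write-Warning "SafeModeAdministratorPassword is read in plain text from $configPath; change the repo default for any non-lab use."

# Machine-wide logon shell (HKLM Winlogon\Shell), taken from config (repo default: explorer.exe).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value $Configuration.shell.DefaultShell

Get-WindowsFeature -Name AD-Domain-Services | Install-WindowsFeature -Verbose

Import-Module ADDSDeployment

# New forest, DNS installed locally, no delegation in a parent zone.
# -NoRebootOnCompletion: the caller decides when to reboot (the DC is not live until then).
# -Force: suppress the interactive confirmation so the step is unattended.
# ConvertTo-SecureString -AsPlainText is unavoidable here because the password source is a
# plain-text file; see the warning above.
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "WinThreshold" `
    -DomainName $Configuration.domain.DomainName `
    -DomainNetbiosName $Configuration.domain.DomainNetbiosName `
    -ForestMode "WinThreshold" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$true `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString ($Configuration.domain.SafeModeAdministratorPassword) -AsPlainText -Force) `
    -Force:$true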
--------------------------------------------------------------------------------
/04-AD_Users_Create/Names/male_names.txt:
--------------------------------------------------------------------------------
1 | Aaron
2 | Adam
3 | Aidan
4 | Aiden
5 | Alex
6 | Alexander
7 | Ali
8 | Andrew
9 | Angus
10 | Anthony
11 | Archer
12 | Archie
13 | Arlo
14 | Arthur
15 | Ashton
16 | Austin
17 | Bailey
18 | Beau
19 | Ben
20 | Benjamin
21 | Blake
22 | Bodhi
23 | Brayden
24 | Brock
25 | Brodie
26 | Caleb
27 | Callum
28 | Cameron
29 | Carter
30 | Charles
31 | Charlie
32 | Christian
33 | Christopher
34 | Cody
35 | Connor
36 | Cooper
37 | Daniel
38 | Darcy
39 | David
40 | Dean
41 | Declan
42 | Dominic
43 | Dylan
44 | Edward
45 | Eli
46 | Elijah
47 | Ethan
48 | Felix
49 | Finn
50 | Fletcher
51 | Flynn
52 | Gabriel
53 | George
54 | Hamish
55 | Harley
56 | Harrison
57 | Harry
58 | Harvey
59 | Hayden
60 | Henry
61 | Hudson
62 | Hugo
63 | Hunter
64 | Isaac
65 | Jack
66 | Jackson
67 | Jacob
68 | Jai
69 | Jake
70 | James
71 | Jamie
72 | Jasper
73 | Jaxon
74 | Jayden
75 | Jeremy
76 | Jesse
77 | Jett
78 | Joel
79 | John
80 | Jonathan
81 | Jordan
82 | Joseph
83 | Joshua
84 | Jude
85 | Julian
86 | Justin
87 | Kai
88 | Koby
89 | Lachlan
90 | Leo
91 | Leon
92 | Levi
93 | Liam
94 | Lincoln
95 | Logan
96 | Louis
97 | Luca
98 | Lucas
99 | Luke
100 | Marcus
101 | Mason
102 | Matthew
103 | Max
104 | Michael
105 | Mitchell
106 | Muhammad
107 | Nate
108 | Nathan
109 | Nathaniel
110 | Nicholas
111 | Noah
112 | Oliver
113 | Oscar
114 | Owen
115 | Parker
116 | Patrick
117 | Riley
118 | Rory
119 | Ryan
120 | Ryder
121 | Sam
122 | Samuel
123 | Sean
124 | Sebastian
125 | Seth
126 | Sher
127 | Sonny
128 | Spencer
129 | Taj
130 | Theodore
131 | Thomas
132 | Timothy
133 | Toby
134 | Tristan
135 | Tyler
136 | Tyson
137 | Vincent
138 | Will
139 | William
140 | Xavier
141 | Zac
142 | Zachary
143 | Zane
--------------------------------------------------------------------------------
/05-AD_Groups_Create/CreateGroups.ps1:
--------------------------------------------------------------------------------
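Function CreateGroup {
    <#
    .SYNOPSIS
    Creates one randomly named, randomly placed global security group in the current domain.

    .DESCRIPTION
    Picks a random OU as the container, a random user as ManagedBy and a random line from
    groups.txt (next to this script) truncated to at most 9 characters as the group name.
    One call creates at most one group; call repeatedly to populate a lab domain.

    .NOTES
    Requires the ActiveDirectory module and rights to create groups in the chosen OU.
    Failures (e.g. a duplicate name in the same OU) are reported as warnings, not swallowed.
    #>

    # Create against the PDC emulator so the object is immediately visible to later steps.
    $setDC = (Get-ADDomain).PDCEmulator

    # ManagedBy: a random user out of the first 2500 returned.
    $userlist  = Get-ADUser -ResultSetSize 2500 -Server $setDC -Filter *
    $ownerinfo = Get-Random -InputObject $userlist

    $Description = ''

    # Container: a random OU. (Containers are intentionally not included yet.)
    $OUsAll     = Get-ADObject -Filter { objectclass -eq 'organizationalunit' } -ResultSetSize 300
    $ouLocation = (Get-Random -InputObject $OUsAll).DistinguishedName

    function Get-ScriptDirectory {
        Split-Path -Parent $PSCommandPath
    }
    $groupscriptPath = Get-ScriptDirectory

    # Pick the candidate name ONCE and truncate to what is actually available. The previous
    # try/catch re-rolled a different random line in the catch block, and .Substring(0, 3)
    # still threw for lines shorter than 3 characters.
    $candidate = Get-Content -Path (Join-Path $groupscriptPath 'groups.txt') | Get-Random
    $GroupNameFull = $candidate.Substring(0, [Math]::Min(9, $candidate.Length))

    try {
        New-ADGroup -Server $setDC -Description $Description -Name $GroupNameFull -Path $ouLocation -GroupCategory Security -GroupScope Global -ManagedBy $ownerinfo.DistinguishedName
    }
    catch {
        # Report instead of silently swallowing, so a run that creates nothing is visible.
        Write-Warning ("Could not create group '{0}' in '{1}': {2}" -f $GroupNameFull, $ouLocation, $_.Exception.Message)
    }
}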
42 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing
2 |
3 | When contributing to this repository, please first discuss the change you wish to make via issue,
4 | email, or any other method with the owners of this repository before making a change.
5 |
6 | Please note we have a code of conduct, please follow it in all your interactions with the project.
7 |
8 | ## Pull Request Process
9 |
10 | 1. Ensure any install or build dependencies are removed before the end of the layer when doing a
11 | build.
12 | 2. Update the README.md with details of changes to the interface, this includes new environment
13 | variables, exposed ports, useful file locations and container parameters.
14 | 3. Increase the version numbers in any examples files and the README.md to the new version that this
15 | Pull Request would represent.
16 | 4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you
17 | do not have permission to do that, you may request the second reviewer to merge it for you.
18 |
19 | ## Code of Conduct
20 |
21 | Keeping this simple by requiring people to be civil. The repo will be moderated and monitored and generally abusive behaviour will not be tolerated. Failure to comply may result in action being taken against offenders.
22 |
23 | ## Coding Standard
Please ensure that you read the following coding standard for PowerShell provided by [Microsoft](https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/strongly-encouraged-development-guidelines?view=powershell-7)

Your submissions should comply with this standard and may be rejected if they do not sufficiently meet it. If there is enough sentiment to move to a new coding standard, please raise an issue so it can be discussed.
27 |
28 | ### Attribution
29 |
30 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
31 | available at [http://contributor-covenant.org/version/1/4][version]
32 |
33 | [homepage]: http://contributor-covenant.org
34 | [version]: http://contributor-covenant.org/version/1/4/
35 |
--------------------------------------------------------------------------------
/04-AD_Users_Create/Names/female_names.txt:
--------------------------------------------------------------------------------
1 | Aaliyah
2 | Abbey
3 | Abby
4 | Abigail
5 | Addison
6 | Alana
7 | Alannah
8 | Alexandra
9 | Alexis
10 | Alica
11 | Alice
12 | Alicia
13 | Alyssa
14 | Amber
15 | Amelia
16 | Amelie
17 | Amy
18 | Angelina
19 | Angus
20 | Anna
21 | Annabelle
22 | Archer
23 | Aria
24 | Ariana
25 | Ashley
26 | Audrey
27 | Aurora
28 | Ava
29 | Ayla
30 | Bailey
31 | Bella
32 | Ben
33 | Bethany
34 | Bianca
35 | Billie
36 | Bonnie
37 | Brianna
38 | Brooke
39 | Caitlin
40 | Caitlyn
41 | Caleb
42 | Cameron
43 | Charli
44 | Charlie
45 | Charlotte
46 | Chelsea
47 | Chloe
48 | Christian
49 | Christopher
50 | Claire
51 | Claudia
52 | Daisy
53 | Dakota
54 | Dominic
55 | Ebony
56 | Eden
57 | Eleanor
58 | Elena
59 | Elijah
60 | Eliza
61 | Elizabeth
62 | Ella
63 | Ellie
64 | Eloise
65 | Elsie
66 | Emilia
67 | Emily
68 | Emma
69 | Erin
70 | Eva
71 | Eve
72 | Evelyn
73 | Evie
74 | Florence
75 | Flynn
76 | Frankie
77 | Freya
78 | Gabriella
79 | Gabrielle
80 | Gemma
81 | Georgia
82 | Grace
83 | Hannah
84 | Harlow
85 | Harper
86 | Harriet
87 | Harry
88 | Hayley
89 | Hazel
90 | Heidi
91 | Holly
92 | Imogen
93 | Indiana
94 | Isabel
95 | Isabella
96 | Isabelle
97 | Isla
98 | Ivy
99 | Jade
100 | Jake
101 | Jasmine
102 | Jasper
103 | Jaxon
104 | Jesse
105 | Jessica
106 | Jorja
107 | Joseph
108 | Joshua
109 | Julian
110 | Justin
111 | Kaitlyn
112 | Kate
113 | Katie
114 | Kayla
115 | Keira
116 | Kiara
117 | Lachlan
118 | Lara
119 | Laura
120 | Lauren
121 | Layla
122 | Leah
123 | Lilian
124 | Lilly
125 | Lily
126 | Lincoln
127 | Logan
128 | Lola
129 | Lucinda
130 | Lucy
131 | Luna
132 | Mackenzie
133 | Maddison
134 | Madeleine
135 | Madeline
136 | Madison
137 | Makayla
138 | Mariam
139 | Mary
140 | Matilda
141 | Matthew
142 | Max
143 | Maya
144 | Mia
145 | Mikayla
146 | Mila
147 | Milla
148 | Millie
149 | Molly
150 | Natalie
151 | Natasha
152 | Noah
153 | Olive
154 | Olivia
155 | Oscar
156 | Paige
157 | Penelope
158 | Peyton
159 | Phoebe
160 | Piper
161 | Poppy
162 | Quinn
163 | Rachel
164 | Rebecca
165 | Riley
166 | Rory
167 | Rose
168 | Ruby
169 | Samantha
170 | Samuel
171 | Sara
172 | Sarah
173 | Savannah
174 | Scarlett
175 | Sienna
176 | Skye
177 | Sofia
178 | Sophia
179 | Sophie
180 | Stella
181 | Stephanie
182 | Summer
183 | Tahlia
184 | Taj
185 | Tayla
186 | Taylah
187 | Thomas
188 | Timothy
189 | Tyler
190 | Victoria
191 | Violet
192 | William
193 | Willow
194 | Zac
195 | Zara
196 | Zoe
--------------------------------------------------------------------------------
/AD_Connect_To_TestDomain/Add-TestDrive.ps1:
--------------------------------------------------------------------------------
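function Add-TestDrives {
    <#
    .SYNOPSIS
    Mounts the test domain controller as a PowerShell drive (ActiveDirectory provider).
    TCP 9389 (Active Directory Web Services) must be reachable from your machine to the DC.

    .DESCRIPTION
    Creates a global PSDrive named $TestName rooted at the RootDSE of the DC given by $TestDC.
    You are prompted for credentials with the user name pre-filled as "<TestDN>\". The drive
    is only created if none with that name exists yet.

    .PARAMETER TestDC
    IP address or DNS name of the domain controller. Default 10.1.1.10.
    (The 'creds' alias is kept for backward compatibility only; it is NOT a credential.)

    .PARAMETER TestDN
    Domain name used to pre-fill the credential prompt. Default domain.com.

    .PARAMETER TestName
    Name of the PSDrive to create. Default 'domain'.

    .EXAMPLE
    PS C:\> Add-TestDrives
    PS C:\> Add-TestDrives -TestDC 10.0.0.123 #connects to the specified domain controller IP
    PS C:\> Add-TestDrives -TestDC 10.1.1.20 -TestDN sparkler.bmb -Testname 'TestAD'

    .NOTES
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $false,
            Position = 1,
            HelpMessage = 'Add IP or DNSName of your Domain Controller')]
        [Alias('creds')]
        [System.String]$TestDC = '10.1.1.10',
        [Parameter(Position = 2,
            HelpMessage = 'Specify the DN for the domain')]
        [System.String]$TestDN = 'domain.com',
        [Parameter(Mandatory = $false,
            Position = 3,
            HelpMessage = 'Use this if you want to specify a drive variable')]
        [System.String]$TestName = 'domain'
    )

    # The ActiveDirectory provider ships with the AD module; without it New-PSDrive below
    # cannot work, so fail here with a clear error instead of later with a provider error.
    if (-not (Get-Module -Name ActiveDirectory)) {
        Import-Module ActiveDirectory -ErrorAction Stop
    }

    # Drive name as the user will type it, e.g. "domain:".
    $TestFullName = $TestName + ':'

    # This drive points at a Sparkler lab forest, never at production; label it as such.
    # (The previous label "Production" was misleading for a tool that builds a vulnerable lab.)
    $level = 'Test'

    # Always announce the target; the old `if (!$domain)` guard depended on a variable this
    # function never set, so the message could silently disappear in some sessions.
    Write-Host ('Attempting to connect to ' + $TestDC + '. Connecting to domain named: ' + $TestDN) -ForegroundColor Yellow

    # Pre-filling "<domain>\" in the credential prompt means only the account name is typed.
    if (-not (Test-Path $TestFullName)) {
        New-PSDrive -Name $TestName -PSProvider ActiveDirectory -Server $TestDC -Root '//RootDSE/' -Scope Global -Credential "$TestDN\"
    }

    if (Test-Path $TestFullName) {
        # Stray "$" in the original message removed.
        Write-Host "To change to $level $TestDN type 'cd $TestFullName'" -ForegroundColor Green
    }
}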
# Script entry point: runs with the parameter defaults above (10.1.1.10 / domain.com /
# drive "domain"). Dot-source this file instead if you want to call Add-TestDrives with
# -TestDC / -TestDN / -TestName.
Add-TestDrives
--------------------------------------------------------------------------------
/AD_OU_SetACL/GPO Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ######
2 | # GPO Tasks
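Function LinkGPO($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup read/write on the gPLink and gPOptions attributes of $objOU — the right
    # to link/unlink GPOs there. Write on gPLink is widely treated as a privilege-escalation
    # primitive (the holder can link a GPO of their choosing to everything under the OU);
    # deliberate in this lab, never something to grant casually elsewhere.
    # $guidmap (attribute name -> schema GUID) must be populated by the caller.

    # Reset $error so the success check below reflects THIS call only (the sibling RSoP
    # functions already do this); -ErrorAction Stop makes a Set-Acl failure reach the catch
    # block even when it is reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["gplink"], $inheritanceType))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["gpoptions"], $inheritanceType))

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to link group policies on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to link group policies on the OU " + $objOU)
    }
}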
22 |
Function GenerateRsopPlanning($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup the "Generate resultant set of policy (Planning)" extended right on
    # $objOU. The caller's inheritance keywords are remapped (Descendents -> All,
    # Children -> None), presumably so the right also lands on the OU object itself —
    # TODO confirm against the caller in SetACL on OU.ps1.
    # Expects $extendedrightsmap (display name -> rights GUID) to be set by the caller.
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean $error so the success check at the end reflects this call only.
    $error.Clear()

    $sid       = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Generate resultant set of policy (Planning)"]
    $nullGuid  = "00000000-0000-0000-0000-000000000000"
    $rule      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, $nullGuid

    $acl = Get-Acl $objOU
    $acl.AddAccessRule($rule)

    $what = " the permission Generate resultant set of policy (Planning) on the OU "
    try {
        Set-Acl -AclObject $acl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + $what + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + $what + $objOU)
    }
}
46 |
Function GenerateRsopLogging($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup the "Generate resultant set of policy (Logging)" extended right on
    # $objOU. Inheritance keywords are remapped (Descendents -> All, Children -> None),
    # presumably so the right also applies to the OU object itself — TODO confirm against
    # the caller in SetACL on OU.ps1.
    # Expects $extendedrightsmap (display name -> rights GUID) to be set by the caller.
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean $error so the success check at the end reflects this call only.
    $error.Clear()

    $sid       = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Generate resultant set of policy (Logging)"]
    $nullGuid  = "00000000-0000-0000-0000-000000000000"
    $rule      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, $nullGuid

    $acl = Get-Acl $objOU
    $acl.AddAccessRule($rule)

    $what = " the permission Generate resultant set of policy (Logging) on the OU "
    try {
        Set-Acl -AclObject $acl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + $what + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + $what + $objOU)
    }
}
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.adml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | LAPS
9 | Enable local admin password management
10 |
11 | Enables management of password for local administrator account
12 |
13 | If you enable this setting, local administrator password is managed
14 |
15 | If you disable or not configure this setting, local administrator password is NOT managed
16 |
17 | Password Settings
18 |
19 | Configures password parameters
20 |
21 | Password complexity: which characters are used when generating a new password
22 | Default: Large letters + small letters + numbers + special characters
23 |
24 | Password length
25 | Minimum: 8 characters
26 | Maximum: 64 characters
27 | Default: 14 characters
28 |
29 | Password age in days
30 | Minimum: 1 day
31 | Maximum: 365 days
32 | Default: 30 days
33 |
34 | At least Microsoft Windows Vista or Windows Server 2003 family
35 | Large letters
36 | Large letters + small letters
37 | Large letters + small letters + numbers
38 | Large letters + small letters + numbers + specials
39 | Name of administrator account to manage
40 |
41 | Administrator account name: name of the local account you want to manage password for.
42 | DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed
43 |
44 | DO configure when you use custom local admin account
45 |
46 | Do not allow password expiration time longer than required by policy
47 |
48 | When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
49 |
50 | When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy.
51 |
52 |
53 |
54 |
55 | Password Complexity
56 | Password Length
57 | Password Age (Days)
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/04-AD_Users_Create/Names/names.txt:
--------------------------------------------------------------------------------
1 | Aaliyah
2 | Aaron
3 | Abbey
4 | Abby
5 | Abigail
6 | Adam
7 | Addison
8 | Aidan
9 | Aiden
10 | Alana
11 | Alannah
12 | Alex
13 | Alexander
14 | Alexandra
15 | Alexis
16 | Ali
17 | Alica
18 | Alice
19 | Alicia
20 | Alyssa
21 | Amber
22 | Amelia
23 | Amelie
24 | Amy
25 | Andrew
26 | Angelina
27 | Angus
28 | Anna
29 | Annabelle
30 | Anthony
31 | Archer
32 | Archie
33 | Aria
34 | Ariana
35 | Arlo
36 | Arthur
37 | Ashley
38 | Ashton
39 | Audrey
40 | Aurora
41 | Austin
42 | Ava
43 | Ayla
44 | Bailey
45 | Beau
46 | Bella
47 | Ben
48 | Benjamin
49 | Bethany
50 | Bianca
51 | Billie
52 | Blake
53 | Bodhi
54 | Bonnie
55 | Brayden
56 | Brianna
57 | Brock
58 | Brodie
59 | Brooke
60 | Caitlin
61 | Caitlyn
62 | Caleb
63 | Callum
64 | Cameron
65 | Carter
66 | Charles
67 | Charli
68 | Charlie
69 | Charlotte
70 | Chelsea
71 | Chloe
72 | Christian
73 | Christopher
74 | Claire
75 | Claudia
76 | Cody
77 | Connor
78 | Cooper
79 | Daisy
80 | Dakota
81 | Daniel
82 | Darcy
83 | David
84 | Dean
85 | Declan
86 | Dominic
87 | Dylan
88 | Ebony
89 | Eden
90 | Edward
91 | Eleanor
92 | Elena
93 | Eli
94 | Elijah
95 | Eliza
96 | Elizabeth
97 | Ella
98 | Ellie
99 | Eloise
100 | Elsie
101 | Emilia
102 | Emily
103 | Emma
104 | Erin
105 | Ethan
106 | Eva
107 | Eve
108 | Evelyn
109 | Evie
110 | Felix
111 | Finn
112 | Fletcher
113 | Florence
114 | Flynn
115 | Frankie
116 | Freya
117 | Gabriel
118 | Gabriella
119 | Gabrielle
120 | Gemma
121 | George
122 | Georgia
123 | Grace
124 | Hamish
125 | Hannah
126 | Harley
127 | Harlow
128 | Harper
129 | Harriet
130 | Harrison
131 | Harry
132 | Harvey
133 | Hayden
134 | Hayley
135 | Hazel
136 | Heidi
137 | Henry
138 | Holly
139 | Hudson
140 | Hugo
141 | Hunter
142 | Imogen
143 | Indiana
144 | Isaac
145 | Isabel
146 | Isabella
147 | Isabelle
148 | Isla
149 | Ivy
150 | Jack
151 | Jackson
152 | Jacob
153 | Jade
154 | Jai
155 | Jake
156 | James
157 | Jamie
158 | Jasmine
159 | Jasper
160 | Jaxon
161 | Jayden
162 | Jeremy
163 | Jesse
164 | Jessica
165 | Jett
166 | Joel
167 | John
168 | Jonathan
169 | Jordan
170 | Jorja
171 | Joseph
172 | Joshua
173 | Jude
174 | Julian
175 | Justin
176 | Kai
177 | Kaitlyn
178 | Kate
179 | Katie
180 | Kayla
181 | Keira
182 | Kiara
183 | Koby
184 | Lachlan
185 | Lara
186 | Laura
187 | Lauren
188 | Layla
189 | Leah
190 | Leo
191 | Leon
192 | Levi
193 | Liam
194 | Lilian
195 | Lilly
196 | Lily
197 | Lincoln
198 | Logan
199 | Lola
200 | Louis
201 | Luca
202 | Lucas
203 | Lucinda
204 | Lucy
205 | Luke
206 | Luna
207 | Mackenzie
208 | Maddison
209 | Madeleine
210 | Madeline
211 | Madison
212 | Makayla
213 | Marcus
214 | Mariam
215 | Mary
216 | Mason
217 | Matilda
218 | Matthew
219 | Max
220 | Maya
221 | Mia
222 | Michael
223 | Mikayla
224 | Mila
225 | Milla
226 | Millie
227 | Mitchell
228 | Molly
229 | Muhammad
230 | Natalie
231 | Natasha
232 | Nate
233 | Nathan
234 | Nathaniel
235 | Nicholas
236 | Noah
237 | Olive
238 | Oliver
239 | Olivia
240 | Oscar
241 | Owen
242 | Paige
243 | Parker
244 | Patrick
245 | Penelope
246 | Peyton
247 | Phoebe
248 | Piper
249 | Poppy
250 | Quinn
251 | Rachel
252 | Rebecca
253 | Riley
254 | Rory
255 | Rose
256 | Ruby
257 | Ryan
258 | Ryder
259 | Sam
260 | Samantha
261 | Samuel
262 | Sara
263 | Sarah
264 | Savannah
265 | Scarlett
266 | Sean
267 | Sebastian
268 | Seth
269 | Sher
270 | Sienna
271 | Skye
272 | Sofia
273 | Sonny
274 | Sophia
275 | Sophie
276 | Spencer
277 | Stella
278 | Stephanie
279 | Summer
280 | Tahlia
281 | Taj
282 | Tayla
283 | Taylah
284 | Theodore
285 | Thomas
286 | Timothy
287 | Toby
288 | Tristan
289 | Tyler
290 | Tyson
291 | Victoria
292 | Vincent
293 | Violet
294 | Will
295 | William
296 | Willow
297 | Xavier
298 | Zac
299 | Zachary
300 | Zane
301 | Zara
302 | Zoe
--------------------------------------------------------------------------------
/AD_OU_SetACL/Full Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ######################################################################################################################
2 | # Full Control permissions
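Function FullControl($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup GenericAll (full control) on $objOU, propagated per $inheritanceType.
    # Intended here (vulnerable lab); in any real directory GenericAll on an OU is effectively
    # ownership of everything beneath it (reset passwords, change memberships, link GPOs, ...).

    # Reset $error so the success check below reflects THIS call only; -ErrorAction Stop makes
    # a Set-Acl failure reach the catch block even when reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU

    # All-zero GUIDs = no object-type and no inherited-object-type restriction.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "GenericAll", "Allow", "00000000-0000-0000-0000-000000000000", $inheritanceType, "00000000-0000-0000-0000-000000000000"))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        # The OU was missing from this message; include it so a partial run can be traced.
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " Full Control permissions on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " Full Control permissions on the OU " + $objOU)
    }
}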
25 |
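Function FullControlUsers($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup GenericAll over USER objects under $objOU (inherited-object-type =
    # $guidmap["user"]), propagated per $inheritanceType. This includes password reset and
    # attribute writes on every affected user; deliberate in this lab.
    # $guidmap (class name -> schema GUID) must be populated by the caller.

    # Reset $error so the success check below reflects THIS call only; -ErrorAction Stop makes
    # a Set-Acl failure reach the catch block even when reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU

    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "GenericAll", "Allow", "00000000-0000-0000-0000-000000000000", $inheritanceType, $guidmap["user"]))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " Full Control permissions over User Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " Full Control permissions over User Objects on the OU " + $objOU)
    }
}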
48 |
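Function FullControlGroups($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup GenericAll over GROUP objects under $objOU (inherited-object-type =
    # $guidmap["group"]), propagated per $inheritanceType. Full control of a group means
    # control of its membership; deliberate in this lab.
    # $guidmap (class name -> schema GUID) must be populated by the caller.

    # Reset $error so the success check below reflects THIS call only; -ErrorAction Stop makes
    # a Set-Acl failure reach the catch block even when reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU

    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "GenericAll", "Allow", "00000000-0000-0000-0000-000000000000", $inheritanceType, $guidmap["group"]))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " Full Control permissions over Group Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " Full Control permissions over Group Objects on the OU " + $objOU)
    }
}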
70 |
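Function FullControlComputers($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup GenericAll over COMPUTER objects under $objOU (inherited-object-type =
    # $guidmap["computer"]), propagated per $inheritanceType. Deliberate in this lab.
    # $guidmap (class name -> schema GUID) must be populated by the caller.

    # Reset $error so the success check below reflects THIS call only; -ErrorAction Stop makes
    # a Set-Acl failure reach the catch block even when reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU

    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "GenericAll", "Allow", "00000000-0000-0000-0000-000000000000", $inheritanceType, $guidmap["computer"]))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " Full Control permissions over Computer Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " Full Control permissions over Computer Objects on the OU " + $objOU)
    }
}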
90 |
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.admx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
--------------------------------------------------------------------------------
/AD_OU_SetACL/Printer Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | #######
2 | # Printer Tasks
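Function CreatePrintQueue($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup CreateChild for printQueue objects on $objOU. Inheritance keywords are
    # remapped (Descendents -> All, Children -> None), presumably so the right applies to the
    # OU object itself — TODO confirm against the caller in SetACL on OU.ps1.
    # $guidmap (class name -> schema GUID) must be populated by the caller.
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset $error so the success check below reflects THIS call only; -ErrorAction Stop makes
    # a Set-Acl failure reach the catch block even when reported as a non-terminating error.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["printQueue"], $inheritanceType))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create Printer Queues on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create Printer Queues on the OU " + $objOU)
    }
}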
24 |
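# Grants $objGroup DeleteChild on $objOU, limited to the printQueue class.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use (same remap as the sibling files).
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function DeletePrintQueue($objGroup, $objOU, $inheritanceType) {

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # objectType = printQueue class GUID, so DeleteChild covers only print queue objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["printQueue"], $inheritanceType))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete Print Queues on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete Print Queues on the OU " + $objOU)
    }
}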
44 |
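# Grants $objGroup Read/WriteProperty on the distinguishedName, cn and name attributes of printQueue
# objects below $objOU (the attributes a rename touches).
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function RenamePrintQueue($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Six-argument form: objectType = attribute GUID, inheritedObjectType = printQueue class GUID.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["distinguishedName"], $inheritanceType, $guidmap["printQueue"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["cn"], $inheritanceType, $guidmap["printQueue"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["name"], $inheritanceType, $guidmap["printQueue"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Rename Print Queues on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Rename Print Queues on the OU " + $objOU)
    }
}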
66 |
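# Grants $objGroup Read/WriteProperty on printQueue objects below $objOU.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# NOTE(review): the ACE carries no attribute GUID, so it covers every attribute of the class,
# not a chosen subset; narrow it with per-attribute ACEs (as RenamePrintQueue does) if that matters.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function ModifyPrintQueueProperties($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Five-argument form here: the GUID argument is the inheritedObjectType (printQueue class).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["printQueue"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify print queue properties on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify print queue properties on the OU " + $objOU)
    }
}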
84 |
--------------------------------------------------------------------------------
/AD_OU_SetACL/OU Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ####################
2 | #OU Tasks
3 | #=============================
4 | # Confirm that the modify OU properties function does not allow ACL changes to the OUs
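# Grants $objGroup CreateChild on $objOU, limited to the organizationalUnit class.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use (same remap as the sibling files).
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function CreateOU($objGroup, $objOU, $inheritanceType) {

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # objectType = organizationalUnit class GUID, so CreateChild covers only OUs.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["organizationalUnit"], $inheritanceType))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create OUs on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create OUs on the OU " + $objOU)
    }
}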
25 |
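# Grants $objGroup DeleteChild on $objOU, limited to the organizationalUnit class.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use (same remap as the sibling files).
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function DeleteOU($objGroup, $objOU, $inheritanceType) {

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # objectType = organizationalUnit class GUID, so DeleteChild covers only OUs.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["organizationalUnit"], $inheritanceType))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete OUs on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete OUs on the OU " + $objOU)
    }
}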
46 |
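# Grants $objGroup Read/WriteProperty on the distinguishedName, cn and name attributes of
# organizationalUnit objects below $objOU (the attributes a rename touches).
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function RenameOU($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Six-argument form: objectType = attribute GUID, inheritedObjectType = organizationalUnit class GUID.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["distinguishedName"], $inheritanceType, $guidmap["organizationalUnit"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["cn"], $inheritanceType, $guidmap["organizationalUnit"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["name"], $inheritanceType, $guidmap["organizationalUnit"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Rename OUs on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Rename OUs on the OU " + $objOU)
    }
}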
66 |
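# Grants $objGroup Read/WriteProperty on organizationalUnit objects below $objOU.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# The ACE carries no attribute GUID, so it covers every attribute of the OU class. WriteProperty does
# not include WriteDacl, so this alone does not let the holder change the OU's ACL (see the file
# header note) - but it does cover the OU's GPO-link attributes (gPLink/gPOptions); use per-attribute
# ACEs if linking policy must stay a separate right.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function ModifyOUProperties($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Five-argument form: the GUID argument is the inheritedObjectType (organizationalUnit class).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["organizationalUnit"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        # Message corrected: this function grants property modification, not rename (the old text was
        # copied from RenameOU).
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Modify OU Properties on the OU " + $objOU)
    }

    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Modify OU Properties on the OU " + $objOU)
    }
}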
--------------------------------------------------------------------------------
/AD_OU_SetACL/SetACL on OU.ps1:
--------------------------------------------------------------------------------
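# Grants one AD group ReadProperty/WriteProperty on a list of attributes of one object class,
# inherited by the descendants of one OU. Everything here is script scope; the three lookup tables
# ($guidmap, $attributesecurityguid, $extendedrightsmap) are also what the "* Control Permissions.ps1"
# functions read, so this file must run before them.
# Requires the ActiveDirectory module (Get-ADRootDSE, Get-ADObject, Get-ADDomain, Get-ADGroup,
# Get-ADOrganizationalUnit) and the AD: PSDrive it provides.
$drive = "ad"

#====================
#Get a reference to the RootDSE of the current domain
$schemaPath = (Get-ADRootDSE)
# NOTE(review): this reads every object in the domain naming context with every property. It is only
# used by the commented-out lookups below and by $inheritedobjectguid, which the ACE built in the loop
# no longer references; consider dropping it once those are gone.
$schemaobjects = Get-ADObject -filter * -SearchBase $schemaPath.defaultNamingContext -Properties *
#Get a reference to the current domain
$domain = Get-ADDomain
#============================
#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($schemaPath.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
#this shows what guids belong to which extended security group (attribute -> property-set GUID)
$attributesecurityguid = @{}
Get-ADObject -SearchBase ($schemaPath.SchemaNamingContext) -LDAPFilter `
    "(&(schemaidguid=*)(attributeSecurityGUID=*))" -Properties lDAPDisplayName, attributesecurityguid |
    ForEach-Object { $attributesecurityguid[$_.lDAPDisplayName] = ([guid]$_.attributesecurityguid).guid }
#Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($schemaPath.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }


#============================


#$schemaobjects| where objectGUID -like '05e3036d-aa7a-49a1-8baf-efaca4f53fa2'|select ldapdisplayname,objectguid
#$schemaobjects| where ldapdisplayname -like 'gecos'|select ldapdisplayname,objectguid

#attributes to grant permissions to (lDAPDisplayName values; must exist as keys of $guidmap)
$AttributestoLookup = @('attname1', 'gecos')

#apply to what object type (lDAPDisplayName of the class)
$SchemaobjectToLookup = "user"
$inheritedobjectguid = $schemaobjects | where Name -like $schemaobjecttolookup | select ldapdisplayname, objectGUID

#group to get access described by attribute and object type above (placeholder name - edit before use)
$group = Get-ADgroup 'ewas-admin'
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID


#Domain and OU at which to grant access (placeholder DN - edit before use)

$ou = 'OU=TESTOUNAME,DC=testdomain,DC=edu'
$ou = Get-ADOrganizationalUnit $ou
# NOTE(review): Get-ACL is given the OU object rather than an AD: path, unlike $access below;
# it presumably relies on the current location already being on the AD: drive - confirm.
$acl = Get-ACL ($ou)


$access = Get-Acl -Path "$drive`:\\$OU"
#$access.access
<#
#$acl.Access|where-object identityreference -eq $group.sid.value
#############################################################################
ActiveDirectoryRights : ExtendedRight
InheritanceType : None
ObjectType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : S-1-5-21-870243273-3545234401-3913197981-137845
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
#>

# Refuse to build ACEs with a missing class GUID: a $null GUID argument would not scope the
# right to the intended class and could widen the grant instead of failing.
if (-not $guidmap.ContainsKey($SchemaobjectToLookup)) {
    throw "Class '$SchemaobjectToLookup' was not found in the schema GUID map; no ACE was written."
}

# One ACE per attribute: objectType = the attribute's schemaIDGUID, inheritedObjectType = the class
# GUID, so the right applies only to that attribute on objects of that class. $acl accumulates the
# rules and is written back after each one.
foreach ($attribute in $AttributestoLookup) {
    # Same guard as above, per attribute: an unknown name (e.g. the 'attname1' placeholder) must not
    # turn into an ACE with an empty objectType, which would cover every attribute.
    if (-not $guidmap.ContainsKey($attribute)) {
        Write-Warning "Attribute '$attribute' was not found in the schema GUID map; skipping it."
        continue
    }

    $identity = $SID #identityreference group that gains access
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, WriteProperty" #ActiveDirectoryRights
    $type = [System.Security.AccessControl.AccessControlType] "Allow" #AccessControlType
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents" #InheritanceType

    #$objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty,ReadProperty","Allow",$guidmap["memberOf"],$inheritanceType,$guidmap["user"]))
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $guidmap[$attribute], $inheritanceType, $guidmap[$SchemaobjectToLookup]

    $acl.AddAccessRule($ace)

    Set-Acl -path (get-adobject $ou.DistinguishedName) -AclObject $acl

}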
89 |
--------------------------------------------------------------------------------
/03-AD_OU_CreateStructure/CreateOUStructure.ps1:
--------------------------------------------------------------------------------
1 | #
2 | #GET ALL AFFILIATE CODES FROM ALL OUS in production
# Returns the directory containing the running script, derived from $PSCommandPath.
function Get-ScriptDirectory {
    $scriptFile = $PSCommandPath
    return (Split-Path -Path $scriptFile -Parent)
}
$scriptPath = Get-ScriptDirectory

# Top-level OUs created directly under the domain root. The first entry ('Admin') gets the tiered
# admin sub-structure; 'Global'/'National' get one OU per CSV row; 'Staff' gets CSV rows plus two
# fixed sub-OUs; entries in $skipSubOUs and everything else get no children.
$TopLevelOUs = @('Admin', 'Global', 'National', 'Staging', 'Quarantine', 'Staff', 'Testing', 'SCADA', 'Russia', 'Australia', 'SouthAmerica', 'Asia', 'Canada', 'UK')

# Second level under 'Admin'. 'Staging' is created but deliberately left empty (see the loop below).
$AdminSubOUs = @('Enterprise', 'Global', 'National', 'Staging')
#loop before the ou name by making T#-OBJECT name as the OU
# Third level under each admin sub-OU, prefixed T0-/T1-/T2- for Enterprise/Global/National.
$AdminobjectOUs = @('Accounts', 'Servers', 'Devices', 'Permissions', 'Roles')
#########################
# Top-level names that get no sub-containers at all.
$skipSubOUs = @('Disabled', 'Quarantine', 'Groups')
#########################
#$tierOUs = @('Global', 'National')
# Per-code sub-OUs created under each CSV-derived OU in 'Global'/'National'.
$ObjectSubOUs = @('ServiceAccounts', 'Groups', 'Devices', 'Test', 'Managed')


#Consolidated list of all 3 letter codes which IAM uses. Expected columns: name, description.
$3LetterCodeCSV = $scriptPath + '\3lettercodes.csv'


Set-Location c:
# Domain DN; every OU path below is built by string-prefixing "OU=<name>," onto it.
$dn = (Get-ADDomain).distinguishedname
#=============================================
#ROUND:1
#Create Top Level OUS
#=============================================
Write-host "Creating Tiered OU Structure" -ForegroundColor Green
$topOUCount = $TopLevelOUs.count
$x = 1
foreach ($name in $TopLevelOUs) {
    Write-Progress -Activity "Deploying OU Structure" -Status "Top Level OU Status:" -PercentComplete ($x / $topOUCount * 100)
    # No -Path: the cmdlet's default container is used (presumably the domain root). Only these
    # top-level OUs are protected from accidental deletion; the children below are not.
    New-ADOrganizationalUnit -Name $Name -ProtectedFromAccidentalDeletion:$true
    $fulldn = "OU=" + $name + "," + $dn
    #$toplevelouinfo = Get-ADOrganizationalUnit $fulldn
    #=====================================================================================
    #ROUND:2
    #Create First level Down Sub OUs in Privileged Access, and Provisioned Users
    #=====================================================================================
    # Branch 1: the 'Admin' OU ($TopLevelOUs[0]) gets the tiered structure.
    if ($name -eq $TopLevelOUs[0]) {

        foreach ($adminsubou in $AdminSubOUs) {
            New-ADOrganizationalUnit -Name $adminsubou -Path $fulldn
            $adminsubfulldn = "OU=" + $adminsubou + "," + $fulldn

            # 'Staging' intentionally gets no T#- children.
            if ($adminsubou -eq "Staging") {
            }

            else {
                foreach ($AdminobjectOU in $AdminobjectOUs) {
                    #add name together
                    # NOTE(review): $adminOUPrefix is not reset per iteration; any sub-OU name not listed
                    # here would silently reuse the previous prefix. All current names are covered.
                    if ($adminsubou -eq 'Enterprise') { $adminOUPrefix = "T0-" }
                    elseif ($adminsubou -eq 'Global') { $adminOUPrefix = "T1-" }
                    elseif ($adminsubou -eq 'National') { $adminOUPrefix = "T2-" }
                    $adminobjectoucombo = $adminOUPrefix + $adminobjectou

                    New-ADOrganizationalUnit -Name $adminobjectoucombo -Path $adminsubfulldn
                }
            }
        }
    }
    # Branch 2: names listed in $skipSubOUs get no children.
    elseif ($skipSubOUs -contains $name) {
        #this skips the creation of the sub containers
    }
    # Branch 3: one OU per CSV row, each with the $ObjectSubOUs children.
    # NOTE(review): 'Stage' matches nothing in $TopLevelOUs (the entry there is 'Staging'), so
    # 'Staging' currently falls through to the empty else branch - confirm which was intended.
    elseif (($name -eq 'Global') -or ($name -eq 'National') -or ($name -eq 'Stage')) {
        $fulldn = "OU=" + $name + "," + $dn
        $csvlist = @()
        $csvlist = import-csv $3LetterCodeCSV

        foreach ($ou in $csvlist) {
            New-ADOrganizationalUnit -Name ($ou.name) -Path $fulldn -Description ($ou.description)
            $csvdn = "OU=" + $ou.name + "," + $fulldn

            foreach ($ObjectSubOU in $ObjectSubOUs) {
                New-ADOrganizationalUnit -Name $ObjectSubOU -Path $csvdn
                # $Objectfulldn is computed but not used anywhere below.
                $Objectfulldn = "OU=" + $ObjectSubOU + "," + $csvdn
            }
        }
    }

    # Branch 4: 'Staff' gets one OU per CSV row (no per-code children) plus two fixed sub-OUs.
    elseif (($name -eq 'Staff')) {
        $fulldn = "OU=" + $name + "," + $dn
        $csvlist = @()
        $csvlist = import-csv $3LetterCodeCSV



        foreach ($ou in $csvlist) {
            New-ADOrganizationalUnit -Name ($ou.name) -Path $fulldn -Description ($ou.description)
            # $csvdn is assigned here but not used in this branch.
            $csvdn = "OU=" + $ou.name + "," + $fulldn

        }
        #Create Two Sub OUs in Staff OU required for IDM provisioning
        New-ADOrganizationalUnit -Name 'Disabled' -Path $fulldn -Description 'User account that have been Disabled by the IDM System'
        New-ADOrganizationalUnit -Name 'Unassociated' -Path $fulldn -Description 'User Object that do have have any department affliation'
    }

    # Every other top-level OU is created without children.
    else {}
    $x++
}
103 |
104 |
105 |
106 |
107 |
108 |
109 |
--------------------------------------------------------------------------------
/AD_OU_SetACL/Replication Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ##Replication Tasks - Tier 0 only - do not code in structure
# Grants $objGroup the "Manage Replication Topology" extended right on $objOU.
# Tier 0 only (see the file header): replication rights are directory-wide privileges and are only
# meaningful on naming-context heads, so the $objOU name is historical.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use.
# Reads the script-scope $extendedrightsmap (displayName -> rightsGuid). Clears the session $error list.
# Output: one green INFORMATION or red ERROR host line; nothing is returned.
Function ManageReplicationTopology($objGroup, $objOU, $inheritanceType) {

    if ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    elseif ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean session error list so the success check at the end is meaningful.
    $error.Clear()

    $principal = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Manage Replication Topology"]
    # objectType = the control access right GUID; inheritedObjectType = empty GUID (any class).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $principal, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, "00000000-0000-0000-0000-000000000000"

    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule($ace)

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "ERROR: Unable to grant the group $($objGroup.Name) permissions to Manage Replication Topology on the OU $objOU"
    }
    if (!$error) {
        Write-Host -ForegroundColor Green "INFORMATION: Granted the group $($objGroup.Name) permissions to Manage Replication Topology on the OU $objOU"
    }
}
25 |
# Grants $objGroup the "Replicating Directory Changes" extended right on $objOU.
# Tier 0 only (see the file header). Together with "Replicating Directory Changes All" this is the
# right that allows a principal to pull directory data, including secret attributes, through the
# replication protocol; holders should be inventoried and ACE changes on the domain NC audited.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use.
# Reads the script-scope $extendedrightsmap. Clears the session $error list.
# Output: one green INFORMATION or red ERROR host line; nothing is returned.
Function ReplicatingDirectoryChanges($objGroup, $objOU, $inheritanceType) {

    if ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    elseif ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean session error list so the success check at the end is meaningful.
    $error.Clear()

    $principal = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Replicating Directory Changes"]
    # objectType = the control access right GUID; inheritedObjectType = empty GUID (any class).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $principal, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, "00000000-0000-0000-0000-000000000000"

    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule($ace)

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "ERROR: Unable to grant the group $($objGroup.Name) permissions to Replicate Directory Changes on the OU $objOU"
    }
    if (!$error) {
        Write-Host -ForegroundColor Green "INFORMATION: Granted the group $($objGroup.Name) permissions to Replicate Directory Changes on the OU $objOU"
    }
}
49 |
# Grants $objGroup the "Replicating Directory Changes All" extended right on $objOU.
# Tier 0 only (see the file header). This is the right that extends replication access to secret
# attributes; with "Replicating Directory Changes" it is the primitive behind credential replication
# ("DCSync"), so holders should be limited to domain controllers and audited.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use.
# Reads the script-scope $extendedrightsmap. Clears the session $error list.
# Output: one green INFORMATION or red ERROR host line; nothing is returned.
Function ReplicatingDirectoryChangesAll($objGroup, $objOU, $inheritanceType) {

    if ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    elseif ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean session error list so the success check at the end is meaningful.
    $error.Clear()

    $principal = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Replicating Directory Changes All"]
    # objectType = the control access right GUID; inheritedObjectType = empty GUID (any class).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $principal, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, "00000000-0000-0000-0000-000000000000"

    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule($ace)

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "ERROR: Unable to grant the group $($objGroup.Name) permissions to Replicate Directory Changes (All) on the OU $objOU"
    }
    if (!$error) {
        Write-Host -ForegroundColor Green "INFORMATION: Granted the group $($objGroup.Name) permissions to Replicate Directory Changes (All) on the OU $objOU"
    }
}
73 |
# Grants $objGroup the "Replicating Directory Changes In Filtered Set" extended right on $objOU.
# Tier 0 only (see the file header); treat it like the other replication rights in this file.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use.
# Reads the script-scope $extendedrightsmap. Clears the session $error list.
# Output: one green INFORMATION or red ERROR host line; nothing is returned.
Function ReplicatingDirectoryChangesInFilteredSet($objGroup, $objOU, $inheritanceType) {

    if ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    elseif ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean session error list so the success check at the end is meaningful.
    $error.Clear()

    $principal = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Replicating Directory Changes In Filtered Set"]
    # objectType = the control access right GUID; inheritedObjectType = empty GUID (any class).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $principal, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, "00000000-0000-0000-0000-000000000000"

    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule($ace)

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "ERROR: Unable to grant the group $($objGroup.Name) permissions to Replicate Directory Changes (In Filtered Set) on the OU $objOU"
    }
    if (!$error) {
        Write-Host -ForegroundColor Green "INFORMATION: Granted the group $($objGroup.Name) permissions to Replicate Directory Changes (In Filtered Set) on the OU $objOU"
    }
}
97 |
# Grants $objGroup the "Replication Synchronization" extended right on $objOU.
# Tier 0 only (see the file header).
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use.
# Reads the script-scope $extendedrightsmap. Clears the session $error list.
# Output: one green INFORMATION or red ERROR host line; nothing is returned.
Function ReplicationSynchronization($objGroup, $objOU, $inheritanceType) {

    if ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    elseif ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Start from a clean session error list so the success check at the end is meaningful.
    $error.Clear()

    $principal = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rightGuid = $extendedrightsmap["Replication Synchronization"]
    # objectType = the control access right GUID; inheritedObjectType = empty GUID (any class).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $principal, "ExtendedRight", "Allow", $rightGuid, $inheritanceType, "00000000-0000-0000-0000-000000000000"

    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule($ace)

    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "ERROR: Unable to grant the group $($objGroup.Name) the permission Replication Synchronization on the OU $objOU"
    }
    if (!$error) {
        Write-Host -ForegroundColor Green "INFORMATION: Granted the group $($objGroup.Name) the permission Replication Synchronization on the OU $objOU"
    }
}
--------------------------------------------------------------------------------
/AD_OU_SetACL/Group Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ####################
2 | #Group Tasks
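# Grants $objGroup CreateChild on $objOU, limited to the group class.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use (same remap as the sibling files).
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function CreateGroup($objGroup, $objOU, $inheritanceType) {

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # objectType = group class GUID, so CreateChild covers only group objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["group"], $inheritanceType))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create Groups on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create Groups on the OU " + $objOU)
    }
}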
24 |
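# Grants $objGroup DeleteChild on $objOU, limited to the group class.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - "Descendents" -> "All", "Children" -> "None" before use (same remap as the sibling files).
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function DeleteGroup($objGroup, $objOU, $inheritanceType) {

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # objectType = group class GUID, so DeleteChild covers only group objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["group"], $inheritanceType))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete Groups on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete Groups on the OU " + $objOU)
    }
}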
45 |
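# Grants $objGroup Read/WriteProperty on the distinguishedName, cn and name attributes of group
# objects below $objOU (the attributes a rename touches).
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function RenameGroup($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Six-argument form: objectType = attribute GUID, inheritedObjectType = group class GUID.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["distinguishedName"], $inheritanceType, $guidmap["group"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["cn"], $inheritanceType, $guidmap["group"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["name"], $inheritanceType, $guidmap["group"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Rename Groups on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Rename Groups on the OU " + $objOU)
    }
}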
65 |
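# Grants $objGroup Read/WriteProperty on group objects below $objOU.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# NOTE(review): the ACE carries no attribute GUID, so it covers every attribute of the group class,
# including member - i.e. it subsumes ModifyGroupMembership. Use per-attribute ACEs if membership
# control is meant to be a separate, more tightly held right.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function ModifyGroupProperties($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Five-argument form: the GUID argument is the inheritedObjectType (group class).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["group"]))
    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Modify Group Properties on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Modify Group Properties on the OU " + $objOU)
    }
}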
82 |
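# Grants $objGroup Read/WriteProperty on the member attribute of group objects below $objOU,
# i.e. the right to add and remove members of those groups.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function ModifyGroupMembership($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Six-argument form: objectType = member attribute GUID, inheritedObjectType = group class GUID.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["member"], $inheritanceType, $guidmap["group"]))

    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify the members of a group on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify the members of a group on the OU " + $objOU)
    }
}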
101 |
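# Grants $objGroup Read/WriteProperty on the memberOf attribute of group objects below $objOU.
# $objGroup        - AD group object; only .SID and .Name are read.
# $objOU           - path accepted by Get-Acl/Set-Acl.
# $inheritanceType - ActiveDirectorySecurityInheritance value, passed through unchanged.
# Requires the script-scope $guidmap (lDAPDisplayName -> schemaIDGUID). Clears the session $error list.
# NOTE(review): memberOf is the back-link of member and is maintained by the directory itself, so a
# WriteProperty ACE on it is not expected to make it writable; nesting a group into another group is
# controlled by member on the *containing* group (see ModifyGroupMembership). Confirm the intent.
# Output: one green INFORMATION or red ERROR line on the host; nothing is returned.
Function ModifyGroupGroupMembership($objGroup, $objOU, $inheritanceType) {

    # Reset the session error list so the success check below reflects this call only.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Six-argument form: objectType = memberOf attribute GUID, inheritedObjectType = group class GUID.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["memberOf"], $inheritanceType, $guidmap["group"]))

    try {
        # -ErrorAction Stop makes a non-terminating Set-Acl error reach the catch block.
        Set-Acl -AclObject $objAcl -path $objOU -ErrorAction Stop
    }
    catch {
        # Message corrected: the old text was copied from ModifyGroupMembership and named the wrong attribute.
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify the group membership (memberOf) of a group on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify the group membership (memberOf) of a group on the OU " + $objOU)
    }
}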
120 |
--------------------------------------------------------------------------------
/02-AD_LAPS_Install/AdmPwd.PS/AdmPwd.PS.format.ps1xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ExtendedRightsInfo
6 |
7 | AdmPwd.PSTypes.ExtendedRightsInfo
8 |
9 |
10 |
11 |
12 | 45
13 |
14 |
15 | 60
16 |
17 |
18 |
19 |
20 |
21 |
22 | ObjectDN
23 |
24 |
25 | ExtendedRightHolders
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 | PasswordInfo
34 |
35 | AdmPwd.PSTypes.PasswordInfo
36 |
37 |
38 |
39 |
40 | 20
41 |
42 |
43 | 45
44 |
45 |
46 | 18
47 |
48 |
49 | 20
50 |
51 |
52 |
53 |
54 |
55 |
56 | ComputerName
57 |
58 |
59 | DistinguishedName
60 |
61 |
62 | Password
63 |
64 |
65 | ExpirationTimestamp
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | OrgUnitInfo
74 |
75 | AdmPwd.PSTypes.ObjectInfo
76 |
77 |
78 |
79 |
80 | 20
81 |
82 |
83 | 65
84 |
85 |
86 | 20
87 |
88 |
89 |
90 |
91 |
92 |
93 | Name
94 |
95 |
96 | DistinguishedName
97 |
98 |
99 | Status
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 | OperationStatus
108 |
109 | AdmPwd.PSTypes.DirectoryOperationStatus
110 |
111 |
112 |
113 |
114 | 20
115 |
116 |
117 | 65
118 |
119 |
120 | 25
121 |
122 |
123 |
124 |
125 |
126 |
127 | Operation
128 |
129 |
130 | DistinguishedName
131 |
132 |
133 | Status
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 | PasswordResetStatus
142 |
143 | AdmPwd.PSTypes.PasswordResetStatus
144 |
145 |
146 |
147 |
148 | 65
149 |
150 |
151 | 25
152 |
153 |
154 |
155 |
156 |
157 |
158 | DistinguishedName
159 |
160 |
161 | Status
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
--------------------------------------------------------------------------------
/04-AD_Users_Create/CreateUsers.ps1:
--------------------------------------------------------------------------------
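Function CreateUser {

<#
.SYNOPSIS
Creates one user in an Active Directory domain from random data.

.DESCRIPTION
Picks a random OU from the supplied (or queried) OU list and creates a single user
there. About 10% of calls produce a "service account" named <random digits>SA; the
rest draw a given name and surname from the text files in the Names folder under the
script directory. The password is a random line from Passwords\passwords.txt,
replaced roughly 1% of the time by a 21-character random string, and roughly 1% of
the time the plaintext password is written into the account's description. These
are deliberate weaknesses seeded for a training lab; the function must never be run
against a production domain.

Every call also re-applies a weakened default domain password policy (1-minute
lockout window, complexity off, minimum length 4) via
Set-ADDefaultDomainPasswordPolicy. That is a domain-wide side effect repeated on
each invocation; callers creating many users may prefer to apply it once.

.PARAMETER Domain
The stored value of Get-ADDomain. Its .pdcemulator is used as -Server for
New-ADUser and its .dnsroot for the password-policy identity and the UPN suffix.
Queried if not supplied.

.PARAMETER OUList
The stored value of Get-ADOrganizationalUnit -Filter *. A random entry's
DistinguishedName becomes the user's -Path. If not supplied, the first 300 OUs in
the domain are queried.

.PARAMETER ScriptDir
Directory that holds the Names\ and Passwords\ data files. Defaults to the folder
containing this script. Pulled into a parameter so repeated callers can skip the
lookup.

.EXAMPLE
CreateUser -Domain (Get-ADDomain) -OUList (Get-ADOrganizationalUnit -Filter *) -ScriptDir $PSScriptRoot

.NOTES
The UPN is now set in the New-ADUser call itself. The original set it with a second
Set-ADUser that was not pinned to the same DC and whose errors were swallowed, so a
replication-lag "not found" left the account without a UPN silently.

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

#>
[CmdletBinding()]

param
(
    [Parameter(Mandatory = $false,
        Position = 1,
        HelpMessage = 'Supply a result from get-addomain')]
    [Object[]]$Domain,
    [Parameter(Mandatory = $false,
        Position = 2,
        HelpMessage = 'Supply a result from get-adorganizationalunit -filter *')]
    [Object[]]$OUList,
    [Parameter(Mandatory = $false,
        Position = 3,
        HelpMessage = 'Supply the script directory for where this script is stored')]
    [string]$ScriptDir
)

    # Resolve whatever the caller did not supply. One Get-ADDomain call covers both
    # values (the original queried twice).
    if (-not $PSBoundParameters.ContainsKey('Domain')) {
        $Domain = Get-ADDomain
    }
    $setDC = $Domain.pdcemulator
    $dnsroot = $Domain.dnsroot

    if (-not $PSBoundParameters.ContainsKey('OUList')) {
        # Only the first 300 OUs are considered when no list is supplied.
        $OUsAll = Get-ADObject -Filter { objectclass -eq 'organizationalunit' } -ResultSetSize 300
    }
    else {
        $OUsAll = $OUList
    }

    if (-not $PSBoundParameters.ContainsKey('ScriptDir')) {
        $scriptPath = Split-Path -Parent $PSCommandPath
    }
    else {
        $scriptPath = $ScriptDir
    }

    $ouLocation = (Get-Random -InputObject $OUsAll).distinguishedname

    # Roughly 10% of accounts are modelled as service accounts.
    $accountType = 1..100 | Get-Random
    if ($accountType -le 10) {
        # No uniqueness check on purpose: the wide numeric range makes collisions
        # unlikely and keeps the function safe to call in parallel. A collision makes
        # New-ADUser fail for this call only.
        $givenname = $null
        $surname = $null
        $name = '' + (Get-Random -Minimum 100 -Maximum 9999999999) + 'SA'
        # At most 10 digits plus "SA", so the name is a valid sAMAccountName as-is.
        # The original never set this in the service-account branch and New-ADUser
        # received a null -SamAccountName.
        $samaccountnamecleaned = $name
    }
    else {
        # NOTE(review): the repository tree under 04-AD_Users_Create\Names lists
        # male_names.txt, female_names.txt and names.txt, not family_names.txt —
        # confirm the file exists; if not, Get-Content fails and $surname stays empty.
        $surname = Get-Content ($scriptPath + '\Names\family_names.txt') | Get-Random
        $genderpreference = 0, 1 | Get-Random
        if ($genderpreference -eq 0) {
            $givenname = Get-Content ($scriptPath + '\Names\female_names.txt') | Get-Random
        }
        else {
            $givenname = Get-Content ($scriptPath + '\Names\male_names.txt') | Get-Random
        }

        # Strip hyphens, whitespace and apostrophes, which are not wanted in a sAMAccountName.
        $usergivenname = $givenname -replace "-|\s|'", ''
        $usersurname = $surname -replace "-|\s|'", ''

        $name = $givenname + ' ' + $surname
        $samaccountname = $usergivenname + '.' + $usersurname

        # sAMAccountName is limited to 20 characters; drop everything after the 20th.
        $samaccountnamecleaned = $samaccountname -replace '(?<=^.{20}).*'
    }

    # Lab-only weakening of the domain password policy, repeated on every call.
    # This beauty from https://github.com/WazeHell/vulnerable-AD/blob/master/vulnad.ps1
    Set-ADDefaultDomainPasswordPolicy -Identity $dnsroot -LockoutDuration 00:01:00 -LockoutObservationWindow 00:01:00 -ComplexityEnabled $false -ReversibleEncryptionEnabled $false -MinPasswordLength 4

    $description = ''
    # NOTE(review): the repository tree does not show a Passwords folder under
    # 04-AD_Users_Create — confirm passwords.txt is shipped or generated before use.
    $passStrings = Get-Content ($scriptPath + '\Passwords\passwords.txt')
    # Named $plainPassword rather than $pwd: $PWD is PowerShell's automatic
    # current-directory variable and the original shadowed it.
    $plainPassword = Get-Random -InputObject $passStrings -Count 1

    # ~1% of accounts get a 21-character random password instead of a list entry.
    if ((1..1000 | Get-Random) -lt 10) {
        $plainPassword = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | Sort-Object { Get-Random })[0..20] -join ''
    }

    # ~1% of accounts carry their plaintext password in the description attribute —
    # the "password in description" misconfiguration this lab seeds for audit practice.
    if ((1..1000 | Get-Random) -lt 10) {
        $description = 'The account password is ' + $plainPassword
    }

    $upn = $samaccountnamecleaned + '@' + $dnsroot

    New-ADUser -Server $setDC -Description $description -DisplayName $name -Name $name -SamAccountName $samaccountnamecleaned -UserPrincipalName $upn -GivenName $givenname -Surname $surname -Enabled $true -Path $ouLocation -AccountPassword (ConvertTo-SecureString $plainPassword -AsPlainText -Force)

    # Do not keep the plaintext around once the account exists.
    $plainPassword = ''

    #===============================
    #SET ATTRIBUTES - no additional attributes set at this time besides UPN
    #Todo: Set SPN for kerberoasting. Example attribute edit is in createcomputers.ps1
    #===============================

    ################################
    #End Create User Objects
    ################################

}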
146 |
--------------------------------------------------------------------------------
/08-AD_Random_Groups/AddRandomToGroups.ps1:
--------------------------------------------------------------------------------
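Function AddRandomToGroups {
    <#
    .SYNOPSIS
    Randomly nests users, groups and computers into groups (lab seeding only).

    .DESCRIPTION
    Runs five membership rounds against the supplied (or queried) object lists:
      1. ~80% of users each join 1-10 random non-critical global security groups.
      2. Every critical global group except "Domain Users" and "Domain Guests"
         receives 2-5 random users.
      3. Every domain-local group receives 1-3 random users.
      4. ~20% of the non-critical groups are each nested into 1-2 other
         non-critical groups.
      5. Every critical group is nested into 1-3 non-critical groups, and ~10% of
         computers each join 1-5 non-critical groups.
    "Non-critical" means isCriticalSystemObject is not $true, so GroupList must be
    queried with -Properties isCriticalSystemObject. Each Add-ADGroupMember runs in
    its own try/catch and failures (already a member, unresolvable identity) are
    ignored so one bad draw does not stop the run.

    .PARAMETER Domain
    Accepted for interface compatibility; the membership calls do not use it.

    .PARAMETER UserList
    Result of Get-ADUser -Filter *. Queried if not supplied.

    .PARAMETER GroupList
    Global security groups including isCriticalSystemObject. Queried if not supplied.

    .PARAMETER LocalGroupList
    Domain-local groups including isCriticalSystemObject. Queried if not supplied.

    .PARAMETER CompList
    Result of Get-ADComputer -Filter *. Queried if not supplied.

    .NOTES
    A list passed explicitly as $null counts as supplied and yields an empty round.
    The original do/while loops ran one more time than the drawn count; the helper
    below runs exactly that many times. Changes the caller's location to the AD: drive.
    #>
    [CmdletBinding()]

    param
    (
        [Parameter(Mandatory = $false,
            Position = 1,
            HelpMessage = 'Supply a result from get-addomain')]
        [Object[]]$Domain,
        [Parameter(Mandatory = $false,
            Position = 2,
            HelpMessage = 'Supply a result from get-aduser -filter *')]
        [Object[]]$UserList,
        [Parameter(Mandatory = $false,
            Position = 3,
            HelpMessage = 'Supply a result from Get-ADGroup -Filter { GroupCategory -eq "Security" -and GroupScope -eq "Global" } -Properties isCriticalSystemObject')]
        [Object[]]$GroupList,
        [Parameter(Mandatory = $false,
            Position = 4,
            HelpMessage = 'Supply a result from Get-ADGroup -Filter { GroupScope -eq "domainlocal" } -Properties isCriticalSystemObject')]
        [Object[]]$LocalGroupList,
        [Parameter(Mandatory = $false,
            Position = 5,
            HelpMessage = 'Supply a result from Get-ADComputer -f *')]
        [Object[]]$CompList
    )

    # Adds $Member to $Count groups drawn at random (with replacement) from $Pool.
    # Add-ADGroupMember errors are swallowed, matching the original behaviour.
    function Add-ToRandomGroups {
        param($Member, $Pool, [int]$Count)
        for ($n = 0; $n -lt $Count; $n++) {
            $target = $Pool | Get-Random
            try { Add-ADGroupMember -Identity $target -Members $Member }
            catch {}
        }
    }

    ##BEGIN STUFF
    if (-not $PSBoundParameters.ContainsKey('UserList')) {
        $allUsers = Get-ADUser -Filter *
    }
    else {
        $allUsers = $UserList
    }
    if (-not $PSBoundParameters.ContainsKey('GroupList')) {
        $allGroups = Get-ADGroup -Filter { GroupCategory -eq "Security" -and GroupScope -eq "Global" } -Properties isCriticalSystemObject
    }
    else {
        $allGroups = $GroupList
    }
    if (-not $PSBoundParameters.ContainsKey('LocalGroupList')) {
        $allGroupsLocal = Get-ADGroup -Filter { GroupScope -eq "domainlocal" } -Properties isCriticalSystemObject
    }
    else {
        $allGroupsLocal = $LocalGroupList
    }
    if (-not $PSBoundParameters.ContainsKey('CompList')) {
        $allcomps = Get-ADComputer -f *
    }
    else {
        $allcomps = $CompList
    }

    # Kept from the original; note it persists for the caller after this returns.
    Set-Location ad:

    # Round sizes as fractions of each population, rounded to an integer.
    $UsersInGroupCount = [math]::Round($allUsers.Count * .8)
    $GroupsInGroupCount = [math]::Round($allGroups.Count * .2)
    $CompsInGroupCount = [math]::Round($allcomps.Count * .1)

    $allGroupsFiltered = @($allGroups | Where-Object -Property isCriticalSystemObject -ne $true)
    if ($allGroupsFiltered.Count -eq 0) {
        # Every round below needs at least one non-critical group to draw from.
        Write-Warning 'AddRandomToGroups: no non-critical groups available; nothing to do.'
        return
    }

    # Round 1: a large number of users into a large number of non-critical groups.
    # Get-Random -Count rejects 0, hence the guard.
    if ($UsersInGroupCount -ge 1) {
        foreach ($user in (Get-Random -Count $UsersInGroupCount -InputObject $allUsers)) {
            Add-ToRandomGroups -Member $user -Pool $allGroupsFiltered -Count (1..10 | Get-Random)
        }
    }

    # Round 2: a few users into each critical group (built-in privileged groups),
    # except the two everyone is already in.
    $allGroupsCrit = $allGroups |
        Where-Object -Property isCriticalSystemObject -eq $true |
        Where-Object -Property name -ne "Domain Users" |
        Where-Object -Property name -ne "Domain Guests"
    foreach ($critGroup in $allGroupsCrit) {
        try { Add-ADGroupMember -Identity $critGroup -Members (Get-Random -Count (2..5 | Get-Random) -InputObject $allUsers) }
        catch {}
    }

    # Round 3: a few users into each domain-local group.
    foreach ($localGroup in $allGroupsLocal) {
        try { Add-ADGroupMember -Identity $localGroup -Members (Get-Random -Count (1..3 | Get-Random) -InputObject $allUsers) }
        catch {}
    }

    # Round 4: nest some non-critical groups into other non-critical groups —
    # e.g. a "pwd reset" group ending up inside an "iis server 1 admins" group.
    if ($GroupsInGroupCount -ge 1) {
        foreach ($group in (Get-Random -Count $GroupsInGroupCount -InputObject $allGroupsFiltered)) {
            Add-ToRandomGroups -Member $group -Pool $allGroupsFiltered -Count (1..2 | Get-Random)
        }
    }

    # Round 5a: nest every critical group into a few random non-critical groups.
    foreach ($critGroup in $allGroupsCrit) {
        Add-ToRandomGroups -Member $critGroup -Pool $allGroupsFiltered -Count (1..3 | Get-Random)
    }

    # Round 5b: a sample of computers into random non-critical groups.
    if ($CompsInGroupCount -ge 1) {
        foreach ($comp in (Get-Random -Count $CompsInGroupCount -InputObject $allcomps)) {
            Add-ToRandomGroups -Member $comp -Pool $allGroupsFiltered -Count (1..5 | Get-Random)
        }
    }
}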
166 |
167 |
--------------------------------------------------------------------------------
/07-AD_Permissions_Randomiser/Create Admin Groups_v2.ps1:
--------------------------------------------------------------------------------
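#import config file of group types to create
Import-Module ActiveDirectory

# Lab-only. For every affiliate code in 3lettercodes.csv, creates Tier 1 and Tier 2
# admin groups per enabled permission-set row and delegates ACLs on the matching OUs
# by calling the functions defined in the dot-sourced "*permissions.ps1" files.
# Expects the repository layout: this script's parent folder contains
# 03-AD_OU_CreateStructure\3lettercodes.csv and AD_OU_SetACL\.

$scriptPath = Split-Path -Parent $PSCommandPath
$adplatformsourcedir = Split-Path -Path $scriptPath -Parent
# NOTE(review): AD_Group_CreateAdminGroups does not appear in the repository tree
# shown alongside this file — confirm the permission-set script ships with the project.
$permissionset = .($adplatformsourcedir + "\AD_Group_CreateAdminGroups\AD Permissions for Group Granular Access.ps1")
#=====================================
#3 letter affiliate codes here
$3LetterCodeCSV = $adplatformsourcedir + '\03-AD_OU_CreateStructure\3lettercodes.csv'

#=============================================
#import ACL function files
# Each file defines the functions named in the permission set's FunctionName column.
$ACLScriptspath = $adplatformsourcedir + "\AD_OU_SetACL"

$files = Get-ChildItem $ACLScriptspath -Name "*permissions.ps1"
foreach ($file in $files) {
    .($ACLScriptspath + "\" + $file)
}
#=============================================
$dn = (Get-ADDomain).distinguishedname
#ADMIN Group Locations
#=============================================
#Tier 1
$Tier1GroupLocation = "OU=T1-Permissions,OU=Tier 1,OU=Admin" + "," + $dn
#Tier 2
$Tier2GroupLocation = "OU=T2-Permissions,OU=Tier 2,OU=Admin" + "," + $dn
# The ACL functions call Get-Acl/Set-Acl on AD: provider paths.
cd ad:
$dc = (get-addomain).PDCEmulator
#=============================================

#Get a reference to the RootDSE of the current domain
$schemaPath = (Get-ADRootDSE)
# NOTE(review): $schemaobjects is not read anywhere in this file and fetches every
# object in the domain with all properties — remove it unless one of the
# dot-sourced ACL scripts depends on it.
$schemaobjects = Get-ADObject -filter * -SearchBase $schemaPath.defaultNamingContext -Properties *
#Get a reference to the current domain
$domain = Get-ADDomain
#============================
#Create a hashtable to store the GUID value of each schema class and attribute
# (the ACL functions look these up as $guidmap["<lDAPDisplayName>"])
$guidmap = @{}
Get-ADObject -SearchBase ($schemaPath.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

#Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($schemaPath.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

#split csv lists into separate csvs because of the different OU structure
$csvlist = Import-Csv $3LetterCodeCSV

#=============================================
#Permission set to OU names
#The function names in the formulas that grant acl permissions do not match our OU naming structure
$PermissionsToOUMapping = @{}
$PermissionsToOUMapping.Add('User', 'ServiceAccounts')
$PermissionsToOUMapping.Add('Computer', 'Devices')
$PermissionsToOUMapping.Add('Group', 'Groups')
$PermissionsToOUMapping.Add('OU', 'OU') #this mapping doesnt entirely matter since OU permissions are applied directly to the OU containing the affiliate code
$PermissionsToOUMapping.Add('Printer', 'Devices')
#=============================================

# Creates "<code>_T<tier>_<area>_<function>" in $GroupLocation and, when the
# permission's area (first word of FunctionSet) is in $PermissionsToOUMapping, runs
# the permission's ACL function against the affiliate OU (area "OU") or the mapped
# sub-OU beneath it. Reads $dc and $PermissionsToOUMapping from the script scope.
# The function name comes from the permission-set file and is invoked with the call
# operator so its arguments are passed as values; the original assembled a command
# line and ran it through Invoke-Expression, which re-parses that text as code.
function Grant-TierPermissionGroup {
    param($Code, [int]$Tier, $Permission, $GroupLocation, $TierTopOUDN)
    $area = ($Permission.FunctionSet.Split( ))[0]
    $groupName = $Code + '_T' + $Tier + '_' + $area + '_' + $Permission.FunctionName
    New-ADGroup -Description ($Permission.FunctionSet + " " + $Permission.FunctionName) -Name $groupName -Path $GroupLocation -GroupCategory Security -GroupScope Global -Server $dc
    $adgroup = Get-ADGroup $groupName -Server $dc
    #SET ACLS if first word of functionset equals a value in $permissionstoOUmapping
    if ($PermissionsToOUMapping.Keys -contains $area) {
        if ($area -eq 'OU') {
            # OU permissions apply to the affiliate-level OU itself, not its sub-OUs.
            $ouDN = 'OU=' + $Code + ',' + $TierTopOUDN
        }
        else {
            $ouDN = 'OU=' + $PermissionsToOUMapping[$area] + ',OU=' + $Code + ',' + $TierTopOUDN
        }
        $ou = Get-ADOrganizationalUnit $ouDN
        & $Permission.FunctionName -objGroup $adgroup -objOU $ou -inheritanceType 'Descendents'
    }
}

#BEGIN MAKING GROUPS AND SETTING ACLS
$CSVCount = $csvlist.count
$x = 1
foreach ($3lettercode in $csvlist) {
    Write-Progress -Activity "Deploying OU Structure" -Status "Affiliate Permissions Set Deploy Status:" -PercentComplete ($x / $CSVCount * 100)
    $code = $3lettercode.name
    $toplevelTier1OUDN = 'OU=Tier 1,' + $dn
    $toplevelTier2OUDN = 'OU=Tier 2,' + $dn
    foreach ($permission in $permissionset) {
        if ($permission.APPLY -eq 'TRUE') {
            Grant-TierPermissionGroup -Code $code -Tier 1 -Permission $permission -GroupLocation $Tier1GroupLocation -TierTopOUDN $toplevelTier1OUDN
            Grant-TierPermissionGroup -Code $code -Tier 2 -Permission $permission -GroupLocation $Tier2GroupLocation -TierTopOUDN $toplevelTier2OUDN
        }
    }
    $x++
}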
129 |
130 |
--------------------------------------------------------------------------------
/09-AD_Misc_Vulns/Add-MiscVulns.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
Adds a bunch of vulns to the DC
.DESCRIPTION
The script was derived from @WazeHell's vulnerable-AD (https://github.com/WazeHell/vulnerable-AD)
Lab seeding only: every function below weakens the domain on purpose so the result
can be used for detection and audit practice.
#>

#Base Lists
# Weak passwords assigned by Kerberoasting and ASREPRoasting (a single entry here).
$BadPasswords = @('redwings');
# ActiveDirectoryRights names granted between random principals by BadACLs.
$BadACL = @('GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDACL', 'Self');
# "<account name>,<spn host>" pairs turned into service accounts by Kerberoasting.
$ServicesAccountsAndSPNs = @('mssql_svc,mssqlserver', 'http_svc,httpserver', 'exchange_svc,exserver');
# NOTE(review): read by most functions below, but nothing in this file appends to
# it — it has to be populated before the script body runs or every draw from it
# hands Get-Random an empty list.
$CreatedUsers = @();
# Meant to collect the groups AddADGroup creates. That function writes
# "$AllObjects += $group" without a scope qualifier, which updates a function-local
# copy, so this list stays empty unless written as $script:AllObjects.
$AllObjects = @();
# DNS root of the current domain; used as the SPN suffix in Kerberoasting.
$Domain = (get-addomain).dnsroot;
15 |
function GetRandom {
    <#
    .SYNOPSIS
    Returns one element of $InputList chosen uniformly at random.
    .PARAMETER InputList
    Array to draw from; an empty or null array makes Get-Random raise an error.
    #>
    Param(
        [array]$InputList
    )
    $pick = Get-Random -InputObject $InputList
    $pick
}
22 |
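function AddADGroup {
    <#
    .SYNOPSIS
    Creates each named global group and adds 0-19 random users from $CreatedUsers to it.
    .PARAMETER GroupList
    Names of the groups to create.
    .NOTES
    New-ADGroup and Add-ADGroupMember errors are swallowed (Try/Catch {}), so an
    existing group or an unresolvable user is skipped silently. Created names are
    appended to the script-level $AllObjects list.
    #>
    Param(
        [array]$GroupList
    )
    foreach ($group in $GroupList) {
        Write-Host "Creating $group Group"
        Try { New-ADGroup -name $group -GroupScope Global } Catch {}
        # Draw the member count once. The original re-evaluated Get-Random in the
        # loop condition, so the bound changed on every iteration.
        $memberCount = Get-Random -Maximum 20
        for ($i = 1; $i -le $memberCount; $i++) {
            $randomuser = GetRandom -InputList $CreatedUsers
            Write-Host "Adding $randomuser to $group"
            Try { Add-ADGroupMember -Identity $group -Members $randomuser } Catch {}
        }
        # An unqualified "$AllObjects +=" creates a function-local copy and leaves the
        # script-level list empty; write through to the script scope instead.
        $script:AllObjects += $group
    }
}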
function AddACL {
    <#
    .SYNOPSIS
    Appends one "Allow" ACE granting $Rights to $Source on the AD object at $Destination.
    .PARAMETER Destination
    Distinguished name of the object whose DACL is changed; bound as LDAP://<DN>.
    .PARAMETER Source
    Identity (normally a SID) that receives the rights.
    .PARAMETER Rights
    Name of a System.DirectoryServices.ActiveDirectoryRights value, e.g. GenericAll.
    .NOTES
    The ACE is inherited by all descendants (ActiveDirectorySecurityInheritance
    "All") and is committed to the directory immediately.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Destination,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Security.Principal.IdentityReference]$Source,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Rights

    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Source,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $target = [ADSI]("LDAP://" + $Destination)
    $target.psbase.ObjectSecurity.AddAccessRule($ace)
    $target.psbase.CommitChanges()
}
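function BadACLs {
    <#
    .SYNOPSIS
    Seeds misconfigured ACLs: each right in $BadACL is granted once from a random
    normal group over a random mid-tier group, once from a random mid-tier group
    over a random high-tier group, and then 0-24 times between a random user and a
    random group in $AllObjects (direction chosen by coin flip).
    .NOTES
    $NormalGroups, $MidGroups and $HighGroups are not defined anywhere in this file
    and must be set (arrays of group names) before this runs. The original passed
    the bare words NormalGroups/MidGroups/HighGroups/AllObjects as string literals,
    so GetRandom returned the literal word and Get-ADGroup looked up a group by that
    name. Get-ADGroup/Get-ADUser errors are not caught here; AddACL's mandatory
    parameters then reject the null results.
    #>
    foreach ($abuse in $BadACL) {
        $ngroup = GetRandom -InputList $NormalGroups
        $mgroup = GetRandom -InputList $MidGroups
        $DstGroup = Get-ADGroup -Identity $mgroup
        $SrcGroup = Get-ADGroup -Identity $ngroup
        AddACL -Source $SrcGroup.sid -Destination $DstGroup.DistinguishedName -Rights $abuse
        # Expands the whole $BadACL list into the log line; kept as in the original.
        Write-Host "$BadACL $abuse $ngroup to $mgroup"
    }
    foreach ($abuse in $BadACL) {
        $hgroup = GetRandom -InputList $HighGroups
        $mgroup = GetRandom -InputList $MidGroups
        $DstGroup = Get-ADGroup -Identity $hgroup
        $SrcGroup = Get-ADGroup -Identity $mgroup
        AddACL -Source $SrcGroup.sid -Destination $DstGroup.DistinguishedName -Rights $abuse
        Write-Host "$BadACL $abuse $mgroup to $hgroup"
    }
    # Draw the count once; the original re-rolled the loop bound on every iteration.
    $aceCount = Get-Random -Maximum 25
    for ($i = 1; $i -le $aceCount; $i++) {
        $abuse = GetRandom -InputList $BadACL
        $randomuser = GetRandom -InputList $CreatedUsers
        $randomgroup = GetRandom -InputList $AllObjects
        # Coin flip: the group gets rights over the user, or the user over the group.
        if ((Get-Random -Maximum 2)) {
            $Dstobj = Get-ADUser -Identity $randomuser
            $Srcobj = Get-ADGroup -Identity $randomgroup
        }
        else {
            $Srcobj = Get-ADUser -Identity $randomuser
            $Dstobj = Get-ADGroup -Identity $randomgroup
        }
        AddACL -Source $Srcobj.sid -Destination $Dstobj.DistinguishedName -Rights $abuse
        Write-Host "$BadACL $abuse $randomuser and $randomgroup"
    }
}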
function Kerberoasting {
    # Creates each entry of $ServicesAccountsAndSPNs as a standalone managed service
    # account (-RestrictToSingleComputer) with SPN "<name>/<host>.<domain>". One
    # randomly chosen account gets a password from $BadPasswords; the others get a
    # generated 12-character password. Every New-ADServiceAccount failure is swallowed.
    $selected_service = (GetRandom -InputList $ServicesAccountsAndSPNs)
    $svc = $selected_service.split(',')[0];
    $spn = $selected_service.split(',')[1];
    $password = GetRandom -InputList $BadPasswords;
    Write-Host "Kerberoasting $svc $spn"
    Try { New-ADServiceAccount -Name $svc -ServicePrincipalNames "$svc/$spn.$Domain" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -RestrictToSingleComputer -PassThru } Catch {}
    foreach ($sv in $ServicesAccountsAndSPNs) {
        if ($selected_service -ne $sv) {
            $svc = $sv.split(',')[0];
            $spn = $sv.split(',')[1];
            Write-Host "Creating $svc services account"
            # NOTE(review): System.Web is not loaded by default in Windows PowerShell.
            # Without a prior Add-Type -AssemblyName System.Web this line appears to
            # fail and the Try below would reuse the previous $password — confirm the
            # calling session loads the assembly.
            $password = ([System.Web.Security.Membership]::GeneratePassword(12, 2))
            Try { New-ADServiceAccount -Name $svc -ServicePrincipalNames "$svc/$spn.$Domain" -RestrictToSingleComputer -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru } Catch {}

        }
    }
}
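function ASREPRoasting {
    <#
    .SYNOPSIS
    Resets 0-5 random users from $CreatedUsers to a password from $BadPasswords and
    clears their Kerberos pre-authentication requirement.
    .NOTES
    Accounts without pre-authentication are a standard audit finding; reviewing
    DoesNotRequirePreAuth across the domain is the matching detection exercise.
    Set-ADAccountPassword / Set-ADAccountControl errors are not caught.
    #>
    # Draw the count once; the original re-rolled the loop bound on every iteration.
    $count = Get-Random -Maximum 6
    for ($i = 1; $i -le $count; $i++) {
        $randomuser = GetRandom -InputList $CreatedUsers
        $password = GetRandom -InputList $BadPasswords
        Set-ADAccountPassword -Identity $randomuser -Reset -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
        Set-ADAccountControl -Identity $randomuser -DoesNotRequirePreAuth $true
        Write-Host "AS-REPRoasting $randomuser"
    }
}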
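function DnsAdmins {
    <#
    .SYNOPSIS
    Adds 0-5 random users from $CreatedUsers and one random mid-tier group to the
    built-in DnsAdmins group.
    .NOTES
    DnsAdmins membership is a common audit finding on DNS-hosting domain controllers
    and is worth alerting on. $MidGroups is not defined in this file and must be set
    by the caller; the original passed the bare word MidGroups, so GetRandom returned
    that literal string. Unlike most functions here, Add-ADGroupMember errors are not
    swallowed.
    #>
    # Draw the count once; the original re-rolled the loop bound on every iteration.
    $count = Get-Random -Maximum 6
    for ($i = 1; $i -le $count; $i++) {
        $randomuser = GetRandom -InputList $CreatedUsers
        Add-ADGroupMember -Identity "DnsAdmins" -Members $randomuser
        Write-Host "DnsAdmins : $randomuser"
    }
    $randomg = GetRandom -InputList $MidGroups
    Add-ADGroupMember -Identity "DnsAdmins" -Members $randomg
    Write-Host "DnsAdmins Nested Group : $randomg"
}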
function DCSync {
    # Intends to give 0-5 random users the three replication extended rights
    # (DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set,
    # the GUIDs below) and label them "Replication Account".
    # NOTE(review): the ACEs are added to an in-memory copy of the user object's own
    # ACL and never written back (there is no Set-Acl), so the only persistent change
    # is the description. Left as found because the intended target object is not
    # clear from this file.
    # The loop bound is re-evaluated on every iteration (same pattern as ASREPRoasting).
    for ($i = 1; $i -le (Get-Random -Maximum 6); $i = $i + 1 ) {
        $randomuser = (GetRandom -InputList $CreatedUsers)

        $userobject = (Get-ADUser -Identity $randomuser).distinguishedname
        $ACL = Get-Acl -Path "AD:\$userobject"
        $sid = (Get-ADUser -Identity $randomuser).sid

        $objectGuidGetChanges = New-Object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
        $ACEGetChanges = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $objectGuidGetChanges)
        $ACL.psbase.AddAccessRule($ACEGetChanges)

        $objectGuidGetChanges = New-Object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
        $ACEGetChanges = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $objectGuidGetChanges)
        $ACL.psbase.AddAccessRule($ACEGetChanges)

        $objectGuidGetChanges = New-Object Guid 89e95b76-444d-4c62-991a-0facbeda640c
        $ACEGetChanges = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $objectGuidGetChanges)
        $ACL.psbase.AddAccessRule($ACEGetChanges)

        # The description is the one change that actually lands in the directory.
        Set-ADUser $randomuser -Description "Replication Account"
        Write-Host "Giving DCSync to : $randomuser"
    }
}
function DisableSMBSigning {
    # Turns off SMB signing on the client side of the host running this script
    # (Set-SmbClientConfiguration); the server-side setting is not touched.
    # NOTE(review): -Confirm and -Force are both given. -Confirm re-enables the
    # prompt that -Force suppresses, so this appears to stop for interactive input
    # — confirm in the target session.
    Set-SmbClientConfiguration -RequireSecuritySignature 0 -EnableSecuritySignature 0 -Confirm -Force
}
160 |
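# Script body: runs each seeding step in order and reports after each one.
# $CreatedUsers, $NormalGroups, $MidGroups and $HighGroups must be populated before
# this point; nothing in this file does so.
# The original line read "$BadACLs", which is a reference to an undefined variable
# (it outputs nothing), not a call, so the BadACLs step never ran; the matching
# status line likewise expanded the $BadACL array instead of naming the step.
BadACLs
Write-Host "BadACLs Done"
Kerberoasting
Write-Host "Kerberoasting Done"
ASREPRoasting
Write-Host "AS-REPRoasting Done"
DnsAdmins
Write-Host "DnsAdmins Done"
DCSync
Write-Host "DCSync Done"
DisableSMBSigning
Write-Host "SMB Signing Disabled"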
--------------------------------------------------------------------------------
/Invoke-Sparkler.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .Synopsis
3 | Generates users, groups, OUs, computers in an active directory domain. Then places ACLs on random OUs.
4 | .DESCRIPTION
5 | This tool is for research purposes and training only. Intended only for personal use. This adds a large number of objects into a domain, and should never be run in production.
6 | .EXAMPLE
7 | There are currently no parameters for the tool. Simply run the ps1 as a DA and it begins. Follow the prompts and type 'yes' when appropriate and the tool runs.
8 | .OUTPUTS
9 | [String]
10 | .NOTES
11 | Forked from BadBlood which was written by David Rowe and mashed together with kurobeats' Active-Directory-User-Script.
12 | None of the authors, contributors, sponsors, or anyone else connected with Sparkler in any way whatsoever can be responsible for any damage caused by using this tool. Sparkler is designed to create randomised active directory deployments to enable learning.
13 | .FUNCTIONALITY
14 | Adds Users, Groups, OUs, Computers, and a vast amount of ACLs in a domain.
15 | .LINK
16 | https://github.com/kurobeats/Sparkler
17 | #>
18 |
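function Get-Agreement {
    <#
    .DESCRIPTION
    Prints the warning banner, explains what the script does, and asks the operator
    to confirm before anything in the domain is changed.
    .OUTPUTS
    [Boolean] — $true only when the operator typed "yes" (string -eq is
    case-insensitive, so "YES" also passes).
    .FUNCTIONALITY
    Prints a warning and asks the user to enter yes to continue.
    .NOTES
    The original called $agreement.tolower() without assigning the result, which
    emitted the lowercased string as an extra output ahead of the boolean. The caller
    tests the output with if (Get-Agreement); a two-element array is always truthy in
    PowerShell, so typing anything other than "yes" still let the run proceed.
    Returning a single boolean restores the gate.
    #>

    Write-Host "Welcome to Sparkler"
    Write-Host "You are responsible for how you use this tool. It is intended for personal use only "
    Write-Host "and will leave a Production Active Directory server in an irreparable state."
    Write-Host "It is not intended for commercial use."
    $agreement = Read-Host -Prompt "Type `'yes`' to get this party started."
    return ($agreement -eq 'yes')
}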
41 |
function Add-Domain {
    <#
    .DESCRIPTION
    Creates a new domain by calling the DCSetup script, then force-reboots the host.
    Reads $basescriptPath and $totalscripts from the calling scope (set in
    Invoke-Sparkler). Nothing records which step completed, so the operator is told
    to re-run the script after the reboot.
    #>

    .($basescriptPath + '\01-AD_Setup_Domain\DCSetup.ps1')
    $ii = 0
    # Not sure why we record progress here when it is going to restart and lose state...
    Write-Progress -Activity "Task: Deploying a fresh domain." -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)
    Write-Host "OK, fresh domain is setup, we need to reboot. Run Invoke-Sparkler.ps1 after reboot."
    # Ten seconds for the operator to read the message before the forced restart.
    Start-Sleep -Second 10
    Restart-Computer -f
}
56 |
function Install-LAPSSchema {
    <#
    .DESCRIPTION
    Installs the LAPS schema extension by dot-sourcing InstallLAPSSchema.ps1, then
    updates the overall progress bar. Reads $basescriptPath, $ii and $totalscripts
    from the calling scope.
    #>

    $installer = "$basescriptPath\02-AD_LAPS_Install\InstallLAPSSchema.ps1"
    . $installer
    Write-Progress -Activity "Task: Install LAPS" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)
}
65 |
function Add-OUStructure {
    <#
    .DESCRIPTION
    Builds the OU hierarchy by dot-sourcing CreateOUStructure.ps1, then updates the
    overall progress bar. Reads $basescriptPath, $ii and $totalscripts from the
    calling scope.
    #>

    $builder = "$basescriptPath\03-AD_OU_CreateStructure\CreateOUStructure.ps1"
    . $builder
    Write-Progress -Activity "Task: Creating OUs" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)
}
74 |
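function Add-Users {
    <#
    .DESCRIPTION
    Adds a random number (1000-5000) of users by dot-sourcing CreateUsers.ps1 and
    calling CreateUser once per user, each into a random OU. Reads $basescriptPath,
    $Domain, $ii and $totalscripts from the calling scope.
    .NOTES
    The original never initialised $jj (it started as $null) and carried an unused
    $X plus a "$ii++" that only incremented a function-local copy. The loop counter
    now starts at 1 like the sibling Add-Groups / Add-Computers loops.
    #>

    Write-Host "Creating Users on Domain" -ForegroundColor Green
    $NumOfUsers = 1000..5000 | Get-Random #this number is the random number of users to create on a domain. Todo: Make process createusers.ps1 in a parallel loop
    Write-Progress -Activity "Task: Creating Users" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)

    .($basescriptPath + '\04-AD_Users_Create\CreateUsers.ps1')
    # Trailing backslash kept: CreateUser appends '\Names\...' and Windows paths
    # tolerate the doubled separator.
    $createuserscriptpath = $basescriptPath + '\04-AD_Users_Create\'

    # Queried once here rather than inside every CreateUser call.
    $ousAll = Get-ADOrganizationalUnit -filter *

    $jj = 1
    do {
        createuser -Domain $Domain -OUList $ousAll -ScriptDir $createuserscriptpath
        Write-Progress -Activity "Task: Creating $NumOfUsers Users" -Status "Progress:" -PercentComplete ($jj / $NumOfUsers * 100)
        $jj++
    }while ($jj -lt $NumOfUsers)
}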
97 |
function Add-Groups {
    <#
    .DESCRIPTION
    Adds a random number (100-500) of groups by dot-sourcing CreateGroups.ps1 and
    calling Creategroup repeatedly. Reads $basescriptPath, $ii and $totalscripts
    from the calling scope.
    #>

    Write-Host "Creating Groups on Domain" -ForegroundColor Green
    $NumOfGroups = 100..500 | Get-Random
    Write-Progress -Activity "Task: Creating $NumOfGroups Groups" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)

    .($basescriptPath + '\05-AD_Groups_Create\CreateGroups.ps1')

    # Counter runs 1 .. NumOfGroups-1, exactly as the original do/while did.
    for ($jj = 1; $jj -lt $NumOfGroups; $jj++) {
        Creategroup
        Write-Progress -Activity "Task: Creating $NumOfGroups Groups" -Status "Progress:" -PercentComplete ($jj / $NumOfGroups * 100)
    }
}
116 |
function Add-Computers {
    <#
    .DESCRIPTION
    Adds a random number (50-150) of computer objects by dot-sourcing
    CreateComputers.ps1 and calling createcomputer repeatedly. Reads
    $basescriptPath, $ii and $totalscripts from the calling scope.
    #>

    Write-Host "Creating Computers on Domain" -ForegroundColor Green
    $NumOfComps = 50..150 | Get-Random
    Write-Progress -Activity "Task: Creating Computers" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)

    .($basescriptPath + '\06-AD_Computers_Create\CreateComputers.ps1')
    # Counter runs 1 .. NumOfComps-1, exactly as the original do/while did.
    for ($jj = 1; $jj -lt $NumOfComps; $jj++) {
        Write-Progress -Activity "Task: Creating $NumOfComps computers" -Status "Progress:" -PercentComplete ($jj / $NumOfComps * 100)
        createcomputer
    }
}
134 |
function Add-Permissions {
    <#
    .DESCRIPTION
    Adds permissions by dot-sourcing the GenerateRandomPermissions script.
    Reads $basescriptPath, $ii and $totalscripts from the calling scope.
    #>

    # Presumably consumed by the dot-sourced GenerateRandomPermissions.ps1 — confirm.
    # Nothing in this function reads them, and as function locals they no longer
    # exist once Add-Permissions returns.
    $AllUsers = Get-ADUser -Filter *
    $Grouplist = Get-ADGroup -Filter { GroupCategory -eq "Security" -and GroupScope -eq "Global" } -Properties isCriticalSystemObject
    $LocalGroupList = Get-ADGroup -Filter { GroupScope -eq "domainlocal" } -Properties isCriticalSystemObject
    $Complist = Get-ADComputer -filter *

    Write-Host "Creating Permissions on Domain" -ForegroundColor Green
    Write-Progress -Activity "Task: Creating Random Permissions" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)

    .($basescriptPath + '\07-AD_Permissions_Randomiser\GenerateRandomPermissions.ps1')
    # Increments a function-local copy of $ii; the caller's step counter is unaffected.
    $ii++
    # Printed here although the nesting itself happens in Add-ToGroups.
    Write-Host "Nesting objects into groups on Domain" -ForegroundColor Green
}
152 |
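function Add-ToGroups {
    <#
    .DESCRIPTION
    Adds random users, groups and computers to groups by dot-sourcing
    AddRandomToGroups.ps1 and calling AddRandomToGroups. Reads $basescriptPath,
    $Domain, $ii and $totalscripts from the calling scope.
    .NOTES
    The original passed $AllUsers, $Grouplist, $LocalGroupList and $Complist, which
    are locals of Add-Permissions and do not exist in this function, so
    AddRandomToGroups received $null for every list — and because the parameters
    were bound, it did not fall back to its own queries. The lists are queried here
    with the same filters Add-Permissions uses.
    #>

    .($basescriptPath + '\08-AD_Random_Groups\AddRandomToGroups.ps1')
    Write-Progress -Activity "Task: Adding Stuff to Stuff and Things" -Status "Progress:" -PercentComplete ($ii / $totalscripts * 100)

    $AllUsers = Get-ADUser -Filter *
    $Grouplist = Get-ADGroup -Filter { GroupCategory -eq "Security" -and GroupScope -eq "Global" } -Properties isCriticalSystemObject
    $LocalGroupList = Get-ADGroup -Filter { GroupScope -eq "domainlocal" } -Properties isCriticalSystemObject
    $Complist = Get-ADComputer -Filter *

    AddRandomToGroups -Domain $Domain -UserList $AllUsers -GroupList $Grouplist -LocalGroupList $LocalGroupList -CompList $Complist
}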
162 |
function Invoke-Sparkler {
    <#
    .DESCRIPTION
    Used to get the script rolling. Only responsible for handling basic logic around how the script runs and the order that other functions are called.
    Step functions read $basescriptPath, $totalscripts, $ii and $Domain from this
    scope; $ii is advanced here between steps to drive the progress bar.
    .OUTPUTS
    [String]
    .FUNCTIONALITY
    Adds Users, Groups, OUs, Computers, and a vast amount of ACLs in a domain.
    #>
    if (Get-Agreement) {
        $basescriptPath = Split-Path -Parent $PSCommandPath
        $totalscripts = 9
        $ii = 0
        $Domain = Get-ADDomain
        # cls
        # NOTE(review): Get-ADDomain appears to throw rather than return $null when
        # no domain is reachable, so this branch may never be taken — confirm.
        if (!$Domain) {
            Add-Domain
        }
        # I would prefer a different way of recording progress than this but it will do for now.
        Install-LAPSSchema
        $ii++
        Add-OUStructure
        $ii++
        Add-Users
        $ii++
        Add-Groups
        $ii++
        Add-Computers
        $ii++
        Add-Permissions
        $ii++
        Add-ToGroups
    }
    else {
        # Ends the script; in a dot-sourced or interactive session this also closes the host.
        exit
    }
}
200 |
# Entry point: the run starts as soon as the file is executed.
Invoke-Sparkler
--------------------------------------------------------------------------------
/AD_OU_SetACL/Site and Subnet Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ##Site Tasks - Tier 0 only - do not code in structure
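Function CreateSiteObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Grants $objGroup the right to create site objects under $objOU (Tier 0 task).
    .PARAMETER objGroup
    AD group object; its .SID and .Name are used.
    .PARAMETER objOU
    Target container, passed to Get-Acl/Set-Acl; callers are expected to have the
    AD: drive as their current location.
    .PARAMETER inheritanceType
    "Descendents" is mapped to "All" and "Children" to "None"; any other value is
    passed through as an ActiveDirectorySecurityInheritance name.
    .NOTES
    Reads $guidmap (schema GUID lookup built by the caller) for the "site" class.
    The original reported success with If (!$error), i.e. only while the session-wide
    $error collection was empty, so the green line vanished after any earlier,
    unrelated error. Success is now reported from the try block, and -ErrorAction Stop
    makes Set-Acl failures reach the catch instead of being printed and skipped.
    NOTE(review): "Children" is itself a valid ActiveDirectorySecurityInheritance
    value; mapping it to "None" disables inheritance entirely — confirm intent.
    #>

    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["site"], $inheritanceType))
    try {
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create Site Objects on the OU " + $objOU)
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create Site Objects on the OU " + $objOU)
    }
}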
23 |
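Function DeleteSiteObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup delete 'site' child objects under $objOU.
    .PARAMETER objGroup
    Group object exposing .SID and .Name.
    .PARAMETER objOU
    Path of the container the ACE is written to.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope. Tier 0 right (Configuration partition).
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits DeleteChild to site objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["site"], $inheritanceType))
    try {
        # Without -ErrorAction Stop a failed Set-Acl never reaches the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete Site Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete Site Objects on the OU " + $objOU)
    }
}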
45 |
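Function ModifySiteProperties($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on every attribute of site objects
    under $objOU.
    .PARAMETER inheritanceType
    Passed through unchanged as an ActiveDirectorySecurityInheritance name (no Descendents/Children
    mapping here, unlike the Create/Delete helpers).
    .NOTES
    Requires $guidmap from the calling scope. No attribute GUID is given, so this is a write on all
    properties of the class, not a single attribute. Tier 0 right.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, inheritance, inheritedObjectType): applies to objects of class site.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["site"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify site properties on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify site properties on the OU " + $objOU)
    }
}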
63 |
64 |
65 | ##Subnet Tasks - Tier 0 only - do not code in structure
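Function CreateSubnetObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup create 'subnet' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope. Subnets live in the Configuration partition: Tier 0.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits CreateChild to subnet objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["subnet"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create Subnet Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create Subnet Objects on the OU " + $objOU)
    }
}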
87 |
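Function DeleteSubnetObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup delete 'subnet' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope. Tier 0 right.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits DeleteChild to subnet objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["subnet"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete Subnet Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete Subnet Objects on the OU " + $objOU)
    }
}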
109 |
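Function ModifySubnetProperties($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on every attribute of subnet objects
    under $objOU.
    .PARAMETER inheritanceType
    Passed through unchanged (no Descendents/Children mapping in the Modify helpers).
    .NOTES
    Requires $guidmap from the calling scope. No attribute GUID: all properties of the class. Tier 0.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, inheritance, inheritedObjectType): applies to class subnet.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["subnet"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify subnet properties on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify subnet properties on the OU " + $objOU)
    }
}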
127 |
128 | ##SiteLink Tasks - Tier 0 only - do not code in structure
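Function CreateSiteLinkObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup create 'sitelink' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope (hashtable keys are case-insensitive, so "sitelink"
    is expected to resolve the siteLink class). Tier 0 right.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits CreateChild to siteLink objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["sitelink"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create SiteLink Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create SiteLink Objects on the OU " + $objOU)
    }
}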
150 |
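Function DeleteSiteLinkObjects($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup delete 'sitelink' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope. Tier 0 right.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits DeleteChild to siteLink objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["sitelink"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete SiteLink Objects on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete SiteLink Objects on the OU " + $objOU)
    }
}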
172 |
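Function ModifySiteLinkProperties($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on every attribute of siteLink objects
    under $objOU.
    .PARAMETER inheritanceType
    Passed through unchanged (no Descendents/Children mapping in the Modify helpers).
    .NOTES
    Requires $guidmap from the calling scope. No attribute GUID: all properties of the class. Tier 0.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, inheritance, inheritedObjectType): applies to class siteLink.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["sitelink"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify SiteLink properties on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify SiteLink properties on the OU " + $objOU)
    }
}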
--------------------------------------------------------------------------------
/05-AD_Groups_Create/groups.txt:
--------------------------------------------------------------------------------
1 | Account Collectors
2 | Account Executives
3 | Account Managers
4 | Account Representatives
5 | Accountants
6 | Accounting
7 | Accounting Analysts
8 | Accounting Directors
9 | Accounting Staff
10 | Accounts Payable/Receivable Clerks
11 | Actors
12 | Actuarys
13 | Addiction Counselors
14 | Administrative Analysts
15 | Administrative Assistants
16 | Administrative Managers
17 | Administrative Specialists
18 | Administrators
19 | Animal Breeders
20 | Animal Control Officers
21 | Animal Shelter Board Members
22 | Animal Shelter Managers
23 | Animal Shelter Volunteers
24 | Animal Shelter Workers
25 | Animal Trainers
26 | Application Developers
27 | Architects
28 | Archivists
29 | Area Sales Managers
30 | Artificial Intelligence Engineers
31 | Artists
32 | Assistant Engineers
33 | Assistant Golf Professionals
34 | Assistant Managers
35 | Assistant Professors
36 | Astronomers
37 | Atmospheric Scientists
38 | Attorneys
39 | Auditing Clerks
40 | Auditors
41 | B2B Sales Specialists
42 | Bank Tellers
43 | Barbers
44 | Baristas
45 | Beauticians
46 | Bellhops
47 | Benefits Managers
48 | Biological Engineers
49 | Biologists
50 | Biostatisticians
51 | Board of Directors
52 | Boilermakers
53 | Bookkeepers
54 | Branch Managers
55 | Brand Managers
56 | Brand Strategists
57 | Budget Analysts
58 | Building Inspectors
59 | Bus Drivers
60 | Bus Persons
61 | Business Analysts
62 | Business Managers
63 | C-Suite
64 | Cab Drivers
65 | Cafeteria Workers
66 | Call Center Representatives
67 | Camera Operators
68 | Caregivers
69 | Caretaker or House Sitters
70 | Carpenters
71 | Cashiers
72 | Casino Hosts
73 | Chefs
74 | Chemical Engineers
75 | Chemists
76 | Chief Engineers
77 | Chief Executive Officers
78 | Chiefs
79 | Church Volunteers
80 | Civil Engineers
81 | Client Service Specialists
82 | Cloud Architects
83 | CNAs
84 | Columnists
85 | Commercial Loan Officers
86 | Community Food Project Workers
87 | Computer Animators
88 | Computer Programmers
89 | Computer Scientists
90 | Concierge
91 | Concierges
92 | Conservation Scientists
93 | Conservation Volunteers
94 | Construction Workers
95 | Content Creators
96 | Content Marketing Managers
97 | Content Strategists
98 | Continuous Improvement Consultants
99 | Continuous Improvement Leads
100 | Contractors
101 | Controllers
102 | Coordinators
103 | Copy Editors
104 | Copywriters
105 | Cosmetologists
106 | Counselors
107 | Couples Counselors
108 | Couriers
109 | Crane Operators
110 | Credit Authorisers
111 | Credit Counselors
112 | Cruise Directors
113 | Cruise Ship Attendants
114 | Customer Care Associates
115 | Customer Service
116 | Customer Service Managers
117 | Customer Services
118 | Customer Support
119 | Customer Support Representatives
120 | Data Analysts
121 | Data Entry
122 | Delivery Drivers
123 | Dental Hygienists
124 | DevOps Engineers
125 | Digital Marketing Managers
126 | Direct Salespersons
127 | Director of Inside Sales
128 | Director of Maintenance
129 | Director of Photography
130 | Directors
131 | Dispatcher for Trucks or Taxis
132 | Doctors
133 | Dog Walkers/Pet Sitters
134 | Drafters
135 | eCommerce Marketing Specialists
136 | Economists
137 | Editor/Proofreaders
138 | Electrical Engineers
139 | Electricians
140 | Emergency Relief Workers
141 | Engineering
142 | Engineering Technicians
143 | Engineers
144 | Entertainment Specialists
145 | Entrepreneurs
146 | Estheticians
147 | Event Planners
148 | Events Managers
149 | Executive Assistants
150 | Executives
151 | Farm Workers
152 | Fast Food Workers
153 | File Clerks
154 | Film Critics
155 | Finance Directors
156 | Finance Managers
157 | Financial Analysts
158 | Financial Planners
159 | Financial Services Representatives
160 | Flight Attendants
161 | Food Kitchen Workers
162 | Foremans
163 | Founders
164 | Front Desk Associates
165 | Front Desk Managers
166 | Front-Line Employees
167 | Funeral Attendants
168 | Geological Engineers
169 | Geologists
170 | Ghostwriters
171 | Grant Writers
172 | Graphic Designers
173 | Group Sales
174 | Guidance Counselors
175 | Habitat for Humanity Builders
176 | Hair Stylists
177 | Heads
178 | Heavy Equipment Operators
179 | Help Desk
180 | Help Desk Worker/Desktop Support
181 | Homeless Shelter Workers
182 | Hospital Volunteers
183 | Hotel Front Door Greeters
184 | Hotel Managers
185 | Hotel Receptionists
186 | Housekeepers
187 | Human Resources
188 | HVAC Technicians
189 | Information Security Analysts
190 | Information Technology
191 | Interior Designers
192 | Iron Workers
193 | IT Admins
194 | IT Managers
195 | IT Professionals
196 | Journalists
197 | Landscaping Assistants
198 | Landscaping Workers
199 | Leads
200 | Library Assistants
201 | Life Coaches
202 | Line Cooks
203 | Locksmiths
204 | Lodging Managers
205 | Machinery Operators
206 | Mail Carriers
207 | Maintenance Engineers
208 | Makeup Artists
209 | Management
210 | Management Consultants
211 | Managers
212 | Managing Members
213 | Managing Partners
214 | Manicurists
215 | Manufacturing Assemblers
216 | Market Development Managers
217 | Market Researchers
218 | Marketing
219 | Marketing Communications Managers
220 | Marketing Consultants
221 | Marketing Directors
222 | Marketing Managers
223 | Marketing Research Analysts
224 | Marketing Specialists
225 | Marketing Staff
226 | Massage Therapys
227 | Mathematicians
228 | Meals on Wheels Drivers
229 | Mechanical Engineers
230 | Mechanics
231 | Media Buyers
232 | Media Relations Coordinators
233 | Medical Administrators
234 | Medical Laboratory Techs
235 | Medical Researchers
236 | Medical Transcriptionists
237 | Meeting Planners
238 | Mental Health Counselors
239 | Mentors
240 | Merchandising Associates
241 | Mining Engineers
242 | Molecular Scientists
243 | Mortgage Loan Processors
244 | Motion Picture Directors
245 | Movers
246 | Music Producers
247 | Musicians
248 | Nail Technicians
249 | Network Administrators
250 | Novelist/Writers
251 | Nuclear Engineers
252 | Nurse Practitioners
253 | Nurses
254 | Office Admin
255 | Office Assistants
256 | Office Clerks
257 | Office Managers
258 | Office Volunteers
259 | Officers
260 | Online ESL Instructors
261 | Operations
262 | Operations Analysts
263 | Operations Assistants
264 | Operations Coordinators
265 | Operations Directors
266 | Operations Managers
267 | Operations Professionals
268 | Orderlys
269 | Organisers
270 | Outside Sales Managers
271 | Over the Phone Interpreters
272 | Overseers
273 | Owners
274 | Painters
275 | Paralegals
276 | Parking Attendants
277 | Payroll Clerks
278 | Payroll Managers
279 | Personal Assistants
280 | Personal Trainers
281 | Petroleum Engineers
282 | Pharmacists
283 | Pharmacy Assistants
284 | Phlebotomists
285 | Phone Sales Specialists
286 | Phone Survey Conductors
287 | Photographers
288 | Physical Therapists
289 | Physical Therapy Assistants
290 | Physicists
291 | Pipefitters
292 | Plant Engineers
293 | Playwrights
294 | Plumbers
295 | Political Scientists
296 | Porters
297 | Preschool Teachers
298 | Presidents
299 | Principals
300 | Product Managers
301 | Production Engineers
302 | Professors
303 | Program Administrators
304 | Program Managers
305 | Project Management
306 | Proposal Writers
307 | Proprietors
308 | Public Relations
309 | Public Relations Specialists
310 | Purchasing Staff
311 | Quality Control
312 | Quality Control Coordinators
313 | Quality Engineers
314 | Real Estate Brokers
315 | Receptionists
316 | Recruiters
317 | Recyclables Collectors
318 | Red Cross Volunteers
319 | Reiki Practitioners
320 | Research Assistants
321 | Researchers
322 | Reservationists
323 | Restaurant Chain Executives
324 | Restaurant Managers
325 | Retail Workers
326 | Risk Managers
327 | Roofers
328 | Safety Engineers
329 | Sales
330 | Sales Analysts
331 | Sales Associates
332 | Sales Engineers
333 | Sales Managers
334 | Sales Representatives
335 | Salon Managers
336 | School Bus Drivers
337 | School Counselors
338 | School Volunteers
339 | Screenwriters
340 | Scrum Masters
341 | Secretarys
342 | Security Guards
343 | Senior Management
344 | SEO Managers
345 | Servers
346 | Service Accounts
347 | Service Dog Trainers
348 | Shareholders
349 | Sheet Metal Workers
350 | Shelf Stockers
351 | Shipping and Receiving Staff
352 | Skin Care Specialists
353 | Social Media Assistants
354 | Social Media Specialists
355 | Social Workers
356 | Sociologists
357 | Software Engineers
358 | Solar Photovoltaic Installers
359 | Sound Engineers
360 | Spa Managers
361 | Speech Pathologists
362 | Speechwriters
363 | Sports Volunteers
364 | SQL Developers
365 | Store Managers
366 | Substitute Teachers
367 | Suicide Hotline Volunteers
368 | Superintendents
369 | Supervisors
370 | Tapers
371 | Teachers
372 | Teaching Assistants
373 | Team Leaders
374 | Technical Specialists
375 | Technical Support Specialists
376 | Technical Writers
377 | Telemarketers
378 | Telephone Operators
379 | Telework Nurse/Doctors
380 | Test Scorers
381 | Therapists
382 | Title Analysts
383 | Title Researchers
384 | Tow Truck Operators
385 | Translators
386 | Travel Agents
387 | Travel Nurses
388 | Travel Writers
389 | Truck Drivers
390 | Tutor/Online Tutors
391 | UPS Drivers
392 | UX Designer & UI Developers
393 | Valets
394 | Vehicle or Equipment Cleaners
395 | Veterinary Assistants
396 | Vice President of Operations
397 | Video Editors
398 | Video Game Writers
399 | Video or Film Producers
400 | Virtual Assistants
401 | Wait Staff Managers
402 | Waiter/Waitress
403 | Warehouse Workers
404 | Web Designers
405 | Web Developers
406 | Wedding Coordinators
407 | Welders
408 | Weldings
409 | Well Drillers
410 | Yoga Instructors
411 | Youth Volunteers
412 | Zoologists
413 |
--------------------------------------------------------------------------------
/AD_OU_SetACL/User Control Permissions.ps1:
--------------------------------------------------------------------------------
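Function CreateUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup create 'user' child objects under $objOU.
    .PARAMETER objGroup
    Group object exposing .SID and .Name.
    .PARAMETER objOU
    Path of the container the ACE is written to (passed straight to Get-Acl/Set-Acl).
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through as an
    ActiveDirectorySecurityInheritance name.
    .NOTES
    Requires $guidmap (schema class/attribute name -> GUID) from the calling scope.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # $error is session-wide; clear it so the success check below reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, objectType, inheritance): objectType scopes CreateChild to the user class.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["user"], $inheritanceType))
    try {
        # Set-Acl errors are non-terminating; -ErrorAction Stop makes the catch block see them.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create User Accounts on the OU " + $objOU)
    }
}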
23 |
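Function DeleteUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup delete 'user' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits DeleteChild to user objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["user"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete User Accounts on the OU " + $objOU)
    }
}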
44 |
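Function RenameUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds three Allow ACEs granting $objGroup Read/WriteProperty on distinguishedName, cn and name
    of user objects under $objOU.
    .PARAMETER inheritanceType
    Passed through unchanged as an ActiveDirectorySecurityInheritance name.
    .NOTES
    Requires $guidmap from the calling scope. NOTE(review): distinguishedName is a system-maintained
    attribute, so the first ACE is not expected to grant anything usable; the cn/name ACEs are the
    ones that matter for a rename - confirm before relying on it.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType): one attribute, user class only.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["distinguishedName"], $inheritanceType, $guidmap["user"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["cn"], $inheritanceType, $guidmap["user"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["name"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Rename User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Rename User Accounts on the OU " + $objOU)
    }
}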
65 |
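Function DisableUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on userAccountControl of user objects
    under $objOU.
    .NOTES
    Requires $guidmap from the calling scope. Write access to userAccountControl is not limited to
    the disabled flag: the grantee can toggle any UAC bit (e.g. "do not require Kerberos
    pre-authentication", "password not required"), so treat this as broader than "disable".
    The ACE is identical to the one EnableDisabledUserAccount adds.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["userAccountControl"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Disable User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Disable User Accounts on the OU " + $objOU)
    }
}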
84 |
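Function UnlockUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on lockoutTime of user objects under
    $objOU (writing lockoutTime is how an account is unlocked).
    .NOTES
    Requires $guidmap from the calling scope.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["lockoutTime"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Unlock User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Unlock User Accounts on the OU " + $objOU)
    }
}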
103 |
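Function EnableDisabledUserAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on userAccountControl of user objects
    under $objOU.
    .NOTES
    Requires $guidmap from the calling scope. This is the same ACE DisableUserAccount adds (AD has
    no separate "enable" right); it also allows every other UAC flag to be changed.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["userAccountControl"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Enable Disabled User Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Enable Disabled User Accounts on the OU " + $objOU)
    }
}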
121 |
Function ResetUserPasswords($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Grants $objGroup the "Reset Password" extended right on user objects under $objOU.
    .NOTES
    Requires $guidmap and $extendedrightsmap (right name -> GUID) from the calling scope.
    The grantee can set a new password on any covered user without knowing the old one - a direct
    account-takeover primitive, which is presumably the point in this lab.
    #>
    $error.Clear()

    $identity = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $acl = Get-Acl $objOU
    # Overload (identity, rights, type, objectType, inheritance, inheritedObjectType):
    # objectType is the extended-right GUID, inheritedObjectType limits it to the user class.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], $inheritanceType, $guidmap["user"]
    $acl.AddAccessRule($ace)

    $subject = "the group " + $objGroup.Name + " permissions to Reset User Passwords on the OU " + $objOU
    try {
        Set-Acl -AclObject $acl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant " + $subject)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted " + $subject)
    }
}
143 |
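Function ForcePasswordChangeAtLogon($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on pwdLastSet of user objects under
    $objOU (writing pwdLastSet is how "must change password at next logon" is set or cleared).
    .NOTES
    Requires $guidmap from the calling scope.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["pwdLastSet"], $inheritanceType, $guidmap["user"]))

    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Force Password Change at Logon on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Force Password Change at Logon on the OU " + $objOU)
    }
}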
161 |
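Function ModifyUserGroupMembership($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on memberOf of user objects under $objOU.
    .NOTES
    Requires $guidmap from the calling scope. NOTE(review): memberOf is a back-link that the
    directory derives from each group's member attribute, so an ACE on it is not expected to let
    anyone actually change membership; the writable side is 'member' on the group object. Confirm
    whether this helper is meant to produce a usable right or only a decoy ACE.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType).
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["memberOf"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify a users group membership on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify a users group membership on the OU " + $objOU)
    }
}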
178 |
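Function ModifyUserProperties($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE granting $objGroup Read/WriteProperty on ALL attributes of user objects under
    $objOU.
    .NOTES
    Requires $guidmap from the calling scope. No attribute GUID is supplied, so this is write access
    to every property of the user class - including attributes an attacker turns into credential
    access (servicePrincipalName for targeted Kerberoasting, scriptPath, key-credential attributes).
    The DenyModifyLogonScript and DenySetUserSPN helpers in this file exist to carve two of those
    back out; without them this grant is effectively full write on the accounts.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, inheritance, inheritedObjectType): all properties, user class only.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Modify User Properties on " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Modify User Properties on " + $objOU)
    }
}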
196 |
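Function DenyModifyLogonScript($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds a DENY ACE blocking $objGroup from Read/WriteProperty on scriptPath of user objects under
    $objOU.
    .NOTES
    Requires $guidmap from the calling scope. Intended as a carve-out for a group that otherwise has
    broad write access (see ModifyUserProperties): controlling a user's logon script is a code-
    execution primitive on that user's sessions. Note the deny also removes ReadProperty on scriptPath.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType), AccessControlType Deny.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Deny", $guidmap["scriptPath"], $inheritanceType, $guidmap["user"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " deny permissions to Modify User Logon Script on " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " deny permissions to Modify User Logon Script on " + $objOU)
    }
}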
214 |
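Function DenySetUserSPN($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds a DENY ACE blocking $objGroup from Read/WriteProperty on servicePrincipalName of user
    objects under $objOU.
    .NOTES
    Requires $guidmap from the calling scope. Carve-out for a group with broad write access
    (see ModifyUserProperties): being able to add an SPN to another user makes that account
    Kerberoastable. The deny also removes ReadProperty on the attribute.
    #>
    # $error is session-wide; clear it so the success check below reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType), AccessControlType Deny.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Deny", $guidmap["servicePrincipalName"], $inheritanceType, $guidmap["user"]))

    try {
        # Set-Acl errors are non-terminating; -ErrorAction Stop makes the catch block see them.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " deny permissions to Create User SPNs on OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " deny permissions to Create User SPNs on OU " + $objOU)
    }
}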
--------------------------------------------------------------------------------
/AD_OU_SetACL/Computer Control Permissions.ps1:
--------------------------------------------------------------------------------
1 | ######################################################################################################################
2 | # Computer object permissions
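Function CreateComputerAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup create 'computer' child objects under $objOU.
    .PARAMETER objGroup
    Group object exposing .SID and .Name.
    .PARAMETER objOU
    Path of the container the ACE is written to (passed straight to Get-Acl/Set-Acl).
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through as an
    ActiveDirectorySecurityInheritance name.
    .NOTES
    Requires $guidmap (schema class/attribute name -> GUID) from the calling scope. Creating
    computer objects is more than an inventory task: the creator controls the new object's
    attributes (SPNs, delegation settings), which is a common starting point for delegation abuse.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # $error is session-wide; clear it so the success check below reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, objectType, inheritance): objectType scopes CreateChild to the computer class.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild", "Allow", $guidmap["computer"], $inheritanceType))
    try {
        # Set-Acl errors are non-terminating; -ErrorAction Stop makes the catch block see them.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Create Computer Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Create Computer Accounts on the OU " + $objOU)
    }
}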
25 |
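Function DeleteComputerAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds an Allow ACE letting $objGroup delete 'computer' child objects under $objOU.
    .PARAMETER inheritanceType
    "Descendents" -> All, "Children" -> None, otherwise passed through.
    .NOTES
    Requires $guidmap from the calling scope.
    #>
    If ($inheritanceType -eq "Descendents") { $inheritanceType = "All" }
    ElseIf ($inheritanceType -eq "Children") { $inheritanceType = "None" }

    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # objectType GUID limits DeleteChild to computer objects.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "DeleteChild", "Allow", $guidmap["computer"], $inheritanceType))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Delete Computer Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Delete Computer Accounts on the OU " + $objOU)
    }
}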
46 |
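Function RenameComputerAccount($objGroup, $objOU, $inheritanceType) {
    <#
    .SYNOPSIS
    Adds three Allow ACEs granting $objGroup Read/WriteProperty on distinguishedName, cn and name
    of computer objects under $objOU.
    .PARAMETER inheritanceType
    Passed through unchanged as an ActiveDirectorySecurityInheritance name.
    .NOTES
    Requires $guidmap from the calling scope. NOTE(review): distinguishedName is system-maintained,
    so that ACE is not expected to be usable; cn/name are what a rename needs - confirm.
    #>
    # Clear the session-wide $error so the success check reflects only this call.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = Get-Acl $objOU
    # Overload (identity, rights, type, attributeGuid, inheritance, inheritedObjectType): one attribute, computer class only.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["distinguishedName"], $inheritanceType, $guidmap["computer"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["cn"], $inheritanceType, $guidmap["computer"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["name"], $inheritanceType, $guidmap["computer"]))
    try {
        # -ErrorAction Stop: make a failed Set-Acl reach the catch block.
        Set-Acl -AclObject $objAcl -Path $objOU -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Rename Computer Accounts on the OU " + $objOU)
    }
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Rename Computer Accounts on the OU " + $objOU)
    }
}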
67 |
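Function DisableComputerAccount($objGroup, $objOU, $inheritanceType) {
    # Lets $objGroup (.SID/.Name) read and write userAccountControl on computer
    # objects under $objOU — the attribute that carries the account-disabled flag.
    # Because the grant covers the whole attribute, it also allows re-enabling and
    # changing every other userAccountControl bit; EnableDisabledComputerAccount
    # in this file adds an identical ACE.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Clear the automatic error collection so the success check at the end
    # reports only this call (the sibling functions in this file do the same).
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["userAccountControl"], $inheritanceType, $guidmap["computer"]))
    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Disable Computer Accounts on the OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Disable Computer Accounts on the OU " + $objOU)
    }
}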
86 |
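Function EnableDisabledComputerAccount($objGroup, $objOU, $inheritanceType) {
    # Lets $objGroup (.SID/.Name) read and write userAccountControl on computer
    # objects under $objOU so disabled accounts can be re-enabled. The ACE is the
    # same one DisableComputerAccount adds (write to the whole attribute), so the
    # two delegations are not separable in AD terms.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Clear the automatic error collection so the success check at the end
    # reports only this call (the sibling functions in this file do the same).
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["userAccountControl"], $inheritanceType, $guidmap["computer"]))
    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Enable Disabled Computer Accounts on the OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Enable Disabled Computer Accounts on the OU " + $objOU)
    }
}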
104 |
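Function ModifyComputerProperties($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup (.SID/.Name) read/write on *all* attributes of computer
    # objects under $objOU: the ACE carries no attribute GUID, so it is not limited
    # to any property. Members of $objGroup can therefore change every writable
    # attribute of those computers; delegate this only where that is the intent.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Clear the automatic error collection so the success check at the end
    # reports only this call (the sibling functions in this file do the same).
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU
    # Five-argument form: identity, rights, type, inheritance, inherited object type.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $inheritanceType, $guidmap["computer"]))
    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Modify Computer Properties on the OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to Modify Computer Properties on the OU " + $objOU)
    }
}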
122 |
Function ResetComputerAccount($objGroup, $objOU, $inheritanceType) {
    # Delegates the "Reset Password" control-access right on computer objects
    # under $objOU to $objGroup (an object exposing .SID and .Name).
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap and $extendedrightsmap. Assumes get-acl can
    # resolve a bare DN (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Start from an empty $error so the final success check is meaningful.
    $error.Clear()

    $sid = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], $inheritanceType, $guidmap["computer"]
    )

    $acl = get-acl $objOU
    $acl.AddAccessRule($rule)

    $failureText = "ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Reset Computer Passwords on the OU " + $objOU
    $successText = "INFORMATION: Granted the group " + $objGroup.Name + " permissions to Reset Computer Passwords on the OU " + $objOU

    try {
        Set-Acl -AclObject $acl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red $failureText
    }

    # A caught exception is still recorded in $error, so this only fires on a clean run.
    if (-not $error) {
        Write-Host -ForegroundColor Green $successText
    }
}
142 |
Function ModifyComputerGroupMembership($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup (.SID/.Name) read/write on the memberOf attribute of
    # computer objects under $objOU.
    # NOTE(review): memberOf is a system-maintained back-link; a WriteProperty ACE
    # on it is unlikely to confer any effective right, because membership is
    # changed through the group's member attribute. Confirm the intended effect.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Start from an empty $error so the final success check is meaningful.
    $error.Clear()

    $sid = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, "WriteProperty,ReadProperty", "Allow", $guidmap["memberOf"], $inheritanceType, $guidmap["computer"]
    )

    $acl = get-acl $objOU
    $acl.AddAccessRule($rule)

    $failureText = "ERROR: Unable to grant the group " + $objGroup.Name + " permissions to modify the computer group membership on OU " + $objOU
    $successText = "INFORMATION: Granted the group " + $objGroup.Name + " permissions to modify the computer group membership on OU " + $objOU

    try {
        Set-Acl -AclObject $acl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red $failureText
    }

    # A caught exception is still recorded in $error, so this only fires on a clean run.
    if (-not $error) {
        Write-Host -ForegroundColor Green $successText
    }
}
165 |
Function SetComputerSPN($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup (.SID/.Name) read/write on servicePrincipalName for computer
    # objects under $objOU.
    # NOTE(review): this is an unrestricted WriteProperty grant, so any SPN value
    # can be written; the validated-write right ("Validated write to service
    # principal name", used by DomainJoinComputers) is the constrained alternative.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Start from an empty $error so the final success check is meaningful.
    $error.Clear()

    $sid = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, "ReadProperty,WriteProperty", "Allow", $guidmap["servicePrincipalName"], $inheritanceType, $guidmap["computer"]
    )

    $acl = get-acl $objOU
    $acl.AddAccessRule($rule)

    $failureText = "ERROR: Unable to grant the group " + $objGroup.Name + " permissions to Set Computer SPN on OU " + $objOU
    $successText = "INFORMATION: Granted the group " + $objGroup.Name + " permissions to Set Computer SPN on OU " + $objOU

    try {
        Set-Acl -AclObject $acl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red $failureText
    }

    # A caught exception is still recorded in $error, so this only fires on a clean run.
    if (-not $error) {
        Write-Host -ForegroundColor Green $successText
    }
}
187 |
Function ReadComputerTPMBitLockerInfo($objGroup, $objOU, $inheritanceType) {
    # Grants $objGroup (.SID/.Name) read access to TPM owner information on
    # computer objects under $objOU and to the BitLocker key package and recovery
    # password on msFVE-RecoveryInformation objects beneath them.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap (attribute and class GUIDs). Assumes get-acl
    # can resolve a bare DN (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.

    # Start from an empty $error so the final success check is meaningful.
    $error.Clear()

    $sid = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $acl = get-acl $objOU

    # (attribute, inherited object class) pairs, added in this order.
    $targets = @(
        @("msTPM-OwnerInformation", "computer"),
        @("msFVE-KeyPackage", "msFVE-RecoveryInformation"),
        @("msFVE-RecoveryPassword", "msFVE-RecoveryInformation")
    )
    foreach ($pair in $targets) {
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid, "ReadProperty", "Allow", $guidmap[$pair[0]], $inheritanceType, $guidmap[$pair[1]]
        )
        $acl.AddAccessRule($rule)
    }

    $failureText = "ERROR: Unable to grant the group " + $objGroup.Name + " permissions to read BitLocker and TPM Information on OU " + $objOU
    $successText = "INFORMATION: Granted the group " + $objGroup.Name + " permissions to read BitLocker and TPM Information on OU " + $objOU

    try {
        Set-Acl -AclObject $acl -path $objOU
    }
    catch {
        Write-Host -ForegroundColor Red $failureText
    }

    # A caught exception is still recorded in $error, so this only fires on a clean run.
    if (-not $error) {
        Write-Host -ForegroundColor Green $successText
    }
}
209 |
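Function ReadComputerAdmPwd($objGroup, $objOU, $inheritanceType) {
    # Lets $objGroup (.SID/.Name) read the LAPS-managed local administrator
    # password (ms-Mcs-AdmPwd) of computer objects under $objOU.
    # Requires the LAPS schema extension: $guidmap["ms-Mcs-AdmPwd"] must exist;
    # if the key is missing the lookup yields $null and the first constructor call
    # will not produce the intended ACE.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU

    # The schema must be extended for LAPS
    # ReadProperty alone does not expose the value: ms-Mcs-AdmPwd is a
    # confidential attribute, so reading it also needs the control-access
    # (extended) right — hence the second rule.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ReadProperty", "Allow", $guidmap["ms-Mcs-AdmPwd"], $inheritanceType, $guidmap["computer"]))
    #Added by JMN. Need All Extended Rights on computer object to be able to Read LAPS password. LAPS password is Confidential attribute
    # No object GUID is supplied here, so this ACE grants *every* extended right on
    # computer objects beneath the OU (Reset Password included), not only the LAPS
    # read. The narrow form would scope ExtendedRight to $guidmap["ms-Mcs-AdmPwd"];
    # the broad grant is kept as this script's (presumably deliberate) behaviour,
    # so members of $objGroup should be treated as computer administrators.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $inheritanceType, $guidmap["computer"]))

    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        # Message now separates "OU" from the DN (the original ran them together).
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to read local administrator password on OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to read local administrator password on OU " + $objOU)
    }
}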
232 |
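Function ResetComputerAdmPwd($objGroup, $objOU, $inheritanceType) {
    # Lets $objGroup (.SID/.Name) force a LAPS password rotation on computer
    # objects under $objOU by granting read/write on ms-Mcs-AdmPwdExpirationTime
    # (setting the expiry into the past makes the LAPS client rotate the password).
    # Requires the LAPS schema extension: $guidmap["ms-Mcs-AdmPwdExpirationTime"]
    # must exist, otherwise the constructor receives $null for the attribute GUID.
    # $inheritanceType: an ActiveDirectorySecurityInheritance name, passed through.
    # Reads the script-scope $guidmap. Assumes get-acl can resolve a bare DN
    # (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU

    # The schema must be extended for LAPS
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "WriteProperty,ReadProperty", "Allow", $guidmap["ms-Mcs-AdmPwdExpirationTime"], $inheritanceType, $guidmap["computer"]))

    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        # Message now separates "OU" from the DN (the original ran them together).
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to reset local administrator password on OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to reset local administrator password on OU " + $objOU)
    }
}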
253 |
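Function DomainJoinComputers($objGroup, $objOU, $inheritanceType) {
    # Delegates to $objGroup (.SID/.Name) the rights used to join machines into
    # $objOU: create/delete computer objects (inheritance fixed at "All",
    # presumably so the create right applies to the OU itself), plus Reset
    # Password, Account Restrictions and the validated writes for dNSHostName and
    # servicePrincipalName on computer objects beneath it.
    # $inheritanceType applies to the four object-level rules only.
    # Reads the script-scope $guidmap and $extendedrightsmap. Assumes get-acl can
    # resolve a bare DN (AD: drive) — TODO confirm.
    # Writes one INFORMATION (green) or ERROR (red) line to the host; returns nothing.
    $error.Clear()

    $groupSID = New-Object System.Security.Principal.SecurityIdentifier $objGroup.SID
    $objAcl = get-acl $objOU

    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "CreateChild,DeleteChild", "Allow", $guidmap["computer"], "All"))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $extendedrightsmap["Reset Password"], $inheritanceType, $guidmap["computer"]))
    # NOTE(review): "Account Restrictions" is a property set and the two
    # "Validated write ..." entries are validated writes; granting their GUIDs as
    # ExtendedRight ACEs (rather than WriteProperty / Self) may not confer the
    # intended access — verify with a real domain join before relying on it.
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $extendedrightsmap["Account Restrictions"], $inheritanceType, $guidmap["computer"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $extendedrightsmap["Validated write to DNS host name"], $inheritanceType, $guidmap["computer"]))
    $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID, "ExtendedRight", "Allow", $extendedrightsmap["Validated write to service principal name"], $inheritanceType, $guidmap["computer"]))

    try {
        Set-Acl -AclObject $objAcl -path $objOU
    }
    catch {
        # Message now separates "OU" from the DN (the original ran them together).
        Write-Host -ForegroundColor Red ("ERROR: Unable to grant the group " + $objGroup.Name + " permissions to join computers to the domain in OU " + $objOU)
    }
    # A caught exception is still recorded in $error, so this is true only on a clean run.
    If (!$error) {
        Write-Host -ForegroundColor Green ("INFORMATION: Granted the group " + $objGroup.Name + " permissions to join computers to the domain in OU " + $objOU)
    }
}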
--------------------------------------------------------------------------------
/06-AD_Computers_Create/CreateComputers.ps1:
--------------------------------------------------------------------------------
1 | ################################
2 | #Create Computer Objects
3 | ################################
Function CreateComputer {
    # Creates one randomly named, randomly placed computer object in the current
    # AD domain (all writes go through the PDC emulator) and, about one time in
    # ten, sets a HOST/<name> SPN on it.
    # Most parameters exist for call-compatibility only: they are either unused
    # or overwritten inside the body (see the per-parameter notes). Only the
    # presence of Creator, OUlocation and Debug in $PSBoundParameters changes
    # behaviour, and Creator's value is stored but never read afterwards.
    # Requires the ActiveDirectory module, a readable
    # ..\03-AD_OU_CreateStructure\3lettercodes.csv relative to the script folder
    # (column NAME), and rights to create computer objects. Returns nothing on
    # the pipeline; debug chatter is written to the host.
    param(
        $Owner,                 # only echoed in debug output
        $Creator,               # copied into $adminID when bound; $adminID is never read later
        $WorkstationOrServer,   # overwritten below with a random 0/1
        $OUlocation,            # when bound, used as the search base for the name counter
        $Make,                  # unused
        $Model,                 # unused
        $SN,                    # unused
        $IP,                    # unused
        $DNS,                   # overwritten below with a random 1..100 used as the SPN coin-flip
        $Gateway,               # unused
        $WorkstationType,       # overwritten below with a random 0/1/2
        $ServerApplication,     # overwritten below with a random 0..5 on the server path
        $Description,           # overwritten with '' before New-ADComputer runs
        $debug,                 # presence in $PSBoundParameters (not its value) enables debug output
        $HideResults            # unused
    )

    #=======================================================================

    # Every AD call below targets the PDC emulator so follow-up reads see the write.
    $setDC = (Get-ADDomain).pdcemulator
    # Candidate "managers": up to 2500 user objects; one is picked at random below.
    $userlist = get-adobject -Filter { objectclass -eq 'user' } -ResultSetSize 2500 -Server $setdc | Where-object -Property objectclass -eq user
    function Get-ScriptDirectory {
        # Folder that holds the running script.
        Split-Path -Parent $PSCommandPath
    }
    $scriptPath = Get-ScriptDirectory
    $scriptparent = (get-item $scriptpath).parent.fullname
    # Three-letter site codes shared with the OU-creation step; NAME becomes the first name segment.
    $3lettercodes = import-csv ($scriptparent + "\03-AD_OU_CreateStructure\3lettercodes.csv")
    #=======================================================================
    # NOTE(review): $dn is assigned here but the OU paths further down use
    # $dnstring, which is never assigned in this function — confirm which was meant.
    $dn = (get-addomain).distinguishedname

    #get owner all parameters and store as variable to call upon later
    $ownerinfo = Get-Random $userlist
    if ($PSBoundParameters.ContainsKey('Creator') -eq $true) {
        $adminID = $Creator
    }
    else { $adminID = $wtfwasthis = ((whoami) -split '\\')[1] }
    # Neither $adminID nor $wtfwasthis is read anywhere below.

    #=======================================================================
    #name workflow
    #get aduser who is the administratorid/ownerid ($Owner) and use their 1st part of for the prefix
    # Name layout: <3-letter code><type infix><server role>, where the type infix is
    # WS/LT/SRV on the workstation path and 'W' on the server path, and the server
    # role (APPS/WEBS/DBAS/SECS/CTRX) is only set on the server path. A 7-digit
    # counter starting at 1000000 is appended later.

    $computernameprefix1 = (Get-Random $3lettercodes).NAME

    $computernameprefix2 = 'W'

    #=======================================================================
    #WorkstationorServer 0 (workstation) prefix name workflow
    #=======================================================================
    # The caller's values are discarded: both are re-rolled at random here.
    $WorkstationOrServer = 0, 1 | get-random #work =0, server = 1
    $WorkstationType = 0, 1, 2 | get-random # desktop = 0 , laptop = 1, vm = 2
    if ($WorkstationOrServer -eq 0) {
        if ($WorkstationType -eq 0) {
            #desktop
            $computernameprefix2 = "WS"
        }
        elseif ($WorkstationType -eq 1) {
            #laptop workflow
            $computernameprefix2 = "LT"
        }
        else {
            # WorkstationType 2 (vm) gets the SRV infix even on the workstation path.
            $computernameprefix2 = "SRV"
        }
    }
    #=======================================================================
    #WorkstationorServer 1 (server) prefix name workflow
    #=======================================================================
    else {
        $ServerApplication = 0, 1, 2, 3, 4, 5 | get-random
        if ($ServerApplication -eq 0) { $computernameprefix3 = "APPS" }
        elseif ($ServerApplication -eq 1) { $computernameprefix3 = "WEBS" }
        elseif ($ServerApplication -eq 2) { $computernameprefix3 = "DBAS" }
        elseif ($ServerApplication -eq 3) { $computernameprefix3 = "SECS" }
        elseif ($ServerApplication -eq 4) { $computernameprefix3 = "CTRX" }
        else { $computernameprefix3 = "APPS" }
    }

    # On the workstation path $computernameprefix3 is unset and contributes nothing.
    $computernameprefixfull = $computernameprefix1 + $computernameprefix2 + $computernameprefix3
    $cnSearch = $computernameprefixfull + "*"
    #=======================================================================
    #End workstationorserver prefix name workflow
    #=======================================================================

    #Set OU Location - first test for parameter
    if ($PSBoundParameters.ContainsKey('OUlocation') -eq $true) {
        $ouLocation = $OUlocation
        #$computernameprefixfull = "RADWHWKS"

        if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
            write-host OULocation for search $OUlocation -ForegroundColor Green
            Write-host Computername Search string $cnSearch -ForegroundColor Green
        }

        # Existing names with this prefix inside the given OU; *9999* names are skipped.
        $comps = Get-ADComputer -SearchBase $ouLocation -f { (name -like $cnsearch) -and (name -notlike "*9999*") } | sort name | select name
        if ($comps.count -eq 0) { $compname = $computernameprefixfull + [convert]::ToInt32('1000000') }
        else {
            # Numeric suffix of the lexically highest match + 1; any parse failure
            # falls back to the base number. Either way $compname is recomputed by
            # the duplicate-check loops after this if/else, so this value is only
            # provisional.
            try { $compname = $computernameprefixfull + ([convert]::ToInt32((($comps[($comps.count - 1)].name).Substring(($computernameprefixfull.Length), ((($comps[($comps.count - 1)].name).length) - ($computernameprefixfull.Length)))), 10) + 1) }
            catch { $compname = $computernameprefixfull + [convert]::ToInt32('1000000') }
        }

    }
    else {

        #workstation or server
        if ($WorkstationOrServer -eq 0) {
            #workstation build
            if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
                write-host Workstation Build Chosen
                write-host `n
            }

            #end of name is 7 numbers characters 0-9
            #select all computers in the OU, sort by create date, filter out *9999*, filter out machines with letters at the end, get most recent add a digit to it

            #ou root created above
            # NOTE(review): each branch below builds its OU path from $dnstring,
            # which is never assigned in this function, so the lookup presumably
            # fails and the catch falls back to OU=Admin. The value is then replaced
            # by a random OU right after this block, so this section currently has
            # no effect on where the object ends up.
            if ($WorkstationType -eq 0) {
                #desktop workflow
                if ($PSBoundParameters.ContainsKey('Debug') -eq $true)
                { write-host "Workstation Type 0 chosen. Desktop value selected" }
                $ouLocation = 'OU=Desktops,OU=Technology,' + $dnstring
                #test for OU existence, if not exist, put in Admin OU
                try { Get-ADOrganizationalUnit $oulocation | Out-Null }
                catch { $OUlocation = 'OU=Admin,' + (Get-ADDomain).distinguishedname }

            }
            elseif ($WorkstationType -eq 1) {
                #laptop workflow
                if ($PSBoundParameters.ContainsKey('Debug') -eq $true)
                { write-host "Workstation Type 1 chosen. Laptop value selected" }

                $ouLocation = 'OU=Laptops,OU=Technology,' + $dnstring
                #test for OU existence, if not exist, put in Admin OU
                try { Get-ADOrganizationalUnit $oulocation }
                catch { $OUlocation = 'OU=Admin,' + (Get-ADDomain).distinguishedname }

            }
            else {
                if ($PSBoundParameters.ContainsKey('Debug') -eq $true)
                { write-host "Workstation Type 2 or higher chosen. VM or other value selected" }

                $ouLocation = 'OU=Desktops,OU=Technology,' + $dnstring
                try { Get-ADOrganizationalUnit $oulocation }
                #test for OU existence, if not exist, put in Admin OU
                catch { $OUlocation = 'OU=Admin,' + (Get-ADDomain).distinguishedname }

            }

        }
        #=========================================
        # END WORKSTATION OU identification
        #=========================================
        <#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#>
        #=========================================
        #SERVER OU identification BEGINS HERE
        # Only debug output; no server-specific OU is chosen.
        else {
            if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
                write-host Server Build Chosen
                write-host `n
            }
            #=======================================================================

            #=======================================================================

        }
        #=========================================
        # END SERVER OU identification
        #=========================================
        <#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#>
        # Final placement when no OUlocation was passed: any OU in the domain
        # (first 300 returned), chosen at random.
        $OUsAll = get-adobject -Filter { objectclass -eq 'organizationalunit' } -ResultSetSize 300
        # removing containers right now. will add later $ousall += get-adobject -Filter {objectclass -eq 'container'} -ResultSetSize 300|where-object -Property objectclass -eq 'container'|where-object -Property distinguishedname -notlike "*}*"|where-object -Property distinguishedname -notlike "*DomainUpdates*"

        $ouLocation = (Get-Random $OUsAll).distinguishedname
        if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
            write-host DNString equals $dnstring -ForegroundColor Green
            write-host OWNER equals $owner

            write-host OULocation for search $OUlocation -ForegroundColor Green
        }
    }
    #Write-host Getting list of servers in the server OU to create a unique name -ForegroundColor Green
    # Domain-wide (not OU-scoped) search for names with this prefix; drives the counter below.
    $comps = Get-ADComputer -server $setdc -f { (name -like $cnsearch) -and (name -notlike "*9999*") } | sort name | select name
    #Write-host List complete -ForegroundColor white

    #write-host on line 325
    # Both loops probe candidate names with get-adcomputer: a throw (object not
    # found) means the name is free and sets $checkforDupe = 1, ending the loop.
    $checkforDupe = 0
    if ($comps.name.count -eq 0) {

        # No existing names: start at 1000000 and advance by a random 1..9 step.
        $i = 0
        $i = [convert]::ToInt32($i)
        if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
            write-host in the compname creation loop at line 329
        }
        do {
            $compname = $computernameprefixfull + ([convert]::ToInt32('1000000') + ($i))

            $i = $i + (random -Minimum 1 -Maximum 10)
            try {
                #write-host doing TRY get-adcomputer $compname
                $z = get-adcomputer $compname -server $setdc
                $checkforDupe = 0
            }
            catch {
                #write-host doing Catch
                $checkforDupe = 1
            }
        }
        while ($checkforDupe -eq 0)

    }
    else {
        # Existing names: take the numeric suffix of the highest one and add $i,
        # incrementing until a free name is found; a parse failure falls back to
        # the 1000000 base.
        $i = 1
        $i = [convert]::ToInt32($i)
        do {

            if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
                write-host in the compname creation loop at line 393
            }
            else {}

            #write-host first try catch at 411
            try { $compname = $computernameprefixfull + ([convert]::ToInt32((($comps[($comps.count - 1)].name).Substring(($computernameprefixfull.Length), ((($comps[($comps.count - 1)].name).length) - ($computernameprefixfull.Length)))), 10) + $i) }
            catch { $compname = $computernameprefixfull + ([convert]::ToInt32('1000000') + ($i)) }

            try {
                $z = get-adcomputer $compname -server $setdc
                $checkfordupe = 0
            }
            catch { $checkforDupe = 1 }
            $i++

        }
        while ($checkforDupe -eq 0)

    }

    #Windows apple or Unix
    #infrastructure or application

    $ou = $oulocation
    # Attributes applied after creation; only servicePrincipalName is ever listed,
    # and it is removed again unless the 10% roll below succeeds.
    [System.Collections.ArrayList]$att_to_add = @('servicePrincipalName')

    # Not read anywhere below.
    $division = $computernameprefix1

    $manager = $ownerinfo.distinguishedname
    $sam = ($CompName) + "$"

    # Overwrites the $DNS parameter: 1..10 (10%) means the object gets a HOST/ SPN.
    $DNS = 1..100 | get-random
    if ($DNS -le 10) {
        $servicePrincipalName = "HOST/" + $compname
    }
    else {
        $att_to_add.Remove('servicePrincipalName')
    }

    #make the machine in this decision

    if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
        write-host `n
        write-host "New-ADComputer -server $setdc -Name $CompName -DisplayName $CompName -Enabled $true -path $ou -ManagedBy $manager -owner $owner -SAMAccountName $sam"
        write-host `n
    }
    # Discards any -Description the caller passed; every object gets an empty description.
    $description = ''
    #something is up with system containers i pull in earlier. try the random path. if doesnt work set to default computer container
    # First attempt uses the chosen OU; on failure the object is created without
    # -path (the domain's default computer container). A failure of the second
    # call is not caught here.
    try { New-ADComputer -server $setdc -Name $CompName -DisplayName $CompName -Enabled $true -path $ou -ManagedBy $manager -SAMAccountName $sam -Description $Description }
    catch { New-ADComputer -server $setdc -Name $CompName -DisplayName $CompName -Enabled $true -ManagedBy $manager -SAMAccountName $sam -Description $Description }

    #Check for machine. if it does not exist, skip this next parameter setting stuff
    $results = $null
    try {
        $results = Get-ADComputer $sam -server $setdc
        foreach ($a in $att_to_add) {
            # Invoke-Expression is used only as variable indirection ("$name" ->
            # value of $name). $a comes from the hard-coded list above, so no
            # external string is evaluated here; Get-Variable -Name $a -ValueOnly
            # would express the same intent without evaluating text as code.
            $var = iex $("$" + $a)
            #comment out bottom line once debugging complete
            if ($PSBoundParameters.ContainsKey('Debug') -eq $true) {
                # write-host on $a parameter with variable $var
            }
            get-adcomputer $sam -server $setdc | Set-ADComputer -server $setdc -replace @{$a = $($var) }
        }
        #write-host `n

        #$results = Get-ADComputer $sam -server $setdc -Properties *
        #$results |select CN,department,departmentNumber,Description,DisplayName,DistinguishedName,division,DNSHostName,ManagedBy,Name,SamAccountName,serialNumber,servicePrincipalName,ServicePrincipalNames

        #write-host `n
        #write-host Machine $results.samaccountname created in ((get-addomain).distinguishedname) in OU $OUlocation

    }
    catch {
        # Object not found (or attribute update failed): silently skipped.
        #write-host Machine $sam was not created with code:
        #write-host "`t`t`tNew-ADComputer -Name $CompName -DisplayName $CompName -Enabled $true -path $ou -ManagedBy $manager -SAMAccountName $sam"
    }

    # Not read anywhere.
    $done = @()

}
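Function NewComputers {
    # Creates $NumberOfMachines computer objects by calling CreateComputer once
    # per machine. Defaults to 5 when the parameter is omitted.
    # A count of zero or less now creates nothing; the previous do/while always
    # made at least one call regardless of the value passed.
    # Returns nothing; any output comes from CreateComputer.
    param(

        $NumberOfMachines
    )

    if ($PSBoundParameters.ContainsKey('NumberOfMachines') -eq $false) {
        $NumberOfMachines = 5
        #write-host No number specified. Defaulting to create 5 machines
    }

    # [int] cast so a string argument such as "3" still gives a numeric bound.
    $count = [int]$NumberOfMachines
    for ($i = 1; $i -le $count; $i++) {
        CreateComputer
    }
}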
361 |
--------------------------------------------------------------------------------
/07-AD_Permissions_Randomiser/GenerateRandomPermissions.ps1:
--------------------------------------------------------------------------------
#import scripts
function Get-ScriptDirectory {
    # Folder containing the script currently being run.
    Split-Path -Parent -Path $PSCommandPath
}
$scriptPath = Get-ScriptDirectory
# One level up: the repository root that holds the numbered module folders.
$adplatformsourcedir = Split-Path -Parent -Path $scriptPath

#=============================================
#import ACL function files
# Every "*permissions.ps1" under AD_OU_SetACL is dot-sourced into this scope so
# its delegation functions are callable by name. Be aware that this executes
# every matching file in that folder with the caller's rights, so keep the
# folder's contents under source control.
$ACLScriptspath = Join-Path -Path $adplatformsourcedir -ChildPath "AD_OU_SetACL"

$files = Get-ChildItem -Path $ACLScriptspath -Filter "*permissions.ps1" -Name
foreach ($file in $files) {
    . (Join-Path -Path $ACLScriptspath -ChildPath $file)
}
18 |
19 | Function Create-PermissionSet {
20 | $Permissions = @()
21 | $row = @()
22 |
23 | #===================================================================
24 | #Full Control PERMISSIONS
25 | $FunctionSet = "Full Control Permissions"
26 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'FullControl'; APPLY = 'FALSE' }
27 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'FullControlUsers'; APPLY = 'FALSE' }
28 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'FullControlGroups'; APPLY = 'FALSE' }
29 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'FullControlComputers'; APPLY = 'FALSE' }
30 |
31 | #===================================================================
32 | #USER PERMISSIONS
33 | $FunctionSet = "User Control Permissions"
34 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateUserAccount'; APPLY = 'FALSE' }
35 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteUserAccount'; APPLY = 'FALSE' }
36 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'RenameUserAccount'; APPLY = 'FALSE' }
37 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DisableUserAccount'; APPLY = 'FALSE' }
38 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'UnlockUserAccount'; APPLY = 'FALSE' }
39 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'EnableDisabledUserAccount'; APPLY = 'FALSE' }
40 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ResetUserPasswords'; APPLY = 'FALSE' }
41 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ForcePasswordChangeAtLogon'; APPLY = 'FALSE' }
42 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyUserGroupMembership'; APPLY = 'FALSE' }
43 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyUserProperties'; APPLY = 'FALSE' }
44 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DenyModifyLogonScript'; APPLY = 'FALSE' }
45 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DenySetUserSPN'; APPLY = 'FALSE' }
46 |
47 | #END USER PERMISSIONS
48 | #===================================================================
49 | #COMPUTER PERMISSIONS
50 | $FunctionSet = "Computer Control Permissions"
51 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateComputerAccount'; APPLY = 'FALSE' }
52 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteComputerAccount'; APPLY = 'FALSE' }
53 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'RenameComputerAccount'; APPLY = 'FALSE' }
54 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DisableComputerAccount'; APPLY = 'FALSE' }
55 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'EnableDisabledComputerAccount'; APPLY = 'FALSE' }
56 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyComputerProperties'; APPLY = 'FALSE' }
57 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ResetComputerAccount'; APPLY = 'FALSE' }
58 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyComputerGroupMembership'; APPLY = 'FALSE' }
59 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'SetComputerSPN'; APPLY = 'FALSE' }
60 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReadComputerTPMBitLockerInfo'; APPLY = 'FALSE' }
61 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReadComputerAdmPwd'; APPLY = 'FALSE' }
62 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ResetComputerAdmPwd'; APPLY = 'FALSE' }
63 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DomainJoinComputers'; APPLY = 'FALSE' }
64 | #END COMPUTER PERMISSIONS
65 | #===================================================================
66 | #GROUP PERMISSIONS
67 | $FunctionSet = "Group Control Permissions"
68 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateGroup'; APPLY = 'FALSE' }
69 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteGroup'; APPLY = 'FALSE' }
70 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'RenameGroup'; APPLY = 'FALSE' }
71 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyGroupProperties'; APPLY = 'FALSE' }
72 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyGroupMembership'; APPLY = 'FALSE' }
73 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyGroupGroupMembership'; APPLY = 'FALSE' }
74 |
75 | #END GROUP PERMISSIONS
76 | #===================================================================
77 | #OU PERMISSIONS
78 | $FunctionSet = "OU Control Permissions"
79 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateOU'; APPLY = 'FALSE' }
80 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteOU'; APPLY = 'FALSE' }
81 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'RenameOU'; APPLY = 'FALSE' }
82 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyOUProperties'; APPLY = 'FALSE' }
83 | #END OU PERMISSIONS
84 | #===================================================================
85 | # GPO PERMISSIONS
86 | $FunctionSet = "OU Control Permissions"
87 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'LinkGPO'; APPLY = 'FALSE' }
88 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'GenerateRsopPlanning'; APPLY = 'FALSE' }
89 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'GenerateRsopLogging'; APPLY = 'FALSE' }
90 | #END GPO PERMISSIONS
91 | #===================================================================
92 | # PRINTER PERMISSIONS
93 | $FunctionSet = "Printer Control Permissions"
94 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreatePrintQueue'; APPLY = 'FALSE' }
95 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeletePrintQueue'; APPLY = 'FALSE' }
96 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'RenamePrintQueue'; APPLY = 'FALSE' }
97 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifyPrintQueueProperties'; APPLY = 'FALSE' }
98 | #END PRINTER PERMISSIONS
99 | #===================================================================
100 | # Replication PERMISSIONS
101 | $FunctionSet = "Replication Control Permissions"
102 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ManageReplicationTopology'; APPLY = 'FALSE' }
103 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReplicatingDirectoryChanges'; APPLY = 'FALSE' }
104 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReplicatingDirectoryChangesAll'; APPLY = 'FALSE' }
105 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReplicatingDirectoryChangesInFilteredSet'; APPLY = 'FALSE' }
106 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ReplicationSynchronization'; APPLY = 'FALSE' }
107 | #END Replication PERMISSIONS
108 | #===================================================================
109 | # Site and Subnet PERMISSIONS
110 | $FunctionSet = "Site and Subnet Control Permissions"
111 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateSiteObjects'; APPLY = 'FALSE' }
112 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteSiteObjects'; APPLY = 'FALSE' }
113 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifySiteProperties'; APPLY = 'FALSE' }
114 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateSubnetObjects'; APPLY = 'FALSE' }
115 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteSubnetObjects'; APPLY = 'FALSE' }
116 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifySubnetProperties'; APPLY = 'FALSE' }
117 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'CreateSiteLinkObjects'; APPLY = 'FALSE' }
118 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'DeleteSiteLinkObjects'; APPLY = 'FALSE' }
119 | $row += new-object PSObject -Property @{FunctionSet = $FunctionSet; FunctionName = 'ModifySiteLinkProperties'; APPLY = 'FALSE' }
120 |
121 | #===========================================
122 | #ADD ALL PARAMETERS TO $PERMISSIONS
123 | $Permissions += $row
124 | $permissions
125 | $permINT = 1..100 | get-random
126 | if ($permint -gt 25) {
127 | #if gt this number, assign random permissions
128 | $howmanypermissions = 1..60 | get-random
129 | $p = 1
130 | do {
131 | $randoperm = 0..(($permissions.count) - 1) | Get-random
132 | $permissions[$randoperm].APPLY = 'TRUE'
133 | $p++
134 | }while ($P -le $howmanypermissions)
135 | }
136 | $permissions
137 |
138 | }
139 |
140 |
141 | #=================
142 | #Rando permissions now set to the $permissions variable. Time to do some random admin damage
143 | #=================
144 |
# Lookup from permission category to the OU it would be pointed at.
# NOTE(review): nothing in the visible part of this script reads this table;
# only the 'Full Control Permissions' set is acted on further down, and the
# original comment notes that OU permissions are applied straight to the OU
# holding the affiliate code rather than through this lookup (its "line 94"
# reference is stale).
$PermissionsToOUMapping = @{
    'User'     = 'ServiceAccounts'
    'Computer' = 'Devices'
    'Group'    = 'Groups'
    'OU'       = 'OU'
    'Printer'  = 'Devices'
}
151 | #=============================================
152 | #BEGIN MAKING GROUPS AND SETTING ACLS
# Domain context shared by the ACL work below.
$dom = Get-ADDomain
$setdc = $dom.PDCEmulator              # principal lookups are pinned to the PDC emulator
Set-Location ad:                        # AD: PSDrive; presumably what the ACL helpers operate on
$dn = $dom.DistinguishedName
$AllOUs = Get-ADOrganizationalUnit -Filter *
# Candidate users. The trailing Where-Object keeps only objects whose structural
# class is 'user' -- presumably to drop objects (such as computers) that the LDAP
# filter also matches; confirm against the schema. -ResultSetSize 2500 silently
# truncates the pool in larger directories.
$allUsers = Get-ADObject -Filter { objectclass -eq 'user' } -ResultSetSize 2500 -Server $setdc |
    Where-Object { $_.objectclass -eq 'user' }
159 |
## Create guidmap for acl functions
Set-Location ad:
#=============================================

# RootDSE of the current domain; its naming-context attributes locate the
# schema and configuration partitions queried below.
$schemaPath = Get-ADRootDSE
# Kept at script scope; not read anywhere in the visible code.
$domain = Get-ADDomain

# lDAPDisplayName -> schemaIDGUID for every schema class and attribute,
# built for the ACL functions (per the original comment).
$guidmap = @{}
$schemaEntries = Get-ADObject -SearchBase $schemaPath.SchemaNamingContext `
    -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName, schemaIDGUID
foreach ($entry in $schemaEntries) {
    $guidmap[$entry.lDAPDisplayName] = [System.Guid]$entry.schemaIDGUID
}

# displayName -> rightsGuid for every extended right (controlAccessRight) in the forest.
$extendedrightsmap = @{}
$controlAccessRights = Get-ADObject -SearchBase $schemaPath.ConfigurationNamingContext `
    -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName, rightsGuid
foreach ($right in $controlAccessRights) {
    $extendedrightsmap[$right.displayName] = [System.Guid]$right.rightsGuid
}
181 |
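<#
.SYNOPSIS
Pick a random number of principals from a pool, with replacement.

.DESCRIPTION
Draws between 5 and 100 picks (inclusive) from Pool. Each pick is independent,
so the same object can be returned more than once and will then be processed
again by the caller; this mirrors the original loops and is deliberately not
deduplicated.

.PARAMETER Pool
Collection of AD objects to pick from. Expected to be non-empty; behaviour for
an empty pool is not defined here.

.OUTPUTS
Array of the chosen objects (possibly with repeats).
#>
function Select-RandomPrincipals {
    param($Pool)
    $howMany = 5..100 | Get-Random
    $chosen = @()
    for ($i = 1; $i -le $howMany; $i++) {
        $chosen += $Pool | Get-Random
    }
    return $chosen
}

<#
.SYNOPSIS
Grant one principal random Full Control ACEs on the domain root or random OUs.

.DESCRIPTION
Draws a fresh permission set with Create-PermissionSet (defined above) and acts
only on entries whose FunctionSet is 'Full Control Permissions' and whose APPLY
flag is 'TRUE'. Entries of every other function set are drawn but ignored here,
exactly as in the original per-object loops. For each applied entry the target
is the domain root ($dn) with RootChance percent probability, otherwise an OU
chosen at random from $AllOUs; both are read from script scope.

The function named in FunctionName is invoked with the call operator, so the
principal and target are passed as objects instead of being spliced into a
string and re-parsed by Invoke-Expression.

.PARAMETER Principal
AD user, group or computer object handed to the ACL function as -objgroup.

.PARAMETER RootChance
Percentage (1-100) of applied entries that land on the domain root instead of an OU.
#>
function Grant-RandomFullControl {
    param($Principal, $RootChance = 5)
    # NOTE(review): assumes Create-PermissionSet builds its set from scratch on
    # every call rather than accumulating into a script-scope $permissions.
    $permissions = Create-PermissionSet
    foreach ($permission in $permissions) {
        if ($permission.APPLY -ne 'TRUE') { continue }
        # Only the Full Control set is dispatched; the other sets still need
        # their own handling (the original carried a TODO to that effect).
        if ($permission.FunctionSet -ne 'Full Control Permissions') { continue }

        $OUorRootRando = 1..100 | Get-Random
        if ($OUorRootRando -le $RootChance) {
            $target = $dn                      # domain root
        }
        else {
            $target = $AllOUs | Get-Random     # any OU in the domain
        }
        & $permission.FunctionName -objgroup $Principal -objou $target -inheritanceType 'Descendents'
    }
}

#===========================
# Users: 3% of applied entries hit the domain root (the original user loop
# used a lower threshold than the group and computer loops).
#===========================
foreach ($obj in (Select-RandomPrincipals -Pool $allUsers)) {
    $adgroup = Get-ADUser $obj
    Grant-RandomFullControl -Principal $adgroup -RootChance 3
}
#===========================
#End user piece here
#===========================
# -ResultSetSize 2500 silently truncates the candidate pool in larger directories.
$AllGroups = Get-ADGroup -Filter * -ResultSetSize 2500
foreach ($obj in (Select-RandomPrincipals -Pool $AllGroups)) {
    $adgroup = Get-ADGroup $obj
    Grant-RandomFullControl -Principal $adgroup -RootChance 5
}
#===========================
#End group piece here
#===========================
$AllComputers = Get-ADComputer -Filter * -ResultSetSize 2500
foreach ($obj in (Select-RandomPrincipals -Pool $AllComputers)) {
    $adgroup = Get-ADComputer $obj
    Grant-RandomFullControl -Principal $adgroup -RootChance 5
}
#===========================
#End computer piece here
#===========================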
297 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | <one line to give the program's name and a brief idea of what it does.>
635 | Copyright (C) <year>  <name of author>
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see <https://www.gnu.org/licenses/>.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | <program>  Copyright (C) <year>  <name of author>
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 |
--------------------------------------------------------------------------------