
Creating and Configuring a Tier 0 Management Delegation Group in Active Directory

Introduction:

This post outlines a PowerShell script designed to create and configure a delegation group for Tier 0 management within Active Directory. This delegation group is assigned specific permissions and access control lists (ACLs) to manage critical organizational units (OUs) and Active Directory Domain Services (AD DS) tasks.

Description:

The script automates the creation of a delegation group, adds the necessary members, and configures ACLs for both the Tier 0 OU and its sub-OUs. Additionally, it sets specific permissions for managing AD DS tasks, ensuring secure and efficient management of Tier 0 resources.

How to Use:

To use this script, update the placeholders with your specific Active Directory domain information, such as the delegation group name, Tier 0 OU, and relevant distinguished names. Run the script in a session with appropriate administrative privileges.

What It Does:

This script creates a delegation group for Tier 0 management, assigns it to the appropriate OUs, configures ACLs for both the main and sub-OUs, and delegates necessary AD DS permissions. This setup ensures that only authorized personnel have the necessary permissions to manage critical infrastructure.
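The steps the description above walks through (create the group, add members, put ACLs on the Tier 0 OU and its sub-OUs), as an added PowerShell example that is not the post's own script. The OU, group and member names are placeholders, and the example grants full control over the OU tree, which you would narrow to the rights the group actually needs:

```powershell
# Added example (not the post's own script): create the Tier 0 delegation
# group and give it control over the Tier 0 OU tree via AD ACLs.
# All names below are placeholders for your domain.
Import-Module ActiveDirectory

$Tier0OU        = "OU=Tier0,DC=corp,DC=example"          # assumed OU
$GroupName      = "Tier0-Delegation"                      # assumed group name
$GroupPath      = "OU=Groups,OU=Tier0,DC=corp,DC=example" # assumed group location
$InitialMembers = @("t0admin1", "t0admin2")               # assumed members

# 1. Create the delegation group unless it already exists, then add members.
$Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $Group) {
    $Group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description "Tier 0 management delegation" -PassThru
}
Add-ADGroupMember -Identity $Group -Members $InitialMembers

# 2. Build one ACE: full control over the OU and everything beneath it.
#    Replace GenericAll with the specific ActiveDirectoryRights the group
#    really performs if full control is more than it needs.
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$Group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 3. Apply the ACE to the Tier 0 OU and each sub-OU. The Subtree search
#    returns the Tier 0 OU itself as well; writing the ACE explicitly on every
#    sub-OU keeps the delegation in place even where a sub-OU blocks inheritance.
$OUs = Get-ADOrganizationalUnit -Filter * -SearchBase $Tier0OU -SearchScope Subtree
foreach ($OU in $OUs) {
    $AclPath = "AD:\$($OU.DistinguishedName)"
    $Acl = Get-Acl -Path $AclPath
    $Acl.AddAccessRule($Ace)
    Set-Acl -Path $AclPath -AclObject $Acl
}

# 4. Check: list what the group now holds on the Tier 0 OU.
(Get-Acl -Path "AD:\$Tier0OU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Run it from a session that already has write access to the Tier 0 OU tree; the final step is the place to confirm that only the intended rights were granted before the group receives its members.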

# Define Variables
$SCCMServer = "\\YourSCCMServer"   # not referenced below; the site is reached through its PSDrive
$SiteCode = "YourSiteCode"
$ScriptName = "BIOS-HDD-Unlock"
$ScriptDescription = "Removes the HDD password from the BIOS, ensuring drive accessibility for authorized users."
$PackageSourcePath = "C:\Scripts\$ScriptName"
# Load the Configuration Manager PowerShell module from the console install path
Import-Module "$($Env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Force
# Connect to the SCCM site by switching to its PSDrive (for example "ABC:")
Set-Location "$SiteCode`:"
# Check if a package with the same name exists and delete it
$ExistingPackages = Get-CMPackage -Name $ScriptName -ErrorAction SilentlyContinue
if ($ExistingPackages) {
    foreach ($Package in $ExistingPackages) {
        Remove-CMPackage -Id $Package.PackageID -Force
    }
}
# Create the package source directory if it does not exist
if (!(Test-Path -Path $PackageSourcePath)) {
    New-Item -ItemType Directory -Path $PackageSourcePath -Force | Out-Null
}
# Create the PowerShell script that the package runs on each client.
# Note: the current HDD password is stored in clear text in this file, which is
# copied to every distribution point and readable by every client that receives the package.
$ScriptContent = @'
# Removes the HDD password from the BIOS
Install-PackageProvider -Name "Nuget" -RequiredVersion "2.8.5.208" -Force
Install-Module -Name DellBIOSProvider -Force
Import-Module DellBIOSProvider
# Set the HDD password to an empty string; -Password supplies the current password
Set-Item -Path DellSmbios:\Security\HDDPassword "" -Password H@rv3y?
'@
$ScriptPath = "$PackageSourcePath\BIOS-HDD-Unlock.ps1"
Set-Content -Path $ScriptPath -Value $ScriptContent
# Create the SCCM package pointing at the source directory
$Package = New-CMPackage `
    -Name $ScriptName `
    -Description $ScriptDescription `
    -Path $PackageSourcePath
# Create a program for the package; the script path is relative to the package content
$Program = New-CMProgram `
    -PackageName $ScriptName `
    -StandardProgramName $ScriptName `
    -CommandLine "powershell.exe -ExecutionPolicy Bypass -File BIOS-HDD-Unlock.ps1" `
    -ProgramRunType "WhetherOrNotUserIsLoggedOn"
# Distribute the package content to the distribution point but do not deploy it
Start-CMContentDistribution `
    -PackageName $ScriptName `
    -DistributionPointName "YourDistributionPointName"

Tags: #ActiveDirectory #PowerShell #Tier0Management #Security #DelegationGroup
