Introduction:
This post outlines a PowerShell script designed to create and configure a delegation group for Tier 0 management within Active Directory. The delegation group is granted specific access control entries (ACEs) on the access control lists (ACLs) of the critical organizational units (OUs) and on the Active Directory Domain Services (AD DS) objects it needs to manage.
Description:
The script automates the creation of a delegation group, adds necessary members, and configures ACLs for both the Tier 0 OU and its sub-OUs. Additionally, it sets specific permissions for managing AD DS tasks, ensuring secure and efficient management of Tier 0 resources.
How to Use:
To use this script, update the placeholders with your specific Active Directory domain information, such as the delegation group name, the distinguished name of the Tier 0 OU, and the group members. Run the script in a PowerShell session with the ActiveDirectory module available (the script uses the AD: drive for Get-Acl and Set-Acl) and with privileges sufficient to create groups and modify the ACLs of the targeted OUs and configuration containers.
What It Does:
This script creates a delegation group for Tier 0 management, grants it rights on the Tier 0 OU and on each of its sub-OUs (with inheritance from the parent blocked on those OUs), and delegates the named AD DS permissions on the Sites and NetServices containers of the configuration partition. This setup ensures that only authorized personnel have the necessary permissions to manage critical infrastructure.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl below

# Set the name of the delegation group
$delegationGroupName = ""   # placeholder, e.g. "Tier0-Delegation"
# Set the distinguished name of the Tier 0 OU
$tier0OU = ""               # placeholder, e.g. "OU=Tier0,DC=corp,DC=example,DC=com"
# Configuration naming context (CN=Configuration,DC=...) of the forest, read from the RootDSE
$configNC = (Get-ADRootDSE).configurationNamingContext

# Create the delegation group
New-ADGroup -Name $delegationGroupName -GroupCategory Security -GroupScope Global `
    -Description "Delegation group for Tier 0 management" -ManagedBy ""   # placeholder: DN or sAMAccountName of the owner

# Add members (admin accounts and service accounts) to the delegation group
Add-ADGroupMember -Identity $delegationGroupName -Members "", ""   # placeholders: sAMAccountNames or DNs
$delegationGroupSID = (Get-ADGroup -Identity $delegationGroupName).SID

# Append one Allow ACE for the delegation group to the ACL of the object at $Path.
# $Rights is a comma-separated list of ActiveDirectoryRights names; $ObjectType is the GUID of a
# control-access (extended) right when $Rights is "ExtendedRight", otherwise Guid.Empty.
function Add-DelegationAce {
    param(
        [string]$Path,
        [string]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [switch]$ProtectFromInheritance
    )
    $acl = Get-Acl -Path $Path
    if ($ProtectFromInheritance) {
        # Block inheritance from the parent; the second $true keeps a copy of the inherited ACEs
        $acl.SetAccessRuleProtection($true, $true)
    }
    # Constructor arguments: identity, rights, Allow/Deny, object-type GUID,
    # inheritance ("All" = this object and all descendants)
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $delegationGroupSID, $Rights, "Allow", $ObjectType, "All"
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Set ACLs for the Tier 0 OU (GenericAll already includes CreateChild/DeleteChild; kept explicit for readability)
Add-DelegationAce -Path "AD:\$tier0OU" -Rights "CreateChild,DeleteChild,GenericAll" -ProtectFromInheritance

# Configure ACLs for each sub-OU
$subOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $tier0OU -SearchScope OneLevel
foreach ($subOU in $subOUs) {
    Add-DelegationAce -Path "AD:\$($subOU.DistinguishedName)" -Rights "CreateChild,DeleteChild,GenericAll" -ProtectFromInheritance
}

# Delegate permissions for AD DS tasks. Replication rights are control-access rights, not
# ActiveDirectoryRights flags, so they are granted as ExtendedRight ACEs whose object type is the
# right's GUID, resolved by name from the schema's Extended-Rights container. Names that do not
# exist as control-access rights in the forest are skipped with a warning.
# Caveat: DS-Replication-Get-Changes-All lets the holder replicate directory secrets, which is
# domain-controller-level privilege, and AD evaluates replication rights on the naming-context head
# (e.g. the domain DN). Alert on membership changes of this group and on any new ACE granting it.
$adDSExtendedRights = "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set", "DS-Replication-Manage-Topology",
    "DS-Replication-Monitor-Topology", "DS-Replication-Synchronize"
$adDSGenericRights = "GenericRead,GenericWrite,CreateChild"   # Read, Write, Create All Child Objects
$adDSTargets = "AD:\CN=Sites,$configNC", "AD:\CN=NetServices,CN=Services,$configNC"

foreach ($target in $adDSTargets) {
    Add-DelegationAce -Path $target -Rights $adDSGenericRights
    foreach ($rightName in $adDSExtendedRights) {
        $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(name=$rightName)" -Properties rightsGuid
        if (-not $right) { Write-Warning "'$rightName' is not a control-access right in this forest; skipped"; continue }
        Add-DelegationAce -Path $target -Rights "ExtendedRight" -ObjectType ([Guid]$right.rightsGuid)
    }
}
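After running the script, a practitioner will want to confirm what the delegation group actually ended up with and who in the domain can replicate secrets. The following read-only check is an added example, not part of the original script; it assumes $delegationGroupName and $tier0OU hold the same values as in the script, that the ActiveDirectory module is available, and that the caller can read ACLs (no write access is needed). The Get-AceLabel helper and the $replicationRights list are this example's own.

```powershell
Import-Module ActiveDirectory

# Assumed to be set as in the script above (placeholders to fill in)
# $delegationGroupName = ""
# $tier0OU = ""
$configNC  = (Get-ADRootDSE).configurationNamingContext
$domainDN  = (Get-ADDomain).DistinguishedName
$groupSid  = (Get-ADGroup -Identity $delegationGroupName).SID
$groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value   # "DOMAIN\group"

# Map rightsGuid -> name for every control-access right so ExtendedRight ACEs can be labelled
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(objectClass=controlAccessRight)" -Properties rightsGuid |
    ForEach-Object { $rightNames[[Guid]$_.rightsGuid] = $_.Name }

function Get-AceLabel([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    # Extended right name for an ExtendedRight ACE, otherwise the rights flags as text
    if ($Ace.ObjectType -ne [Guid]::Empty -and $rightNames.ContainsKey($Ace.ObjectType)) {
        return $rightNames[$Ace.ObjectType]
    }
    return $Ace.ActiveDirectoryRights.ToString()
}

# 1. What the delegation group holds on the Tier 0 OU, and whether inheritance is blocked
$ouAcl = Get-Acl -Path "AD:\$tier0OU"
"Tier 0 OU: $tier0OU  (inheritance blocked: $($ouAcl.AreAccessRulesProtected))"
$ouAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName } |
    ForEach-Object {
        [pscustomobject]@{
            Right       = Get-AceLabel $_
            Type        = $_.AccessControlType
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize

# 2. Who can replicate the domain naming context. Replication control-access rights take effect
#    on the NC head, so this is the object to audit; GenericAll on the head implies every extended right.
$replicationRights = "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set"
$headAcl = Get-Acl -Path "AD:\$domainDN"
"Principals holding replication rights on $domainDN"
$headAcl.Access |
    Where-Object { $_.AccessControlType -eq "Allow" } |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
        ($replicationRights -contains (Get-AceLabel $_))
    } |
    Select-Object IdentityReference, @{ n = "Right"; e = { Get-AceLabel $_ } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

The first table should list the GenericAll ACE from the script with inheritance "All" and Inherited = False; the second table is the baseline to keep: on an unmodified domain it contains only the built-in holders (domain controllers, administrators and the like), so any additional principal, including the Tier 0 delegation group, is worth an alert or a ticket.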
Tags: #ActiveDirectory #PowerShell #Tier0Management #Security #DelegationGroup