Introduction:
This post outlines a PowerShell script designed to create and configure a delegation group for Tier 0 management within Active Directory. This delegation group is assigned specific permissions and access control lists (ACLs) to manage critical organizational units (OUs) and Active Directory Domain Services (AD DS) tasks.
Description:
The script automates the creation of a delegation group, adds necessary members, and configures ACLs for both the Tier 0 OU and its sub-OUs. Additionally, it sets specific permissions for managing AD DS tasks, ensuring secure and efficient management of Tier 0 resources.
How to Use:
To use this script, update the placeholders with your specific Active Directory domain information, such as the delegation group name, Tier 0 OU, and relevant distinguished names. Run the script in a PowerShell session with appropriate administrative privileges.
What It Does:
This script creates a delegation group for Tier 0 management, assigns it to the appropriate OUs, configures ACLs for both the main and sub-OUs, and delegates necessary AD DS permissions. This setup ensures that only authorized personnel have the necessary permissions to manage critical infrastructure.
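The delegation-group and OU ACL setup described above, as an added example that is not the post's own script; the OU paths, group name and member account are assumed placeholders for the reader's domain, and the example grants Full Control on the Tier 0 OU with inheritance so sub-OUs are covered:

```powershell
# Added example (not the post's script): create a Tier 0 delegation group and
# grant it Full Control on the Tier 0 OU, inherited by its sub-OUs.
# Every name below is an assumed placeholder; adjust to your domain.
Import-Module ActiveDirectory

$DomainDN       = (Get-ADDomain).DistinguishedName
$Tier0OU        = "OU=Tier0,$DomainDN"            # assumed Tier 0 OU
$GroupOU        = "OU=Groups,$Tier0OU"            # assumed OU holding the group
$GroupName      = "Tier0-Delegation-Admins"       # assumed group name
$InitialMembers = @("tier0-admin01")              # assumed sAMAccountName(s)

# 1. Create the delegation group (reuse it if it already exists)
$Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $Group) {
    $Group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description "Delegated management of the Tier 0 OU" -PassThru
}

# 2. Add the initial members
Add-ADGroupMember -Identity $Group -Members $InitialMembers

# 3. Build the ACE: GenericAll (Full Control) on the OU, inherited by all
#    child objects and sub-OUs. Narrow ActiveDirectoryRights (CreateChild,
#    DeleteChild, WriteProperty, ...) where Full Control exceeds what the
#    delegation really needs.
$Ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# 4. Apply the ACE to the Tier 0 OU through the AD: drive; inheritance covers
#    existing and future sub-OUs, so no per-sub-OU loop is needed
$AclPath = "AD:\$Tier0OU"
$Acl = Get-Acl -Path $AclPath
$Acl.AddAccessRule($Ace)
Set-Acl -Path $AclPath -AclObject $Acl

# 5. Verify: show the ACEs the delegation group now holds on the OU
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Run it once from an account that already holds rights on the Tier 0 OU; the final listing is what to compare against after any later ACL change.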
# Define Variables
$SCCMServer        = "\\YourSCCMServer"
$SiteCode          = "YourSiteCode"
$ScriptName        = "BIOS-HDD-Unlock"
$ScriptDescription = "Removes the HDD password from the BIOS, ensuring drive accessibility for authorized users."
$PackageSourcePath = "C:\Scripts\$ScriptName"

# Load the SCCM (Configuration Manager) PowerShell module
Import-Module "$($Env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Force

# Connect to the SCCM site drive
Set-Location "$SiteCode`:"

# Check whether a package with the same name exists and delete it
$ExistingPackages = Get-CMPackage -Name $ScriptName -ErrorAction SilentlyContinue
if ($ExistingPackages) {
    foreach ($Package in $ExistingPackages) {
        Remove-CMPackage -Id $Package.PackageID -Force
    }
}

# Create the package source directory if it does not exist
if (!(Test-Path -Path $PackageSourcePath)) {
    New-Item -ItemType Directory -Path $PackageSourcePath -Force
}

# Create the PowerShell script that the package will run on the client.
# Note: the BIOS admin password is stored in clear text inside this script and
# is therefore readable on every distribution point and client cache that
# receives the package; restrict access to the package source and content.
$ScriptContent = @'
# Removes the HDD password from the BIOS
Install-PackageProvider -Name "NuGet" -RequiredVersion "2.8.5.208" -Force
Install-Module -Name DellBIOSProvider -Force
Import-Module DellBIOSProvider
Set-Item -Path DellSmbios:\Security\HDDPassword "" -Password 'H@rv3y?'
'@
$ScriptPath = "$PackageSourcePath\BIOS-HDD-Unlock.ps1"
Set-Content -Path $ScriptPath -Value $ScriptContent

# Create the SCCM package
$Package = New-CMPackage `
    -Name $ScriptName `
    -Description $ScriptDescription `
    -Path $PackageSourcePath

# Create a program for the package
$Program = New-CMProgram `
    -PackageName $ScriptName `
    -StandardProgramName $ScriptName `
    -CommandLine "powershell.exe -ExecutionPolicy Bypass -File BIOS-HDD-Unlock.ps1" `
    -ProgramRunType "WhetherOrNotUserIsLoggedOn"

# Distribute the package to the distribution point but do not deploy it
Start-CMContentDistribution `
    -PackageName $ScriptName `
    -DistributionPointName "YourDistributionPointName"
Tags: #ActiveDirectory #PowerShell #Tier0Management #Security #DelegationGroup