Introduction:

This post provides a PowerShell script that automates the creation of a “Tier 2” Organizational Unit (OU) in Active Directory, along with several sub-OUs and a management group. It also configures custom Access Control Lists (ACLs) for the OU and its sub-OUs.

Description:

The script sets up a “Tier 2” OU within your Active Directory environment, creates a list of predefined sub-OUs, and establishes a security group for managing these OUs. Additionally, it applies custom permissions to ensure that the management group has the necessary rights to manage the “Tier 2” OUs effectively.

How to Use:

To use this script, update the placeholders with your specific Active Directory domain information, OU names, and group names. Run the script in a PowerShell session with administrative privileges on a machine that has access to the target Active Directory domain.

What It Does:

This script creates the “Tier 2” OU and its sub-OUs, creates a security group for managing these OUs, and assigns the appropriate permissions to ensure that the management group has full control over the “Tier 2” OUs.

# Set the AD DS domain and root OU path; fill these in for your environment,
# e.g. $domain = "corp.example.com" and $rootOU = "DC=corp,DC=example,DC=com"
# ($domain is informational only; every bind below uses the $rootOU distinguished name)
$domain = ""
$rootOU = ""

# Create the "Tier 2" OU directly under the root OU
$ouPath = "LDAP://$rootOU"
$rootOUObject = [adsi]"$ouPath"
$ouName = "Tier 2"
$ou = $rootOUObject.Create("OrganizationalUnit", "OU=$ouName")
$ou.SetInfo()

# Define the list of SUB OUs
$subOUs = @(
    "T2-Clients",
    "T2-DisabledObjects",
    "T2-Groups",
    "T2-Users"
)

# Create the SUB OUs under the "Tier 2" OU
# (bind to the "Tier 2" container and create each child there; binding to the
# not-yet-existing sub-OU path itself fails)
$tier2Path = "LDAP://OU=$ouName,$rootOU"
$tier2Object = [adsi]$tier2Path
foreach ($subOUName in $subOUs) {
    $subOU = $tier2Object.Create("OrganizationalUnit", "OU=$subOUName")
    $subOU.SetInfo()
}

# Create the "SG-Tier 2 Management Admins" group
# $groupOU is the DN of the OU that holds the group (keep it outside the "Tier 2" OU it manages),
# $groupCN is the group's common name, e.g. "SG-Tier 2 Management Admins"
$groupOU = ""
$groupCN = ""
$groupPath = "LDAP://CN=$groupCN,$groupOU"

if ([adsi]::Exists($groupPath)) {
    Write-Host "Group '$groupCN' already exists."
} else {
    $groupOUObject = [adsi]"LDAP://$groupOU"
    $group = $groupOUObject.Create("Group", "CN=$groupCN")
    $group.Put("sAMAccountName", $groupCN)
    # Scope and type are both encoded in groupType (there is no separate groupScope attribute):
    # 0x80000002 = ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED, written as Int32
    $group.Put("groupType", -2147483646)  # Global Security Group
    $group.SetInfo()
    Write-Host "Group '$groupCN' created."
}

# Re-bind to the group and resolve its SID: ActiveDirectoryAccessRule takes an IdentityReference,
# not an LDAP path string
$group = [adsi]$groupPath
$groupSid = New-Object System.Security.Principal.SecurityIdentifier ($group.objectSid.Value, 0)
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all descendants
$inheritNone = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # this object only

# Set the appropriate permissions for the "Tier 2" OU and its SUB OUs.
# ObjectSecurity returns the ActiveDirectorySecurity object that AddAccessRule works on;
# Get("ntSecurityDescriptor") returns a raw COM descriptor that has no such method.
# The ACL is applied to the "Tier 2" OU itself, not to the root OU above it.
$acl = $tier2Object.psbase.ObjectSecurity
$acl.SetAccessRuleProtection($false, $false)   # keep inheriting from the parent
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($groupSid, $rights, $allow, $inheritAll)
$acl.AddAccessRule($ace)
$tier2Object.psbase.ObjectSecurity = $acl
$tier2Object.psbase.CommitChanges()

foreach ($subOUName in $subOUs) {
    $subOUPath = "LDAP://OU=$subOUName,OU=$ouName,$rootOU"
    $subOUObject = [adsi]$subOUPath
    $acl = $subOUObject.psbase.ObjectSecurity
    $acl.SetAccessRuleProtection($false, $false)
    # "None" is the valid "this object only" inheritance value ("ThisObjectOnly" does not exist)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($groupSid, $rights, $allow, $inheritNone)
    $acl.AddAccessRule($ace)
    $subOUObject.psbase.ObjectSecurity = $acl
    $subOUObject.psbase.CommitChanges()
}

Write-Host "Custom ACLs configured for the 'Tier 2' OU and its SUB OUs."
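To check what the delegation actually produced, here is an added verification helper (my own code, not part of the post's script): it reads the DACL of the "Tier 2" OU and each OU directly beneath it and lists every Allow ACE that amounts to control over the objects below (full control, WriteDacl/WriteOwner, or WriteProperty not limited to a single attribute), so only the intended management group plus the built-in defaults should appear. It assumes $rootOU is set as in the script and that the session can bind to the domain.

```powershell
# Added verification helper; it is not part of the post's script.
function Get-OuTakeoverAces {
    param([Parameter(Mandatory)][string]$OuDN)   # e.g. "OU=Tier 2,DC=corp,DC=example,DC=com"

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $entry = [adsi]"LDAP://$OuDN"
    $acl = $entry.psbase.ObjectSecurity
    $owner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value

    # explicit and inherited rules, identities resolved to DOMAIN\name
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = $rule.ActiveDirectoryRights
        # GenericAll is a mask of every bit, so test for containment rather than a non-zero overlap
        $fullControl = ($rights -band $R::GenericAll) -eq $R::GenericAll
        $aclControl  = ($rights -band ($R::WriteDacl -bor $R::WriteOwner)) -ne 0
        # an all-zero ObjectType means the WriteProperty ACE covers every attribute, not just one
        $writeAll    = (($rights -band $R::WriteProperty) -ne 0) -and ($rule.ObjectType -eq [guid]::Empty)
        if (-not ($fullControl -or $aclControl -or $writeAll)) { continue }

        [pscustomobject]@{
            OU          = $OuDN
            Identity    = $rule.IdentityReference.Value
            Rights      = $rights
            Inheritance = $rule.InheritanceType
            Inherited   = $rule.IsInherited
            Owner       = $owner
        }
    }
}

# Audit the "Tier 2" OU and each OU directly beneath it (assumes $rootOU is set as in the script)
$tier2DN = "OU=Tier 2,$rootOU"
$ouList = @($tier2DN) + @(([adsi]"LDAP://$tier2DN").psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq 'organizationalUnit' } |
    ForEach-Object { $_.distinguishedName.Value })
$ouList | ForEach-Object { Get-OuTakeoverAces -OuDN $_ } |
    Format-Table OU, Identity, Rights, Inheritance, Inherited -AutoSize
```

Any identity in the output other than the management group and the directory's default principals (SYSTEM, Domain Admins, Enterprise Admins and the like) is worth investigating before the OU is populated.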

Tags: #ActiveDirectory #PowerShell #Tier2Management #OrganizationalUnits #ITAutomation