
Creating and Configuring Tier 2 Organizational Units and Management Group in Active Directory


This post provides a PowerShell script that automates the creation of a “Tier 2” Organizational Unit (OU) in Active Directory, along with several sub-OUs and a management group. It also configures custom Access Control Lists (ACLs) on the OU and its sub-OUs so that the management group is delegated control of that tier and nothing else.


The script sets up a “Tier 2” OU within your Active Directory environment, creates a list of predefined sub-OUs, and establishes a security group for managing these OUs. Additionally, it applies custom permissions to ensure that the management group has the necessary rights to manage the “Tier 2” OUs effectively.

How to Use:

To use this script, update the placeholders with your specific Active Directory domain information, OU names, and group names. Run the script in a PowerShell session with administrative privileges on a machine that has access to the target Active Directory domain.

What It Does:

This script creates the “Tier 2” OU and its sub-OUs, creates a security group for managing these OUs, and grants that group full control (GenericAll) over the “Tier 2” OU and everything beneath it. The grant belongs on the “Tier 2” OU itself, not on the parent OU, so the management group gains no rights over sibling OUs or anything outside its tier.

# Set the AD DS domain and root OU path
$domain = "<put your domain here>"
$rootOU = "<put your root OU distinguished name here>"   # distinguished name of the OU that will contain "Tier 2"

# Bind to the root OU and create the "Tier 2" OU beneath it
$rootOUObject = [adsi]"LDAP://$rootOU"
$ouName = "Tier 2"
$ouDN = "OU=$ouName,$rootOU"
if ([adsi]::Exists("LDAP://$ouDN")) {
    Write-Host "OU '$ouName' already exists."
} else {
    $ou = $rootOUObject.Create("OrganizationalUnit", "OU=$ouName")
    $ou.SetInfo()   # Create() only stages the object; SetInfo() writes it to the directory
    Write-Host "OU '$ouName' created."
}
$ou = [adsi]"LDAP://$ouDN"

# Define the list of SUB OUs (one entry per sub-OU to create under "Tier 2")
$subOUs = @(
    "<put your sub-OU names here>"
)

# Create the SUB OUs under the "Tier 2" OU (they are children of "Tier 2", not of the root OU)
foreach ($subOUName in $subOUs) {
    $subOUDN = "OU=$subOUName,$ouDN"
    if ([adsi]::Exists("LDAP://$subOUDN")) {
        Write-Host "Sub-OU '$subOUName' already exists."
        continue
    }
    $subOU = $ou.Create("OrganizationalUnit", "OU=$subOUName")
    $subOU.SetInfo()
    Write-Host "Sub-OU '$subOUName' created."
}

# Create the "SG-Tier 2 Management Admins" group
$groupOU = "<put your group OU distinguished name here>"
$groupCN = "<put your group CN here>"   # the name only, without the "CN=" prefix
$groupDN = "CN=$groupCN,$groupOU"
if ([adsi]::Exists("LDAP://$groupDN")) {
    Write-Host "Group '$groupCN' already exists."
} else {
    $groupOUObject = [adsi]"LDAP://$groupOU"
    $group = $groupOUObject.Create("Group", "CN=$groupCN")
    $group.Put("sAMAccountName", $groupCN)
    # groupType is a signed 32-bit flag set: 0x80000002 = SECURITY_ENABLED | GLOBAL.
    # Scope is encoded in groupType; there is no separate "groupScope" attribute.
    $group.Put("groupType", -2147483646)   # Global Security Group
    $group.SetInfo()
    Write-Host "Group '$groupCN' created."
}
$group = [adsi]"LDAP://$groupDN"
# ActiveDirectoryAccessRule takes an identity (SID), not an LDAP path: build it from objectSid
$groupSid = New-Object System.Security.Principal.SecurityIdentifier($group.objectSid.Value, 0)

# Set the appropriate permissions for the "Tier 2" OU and its SUB OUs.
# The ACE goes on the "Tier 2" OU itself, not on the root OU, so the group
# gets no rights over sibling OUs or anything outside its tier.
$acl = $ou.ObjectSecurity
$acl.SetAccessRuleProtection($false, $false)   # keep inheriting from the parent OU
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSid, "GenericAll", "Allow", "All")   # this OU and all descendants
$acl.AddAccessRule($ace)
$ou.ObjectSecurity = $acl
$ou.CommitChanges()

foreach ($subOUName in $subOUs) {
    $subOU = [adsi]"LDAP://OU=$subOUName,$ouDN"
    $acl = $subOU.ObjectSecurity
    $acl.SetAccessRuleProtection($false, $false)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSid, "GenericAll", "Allow", "None")   # this object only
    $acl.AddAccessRule($ace)
    $subOU.ObjectSecurity = $acl
    $subOU.CommitChanges()
}
Write-Host "Custom ACLs configured for the 'Tier 2' OU and its SUB OUs."
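As an added check (not part of the original post), the following script reads the delegation back and confirms it landed where a tiering model requires: the group is a security-enabled global group, it holds an explicit Allow GenericAll ACE with inheritance on the “Tier 2” OU, every child OU carries that right, and the group holds no explicit ACE on the parent (root) OU. The `$rootOU`, `$groupOU` and `$groupCN` placeholders are the same ones the script above uses; the `Get-GroupAces` helper and the `$report` object are assumptions of this example.

```powershell
# Added verification example (not from the original post).
# Reads the Tier 2 delegation back and checks that it is scoped as intended.
$rootOU  = "<put your root OU distinguished name here>"
$groupOU = "<put your group OU distinguished name here>"
$groupCN = "<put your group CN here>"
$tier2DN = "OU=Tier 2,$rootOU"

$group      = [adsi]"LDAP://CN=$groupCN,$groupOU"
$groupSid   = New-Object System.Security.Principal.SecurityIdentifier($group.objectSid.Value, 0)
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Helper (assumed name): every ACE on $dn whose trustee is $sid, explicit and inherited
function Get-GroupAces([string]$dn, [System.Security.Principal.SecurityIdentifier]$sid) {
    $entry = [adsi]"LDAP://$dn"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# 1. Group type: bit 0x80000000 = security-enabled, bit 0x2 = global scope
$groupType  = [int]$group.groupType.Value
$isSecurity = ($groupType -band 0x80000000) -ne 0
$isGlobal   = ($groupType -band 0x2) -ne 0

# 2. Parent OU: an explicit ACE here would delegate far more than Tier 2
$rootExplicit = @(Get-GroupAces $rootOU $groupSid | Where-Object { -not $_.IsInherited })

# 3. Tier 2 OU: an explicit Allow GenericAll that flows to all descendants
$tier2Explicit = @(Get-GroupAces $tier2DN $groupSid | Where-Object { -not $_.IsInherited })
$tier2Full = @($tier2Explicit | Where-Object {
    (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
    ($_.AccessControlType -eq 'Allow') -and
    ($_.InheritanceType -eq 'All')
})

# 4. Each child OU must carry the right (inherited from Tier 2 or explicit on itself)
$searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$tier2DN", "(objectClass=organizationalUnit)")
$searcher.SearchScope = 'OneLevel'
$childrenMissing = @()
foreach ($result in $searcher.FindAll()) {
    $childDN = $result.Properties['distinguishedname'][0]
    $has = @(Get-GroupAces $childDN $groupSid | Where-Object {
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and ($_.AccessControlType -eq 'Allow')
    })
    if ($has.Count -eq 0) { $childrenMissing += $childDN }
}

# Summary object (assumed shape); every property should be $true / empty on a correct delegation
$report = [pscustomobject]@{
    GroupIsSecurityEnabled  = $isSecurity
    GroupIsGlobal           = $isGlobal
    NoExplicitAceOnRootOU   = ($rootExplicit.Count -eq 0)
    Tier2HasInheritableFull = ($tier2Full.Count -gt 0)
    ChildOUsMissingRight    = $childrenMissing
}
$report
if (-not ($isSecurity -and $isGlobal -and $report.NoExplicitAceOnRootOU -and $report.Tier2HasInheritableFull -and $childrenMissing.Count -eq 0)) {
    Write-Warning "Tier 2 delegation is not scoped as intended; review the report above."
}
```

Run it with an account that can read the DACLs of the OUs involved; it changes nothing. Two points worth keeping in mind when reading the report: GenericAll includes WriteDacl and WriteOwner, so members of the management group can also rewrite the delegation on their own tier, and an explicit ACE on the root OU (the `NoExplicitAceOnRootOU` check) would hand the group the same control over every sibling OU under that root, which defeats the purpose of tiering.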

Tags: #ActiveDirectory #PowerShell #Tier2Management #OrganizationalUnits #ITAutomation
