If you have ever tried 'PowerShell'ing' Group Policies, you know that support from Microsoft is sub-optimal, meaning that there is no support, of course, to fill this gap there are paid 3rd party offerings.
The Task at Hand:
A new 'Member Server' OU and various sub-OU's are needed, as well as their corresponding Group Policies, AD Groups and Restricted Groups. This feels like the millionth time I've manually accomplished this task and it's fairly repetitive and time consuming, alternatively, I can crack open PowerShell. The mantra is 'Why point and click when there's PowerShell' so let's get creative.
Components of a Domain GPO:
A Group Policy Object (GPO) is made up of various file types, strangely enough, the same as local GPO's configured via GPEdit.msc. Having scripted SecEdit, updating both User Rights AssignmenPats (URA) and Services previously the 'ask' should be straightforward.
Basic file layout of a Domain GPO:
C:\Windows\SYSVOL\domain\Policies\{GUID}\
Machine\Registry.pol
User\Registry.pol
Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Machine\Microsoft\Windows NT\Audit\Audit.csv
GPO security settings are written to GptTmpl.inf, an example of a GptTmpl.inf with Restricted Groups and User Rights Assignments from an SCCM installation including a SQL Member Server.
The above looks a little confusing and here's a quick breakdown to help:
*S-1-5-21-4000739697-4006183653-2191022337-1143
The SID of a Service Account
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-4000739697-4006183653-2191022337-1143
*S-1-5-32-544 = Builtin\Administrators Group
*S-1-5-32-573__Memberof =
*S-1-5-32-573__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171
*S-1-5-32-573 = Builtin\Event Log Readers
*S-1-5-32-559__Memberof =
*S-1-5-32-559__Members = *S-1-5-21-4000739697-4006183653-2191022337-1171
*S-1-5-32-559 = Builtin\Performance Log Users
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1170
SeServiceLogonRight = Log on as a service
SeInteractiveLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1169
SeInteractiveLogonRight = Allow log on locally
SeBatchLogonRight = *S-1-5-21-4000739697-4006183653-2191022337-1187
SeBatchLogonRight = Log on as Batch
Overview of script actions:
Execute the script directly on the Domain Controller with the PDC role. The script will create a 'Resources' OU off the root of the Domain, then sub-ou's 'Member Servers' and 'Restricted Groups'. For each application service eg Exchange, SharePoint etc, an additional OU is then created with corresponding AD groups for both Administrator and Remote Desktop User Groups. Finally, GPOs are created for each OU and the AD Groups SID are assigned to both the Restricted Groups and Remote Interactive User Rights Assignment.
The script:
Script Breakdown:
The following are extracts from the script that is accessible from Github.
Resolve the Domain Naming Context.
$rootDSE = (Get-ADRootDSE).rootDomainNamingContext
Resolve the path to Sysvol, just in case it was moved during Domain Controler installation.
$smbSysvol = ((Get-SmbShare -name "sysvol").path).replace("SYSVOL\sysvol","sysvol")
Set 'Resource' OU as a root for all subsequent OU's for member servers etc.
$resRoot = "Resources"
Stitch or join the Root DN and variables to create OU Distinguished Names.
$resourceOU = "OU=$($resRoot),$($rootDSE)"
$memSrvOU = "OU=$($memSrvRoot),OU=$($resRoot),$($rootDSE)"
$ResGroupOU = "OU=$($ResGroupRoot),OU=$($resRoot),$($rootDSE)"
Create an OU called 'Resources' as a top-level OU.
New-ADOrganizationalUnit -Name $resRoot #-ProtectedFromAccidentalDeletion $false
Create a variable based on the OU name for creating an AD group name.
$rgRtAdminGp = "RG_$($MemSrvRoot)_Admin"
Create a new Domain Global group based on the OU name for Admin and Remote user groups. Groups are created in the 'Restricted Groups' OU.
New-ADGroup -Name $rgRtAdminGp –groupscope Global -Path $ResGroupOU -Description $rgRtAdminDescrip
Get the SID of the new Group.
$getRtRGAdminSid = $getRtRGAdmin.SID.Value
Declare the variable for creating an OU.
$GPOName = "GPO_$($MemSrvRoot)_RestrictedGroup"
Create a new OU based on the variable and link to OU.
New-GPO -Name $GPOName | New-GPLink -Target $getOUMS.DistinguishedName
Set delegation permission on the OU so the AD group can edit their own policy.
Set-GPPermission -Guid $getGpoId -PermissionLevel GpoEditDeleteModifySecurity -TargetType Group -TargetName $rgAdminGp
Declared the path to the GPO directory.
$sysvol = "$($smbSysvol)\domain\Policies\{$($getGpoId)}\Machine\Microsoft\Windows NT\SecEdit"
Create a directory and GptTmpl.inf file.
New-Item -Path $sysvol -ItemType Directory -Force
New-Item -Path $sysvol -Name GptTmpl.inf -ItemType File -Force
Declare variables based on the Group SIDs for Admin and Remote Groups.
$addConAdmin = "*S-1-5-32-544__Members = *$($getRtRGAdminSid)"
$addConRDP = "*S-1-5-32-555__Members = *$($getRtRGRDPSid)"
$addConURARemote = "SeRemoteInteractiveLogonRight = *$($getRtRGAdminSid),*$($getRtRGRDPSid)"
Update GptTmpl.inf.
Add-Content -Path $gptFile -Value '[Group Membership]'
Add-Content -Path $gptFile -Value '*S-1-5-32-544__Memberof ='
Add-Content -Path $gptFile -Value $addConAdmin
Add-Content -Path $gptFile -Value $addConURARemote
Write the GPCMachineExtensionName attribute with the Client-Side Extension GUID of the areas of the GPO setting for the GPO. If not the settings won't display in the GPO Management tool and the target server won't be able to read the GPO.
Set-ADObject -Identity $getGPOPath -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"}
The Client-Side Extensions GUID can be extracted from Polices, there's no need to try and discover those GUIDS. Set the required policies and copy the GUIDs.
The initial scenario of creating Restricted Groups GPO's is complete, with a few alterations, Administrative Template settings could be set by copying Registry.pol into the GPO. A better use would be setting up URAs for service accounts eg SQL and the Logon as a Service right dynamically as part of an automatic installation of Microsoft SQL Server.
Enjoy and hope it proves useful and do give it a go prior to paying for a 3rd party tool.
The script:
Security Identities:
Mapping User Rights Assignments: