Merge pull request #621 from ministryofjustice/DSO/DSOS-2627/pwsh-ad-…

…module Dso/dsos 2627/pwsh ad module
ministryofjustice · Mar 15, 2024 · a068b29 · a068b29
2 parents 8bdcd57 + ea1ba03
commit a068b29
Show file tree

Hide file tree

Showing 6 changed files with 198 additions and 0 deletions.
diff --git a/powershell/Configs/ADConfigDevTest.yaml b/powershell/Configs/ADConfigDevTest.yaml
@@ -0,0 +1,30 @@
+ActiveDirectory:
+  DomainNameFQDN: "test.loc"
+  OUs:
+    - name: "ModPlatformComputers"
+      description: "Modernisation Platform Computers"
+      GPOs:
+        - "SetScreenSaverTimeout"
+        - "SetScreenSaverActive"
+      children:
+        - name: "corporate-staff-rostering"
+          description: "Corporate Staff Rostering"
+          children:
+            - name: "corporate-staff-rostering-development"
+              description: "Corporate Staff Rostering Development"
+            - name: "corporate-staff-rostering-test"
+              description: "Corporate Staff Rostering Test"
+        - name: "planetfm"
+          description: "PlanetFM"
+          children:
+            - name: "planetfm-development"
+              description: "PlanetFM Development"
+            - name: "planetfm-test"
+              description: "PlanetFM Test"
+    - name: "ModPlatformUsers"
+      description: "Modernisation Platform Users"
+      GPOs:
+        - "SetScreenSaverTimeout"
+      children:
+        - name: "mod-platform-users"
+          description: "Modernisation Platform Users"
diff --git a/powershell/Configs/ADConfigProdPreProd.yaml b/powershell/Configs/ADConfigProdPreProd.yaml
@@ -0,0 +1,21 @@
+ActiveDirectory:
+  DomainNameFQDN: "prod.loc"
+  OUs:
+    - name: "ModPlatformComputers"
+      description: "Modernisation Platform Computers"
+      GPOs:
+      children:
+        - name: "corporate-staff-rostering"
+          description: "Corporate Staff Rostering"
+          children:
+            - name: "corporate-staff-rostering-preproduction"
+              description: "Corporate Staff Rostering Preproduction"
+            - name: "corporate-staff-rostering-production"
+              description: "Corporate Staff Rostering Production"
+        - name: "planetfm"
+          description: "PlanetFM"
+          children:
+            - name: "planetfm-preproduction"
+              description: "PlanetFM Preproduction"
+            - name: "planetfm-production"
+              description: "PlanetFM Production"
diff --git a/powershell/Configs/GPOs.yaml b/powershell/Configs/GPOs.yaml
@@ -0,0 +1,13 @@
+GPOs:
+  - name: SetScreenSaverTimeout
+    comment: Set timeout to 900 seconds
+    key: HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
+    valuename: ScreenSaverTimeout
+    type: String
+    value: 900
+  - name: SetScreenSaverActive
+    comment: Set screen saver to active
+    key: HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
+    valuename: ScreenSaveActive
+    type: String
+    value: 1
diff --git a/powershell/Modules/ModPlatformAD/ModPlatformADOU.psm1 b/powershell/Modules/ModPlatformAD/ModPlatformADOU.psm1
@@ -0,0 +1,50 @@
+function Set-OUsAndApplyGPOs {
+<#
+.SYNOPSIS
+    Recursively creates Organizational Units (OUs) and applies Group Policy Objects (GPOs) to the given domain
+.DESCRIPTION
+    Recursively creates Organizational Units (OUs) and applies Group Policy Objects (GPOs) to the given domain
+.PARAMETER Ou
+    The OU to create
+.PARAMETER Path
+    The path of the OU to create
+.PARAMETER ProtectedFromAccidentalDeletion
+    Whether the OU should be protected from accidental deletion, defaults to false
+    In production environments, it is recommended to set this to true
+.OUTPUTS
+    OU folder created
+#>
+    param (
+        [Parameter(Mandatory=$true)]
+        [psobject]$Ou,
+        [Parameter(Mandatory=$true)]
+        [string]$Path, # Adjusts the base domain DN as necessary
+        [bool]$ProtectedFromAccidentalDeletion = $false 
+    )
+    Write-Debug "Creating OU: $($ou.name)"
+    Write-Debug "Creating Path: $Path"
+    Write-Debug "Description: $($ou.description)"
+
+    # Create the OU in AD
+    New-ADOrganizationalUnit -Name $ou.name -Path $path -Description $ou.description -ProtectedFromAccidentalDeletion $ProtectedFromAccidentalDeletion
+
+    # Append the OU name to the path for the next level
+    $ouPath = "OU=$($ou.name),$path"
+
+    if ($ou.gpos) {
+        foreach ($gpo in $ou.gpos) {
+            Write-Debug "Applying GPO: $gpo to Target OU: $ouPath"
+            # Apply the GPO to the OU
+            New-GPLink -Name $gpo -Target $ouPath
+        }
+    }
+
+    # If the OU has children, call the function recursively
+    if ($ou.children) {
+        foreach ($child in $ou.children) {
+            Set-OUsAndApplyGPOs -ou $child -path $ouPath
+        }
+    }
+}
+
+# Export-ModuleMember -Function Set-OUsAndApplyGPOs
diff --git a/powershell/Scripts/ModPlatformAD/New-ModPlatformGPO.ps1 b/powershell/Scripts/ModPlatformAD/New-ModPlatformGPO.ps1
@@ -0,0 +1,41 @@
+<#
+.SYNOPSIS
+    Create Group Policy Objects (GPOs) for the given Modernisation Platform environment
+    GPO's need to be created BEFORE they can be linked to an OU.
+
+.DESCRIPTION
+    Pulls in the GPO definitions from the given YAML file and creates the GPOs in the given domain.
+
+.PARAMETER DomainNameFQDN
+    Specify the FQDN of the domain name to join
+
+.PARAMETER ConfigFilePath
+    Specify the *.yaml config file path for the given AD configuration
+
+.EXAMPLE
+    ./New-ModPlatformGPO.ps1 -DomainNameFQDN "test.loc" -ConfigFilePath "config.yaml"
+
+.OUTPUTS
+    Check Group Policy Management tools on the server to see the GPOs created
+    
+#>
+
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory=$true)][string]$DomainNameFQDN,
+    [Parameter(Mandatory=$true)][string]$ConfigFilePath
+)
+
+Install-Module -Name powershell-yaml -Force -SkipPublisherCheck
+
+Import-Module ModPlatformAD -Force
+
+Import-Module powershell-yaml -Force
+
+# Load YAML
+$config = Get-Content -Raw -Path $ConfigFilePath | ConvertFrom-Yaml
+
+foreach ($gpo in $config.GPOs) {
+    New-GPO -Name $gpo.name -Domain $DomainNameFQDN -Comment $gpo.comment
+    Set-GPRegistryValue -Name $gpo.name -Key $gpo.key -ValueName $gpo.valuename -Type $gpo.type -Value $gpo.value
+}
diff --git a/powershell/Scripts/ModPlatformAD/Set-ModPlatformADOUStructure.ps1 b/powershell/Scripts/ModPlatformAD/Set-ModPlatformADOUStructure.ps1
@@ -0,0 +1,43 @@
+<#
+.SYNOPSIS
+    Applies the OU and GPO structure to the given domain based on a yaml config file.
+
+.DESCRIPTION
+    Either pass in the domain name as a parameter, or derive the AD configuration
+    from EC2 tags (environment-name or domain-name).
+    EC2 requires permissions to get tags and the aws cli.
+
+.PARAMETER DomainNameFQDN
+    Specify the FQDN of the domain name to join
+
+.PARAMETER ConfigFilePath
+    Path to the yaml definition of the OU/GPO structure. See ../../Configs/ADConfigDevTest.yaml for example
+
+.EXAMPLE
+    ./Set-ModPlatformADOUStructure.ps1 -DomainNameFQDN "test.loc" -ConfigFilePath "../../Configs/ADConfigDevTest.yaml"
+
+.NOTES
+    GPO's referenced in the script have to have been created FIRST before running this, otherwise GPO's will not be applied
+    
+#>
+
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory=$true)][string]$DomainNameFQDN,
+    [Parameter(Mandatory=$true)][string]$ConfigFilePath
+)
+
+Install-Module -Name powershell-yaml -Force -SkipPublisherCheck
+
+Import-Module ModPlatformAD -Force
+
+Import-Module powershell-yaml -Force
+
+$ParentDN = ($DomainNameFQDN -split "\." | ForEach-Object { "DC=$_" }) -join ","
+
+# Load YAML
+$config = Get-Content -Raw -Path $ConfigFilePath | ConvertFrom-Yaml
+
+foreach ($ou in $config.ActiveDirectory.OUs) {
+    Set-OUsAndApplyGPOs -OU $Ou -Path $ParentDN
+}