########################################################################################################
# This script creates groups based on best practice and the current naming convention at <company>.
# 3 groups will be created: one Global for user memberships, one Universal for cross-domain
# memberships and a Domain Local group for rights assignment.
#
# When executing the script, you will be asked for a group name. Only write the name of the resource
# you would like to secure. The string "FILE_" will be added in front, and "_G", "_U" and "_DL" will be
# added to each of the 3 groups respectively based on their type.
# Interlinking group memberships are added automatically, but users will need to be added to the
# group ending with "_G" (Global).
#
# No rights are assigned on resources. Assign the requested rights on the group ending with "_DL". As
# a result of the interlinking group memberships, the members of the "_G" group and groups made a
# member of the "_U" group will also gain or be denied access to the resource based on the rights
# assigned to the "_DL" group.
########################################################################################################
# Add Quest ADmanager Snapin
# Everything the script prints (the prompts answered below, cmdlet output and any errors) is
# recorded to this transcript; it is started before anything else so a failed snap-in load is
# logged as well.
# NOTE(review): the path literal appears to have lost its directory separators when the script
# was pasted — confirm the intended log location before running.
Start-Transcript -Path 'C:PowershellAD_File_Group_Creationaction.log'
# Provides the Get-QADGroup, New-QADGroup and Add-QADGroupMember cmdlets used further down.
Add-PSSnapin Quest.Activeroles.ADManagement

# Nulling out variables to avoid left over values being used in script run: one chained
# assignment instead of one line per variable ($ar is not used elsewhere in this script but is
# kept for parity with the original list).
$inputname = $domain = $name = $G = $U = $DL = $counter = $acl = $ar = $folder = $rights = $sign = $null
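# Get information on group name and format group name to current naming convention.
# Every prompt repeats until it yields a usable value, so the New-QADGroup / Set-Acl steps later
# in the script never run against an empty group name or a folder that does not exist (which
# would otherwise fail half-way through, after groups were already created).

# Folder the _DL group will be granted rights on; also used in the group description fields.
# It must be an existing directory, otherwise Get-Acl / Set-Acl further down cannot succeed.
do {
    $folder = (Read-Host 'Please type or copy in the full and correct path to the share and folder the groups will assign rights to. This will be used for the description fields and rights assignement').Trim()
    $folderOk = ($folder -ne '') -and (Test-Path -LiteralPath $folder -PathType Container)
    if (-not $folderOk) { Write-Host "Folder '$folder' was not found. Please enter the path of an existing folder." }
} until ($folderOk)

# Rights to grant: any combination of R (Read), W (Write), M (Modify). The later checks use
# -like "*R*" and are case-insensitive, so lower case is accepted here too; anything else is
# rejected instead of silently granting nothing.
do {
    $rights = (Read-Host 'Enter R for Read, W for Write and/or M for Modify to rights on the target folder').Trim()
    $rightsOk = $rights -match '^[RWM]+$'
    if (-not $rightsOk) { Write-Host 'Rights must be one or more of the letters R, W and M.' }
} until ($rightsOk)

# Resource name; it becomes the middle part of all three group names / sAMAccountNames.
# Empty input and the characters that are not permitted in a sAMAccountName
# ( " [ ] : ; | = , + * ? < > \ / ) are rejected up front.
do {
    $inputname = (Read-Host 'Name of security group').Trim().ToUpper()
    $nameOk = ($inputname -ne '') -and ($inputname -notmatch '["\[\]:;|=,+*?<>\\/]')
    if (-not $nameOk) { Write-Host 'Group name must not be empty and must not contain any of  " [ ] : ; | = , + * ? < > \ /' }
} until ($nameOk)

$name = "FILE_" + $inputname
# Prefix used when the groups are referenced as members ("$domain$DL" etc.).
# NOTE(review): the literal appears to have lost its trailing separator when the script was
# pasted — confirm the intended domain prefix before running.
$domain = "nordic"
$G  = $name + "_G"
$U  = $name + "_U"
$DL = $name + "_DL"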
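# Check if the groups already exist. Nothing is ever created under the bare prefix $name — the
# groups created below are $G, $U and $DL — so each of the three is looked up by its own
# sAMAccountName. Looking up $name alone would not detect a previous run, and New-QADGroup would
# then fail part-way through after "Creating new groups" was already printed.
$GroupExists = @()
foreach ($candidate in @($G, $U, $DL)) {
    if ($null -ne (Get-QADGroup -SamAccountName $candidate)) { $GroupExists += $candidate }
}
IF ($GroupExists.Count -eq 0) {
    # Add groups. -ErrorAction Stop turns a failed creation into an exception so that membership
    # linking and rights assignment are skipped instead of being applied to a half-created set.
    Write-Host "Creating new groups"
    $created = $false
    try {
        $groupArgs = @{
            ParentContainer = 'OU=Organizational Unit,DC=domain,DC=com'
            Description     = "Users have access to $folder"
            ErrorAction     = 'Stop'
        }
        New-QADGroup -Name $G  -SamAccountName $G  -GroupScope 'Global'      @groupArgs
        New-QADGroup -Name $U  -SamAccountName $U  -GroupScope 'Universal'   @groupArgs
        New-QADGroup -Name $DL -SamAccountName $DL -GroupScope 'DomainLocal' @groupArgs
        $created = $true
    } catch {
        Write-Error "Group creation failed: $($_.Exception.Message). Memberships and rights were not assigned."
    }
    if ($created) {
        # Newly created objects may not be resolvable immediately; the original 2 s pause is kept
        # as that heuristic.
        Start-Sleep -Seconds 2
        Clear-Host
        # Assign standard group memberships: the Global -> Universal -> Domain Local chain
        # described in the header (users go into _G, resources are secured via _DL).
        Write-Host "Assigning interlinking group memberships"
        Add-QADGroupMember $domain$DL $domain$U
        Add-QADGroupMember $domain$U $domain$G
        Start-Sleep -Seconds 2
        # Add rights on the folder. One Allow ACE per requested right, inherited by sub-folders and
        # files (ContainerInherit,ObjectInherit) with no propagation restriction — the same ACEs the
        # script has always granted. Note that Modify already includes Read and Write. The ACL is
        # read once, all rules are added, and it is written back once; writing it requires the
        # account running this script to be allowed to change the folder's DACL.
        $rightMap = @{ 'R' = 'Read'; 'W' = 'Write'; 'M' = 'Modify' }
        try {
            $acl = Get-Acl $folder
            $added = 0
            foreach ($key in 'R', 'W', 'M') {
                if ($rights -like "*$key*") {
                    # NOTE(review): the ACE identity is the bare group name; resolving it depends
                    # on the machine running this script finding it in the group's domain — confirm.
                    $rule = New-Object system.security.accesscontrol.filesystemaccessrule($DL, $rightMap[$key], "ContainerInherit,ObjectInherit", "None", "Allow")
                    $acl.AddAccessRule($rule)
                    $added++
                }
            }
            # Only touch the DACL when something was actually requested.
            if ($added -gt 0) { Set-Acl $folder $acl }
        } catch {
            Write-Error "Assigning rights on '$folder' failed: $($_.Exception.Message)"
        }
        Clear-Host
        # Ten-second "All done" display with a growing row of dots.
        $sign = "."
        $signs = "."
        for ($counter = 0; $counter -lt 10; $counter++) {
            Clear-Host
            Write-Host "All done$signs"
            $signs = $sign + $signs
            Start-Sleep -Seconds 1
        }
    }
}
ELSE {
    # Count down for 11 s while showing which of the three names clashed, so the message is
    # not lost behind the transcript-stop output.
    for ($counter = 10; $counter -ge 0; $counter--) {
        Clear-Host
        Write-Host "The groups beginning with $name already exist ($($GroupExists -join ', ')). Please select another group name"
        $counter
        Start-Sleep -Seconds 1
    }
}
Stop-Transcript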