Building the delegation structure might be quite challenging. There are plenty of objects that, sooner or latter, will need to be created, as:
- Organizational Units
- Local Groups
- Global Groups
- GPOs
- Specific Configurations
- etc.
And most of those needing an ACL change to accommodate the delegations and implement the security.
All these tasks can be done “by hand”, but risk to have a human mistake is high. Even more, trying to repeat this is prone to error.
Because of these, and other many reasons, 12 years ago I started developing some PowerShell tools. The first versions of those scripts are completely different from the ones I’m presenting here. All these scripts are based on a carefully planned and architected model, always considering Least Privileged Access and Segregation of Duties.
There are 3 PowerShell modules that will help you on this journey:
| EguibarIT | This PowerShell module contains functions to create “Administration” area, “Servers” area and “Sites” areas, with all corresponding groups, GPOs, GPP, and many configurations required for this purpose. Additionally does contains some modules to accommodate Exchange objects or LAPS objects, but also some other roles as Certification Authority, WSUS, AGMP (Advanced Group Policy Management). |
| EguibarIT.Delegation | This C# compiled module contains several functions used to deal with “Access Control Entries” or ACE, and its corresponding Access Control Lists or ACL. It also has some functions used to read and audit the existing configurations. |
| EguibarIT.Housekeeping | This C# compiled module contains many functions used for HouseKeeping. All these tasks are related to the maintenance and compliance of the Delegation Model itself. |
Getting the Modules
The 3 modules available at PowerShell Gallery:
- PowerShell Gallery | EguibarIT 1.45.31
- PowerShell Gallery | EguibarIT.Delegation 1.2.7296.23723
- PowerShell Gallery | EguibarIT.Housekeeping 1.2.7296.23723
and those modules can be installed using the following PowerShell CMDlet:
1 2 3 4 5 6 | # Install the module and the release version you want Install-Module -Name EguibarIT -RequiredVersion 1.45.31 # Or Search on PSGallery, and if found, install the module Find-Module -Name EguibarIT | Install-Module |
However, if you rather prefer to install the modules manually, or even want to contribute on the module maintenance or development, you can find the source code at GitHub
