

Merge pull request #77 from ActiveDirectoryManagementFramework/decemb…
…er23

1.8.201
FriedrichWeinmann authored Dec 8, 2023
2 parents 1a1ed0c + 95dd6f9 commit c68d397
Showing 7 changed files with 48 additions and 30 deletions.
2 changes: 1 addition & 1 deletion DomainManagement/DomainManagement.psd1
Expand Up @@ -3,7 +3,7 @@
RootModule = 'DomainManagement.psm1'

# Version number of this module.
ModuleVersion = '1.8.199'
ModuleVersion = '1.8.201'

# ID used to uniquely identify this module
GUID = '0a405382-ebc2-445b-8325-541535810193'
5 changes: 5 additions & 0 deletions DomainManagement/changelog.md
@@ -1,5 +1,10 @@
# Changelog

## 1.8.201 (2023-12-08)

- Upd: Group Policy - will now detect group policies that have been created but not yet linked as created.
- Upd: Group Policy - supports a setting (`-MayModify`) to ignore manual changes after deploying a GPO via ADMF.

## 1.8.199 (2023-09-27)

- Fix: Groups - When renaming a group from a previous name, it will not find other updates to apply
Expand Up @@ -22,6 +22,9 @@
.PARAMETER ExportID
The tracking ID assigned to the GPO in order to detect its revision.
.PARAMETER MayModify
The group policy may be modified manually after deployment.
.PARAMETER WmiFilter
The WmiFilter to apply to the group policy object.
Expand Down Expand Up @@ -58,6 +61,10 @@
[string]
$ExportID,

[Parameter(ValueFromPipelineByPropertyName = $true)]
[switch]
$MayModify,

[Parameter(ValueFromPipelineByPropertyName = $true)]
[string]
$WmiFilter,
Expand All @@ -74,6 +81,7 @@
ID = $ID
Path = $Path
ExportID = $ExportID
MayModify = $MayModify
WmiFilter = $WmiFilter
ContextName = $ContextName
}
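Review bot: `MayModify = $MayModify` stores the raw [switch] (a SwitchParameter object) in the configuration hashtable, whereas this module converts switches with `.ToBool()` elsewhere (`$EnableException.ToBool()` in Test-DMGroupPolicy); `MayModify = $MayModify.ToBool()` keeps the stored value a plain boolean, which matters if the configuration is later compared or serialized. The `.PARAMETER MayModify` help should also spell out the consequence of the flag: the description could read `The group policy may be modified manually after deployment. When set, Test-DMGroupPolicy no longer reports differences between the deployed revision and the current AD version, so manual or unauthorized edits to this GPO are not flagged.` The file name of this section is not shown on the page, and the enclosing function starts and ends outside the hunks.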
49 changes: 26 additions & 23 deletions DomainManagement/functions/grouppolicies/Test-DMGroupPolicy.ps1
Expand Up @@ -72,23 +72,23 @@

#region Gather data
$desiredPolicies = Get-DMGroupPolicy
$managedPolicies = Get-LinkedPolicy @parameters
foreach ($managedPolicy in $managedPolicies) {
if (-not $managedPolicy.DisplayName) {
Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.ADObjectAccess.Failed' -StringValues $managedPolicy.DistinguishedName -Target $managedPolicy
New-TestResult @resultDefaults -Type 'ADAccessFailed' -Identity $managedPolicy.DistinguishedName -ADObject $managedPolicy
$allPolicies = Get-GroupPolicyEx @parameters
foreach ($groupPolicy in $allPolicies) {
if (-not $groupPolicy.DisplayName) {
Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.ADObjectAccess.Failed' -StringValues $groupPolicy.DistinguishedName -Target $groupPolicy
New-TestResult @resultDefaults -Type 'ADAccessFailed' -Identity $groupPolicy.DistinguishedName -ADObject $groupPolicy
continue
}
# Resolve-PolicyRevision updates the content of $managedPolicy without producing output
try { Resolve-PolicyRevision -Policy $managedPolicy -Session $session }
catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $managedPolicies.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }
# Resolve-PolicyRevision updates the content of $groupPolicy without producing output
try { Resolve-PolicyRevision -Policy $groupPolicy -Session $session }
catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $allPolicies.DisplayName -ErrorRecord $_ -EnableException $EnableException.ToBool() }
}
$desiredHash = @{ }
$managedHash = @{ }
$policyHash = @{ }
foreach ($desiredPolicy in $desiredPolicies) { $desiredHash[$desiredPolicy.DisplayName] = $desiredPolicy }
foreach ($managedPolicy in $managedPolicies) {
if (-not $managedPolicy.DisplayName) { continue }
$managedHash[$managedPolicy.DisplayName] = $managedPolicy
foreach ($groupPolicy in $allPolicies) {
if (-not $groupPolicy.DisplayName) { continue }
$policyHash[$groupPolicy.DisplayName] = $groupPolicy
}
#endregion Gather data

Expand All @@ -100,20 +100,20 @@
Configuration = $desiredPolicy
}

if (-not $managedHash[$desiredPolicy.DisplayName]) {
if (-not $policyHash[$desiredPolicy.DisplayName]) {
New-TestResult @resultUpdateDefaults -Type 'Create'
continue
}

$resultUpdateDefaults.ADObject = $managedHash[$desiredPolicy.DisplayName]
$resultUpdateDefaults.ADObject = $policyHash[$desiredPolicy.DisplayName]

switch ($managedHash[$desiredPolicy.DisplayName].State) {
switch ($policyHash[$desiredPolicy.DisplayName].State) {
'ConfigError' { New-TestResult @resultUpdateDefaults -Type 'ConfigError' }
'CriticalError' { New-TestResult @resultUpdateDefaults -Type 'CriticalError' }
'Healthy' {
$changes = [System.Collections.ArrayList]@()
$policyObject = $managedHash[$desiredPolicy.DisplayName]
if ($policyObject.Version -ne $policyObject.ADVersion) {
$policyObject = $policyHash[$desiredPolicy.DisplayName]
if (-not $desiredPolicy.MayModify -and $policyObject.Version -ne $policyObject.ADVersion) {
$change = New-Change -Property Modified -OldValue $policyObject.Version -NewValue $policyObject.ADVersion -Identity $desiredPolicy.DisplayName -Type AdmfVersion
$null = $changes.Add($change)
}
Expand All @@ -128,8 +128,8 @@
$null = $changes.Add($change)
}
}
if ("$($desiredPolicy.WmiFilter)" -ne "$($managedHash[$desiredPolicy.DisplayName].WmiFilter)") {
$change = New-Change -Property WmiFilter -OldValue $managedHash[$desiredPolicy.DisplayName].WmiFilter -NewValue $desiredPolicy.WmiFilter -Identity $desiredPolicy.DisplayName -Type WmiFilterAssignment
if ("$($desiredPolicy.WmiFilter)" -ne "$($policyHash[$desiredPolicy.DisplayName].WmiFilter)") {
$change = New-Change -Property WmiFilter -OldValue $policyHash[$desiredPolicy.DisplayName].WmiFilter -NewValue $desiredPolicy.WmiFilter -Identity $desiredPolicy.DisplayName -Type WmiFilterAssignment
$null = $changes.Add($change)
}
if ($changes.Count -gt 0) {
Expand All @@ -144,10 +144,13 @@
#endregion Compare configuration to actual state

#region Compare actual state to configuration
foreach ($managedPolicy in $managedHash.Values) {
if ($desiredHash[$managedPolicy.DisplayName]) { continue }
if ($managedPolicy.IsCritical) { continue }
New-TestResult @resultDefaults -Type 'Delete' -Identity $managedPolicy.DisplayName -ADObject $managedPolicy
foreach ($groupPolicy in $policyHash.Values) {
if ($desiredHash[$groupPolicy.DisplayName]) { continue }
if ($groupPolicy.IsCritical) { continue }

# Don't delete any GPOs that have not been linked under a managed OU while not being desired
if (-not $groupPolicy.IsManageLinked) { continue }
New-TestResult @resultDefaults -Type 'Delete' -Identity $groupPolicy.DisplayName -ADObject $groupPolicy
}
#endregion Compare actual state to configuration
}
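Review bot: The rewritten catch line `catch { Write-PSFMessage -Level Warning -String 'Test-DMGroupPolicy.PolicyRevision.Lookup.Failed' -StringValues $allPolicies.DisplayName ... }` passes the display names of every policy in the collection instead of the one whose revision lookup failed; it should be `-StringValues $groupPolicy.DisplayName`, matching the loop variable used on the surrounding lines. Separately, the new guard `if (-not $desiredPolicy.MayModify -and $policyObject.Version -ne $policyObject.ADVersion)` silently drops the AdmfVersion drift check for policies marked MayModify, so a GPO that was tampered with after deployment produces no test result at all; a Debug-level message at that point, noting that the revision comparison was skipped for the named policy, would keep the suppression visible in logs. The enclosing function Test-DMGroupPolicy starts outside the hunks.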
@@ -1,4 +1,4 @@
function Get-LinkedPolicy {
function Get-GroupPolicyEx {
<#
.SYNOPSIS
Scans all managed OUs and returns linked GPOs.
Expand All @@ -14,7 +14,7 @@
The credentials to use for this operation.
.EXAMPLE
PS C:\> Get-LinkedPolicy @parameters
PS C:\> Get-GroupPolicyEx @parameters
Returns all group policy objects that are linked to OUs under management.
#>
Expand Down Expand Up @@ -47,10 +47,11 @@
$adObjects = foreach ($searchBase in (Resolve-ContentSearchBase @parameters)) {
Get-ADObject @parameters -LDAPFilter '(gPLink=*)' -SearchBase $searchBase.SearchBase -SearchScope $translateScope[$searchBase.SearchScope] -Properties gPLink
}
$managedGPs = $adObjects.gPLink | Split-GPLink | Sort-Object -Unique
foreach ($adObject in $adObjects) {
Add-Member -InputObject $adObject -MemberType NoteProperty -Name LinkedGroupPolicyObjects -Value ($adObject.gPLink | Split-GPLink) -Force
}
foreach ($adPolicyObject in ($adObjects.LinkedGroupPolicyObjects | Select-Object -Unique | Get-ADObject @parameters -Properties $gpoProperties)) {
foreach ($adPolicyObject in Get-ADObject @parameters -LDAPFilter '(objectCategory=groupPolicyContainer)' -Properties $gpoProperties) {
$result = [PSCustomObject]@{
PSTypeName = 'DomainManagement.GroupPolicy.Linked'
DisplayName = $adPolicyObject.DisplayName
Expand All @@ -63,6 +64,7 @@
Path = $adPolicyObject.gPCFileSysPath
ObjectGUID = $adPolicyObject.ObjectGUID
IsCritical = $adPolicyObject.isCriticalSystemObject
IsManageLinked = $adPolicyObject.DistinguishedName -in $managedGPs
ADVersion = $adPolicyObject.VersionNumber
ExportID = $null
ImportTime = $null
Expand All @@ -74,7 +76,7 @@
if ($adPolicyObject.gPCWQLFilter) {
$result.WmiFilter = "<unknown: $($adPolicyObject.gPCWQLFilter))=>"
$registeredID = ($adPolicyObject.gPCWQLFilter -split ";")[1]
$wmiFilter = $wmiFilters | Where-Object ID -eq $registeredID
$wmiFilter = $wmiFilters | Where-Object ID -EQ $registeredID
if ($wmiFilter) { $result.WmiFilter = $wmiFilter.Name }
}
$result
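Review bot: The comment-based help at the top of the section still describes the old behavior — `Scans all managed OUs and returns linked GPOs.` and `Returns all group policy objects that are linked to OUs under management.` — while the rewritten loop `foreach ($adPolicyObject in Get-ADObject @parameters -LDAPFilter '(objectCategory=groupPolicyContainer)' -Properties $gpoProperties)` now enumerates every GPO in the domain and only records managed-OU linkage through the new `IsManageLinked` property. Suggest `Scans all group policy objects in the domain and flags those linked under managed OUs via the IsManageLinked property.` for the synopsis and the same wording for the example text. `PSTypeName = 'DomainManagement.GroupPolicy.Linked'` is likewise now stamped onto unlinked GPOs; whether downstream type data or formatting depends on that name cannot be told from here. The `-in $managedGPs` membership test presumes Split-GPLink emits plain DN strings comparable to `$adPolicyObject.DistinguishedName` — the `Sort-Object -Unique` usage suggests so, but worth confirming.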
Expand Up @@ -11,7 +11,7 @@
PowerShell remoting session to the server on which to perform the operation.
.PARAMETER ADObject
AD object data retrieved when scanning the domain using Get-LinkedPolicy.
AD object data retrieved when scanning the domain using Get-GroupPolicyEx.
.EXAMPLE
PS C:\> Remove-GroupPolicy -Session $session -ADObject $testItem.ADObject -ErrorAction Stop
Expand Up @@ -101,7 +101,7 @@
else {
$Policy.State = 'CriticalError'
Write-PSFMessage -Level Debug -String 'Resolve-PolicyRevision.Result.PolicyError' -StringValues $Policy.DisplayName -Target $Policy
throw "Policy object not found in filesystem. Check existence and permissions!"
throw "Policy object not found in filesystem. Check existence and permissions! $($Policy.DisplayName) ($($Policy.ObjectGUID))"
}
}
else {
