Merge pull request #65 from ActiveDirectoryManagementFramework/development

1.13.108

Author: FriedrichWeinmann

ADMF/ADMF.psd1

@@ -3,7 +3,7 @@
 	RootModule = 'ADMF.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '1.13.103'
+	ModuleVersion = '1.13.108'
 
 	# ID used to uniquely identify this module
 	GUID = '43f2a890-942f-4dd7-bad0-b774b44ea849'
@@ -28,13 +28,13 @@
 	RequiredModules = @(
 		@{ ModuleName = 'PSFramework'; ModuleVersion = '1.12.346' }
 		@{ ModuleName = 'ADSec'; ModuleVersion = '1.0.1' }
-		@{ ModuleName = 'string'; ModuleVersion = '1.1.3' }
+		@{ ModuleName = 'string'; ModuleVersion = '1.1.5' }
 		@{ ModuleName = 'ResolveString'; ModuleVersion = '1.0.0' }
 		@{ ModuleName = 'Principal'; ModuleVersion = '1.0.0' }
 		@{ ModuleName = 'ADMF.Core'; ModuleVersion = '1.1.9' }
 		@{ ModuleName = 'DCManagement'; ModuleVersion = '1.2.25' }
-		@{ ModuleName = 'DomainManagement'; ModuleVersion = '1.9.210' }
-		@{ ModuleName = 'ForestManagement'; ModuleVersion = '1.5.78' }
+		@{ ModuleName = 'DomainManagement'; ModuleVersion = '1.9.218' }
+		@{ ModuleName = 'ForestManagement'; ModuleVersion = '1.5.79' }
 	)
 
 	# Assemblies that must be loaded prior to importing this module

ADMF/changelog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.13.108 (2025-05-28)
+
+- New: DefaultGroupMemberships - Added default groupmemberships as a Component
+- Upd: DefaultExchangeSplitPermission - Updated Exchange Split Permission default permissions, to match Exchange 2019 CU 15
+- Upd: DefaultAccessRules - Added default rules for contents of the system container, removing the need to exempt it from the domain content mode.
+- Upd: DefaultAccessRules - Made domain root "everyone deny delete children" undefined, making it tolerated if present but no longer creating it.
+- Fix: Invoke-AdmfItem - Broken WhatIf & Confirm message
+
 ## 1.13.103 (2024-12-13)
 
 - Upd: New-AdmfContext - added `-Components` parameter for adding extra content to newly created Contexts.

ADMF/functions/Invoke-AdmfItem.ps1

@@ -136,7 +136,7 @@
 			#region Execute Test Results
 			try {
 				foreach ($resultItem in $resultGroup.Group) {
-					if (-not (Test-PSFShouldProcess -Target $resultItem -ActionString 'Invoke-AdmfItem.Processing.ShouldProcess' -ActionStringValues $resultItem.Server, $resultItem.ObjectType, $resultItem.Type, $resultItem.Identity -PSCmdlet $PSCmdlet)) {
+					if (-not (Test-PSFShouldProcess -Target $resultItem -ActionString 'ADMF.Invoke-AdmfItem.Processing.ShouldProcess' -ActionStringValues $resultItem.Server, $resultItem.ObjectType, $resultItem.Type, $resultItem.Identity -PSCmdlet $PSCmdlet)) {
 						continue
 					}
 					Write-PSFMessage -Level Host -String 'Invoke-AdmfItem.Processing' -Target $resultItem -StringValues $resultItem.Server, $resultItem.ObjectType, $resultItem.Type, $resultItem.Identity -PSCmdlet $PSCmdlet

ADMF/functions/New-AdmfContext.ps1

@@ -121,14 +121,10 @@
 		[string[]]
 		$MutuallyExclusive = @(),
 
-		[ValidateSet(
-			'DefaultAccessRules',
-			'DefaultSchemaAttributes',
-			'ExchangeDefaultAccessRules',
-			'ExchangeSplitPermissionAccessRules'
-		)]
+		[PSFArgumentCompleter('ADMF.Components')]
+		[PsfValidateSet(TabCompletion = 'ADMF.Components')]
 		[string[]]
-		$Components,
+		$Components = @(),
 
 		[switch]
 		$DefaultAccessRules,
@@ -169,6 +165,11 @@
 			}
 			$resolvedPath = Resolve-PSFPath -Provider FileSystem -Path $storeObject.Path -SingleItem
 		}
+
+		if ($DefaultAccessRules) { $Components += 'DefaultAccessRules' }
+		if ($ExchangeAccessRules -eq 'Default') { $Components += 'ExchangeDefaults' }
+		if ($ExchangeAccessRules -eq 'SplitPermission') { $Components += 'ExchangeSPDefaults' }
+		$Components = $Components | Remove-PSFNull -Enumerate | Sort-Object -Unique
 	}
 	process
 	{
@@ -180,32 +181,12 @@
 		$contextFolder = New-Item -Path $resolvedPath -Name $Name -ItemType Directory
 		$contextVersionFolder = New-Item -Path $contextFolder.FullName -Name '1.0.0' -ItemType Directory
 		Copy-Item -Path "$script:ModuleRoot\internal\data\context\*" -Destination "$($contextVersionFolder.FullName)\" -Recurse
-		
-		#region Default Access Rules
-		if ($DefaultAccessRules -or $Components -contains 'DefaultAccessRules'){
-			Copy-Item -Path "$script:ModuleRoot\internal\data\domainDefaults\accessRules\*.json" -Destination "$($contextVersionFolder.FullName)\domain\accessrules\"
-			Copy-Item -Path "$script:ModuleRoot\internal\data\domainDefaults\objectCategories\*.psd1" -Destination "$($contextVersionFolder.FullName)\domain\objectcategories\"
-			Copy-Item -Path "$script:ModuleRoot\internal\data\domainDefaults\gppermissions\*.json" -Destination "$($contextVersionFolder.FullName)\domain\gppermissions\"
-			Copy-Item -Path "$script:ModuleRoot\internal\data\domainDefaults\gppermissionfilters\*.json" -Destination "$($contextVersionFolder.FullName)\domain\gppermissionfilters\"
-			
-			Copy-Item -Path "$script:ModuleRoot\internal\data\forestDefaults\schemaDefaultPermissions\*.json" -Destination "$($contextVersionFolder.FullName)\forest\schemaDefaultPermissions\"
-		}
-		#endregion Default Access Rules
 
-		#region Default Schema Attributes
-		if ($Components -contains 'DefaultSchemaAttributes') {
-			Copy-Item -Path "$script:ModuleRoot\internal\data\forestDefaults\schema\*.json" -Destination "$($contextVersionFolder.FullName)\forest\schema\"
-		}
-		#endregion Default Schema Attributes
-
-		#region Exchange Access Rules
-		if ($ExchangeAccessRules -eq 'SplitPermission' -or $Components -contains 'ExchangeSplitPermissionAccessRules') {
-			Copy-Item -Path "$script:ModuleRoot\internal\data\exchangeSPDefaults\accessRules\*.json" -Destination "$($contextVersionFolder.FullName)\domain\accessrules\"
-		}
-		elseif ($ExchangeAccessRules -eq 'Default' -or $Components -contains 'ExchangeDefaultAccessRules') {
-			Copy-Item -Path "$script:ModuleRoot\internal\data\exchangeDefaults\accessRules\*.json" -Destination "$($contextVersionFolder.FullName)\domain\accessrules\"
+		#region Process Components
+		foreach ($component in $Components) {
+			Copy-Item -Path "$script:ModuleRoot\internal\components\$component\*" -Destination "$($contextVersionFolder.FullName)" -Recurse -Force
 		}
-		#endregion Exchange Access Rules
+		#endregion Process Components
 
 		$contextJson = [pscustomobject]@{
 			Version	      = '1.0.0'

ADMF/internal/components/DefaultAccessRules/domain/accessRules/addefault_adminSDHolder.json

@@ -0,0 +1,201 @@
+[
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-544"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "%DomainSID%-512"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "GenericAll",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "%DomainSID%-512",
+        "Present":  "false"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "%RootDomainSID%-519"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ExtendedRight",
+        "InheritanceType":  "None",
+        "ObjectType":  "ab721a53-1e2f-11d0-9819-00aa0040529b",
+        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-1-0"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty, WriteProperty, ExtendedRight",
+        "InheritanceType":  "All",
+        "ObjectType":  "Private-Information",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-10"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ExtendedRight",
+        "InheritanceType":  "None",
+        "ObjectType":  "User-Change-Password",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-10"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "RAS-Information",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "RAS-Information",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "User-Account-Restrictions",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "General-Information",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "Membership",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "Membership",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "GenericRead",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "GenericRead",
+        "InheritanceType":  "None",
+        "ObjectType":  "<All>",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "General-Information",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "User-Logon",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "User-Account-Restrictions",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-554"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "Token-Groups-Global-And-Universal",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-560"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "Terminal-Server",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-561"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "Terminal-Server-License-Server",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "S-1-5-32-561"
+    },
+    {
+        "Path":  "CN=AdminSDHolder,CN=System,%DomainDN%",
+        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
+        "InheritanceType":  "None",
+        "ObjectType":  "X509-Cert",
+        "InheritedObjectType":  "<All>",
+        "AccessControlType":  "Allow",
+        "Identity":  "%DomainSID%-517"
+    }
+]