zydronium/websitepanel
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Excluding local admins group from users GPO

Browse source
This commit is contained in:
vfedosevich 2015-05-25 06:28:51 -07:00
parent ddcd9ca2db
commit bbce2a9916
1 changed files with 39 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

42
WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
View file

@ -379,7 +379,7 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
string collectionComputersPath = GetComputerGroupPath(organizationId, collection.Name); string collectionComputersPath = GetComputerGroupPath(organizationId, collection.Name);
CreatePolicy(runSpace, organizationId, string.Format("{0}-administrators", collection.Name), CreatePolicy(runSpace, organizationId, string.Format("{0}-administrators", collection.Name),
new DirectoryEntry(GetGroupPath(organizationId, collection.Name, GetLocalAdminsGroupName(collection.Name))), new DirectoryEntry(collectionComputersPath), collection.Name); new DirectoryEntry(GetGroupPath(organizationId, collection.Name, GetLocalAdminsGroupName(collection.Name))), new DirectoryEntry(collectionComputersPath), collection.Name);
CreatePolicy(runSpace, organizationId, string.Format("{0}-users", collection.Name), new DirectoryEntry(GetUsersGroupPath(organizationId, collection.Name)) CreateUsersPolicy(runSpace, organizationId, string.Format("{0}-users", collection.Name), new DirectoryEntry(GetUsersGroupPath(organizationId, collection.Name))
, new DirectoryEntry(collectionComputersPath), collection.Name); , new DirectoryEntry(collectionComputersPath), collection.Name);
CreateHelpDeskPolicy(runSpace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collection.Name); CreateHelpDeskPolicy(runSpace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collection.Name);
} }
@ -1137,7 +1137,7 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
CreatePolicy(runspace, organizationId, string.Format("{0}-administrators", collectionName), CreatePolicy(runspace, organizationId, string.Format("{0}-administrators", collectionName),
new DirectoryEntry(GetGroupPath(organizationId, collectionName, GetLocalAdminsGroupName(collectionName))), new DirectoryEntry(collectionComputersPath), collectionName); new DirectoryEntry(GetGroupPath(organizationId, collectionName, GetLocalAdminsGroupName(collectionName))), new DirectoryEntry(collectionComputersPath), collectionName);
CreatePolicy(runspace, organizationId, string.Format("{0}-users", collectionName), CreateUsersPolicy(runspace, organizationId, string.Format("{0}-users", collectionName),
new DirectoryEntry(GetUsersGroupPath(organizationId, collectionName)), new DirectoryEntry(collectionComputersPath), collectionName); new DirectoryEntry(GetUsersGroupPath(organizationId, collectionName)), new DirectoryEntry(collectionComputersPath), collectionName);
CreateHelpDeskPolicy(runspace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collectionName); CreateHelpDeskPolicy(runspace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collectionName);
RemoveRegistryValue(runspace, ScreenSaverGpoKey, administratorsGpo); RemoveRegistryValue(runspace, ScreenSaverGpoKey, administratorsGpo);
@ -1329,6 +1329,13 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
} }
} }
private string CreateUsersPolicy(Runspace runspace, string organizationId, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry, string collectionName)
{
string gpoId = CreatePolicy(runspace, organizationId, gpoName, entry, collectionComputersEntry, collectionName);
ExcludeAdminsFromUsersPolicy(runspace, gpoId, collectionName);
return gpoId;
}
private string CreatePolicy(Runspace runspace, string organizationId, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry, string collectionName) private string CreatePolicy(Runspace runspace, string organizationId, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry, string collectionName)
{ {
string gpoId = GetPolicyId(runspace, gpoName); string gpoId = GetPolicyId(runspace, gpoName);
@ -1360,6 +1367,22 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
Collection<PSObject> result = ExecuteRemoteShellCommand(runspace, PrimaryDomainController, cmd); Collection<PSObject> result = ExecuteRemoteShellCommand(runspace, PrimaryDomainController, cmd);
} }
private void ExcludeAdminsFromUsersPolicy(Runspace runspace, string gpoId, string collectionName)
{
var scripts = new List<string>
{
string.Format("$adgpo = [ADSI]\"{0}\"", GetGpoPath(gpoId)),
string.Format("$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule([System.Security.Principal.NTAccount]\"{0}\\{1}\",\"ExtendedRight\",\"Deny\",[GUID]\"edacfd8f-ffb3-11d1-b41d-00a0c968f939\")",
RootDomain.Split('.').First(), GetLocalAdminsGroupName(collectionName)),
string.Format("$acl = $adgpo.ObjectSecurity"),
string.Format("$acl.AddAccessRule($rule)"),
string.Format("$adgpo.CommitChanges()")
};
object[] errors = null;
ExecuteRemoteShellCommand(runspace, PrimaryDomainController, scripts, out errors);
}
private void SetPolicyPermissions(Runspace runspace, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry) private void SetPolicyPermissions(Runspace runspace, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry)
{ {
var scripts = new List<string> var scripts = new List<string>
@ -1752,7 +1775,7 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
string collectionComputersPath = GetComputerGroupPath(organizationId, collection.Name); string collectionComputersPath = GetComputerGroupPath(organizationId, collection.Name);
CreatePolicy(runSpace, organizationId, string.Format("{0}-administrators", collection.Name), CreatePolicy(runSpace, organizationId, string.Format("{0}-administrators", collection.Name),
new DirectoryEntry(GetGroupPath(organizationId, collection.Name, GetLocalAdminsGroupName(collection.Name))), new DirectoryEntry(collectionComputersPath), collection.Name); new DirectoryEntry(GetGroupPath(organizationId, collection.Name, GetLocalAdminsGroupName(collection.Name))), new DirectoryEntry(collectionComputersPath), collection.Name);
CreatePolicy(runSpace, organizationId, string.Format("{0}-users", collection.Name), new DirectoryEntry(GetUsersGroupPath(organizationId, collection.Name)) CreateUsersPolicy(runSpace, organizationId, string.Format("{0}-users", collection.Name), new DirectoryEntry(GetUsersGroupPath(organizationId, collection.Name))
, new DirectoryEntry(collectionComputersPath), collection.Name); , new DirectoryEntry(collectionComputersPath), collection.Name);
CreateHelpDeskPolicy(runSpace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collection.Name); CreateHelpDeskPolicy(runSpace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collection.Name);
@ -2434,6 +2457,19 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
return sb.ToString(); return sb.ToString();
} }
private string GetGpoPath(string gpoId)
{
StringBuilder sb = new StringBuilder();
AppendProtocol(sb);
AppendCNPath(sb, gpoId);
AppendCNPath(sb, "Policies");
AppendCNPath(sb, "System");
AppendDomainPath(sb, RootDomain);
return sb.ToString();
}
internal string GetTenantComputerGroupPath(string organizationId) internal string GetTenantComputerGroupPath(string organizationId)
{ {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();