Create File Access Groups
- Jackson Chen
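cls
Import-Module ActiveDirectory

#************************************
# Purpose
#************************************
# Reads a CSV of (Company_name, folder_short_name) rows and, for each row that
# passes validation, creates the three AD security groups for the DFS folder
# \\LAB.net\groups\<Company-Name>_<Folder-Name>:
#   FP_<Folder-Name>    DomainLocal
#   Role_<Folder-Name>  Global   - added as a member of FP_<Folder-Name>
#   ACC_<Folder-Name>   Global   - added as a member of FP_<Folder-Name>
# Every action and every rejected row is appended to the report file $Report.
# Requires: the ActiveDirectory module, an account permitted to create groups
# in the target OU and to read the D$ administrative share used for the CSV.
#
# Rows are skipped (not aborted) when: the Company has no OU defined, the folder
# name is too long or contains unsafe characters, or the DFS folder already
# exists. The membership update for a row only runs after that row's groups
# were created or already existed.

# Variables
$Date = Get-Date -Format "yyyy-MM-dd"
$timestamp = Get-Date -UFormat "%d/%m/%Y %R"
$datestamp = Get-Date -UFormat "%d/%m/%Y"   # currently unused
# Group scope and category
$DomainLocal_scope = "DomainLocal"
$Global_scope = "Global"
$Group_category = "Security"
$DFS_Groups_Path = "\\LAB.net\groups\"
$Group_Description_prefix = 'Member has Read/Write access to \\LAB.net\groups\'
# Group type
$FP_group_prefix = "FP_"
$Role_group_prefix = "Role_"
$ACC_group_prefix = "ACC_"
$FileSecurityGroups = ($FP_group_prefix, $Role_group_prefix, $ACC_group_prefix)
# maximum characters for folder name (an integer, so -gt compares numerically)
$FolderName_max_length = 30
# folder_short_name is embedded verbatim in a UNC path, a group name and an
# LDAP DN; only this conservative character set is accepted.
$FolderName_allowed_pattern = '^[A-Za-z0-9_-]+$'
# Job Number
$JobNum = ""   # currently unused
#************************************** File Group OU **************************************
# CSD Operations
$OPS_FileGroupOU = "OU=OPS_File_Groups,OU=Operations,OU=Test,DC=LAB,DC=NET"
# Company 02
#********************************************************************************************
# List of Company
$OPS_Company = "OPS"
$Computer = $env:COMPUTERNAME
$LAB_FileGroups_List = "\\$Computer\D$\Inputs\LAB_File_Group_List\LAB_File_Groups.csv"
$Report = "\\$Computer\D$\Logs\LAB_File_Groups_Reports\LAB-File-Groups-Creation-$Date.txt"

#######################################
# Append one line to the run report.
# Arguments: $Message - text to write (empty string writes a blank line)
#######################################
Function Write-Log {
    Param([string]$Message)
    $Message | Add-Content -Path $Report
}

#######################################
# Return $true if an AD group with the given identity exists, $false when the
# lookup reports "not found". Any other lookup failure (e.g. no domain
# controller reachable) is re-raised so the caller does not mistake an outage
# for "group does not exist" and attempt a blind creation.
# Arguments: $Identity - group name / SAMAccountName to look up
#######################################
Function Test-ADGroupExists {
    Param([Parameter(Mandatory = $true)][string]$Identity)
    Try {
        $null = Get-ADGroup -Identity $Identity -ErrorAction Stop
        return $true
    }
    Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

#************************************
#
# Main
#
#************************************
# Import LAB groups CSV file
$groups = Import-Csv $LAB_FileGroups_List
# Process if input group file is not empty ($null on the left so an array
# operand is tested as a whole instead of being filtered element by element)
If ($null -ne $groups) {
    # Update log file
    Write-Log "`nCreate groups on $timestamp"
    Write-Log ""
    # Process file security groups
    ForEach ($group in $groups) {
        $Company = $group.Company_name
        $FolderShortName = $group.folder_short_name
        # Folder Name standard - <Company-Name>_<Folder-Name>
        $FolderName = $Company + "_" + $FolderShortName
        Write-Host "`nProcess - Company Name: $Company & Folder Name: $FolderName`n" -ForegroundColor Yellow

        # Obtain the OU for the Company file security group. Reset per row so a
        # value left over from the previous row can never be used for a Company
        # that has no OU defined.
        $GroupPath = $null
        # Create OPS group in OPS file group OU
        If ($Company -eq $OPS_Company) {
            $GroupPath = $OPS_FileGroupOU
        }
        <# TBA - Other Companys
        # ElseIf () {
        }
        #>
        If ([string]::IsNullOrEmpty($GroupPath)) {
            Write-Host "Error: No file group OU is defined for Company '$Company'. Skipping folder $FolderName." -ForegroundColor Red
            Write-Log "Skipped $FolderName - no file group OU defined for Company '$Company'"
            continue
        }
        # Validate new folder name length not exceeding the maximum
        If ($FolderName.Length -gt $FolderName_max_length) {
            Write-Host "Error: The folder name exceeds $FolderName_max_length characters length. Please update folder name and try again." -ForegroundColor Red
            Write-Log "Skipped $FolderName - folder name exceeds $FolderName_max_length characters"
            continue
        }
        # Reject short names with path or DN separators ('\', '/', ',', '=', '..')
        # instead of letting them reach the DFS path, SAMAccountName or DN. The
        # Company part is already constrained by the OU lookup above.
        If ("$FolderShortName" -notmatch $FolderName_allowed_pattern) {
            Write-Host "Error: The folder short name '$FolderShortName' contains characters outside A-Z, 0-9, '_' and '-'. Please update folder name and try again." -ForegroundColor Red
            Write-Log "Skipped $FolderName - folder short name contains unsupported characters"
            continue
        }

        # Process "OPS" - Classified Systems Delivery
        If ($Company -eq $OPS_Company) {
            Write-Host "Create security groups for Operational"
            Write-Log "Create security groups for Operational"
            Write-Log ""
        }
        <#
        Update for other Companys
        #>
        # DFS folder required to be created
        $New_DFS_Folder = $DFS_Groups_Path + $FolderName
        Write-Host "New DFS path to be created: $New_DFS_Folder`n"
        # Warn the user if the DFS folder already exists (-LiteralPath: the folder
        # name is data, not a wildcard pattern)
        If (Test-Path -LiteralPath $New_DFS_Folder) {
            Write-Host "Warning: Please check and try again. DFS folder already exist - $New_DFS_Folder" -ForegroundColor Red
            Write-Log "Skipped $FolderName - DFS folder already exists: $New_DFS_Folder"
            continue
        }

        # Names and DNs of the three groups for this folder
        $FP_group = $FP_group_prefix + $FolderName
        $Role_group = $Role_group_prefix + $FolderName
        $ACC_group = $ACC_group_prefix + $FolderName
        $Role_group_DN = "CN=" + $Role_group + "," + $GroupPath
        $ACC_group_DN = "CN=" + $ACC_group + "," + $GroupPath
        $GroupDescription = $Group_Description_prefix + $FolderName
        # Set when any group of this row could not be checked or created; the
        # membership update below is skipped in that case.
        $RowFailed = $false

        # Process each file group type at a time
        ForEach ($filegroup in $FileSecurityGroups) {
            $GroupName = $filegroup + $FolderName
            # FP_ (file permission) groups are DomainLocal; Role_ and ACC_ groups are Global
            If ($filegroup -eq $FP_group_prefix) {
                $GroupScope = $DomainLocal_scope
            }
            Else {
                $GroupScope = $Global_scope
            }
            # Verify whether the file security group already exists before creating it
            Try {
                $GroupExist = Test-ADGroupExists -Identity $GroupName
            }
            Catch {
                Write-Host "Error: Unable to query Active Directory for $GroupName - $($_.Exception.Message)" -ForegroundColor Red
                Write-Log "Failed $FolderName - unable to query Active Directory for $GroupName - $($_.Exception.Message)"
                $RowFailed = $true
                break
            }
            If ($GroupExist) {
                Write-Host "Warning: Group exist - $GroupName" -ForegroundColor Red
                Write-Log "Warning: Group exist - $GroupName"
                continue
            }
            Write-Host "Creating the required security group $GroupName, please wait ....." -ForegroundColor Green
            Write-Host "`nGroupName: $GroupName`nGroupPath: $GroupPath`nGroupScope: $GroupScope`nGroupCategory: $Group_category`nGroupDescription: $GroupDescription`n"
            # Create file security group; -ErrorAction Stop so a failure is logged
            # instead of silently continuing to the membership update
            Try {
                New-ADGroup -Name $GroupName -Path $GroupPath -GroupScope $GroupScope -GroupCategory $Group_category -Description $GroupDescription -ErrorAction Stop
            }
            Catch {
                Write-Host "Error: Failed to create $GroupName - $($_.Exception.Message)" -ForegroundColor Red
                Write-Log "Failed to create $GroupName - $($_.Exception.Message)"
                $RowFailed = $true
                break
            }
            # Wait for security group creation
            Start-Sleep 10
            # Record the group creation in log file
            Write-Log "GroupName: $GroupName"
            Write-Log "GroupPath: $GroupPath"
            Write-Log "GroupScope: $GroupScope"
            Write-Log "GroupCategory: $Group_category"
            Write-Log "GroupDescription: $GroupDescription"
            Write-Log ""
        }
        If ($RowFailed) {
            Write-Host "Skipping membership update for $FP_group because group creation did not complete." -ForegroundColor Red
            Write-Log "Skipped membership update for $FP_group - group creation did not complete"
            continue
        }

        # Update FP_<Folder-Name> group membership
        # Add Role_<Folder-Name> and ACC_<Folder-Name> to FP_<Folder-Name>
        Write-Host "`nUpdate group membership for file permission group: $FP_group " -ForegroundColor Green
        Write-Host "Add member: $Role_group"
        Write-Host "Add member: $ACC_group"
        Try {
            Add-ADGroupMember -Identity $FP_group -Members $Role_group_DN, $ACC_group_DN -Confirm:$false -ErrorAction Stop
        }
        Catch {
            Write-Host "Error: Failed to update membership of $FP_group - $($_.Exception.Message)" -ForegroundColor Red
            Write-Log "Failed to update membership of $FP_group - $($_.Exception.Message)"
            continue
        }
        # Update log file
        Write-Log "Update group membership for file permission group: $FP_group "
        Write-Log "Add member: $Role_group"
        Write-Log "Add member: $ACC_group"
    }
}
Else {
    Write-Host "There is no groups to be created, please verify group files in $LAB_FileGroups_List" -ForegroundColor Red
}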