From 898ed7dd8e65ccb936b528e605104a615a340004 Mon Sep 17 00:00:00 2001 From: Meik Date: Mon, 4 May 2026 13:54:27 +0200 Subject: [PATCH] Add LIAM permission validation script --- Sonstiges/Set-LiamTestDelegation.ps1 | 265 +++++++++++++++++++++++++++ 1 file changed, 265 insertions(+) create mode 100644 Sonstiges/Set-LiamTestDelegation.ps1
diff --git a/Sonstiges/Set-LiamTestDelegation.ps1 b/Sonstiges/Set-LiamTestDelegation.ps1
new file mode 100644
index 0000000..02441e4
--- /dev/null
+++ b/Sonstiges/Set-LiamTestDelegation.ps1
@@ -0,0 +1,265 @@
+<#
+.SYNOPSIS
+Creates or uses a dedicated LIAM test account and delegates limited AD and NTFS rights for validation.
+
+.DESCRIPTION
+Use this script to verify whether the reduced LIAM service-user permissions are sufficient.
+Run with -WhatIf first, then without -WhatIf, configure the account in LIAM, and execute the relevant workflows.
+
+Requirements:
+- RSAT ActiveDirectory module
+- Run as an account allowed to create users and edit ACLs on the target OU and NTFS paths
+#>
+
+[CmdletBinding(SupportsShouldProcess = $true)]
+param(
+ [Parameter(Mandatory = $true)]
+ [string]$SamAccountName,
+
+ [Parameter(Mandatory = $true)]
+ [string]$TargetGroupOuDN,
+
+ [string[]]$ReadSearchBaseDNs = @(),
+
+ [string[]]$NtfsReadAclPaths = @(),
+
+ [string[]]$NtfsManageAclPaths = @(),
+
+ [string[]]$NtfsCreateParentPaths = @(),
+
+ [switch]$CreateUser,
+
+ [switch]$GrantDeleteGroupObjects
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+
+Import-Module ActiveDirectory -ErrorAction Stop
+
+function Get-SchemaGuid {
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$LdapDisplayName
+ )
+
+ $schemaNc = (Get-ADRootDSE).schemaNamingContext
+ $object = Get-ADObject -SearchBase $schemaNc `
+ -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
+ -Properties schemaIDGUID
+
+ if (-not $object) {
+ throw "Schema object not found: $LdapDisplayName"
+ }
+
+ return [Guid]::new([byte[]]$object.schemaIDGUID)
+}
+
+function Add-LiamAdAccessRule {
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$TargetDN,
+
+ [Parameter(Mandatory = $true)]
+ [System.Security.Principal.IdentityReference]$Identity,
+
+ [Parameter(Mandatory = $true)]
+ [System.DirectoryServices.ActiveDirectoryRights]$Rights,
+
+ [Parameter(Mandatory = $true)]
+ [System.Security.AccessControl.AccessControlType]$AccessType,
+
+ [Guid]$ObjectType = [Guid]::Empty,
+
+ [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,
+
+ [Guid]$InheritedObjectType = [Guid]::Empty
+ )
+
+ $entry = [ADSI]"LDAP://$TargetDN"
+ $acl = $entry.ObjectSecurity
+
+ if ($InheritedObjectType -ne [Guid]::Empty) {
+ $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
+ $Identity,
+ $Rights,
+ $AccessType,
+ $ObjectType,
+ $Inheritance,
+ $InheritedObjectType
+ )
+ }
+ elseif ($ObjectType -ne [Guid]::Empty) {
+ $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
+ $Identity,
+ $Rights,
+ $AccessType,
+ $ObjectType
+ )
+ }
+ else {
+ $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
+ $Identity,
+ $Rights,
+ $AccessType,
+ $Inheritance
+ )
+ }
+
+ $acl.AddAccessRule($rule)
+
+ if ($PSCmdlet.ShouldProcess($TargetDN, "Add AD ACL: $Rights / $ObjectType / $Inheritance")) {
+ $entry.ObjectSecurity = $acl
+ $entry.CommitChanges()
+ }
+}
+
+function Grant-LiamNtfsRights {
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$Path,
+
+ [Parameter(Mandatory = $true)]
+ [string]$Account,
+
+ [Parameter(Mandatory = $true)]
+ [System.Security.AccessControl.FileSystemRights]$Rights,
+
+ [System.Security.AccessControl.InheritanceFlags]$InheritanceFlags = "ContainerInherit,ObjectInherit",
+
+ [System.Security.AccessControl.PropagationFlags]$PropagationFlags = "None"
+ )
+
+ if (-not (Test-Path -LiteralPath $Path)) {
+ throw "Path not found: $Path"
+ }
+
+ $acl = Get-Acl -LiteralPath $Path
+ $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
+ $Account,
+ $Rights,
+ $InheritanceFlags,
+ $PropagationFlags,
+ [System.Security.AccessControl.AccessControlType]::Allow
+ )
+
+ $acl.AddAccessRule($rule)
+
+ if ($PSCmdlet.ShouldProcess($Path, "Grant NTFS rights '$Rights' to '$Account'")) {
+ Set-Acl -LiteralPath $Path -AclObject $acl
+ }
+}
+
+$domain = Get-ADDomain
+$netbiosName = $domain.NetBIOSName
+$accountName = "$netbiosName\$SamAccountName"
+
+if ($CreateUser) {
+ $existingUser = Get-ADUser 
-LDAPFilter "(sAMAccountName=$SamAccountName)" -ErrorAction SilentlyContinue
+ if (-not $existingUser) {
+ $password = Read-Host "Password for $SamAccountName" -AsSecureString
+
+ if ($PSCmdlet.ShouldProcess($SamAccountName, "Create AD user")) {
+ New-ADUser `
+ -SamAccountName $SamAccountName `
+ -Name $SamAccountName `
+ -AccountPassword $password `
+ -Enabled $true `
+ -PasswordNeverExpires $true `
+ -ChangePasswordAtLogon $false
+ }
+ }
+}
+
+$user = Get-ADUser -Identity $SamAccountName
+$identity = $user.SID
+
+$groupClassGuid = Get-SchemaGuid "group"
+$attributeNames = @(
+ "cn",
+ "sAMAccountName",
+ "displayName",
+ "groupType",
+ "description",
+ "managedBy",
+ "member"
+)
+
+$attributeGuids = @{}
+foreach ($name in $attributeNames) {
+ $attributeGuids[$name] = Get-SchemaGuid $name
+}
+
+Add-LiamAdAccessRule `
+ -TargetDN $TargetGroupOuDN `
+ -Identity $identity `
+ -Rights ([System.DirectoryServices.ActiveDirectoryRights]"ListChildren,ReadProperty") `
+ -AccessType Allow `
+ -Inheritance All
+
+Add-LiamAdAccessRule `
+ -TargetDN $TargetGroupOuDN `
+ -Identity $identity `
+ -Rights CreateChild `
+ -AccessType Allow `
+ -ObjectType $groupClassGuid
+
+if ($GrantDeleteGroupObjects) {
+ Add-LiamAdAccessRule `
+ -TargetDN $TargetGroupOuDN `
+ -Identity $identity `
+ -Rights DeleteChild `
+ -AccessType Allow `
+ -ObjectType $groupClassGuid
+}
+
+foreach ($attributeName in $attributeNames) {
+ Add-LiamAdAccessRule `
+ -TargetDN $TargetGroupOuDN `
+ -Identity $identity `
+ -Rights WriteProperty `
+ -AccessType Allow `
+ -ObjectType $attributeGuids[$attributeName] `
+ -Inheritance Descendents `
+ -InheritedObjectType $groupClassGuid
+}
+
+foreach ($readBase in $ReadSearchBaseDNs) {
+ Add-LiamAdAccessRule `
+ -TargetDN $readBase `
+ -Identity $identity `
+ -Rights ([System.DirectoryServices.ActiveDirectoryRights]"ListChildren,ReadProperty") `
+ -AccessType Allow `
+ -Inheritance All
+}
+
+foreach ($path in $NtfsReadAclPaths) {
+ Grant-LiamNtfsRights `
+ -Path $path 
`
+ -Account $accountName `
+ -Rights ([System.Security.AccessControl.FileSystemRights]"ReadAndExecute,ReadPermissions")
+}
+
+foreach ($path in $NtfsManageAclPaths) {
+ Grant-LiamNtfsRights `
+ -Path $path `
+ -Account $accountName `
+ -Rights ([System.Security.AccessControl.FileSystemRights]"ReadAndExecute,ReadPermissions,ChangePermissions")
+}
+
+foreach ($path in $NtfsCreateParentPaths) {
+ Grant-LiamNtfsRights `
+ -Path $path `
+ -Account $accountName `
+ -Rights ([System.Security.AccessControl.FileSystemRights]"ReadAndExecute,ReadPermissions,CreateDirectories") `
+ -InheritanceFlags None `
+ -PropagationFlags None
+}
+
+Write-Host "Delegation finished for $accountName"
+Write-Host "Suggested validation:"
+Write-Host "1. Configure this account as the LIAM provider credential."
+Write-Host "2. Create AD service groups and add members."
+Write-Host "3. Read NTFS data areas."
+Write-Host "4. Ensure missing NTFS permission groups and ACL entries."
+Write-Host "5. Verify that AD deletes and writes outside the target OU fail."
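Review bot: In `Add-LiamAdAccessRule`, the `elseif ($ObjectType -ne [Guid]::Empty)` branch builds the rule with the four-argument constructor and silently drops `$Inheritance`, so a caller that passes both `-ObjectType` and a non-default `-Inheritance` gets an ACE scoped to `None`; the overload `[System.DirectoryServices.ActiveDirectoryAccessRule]::new($Identity, $Rights, $AccessType, $ObjectType, $Inheritance)` keeps the parameter honest (the current call sites happen to rely on the default, so nothing changes for them today). Both helper functions also call `$PSCmdlet.ShouldProcess` without declaring `[CmdletBinding(SupportsShouldProcess = $true)]`; the script-level `-WhatIf` may still reach them through `$WhatIfPreference` inheritance, but since the header tells operators to trust a `-WhatIf` dry run before any ACL is committed, declaring it explicitly on both functions removes that doubt. `$SamAccountName` and `$LdapDisplayName` are interpolated unescaped into `-LDAPFilter` strings; for the operator-supplied account name, `Get-ADUser -Filter { sAMAccountName -eq $SamAccountName }` avoids hand-built filter syntax. Worth a comment next to `$NtfsManageAclPaths` that `ChangePermissions` lets the holder grant itself any further right on those paths, so the reduced NTFS set is only "reduced" on the read and create-parent paths.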