Hi Seth,
I think your script will be useful; please share it.
Here it is. It does the same items that the DPM tool does to the domain, with a few extra steps noted at the top.
We create a group that has the permissions on the container, with the hope that one day this feature will be available (DCR submitted). In our support model, we would rather delegate permissions to support personnel to modify group membership than
modify ACLs on system containers. Your opinion on this may differ, so, feel free to remove it.
It also gives our support personnel permissions to modify the sharemap container - so they can enable DPM EUR servers later.
Both of these have been working fine for preparing a domain / enabling EUR. Preparing the domain is run by a domain admin; we then leave enabling EUR to our support staff.
Remember, this is not supported, this just makes the same changes that the EUR tool does. You should use the EUR tool from Microsoft.
#Requires -version 2.0
# ***************************************************************************
#
# File: DPMEndUserDomainPrep.ps1
# Version: 0.1
#
# Purpose: Domain Preparation for DPM End User Recovery
#
# Tasks completed by this script:
# -Create MS-ShareMapConfiguration container in System container of the domain
# -Create the security group (NETBIOS Domain Name) DPM End User Recovery servers
# -Give Create,Delete MS-srvShareMappingObjects, ListChildren permissions for the newly created group, on the new MS-ShareMapConfiguration container
# -Find <SUPPORT GROUP> group in the forest root, and grant full permissions to the MS-ShareMapConfiguration container
#
# ***************************************************************************
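Param(
    [string]$domain
)

# This script changes security descriptors in the directory. Stop on the first
# failed cmdlet instead of printing "Script Complete" after a partial change.
$ErrorActionPreference = "Stop"

if ([string]::IsNullOrEmpty($domain))
{
    write-host ""
    write-host "Script Usage" -foreground cyan
    write-host "-----------------" -foreground cyan
    write-host "./DPMEndUserDomainPrep.ps1 -domain domain.com" -foreground cyan
    write-host ""
    exit
}

# Interactive confirmation; choice index 1 is "No".
$Title = "DPM End User Recovery Domain Prep"
$Message = "Do you want to continue with domain prep for " + $domain + "?"
$Yes = new-object system.management.automation.host.choicedescription "&Yes","Continue with Domain Prep for $domain"
$No = new-object system.management.automation.host.choicedescription "&No","Exit the script"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($Yes, $No)
$result = $host.ui.PromptForChoice($Title, $Message, $options, 0)
If ($result -eq 1){exit}

# Load the AD module
Import-Module ActiveDirectory

# Resolve the target domain once. Every AD cmdlet below is pinned to $domain
# with -Server, and the ACL work goes through a PSDrive bound to the same
# domain, so the script cannot silently act on the logon domain instead.
$root = (Get-ADRootDSE -server $domain).defaultNamingContext
$targetDomain = Get-ADDomain -Identity $domain
$domainname = $targetDomain.NetBIOSName
$forestname = $targetDomain.Forest

# SchemaIDGuid for the MS-SrvShareMapping class; the CreateChild/DeleteChild
# ACE is scoped to this object type only. $guidNull means "all object types".
$ShareMapGUID = new-object guid c356f65b-5540-4d85-9aef-3a7ecae7a878
$guidNull = new-object Guid 00000000-0000-0000-0000-000000000000

$containerDN = "CN=MS-ShareMapConfiguration,CN=System,$root"
$groupName = "$domainname DPM End User Recovery Servers"

# Dedicated AD drive for Get-Acl/Set-Acl, bound to the target domain (the
# built-in AD: drive is bound to the domain of the machine running the script).
$driveName = "DPMPrep"
New-PSDrive -Name $driveName -PSProvider ActiveDirectory -Server $domain -Root "//RootDSE/" | out-null
$containerPath = "${driveName}:$containerDN"

try
{
    # Get or create the MS-ShareMapConfiguration container
    $ou = $null
    try
    {
        $ou = Get-ADObject -Identity $containerDN -server $domain
    }
    catch
    {
        Write-host "MS-ShareMapConfiguration container does not currently exist." -foreground yellow
    }
    if ($null -eq $ou)
    {
        $ou = New-ADObject -Type Container -name "MS-ShareMapConfiguration" -Path "CN=System,$root" -server $domain -Passthru
        write-host "Created Container $ou" -foreground yellow
        # Give the new object a moment to become readable before it is ACLed.
        start-sleep -s 10
    }

    # Get or create the DPM End User Recovery Servers group. Re-running the
    # script against a prepared domain reuses the existing group instead of
    # failing on a duplicate name.
    $ServerGroup = $null
    try
    {
        $ServerGroup = get-adgroup -Identity $groupName -server $domain
        write-host "Group $groupName already exists, reusing it." -foreground yellow
    }
    catch
    {
        write-host "Creating group $groupName" -foreground yellow
        new-adgroup -path "cn=builtin,$root" -name $groupName -server $domain -groupscope universal -groupcategory security -description "Members of this group are delegated permissions to change contents of the System\MS-ShareMapConfiguration container"
        start-sleep -s 10
        $ServerGroup = get-adgroup -Identity $groupName -server $domain
        write-host ""
        write-host "Created group $ServerGroup" -foreground yellow
    }
    $ServerGroupSid = [system.security.principal.securityidentifier] $ServerGroup.sid

    # Look up <SUPPORT GROUP> in the forest root. A missing identity makes
    # Get-ADGroup throw, so the "not found" case is handled in catch; the
    # support-group ACEs further down are only added when it was found.
    $SupportGroup = $null
    try
    {
        $SupportGroup = get-adgroup -Identity "<SUPPORT GROUP>" -server $forestname
    }
    catch
    {
        write-host ""
        write-host "WARNING - <SUPPORT GROUP> Group does not exist in the forest root" -foreground red
        write-host "Permissions must be manually assigned to the MS-ShareMapConfiguration Container for the <SUPPORT GROUP>" -foreground red
        write-host ""
    }

    # ACL on the MS-ShareMapConfiguration container:
    #  - server group: create/delete MS-SrvShareMapping objects, list children
    #  - support group (if found): full control
    $OUacl = get-acl $containerPath
    $ace1 = new-object system.directoryservices.activedirectoryaccessrule $ServerGroupSid, "CreateChild,DeleteChild", Allow, $ShareMapGUID, "all"
    $ace2 = new-object system.directoryservices.activedirectoryaccessrule $ServerGroupSid, "ListChildren", Allow, $guidNull, "all"
    $OUacl.addaccessrule($ace1)
    $OUacl.addaccessrule($ace2)
    if ($null -ne $SupportGroup)
    {
        $SupportGroupSid = [system.security.principal.securityidentifier] $SupportGroup.sid
        $ace3 = new-object system.directoryservices.activedirectoryaccessrule $SupportGroupSid, "GenericAll", Allow, $guidNull, "all"
        $OUacl.addaccessrule($ace3)
    }
    write-host ""
    write-host "Setting ACLs on $containerDN" -foreground yellow
    set-acl -aclobject $OUacl $containerPath

    # ACL on the server group object: full control for the support group.
    # This lets support staff manage membership, and therefore who receives
    # the container rights above, without touching ACLs on system containers.
    if ($null -ne $SupportGroup)
    {
        $ServerGroupDN = $ServerGroup.distinguishedname
        $groupPath = "${driveName}:$ServerGroupDN"
        $Groupacl = get-acl $groupPath
        $groupace = new-object system.directoryservices.activedirectoryaccessrule $SupportGroupSid, "GenericAll", Allow, $guidNull, "all"
        $Groupacl.addaccessrule($groupace)
        write-host ""
        write-host "Setting ACLs on $ServerGroupDN" -foreground yellow
        set-acl -aclobject $Groupacl $groupPath
    }
}
finally
{
    Remove-PSDrive -Name $driveName
}

write-host ""
write-host "Script Complete" -foreground yellow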