Configuration driven Active Directory management.
The order in which Components are applied during invocation matters. Several actions build upon each other and some Components require multi-part operations in order to run smoothly, as one step may depend on completion of multiple others.
The processing order is specific to a given Category (domain / forest).
If you use the provided invocation commands (`Invoke-AdmfDomain` and `Invoke-AdmfForest`) you do not need to worry about the order, as these commands will automatically use the correct order.
Invoke-AdmfDomain
1. Organizational Units: Create & Update (Option: `OUSoft`)
   `Invoke-DMOrganizationalUnit`
   As a first step, we want to create and customize organizational units, as those are what all the other bits get put in.
   However, we do not want to delete undesirable OUs yet, as we might first need to move content out of them (and maybe into some of the newly created OUs).
2. Groups (Option: `Group`)
   `Invoke-DMGroup`
   Create, Update and Delete group objects.
3. Users (Option: `User`)
   `Invoke-DMUser`
   Create, Update and Delete user objects.
4. Group Membership (Option: `GroupMembership`)
   `Invoke-DMGroupMembership`
   Assigns members to groups. Members can be anything that can legally be a member of a group.
5. Fine-grained Password Policies (Option: `PSO`)
   `Invoke-DMPasswordPolicy`
   Create, Update and Delete fine-grained password policies.
6. Group Policy Objects: Create & Update (Option: `GroupPolicy`)
   `Invoke-DMGroupPolicy`
   Creates and updates group policy objects. This ensures the correct GPOs exist. However, the old ones cannot be deleted until the new policies are properly linked; otherwise connectivity could be lost (e.g. when updating GPOs that include the IPsec ruleset).
7. Group Policy Links: Create & Update, Disable undesirable links (Option: `GPLinkDisable`)
   `Invoke-DMGPLink -Disable`
   This assigns the new and correct GPLinks and link order. Undesired links, however, are only disabled, not removed.
   Previous Group Policy Objects that are no longer desired are identified by having been linked into managed objects while no longer being desired to be linked anywhere. Were we to remove all the Group Policy Links right away, these could not be identified anymore.
8. Group Policy Objects: Delete (Option: `GroupPolicyDelete`)
   `Invoke-DMGroupPolicy -Delete`
   After the new policies have been correctly linked, we can now move on to delete undesired Group Policy Objects. All Group Policy Objects that have only disabled links, include a link into an OU that is under management, and are not defined in configuration will be removed.
   It also creates new GPOs if needed, but step 6 should have handled that.
9. Group Policy Links: Remove (Option: `GPLink`)
   `Invoke-DMGPLink`
   Applies all remaining desired GPLinks and removes all undesired links (whether disabled or not). Final cleanup in the group policy application cycle.
10. Organizational Units: Delete (Option: `OUHard`)
    `Invoke-DMOrganizationalUnit -Delete`
    Now that all content objects have been taken care of, we finally attempt to delete all OUs that should no longer exist. If the OUs in question still have content objects, this operation will fail, with a warning and log entry clearly identifying this.
11. Generic Objects (Option: `Object`)
    `Invoke-DMObject`
    Create and update any custom objects desired. This could be literally any kind of object.
    As this Component does not support any delete operations at this time, performing it before step 10 is not necessary, but also not harmful.
12. Access Control Lists (Option: `Acl`)
    `Invoke-DMAcl`
    Applies the defined ACL configuration, concerning itself mostly with inheritance and ownership of an object. For actual security delegations, see Access Rules (step 13).
13. Access Rules (Option: `AccessRule`)
    `Invoke-DMAccessRule`
    Applies the desired access rules to the configured objects.
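As an added example (not part of ADMF or its documentation), the following hypothetical PowerShell helper encodes the ordering and prerequisite reasoning of the domain steps above: it sorts a requested set of option names into the documented order and warns when a destructive step (GPO deletion, link removal, OU deletion) is requested without the steps it relies on. It assumes the option names are the values passed to `Invoke-AdmfDomain -Options` and does not call ADMF itself.

```powershell
# Added example, not part of ADMF: hypothetical helper that sorts a requested
# set of Invoke-AdmfDomain option names into the documented processing order
# and warns when a destructive step is requested without its prerequisites.
function Resolve-AdmfDomainOrder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Options
    )
    # Documented processing order (steps 1-13 above).
    $order = @(
        'OUSoft', 'Group', 'User', 'GroupMembership', 'PSO',
        'GroupPolicy', 'GPLinkDisable', 'GroupPolicyDelete', 'GPLink',
        'OUHard', 'Object', 'Acl', 'AccessRule'
    )

    # Destructive steps and the earlier steps they rely on:
    # - GPOs are deleted only after new GPOs exist and links were re-assigned,
    #   otherwise connectivity (e.g. IPsec policy) could be lost;
    # - links are removed only after obsolete GPOs were identified and deleted;
    # - OUs are deleted only after their content objects were processed.
    $prerequisites = @{
        GroupPolicyDelete = @('GroupPolicy', 'GPLinkDisable')
        GPLink            = @('GPLinkDisable', 'GroupPolicyDelete')
        OUHard            = @('OUSoft', 'Group', 'User')
    }

    $unknown = @($Options | Where-Object { $order -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown option(s): $($unknown -join ', ')"
    }

    $requested = @($Options | Select-Object -Unique)
    foreach ($step in $requested) {
        if (-not $prerequisites.ContainsKey($step)) { continue }
        $missing = @($prerequisites[$step] | Where-Object { $requested -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Warning "'$step' is destructive; run '$($missing -join "', '")' first or in the same invocation."
        }
    }

    # Return the requested options in processing order, however the caller listed them.
    $order | Where-Object { $requested -contains $_ }
}

# Usage: options listed out of order, with OUHard lacking Group and User.
Resolve-AdmfDomainOrder -Options 'OUHard', 'GPLink', 'GroupPolicy', 'GPLinkDisable', 'GroupPolicyDelete', 'OUSoft'
```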
Invoke-AdmfForest
1. Sites (Option: `Sites`)
   `Invoke-FMSite`
   Apply the defined sites.
   Note: This will fail to delete sites that still contain a domain controller.
2. Site Links (Option: `SiteLinks`)
   `Invoke-FMSiteLink`
   Establish the defined site links and discard undesired ones.
3. Subnets
   `Invoke-FMSubnet`
   Create, Update and Delete subnets as configured.
4. Server Subnet Assignment (Option: `ServerRelocate`)
   `Invoke-FMServer`
   This calculates the ideal site assignment for each domain controller, based on the subnets of each site and the IP address of the domain controller. If the domain controller is in an inappropriate site, it will instead be moved to the site with the smallest subnet it is part of.
5. Schema Extension (Option: `Schema`)
   `Invoke-FMSchema`
   Applies and corrects custom schema attributes and classes.
6. Schema Extension (LDIF) (Option: `SchemaLdif`)
   `Invoke-FMSchemaLdif`
   Applies any pending LDIF (.ldf) files.