|
| 1 | +# Script for creating a Role that can manage distributions groups but can't create new ones |
| 2 | +# |
| 3 | +################################################################################# |
| 4 | +# |
| 5 | +# The sample scripts are not supported under any Microsoft standard support |
| 6 | +# program or service. The sample scripts are provided AS IS without warranty |
| 7 | +# of any kind. Microsoft further disclaims all implied warranties including, without |
| 8 | +# limitation, any implied warranties of merchantability or of fitness for a particular |
| 9 | +# purpose. The entire risk arising out of the use or performance of the sample scripts |
| 10 | +# and documentation remains with you. In no event shall Microsoft, its authors, or |
| 11 | +# anyone else involved in the creation, production, or delivery of the scripts be liable |
| 12 | +# for any damages whatsoever (including, without limitation, damages for loss of business |
| 13 | +# profits, business interruption, loss of business information, or other pecuniary loss) |
| 14 | +# arising out of the use of or inability to use the sample scripts or documentation, |
| 15 | +# even if Microsoft has been advised of the possibility of such damages |
| 16 | +# |
| 17 | +################################################################################# |
| 18 | +# |
| 19 | +# Written by Matthew Byrd |
| 20 | + |
| 21 | +# Last Updated 10.15.09 |
| 22 | + |
| 23 | + |
| 24 | +# Parameter to get a different name than default for the new Role |
| 25 | +Param([string]$name="MyDistributionGroupsManagement",[string]$policy="Default Role Assignment Policy",[switch]$creategroup,[switch]$removegroup) |
| 26 | + |
| 27 | +# Help Function |
| 28 | +Function Show-Help { |
| 29 | + |
| 30 | +" |
| 31 | +This script is will create or manage a management role designed to allow users to modify groups that they already own |
| 32 | +but not create or remove any new distribution groups. |
| 33 | + |
| 34 | +Switches: |
| 35 | +-name Name of the managment role you want to create or modify |
| 36 | + Defaults to: `"MyDistributionGroupsManagmenet`" |
| 37 | + |
| 38 | +-policy Name of the Role Policy you want to assign the role to |
| 39 | + Defaults to: `"Default Role Assignement Policy`" |
| 40 | + |
| 41 | +-creategroup Adds or Removes the ability of the Role to Create DLs |
| 42 | + |
| 43 | +-removegroup Adds or Removes the ability of the Role to Remove DLs |
| 44 | + |
| 45 | +Examples: |
| 46 | +-------------------------------------------- |
| 47 | +This will Use the default names and Policy and will create a role that cannot |
| 48 | +Create or remove groups but can still modify them. If the role already exists |
| 49 | +It will modify it by removing or adding the abiltity to create and remove groups |
| 50 | +based on the current state. |
| 51 | + |
| 52 | +Manage-GroupManagementRole -CreateGroup -RemoveGroup |
| 53 | + |
| 54 | +" |
| 55 | + |
| 56 | + |
| 57 | +} |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +# Function to modify a role by removing or adding Role Entries |
| 62 | +# If no action is passed we assume remove |
| 63 | +# $roleentry should be in the form Role\Roleentry e.g. MyRole\New-DistributionGroup |
| 64 | +Function ModifyRole { |
| 65 | + Param($roleenty,$action) |
| 66 | + |
| 67 | + Switch ($action){ |
| 68 | + Add {Add-ManagementRoleEntry $roleenty -confirm:$false} |
| 69 | + Remove {Remove-ManagementRoleEntry $roleenty -confirm:$false} |
| 70 | + Default {Remove-ManagementRoleEntry $roleenty -confirm:$false} |
| 71 | + } |
| 72 | +} |
| 73 | + |
| 74 | +If (($creategroup -eq $false) -and ($removegroup -eq $false)){ |
| 75 | + Show-Help |
| 76 | + exit |
| 77 | +} |
| 78 | + |
| 79 | + |
| 80 | +# Test if we have a role that already has that name |
| 81 | +If (([bool](Get-Managementrole $name -erroraction Silentlycontinue)) -eq $true){ |
| 82 | + Write-Warning "Found a Role with Name: $name" |
| 83 | + Write-Warning "Trying to Modify Existing Role" |
| 84 | +} |
| 85 | +Else { |
| 86 | + # Create the new Management Role |
| 87 | + Write-Host "Creating Managmenet Role $name" |
| 88 | + New-ManagementRole -name $name -parent MyDistributionGroups |
| 89 | +} |
| 90 | + |
| 91 | +# Determine if we have the New and Remove Role Entries on the Role Already |
| 92 | +$create = [bool](Get-managementroleentry $name\New-DistributionGroup -erroraction Silentlycontinue) |
| 93 | +$remove = [bool](Get-managementroleentry $name\Remove-DistributionGroup -erroraction Silentlycontinue) |
| 94 | + |
| 95 | +# If we have the switch CreateGroup add or remove the RoleEntry for New-DistributionGroup |
| 96 | +If ($creategroup -eq $true){ |
| 97 | + If ($create -eq $true){ModifyRole $name\New-DistributionGroup Remove;Write-Host "Removing ability to create distribution Groups from $name"} |
| 98 | + elseif ($create -eq $false) {ModifyRole $name\New-DistributionGroup Add;Write-Host "Adding ability to create distribution Groups to $name"} |
| 99 | +} |
| 100 | + |
| 101 | +# If we have the switch RemoveGroup add or remove the RoleEntry for New-DistributionGroup |
| 102 | +If ($removegroup -eq $true){ |
| 103 | + If ($remove -eq $true){ModifyRole $name\Remove-DistributionGroup Remove;Write-Host "Removing ability to create distribution Groups from $name"} |
| 104 | + elseif ($remove -eq $false) {ModifyRole $name\Remove-DistributionGroup Add;Write-Host "Adding ability to create distribution Groups to $name"} |
| 105 | +} |
| 106 | + |
| 107 | +# Test if we have the assignment for the Role and Policy |
| 108 | +# If we do ... write a warning |
| 109 | +# If not create a new assignment |
| 110 | +If (([bool](get-managementroleassignment $name-$policy -erroraction SilentlyContinue)) -eq $true){ |
| 111 | + Write-Warning "Found Existing Role Assignment: $name-$policy" |
| 112 | + Write-Warning "Making no modifications to Role Assignments" |
| 113 | +} |
| 114 | +Else { |
| 115 | + # Assign the Role to the Role Policy |
| 116 | + Write-Host "Creating Managmenet Role Assignment $name-$policy" |
| 117 | + New-ManagementRoleAssignment -name ($name + "-" + $policy) -role $name -policy $policy |
| 118 | +} |
| 119 | + |
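Review bot: The -creategroup and -removegroup handling (file lines 92–104) toggles each role entry based on a lookup whose errors are suppressed, so the script can widen the role when the operator meant to narrow it. `[bool](Get-managementroleentry ... -erroraction Silentlycontinue)` is false both when the entry is absent and when the lookup itself fails, and in either case the `elseif` branch calls `ModifyRole ... Add`; re-running the same command line also flips the previous result. For a role whose purpose is to withhold New-DistributionGroup and Remove-DistributionGroup, I would make removal the only implicit direction, e.g. `If ($creategroup -and $create) { ModifyRole $name\New-DistributionGroup Remove }`, and require a separate, explicit switch to add an entry back. The Write-Host messages in the -removegroup branch (lines 103–104) also say "create distribution Groups" where "remove distribution Groups" is meant, which makes the console output unreliable as a record of what was changed.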