Chris Whitfield edited this page Mar 9, 2023 · 2 revisions

Welcome to the ADDeploy wiki!

So, you were probably looking for PowerShell stuff related to ESAE, and you found this project. Yes, there are other modules and scripts already available to deploy some, or many, aspects of ESAE. This probably leads you to wonder why I felt that another one was required. Simply put, I think the other options I've seen are either too static or never got completed. If you've got a smaller environment, or otherwise have the ability to use a relatively flat OU structure that fits completely within the MS 'Securing Privileged Access' content (formerly referred to as ESAE), you should absolutely use that approach and leverage one of the many fine options already available.

In my case, I'm a consultant, and I've had to build quite a few ESAE-type environments by this point, and not a single one had a flat enough support organization to enable effective use of a flat OU structure. I won't go into all the details here, as this isn't the place. If you are interested in my philosophy on the subject, I suggest you check out my blog, where I will go into what is likely to be an exhausting level of detail.

The overall goal of this project is to enable deployment of a Zero Trust Active Directory framework structure in an automated manner for those who need something a bit broader and more complex, but still need it to be manageable. This project leverages a specific set of framework components, partly from an ESAE base, and partly with elements of my own design. Within the framework that I have devised, there is a LOT of room for customization, and even some extensibility, without needing to modify code within the module to make most scenarios work. That said, there are some elements of the framework that are not flexible, as changing them would break the guardrails, and thus the point of the project.

The existing published version is a pre-release, in that not all features have been built yet, and there are still a few bugs that need to be worked out. That said, the current components are capable of performing a fully automated deployment of the OU structure prescribed by the framework, as well as all of the associated groups and ACLs. The module has the ability to run multi-threaded, so it can deploy hundreds of thousands of objects in a matter of hours. It's also been optimized to minimize the memory footprint (typically not more than a few hundred MB per thread), with the thread count tied to the number of processors on the system when run using the Publish-ADESAEStructure cmdlet. As much as I possibly could, everything is completely dynamic, based on entries in a very lightweight SQLite DB.

Please note that there is currently a Dev branch that holds a substantially updated version of the module (v1.4.6). This version contains a substantial number of fixes to address various issues and additional requirements I've encountered while using the module in the field in customer environments. I have not yet PR'ed this version for a number of reasons, as outlined below:

  • A number of the required changes broke the main orchestration cmdlet (Publish-ADESAEStructure), and I just haven't had time to finish updating it to align with the updates. The tool still works for deployment; you just have to run the various cmdlets manually. That said, you can technically now just pipe the output of one command straight into the next one, provided you don't need feedback on the console and don't need to run multi-threaded.
  • There was a requirement to enable complete customization of the deployment of the Scope layer OUs. The use case was an organization that needed completely different organization structures between both Tiers and Focuses. Enabling this required some restructuring of the DB and of the code that handles the OU deployment. At the time, I only needed a single level, so the ability to deploy second and third levels in the structure is not available in the updated version.
  • The updated version fully removed the dependency on the Microsoft ActiveDirectory and GroupPolicy PowerShell modules, as I had to deploy on systems without RSAT being available. One result of this is that the ability to deploy the placeholder GPOs is currently not available, as I have not yet identified a viable API-based approach. The second result is that the Install-ADDCoreComponents cmdlet is not currently able to automatically initiate redirection of the default location for users or computers. A switch was added to skip the redirection portion of the code, but if you don't use it, the cmdlet will error.

The docs folder has a more detailed accounting of the changes, as well as documentation on the known issues. One item called out in the issues is the lack of documentation outside of the in-line help. I'm going to start adding documentation for the module here, though please note that all documentation will be for the 1.4.6 version only, which I hope to have time to PR in the coming weeks once I fix a few things.
