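# This script creates all the OUs and groups required by new customers in Active Directory
# Author - Matt Ramirez - Last Updated 8/9/2012
#
# Usage: run interactively on a host with the ActiveDirectory and GroupPolicy modules
# (RSAT). Prompts for the new OU name and for the LDAP admin account password, then
# creates the OU tree, links the WSUS flight GPOs, creates the customer groups and the
# LDAP admin user, and protects all of them from accidental deletion.

# Every later step builds on the objects created by earlier ones, so a failed cmdlet must
# stop the run instead of leaving a half-provisioned customer behind.
$ErrorActionPreference = 'Stop'

# Imports Active Directory module into PowerShell - otherwise New-ADGroup, New-ADUser,
# Set-ADObject and the other AD cmdlets won't work. GroupPolicy is needed for New-GPLink.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Base container under which every customer OU lives, and the UPN suffix for the LDAP admin.
$baseDN    = "OU=Companies,DC=odqad,DC=com"
$upnSuffix = "odqad.com"

# Pauses kept from the original script (5s after the parent OU, 15s before linking GPOs);
# presumably they let the new OUs replicate before the next cmdlets look them up - tune
# here if later steps report "object not found".
$parentOUWaitSeconds = 5
$gpoLinkWaitSeconds  = 15

# Six server "flight" OUs, each linked to its own "WSUS Flight N" GPO.
$flightCount = 6

# Prompts for a name for the new OU which is used to then create all subsequent AD objects.
# The name is concatenated straight into distinguished names below, so an empty value or a
# character that is special in an LDAP DN would change what gets created - reject both.
Clear-Host
$StrOUName = (Read-Host "Enter New Organizational Unit (OU) Name").Trim()
if ([string]::IsNullOrWhiteSpace($StrOUName)) {
    throw "OU name must not be empty."
}
if ($StrOUName -match '[,+"\\<>;=#]') {
    throw "OU name must not contain any of , + `" \ < > ; = #"
}

# LDAP admin account name. $truncStrOUName was never assigned anywhere in the original
# script, so every customer got the account name "_LDAPAdm". A user sAMAccountName is
# limited to 20 characters, so the OU name is truncated to leave room for the suffix -
# presumably the intent behind the "trunc" variable; confirm against existing accounts.
$ldapAdminSuffix = "_LDAPAdm"
$maxSamLength    = 20
$truncStrOUName  = $StrOUName.Substring(0, [Math]::Min($StrOUName.Length, $maxSamLength - $ldapAdminSuffix.Length))
$ldapAdminName   = $truncStrOUName + $ldapAdminSuffix
$ldapUPN         = "$ldapAdminName@$upnSuffix"

# Collect the password up front, as a SecureString, rather than hard-coding it in the
# script: the value is masked at the prompt and never lives in source control.
$ldapAdminPassword = Read-Host "Enter password for $ldapAdminName" -AsSecureString
Clear-Host

# Distinguished names for the new OUs. The child OU is created as "Disabled Users" (with a
# space); the original built its DN as "DisabledUsers", so the protection step never found it.
$parentOUName        = "OU=$StrOUName,$baseDN"
$disabledUsersOUName = "OU=Disabled Users,$parentOUName"
$groupsOUName        = "OU=Groups,$parentOUName"
$serversOUName       = "OU=Servers,$parentOUName"
$servicesOUName      = "OU=Services,$parentOUName"
$usersOUName         = "OU=Users,$parentOUName"

# Sets base OU and creates the five child OUs. Accidental-deletion protection is applied at
# creation time, which replaces the separate Set-ADOrganizationalUnit pass.
New-ADOrganizationalUnit -Name $StrOUName -Path $baseDN -ProtectedFromAccidentalDeletion $true
Start-Sleep -Seconds $parentOUWaitSeconds

foreach ($childName in @('Disabled Users', 'Groups', 'Servers', 'Services', 'Users')) {
    New-ADOrganizationalUnit -Name $childName -Path $parentOUName -ProtectedFromAccidentalDeletion $true
}

# Flight OUs under Servers. The original did not protect these, so that is preserved here.
foreach ($i in 1..$flightCount) {
    New-ADOrganizationalUnit -Name "Flight$i" -Path $serversOUName -ProtectedFromAccidentalDeletion $false
}

# Create Server Flight GPO links
Write-Host "Linking Flight GPOs to $serversOUName"
Start-Sleep -Seconds $gpoLinkWaitSeconds
foreach ($i in 1..$flightCount) {
    New-GPLink -Name "WSUS Flight $i" -Target "OU=Flight$i,$serversOUName"
}

# Creates the new groups. Suffix is appended to the OU name for the group name and
# sAMAccountName; Description is prefixed with the OU name. Each group gets its OWN display
# name - the original copied the Admins display name onto all but the first two groups.
$groupSpecs = @(
    @{ Suffix = '_Admins_Group';              Description = 'Admins Group' }
    @{ Suffix = '_BP_Group';                  Description = 'BP Group' }
    @{ Suffix = '_Servers_Group';             Description = 'Servers Group' }
    @{ Suffix = '_Users_Group';               Description = 'Users Group' }
    @{ Suffix = '_Linux_Users';               Description = 'Linux Users Group' }
    @{ Suffix = '_Linux_Developers';          Description = 'Linux Developers Group' }
    @{ Suffix = '_Linux_Handhelds';           Description = 'Linux Handhelds Group' }
    @{ Suffix = '_Non_Prod_Linux_Users';      Description = 'Non Prod Linux Users Group' }
    @{ Suffix = '_Non_Prod_Linux_Developers'; Description = 'Non Prod Linux Developers Group' }
    @{ Suffix = '_Non_Prod_Linux_Handhelds';  Description = 'Non Prod Linux Handhelds Group' }
)

foreach ($spec in $groupSpecs) {
    $groupName = $StrOUName + $spec.Suffix
    New-ADGroup -Name $groupName `
                -SamAccountName $groupName `
                -GroupCategory Security `
                -GroupScope Universal `
                -DisplayName $groupName `
                -Path $groupsOUName `
                -Description "$StrOUName $($spec.Description)"
    # Protects the new group from accidental deletion
    Set-ADObject -Identity "CN=$groupName,$groupsOUName" -ProtectedFromAccidentalDeletion $true
}

# Creates LDAP Admin account in the Services OU and sets the password collected above.
$ldapAdminCNName = "CN=$ldapAdminName,$servicesOUName"
New-ADUser -Name $ldapAdminName `
           -SamAccountName $ldapAdminName `
           -UserPrincipalName $ldapUPN `
           -GivenName $StrOUName `
           -Surname "LDAPAdmin" `
           -DisplayName $ldapAdminName `
           -Path $servicesOUName
Set-ADAccountPassword -Identity $ldapAdminName -Reset -NewPassword $ldapAdminPassword
# PasswordNeverExpires is kept from the original; it means this credential is only ever
# rotated by hand, so the account belongs in whatever inventory tracks service accounts.
Set-ADUser -Identity $ldapAdminName -Enabled $true -PasswordNeverExpires $true
Set-ADObject -Identity $ldapAdminCNName -ProtectedFromAccidentalDeletion $true

# Tells you everything worked fine. (The original passed "+" as a separate argument to
# Write-Host, so it printed a literal plus sign.)
Write-Host "$StrOUName Has Been Created"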