Friday, 17 October 2014

Create the System Management Container with PowerShell

If you want System Center Configuration Manager to publish to Active Directory, you have to extend the directory schema and create the System Management container under the System container. You then have to give the site servers' computer accounts Full Control of the new object. Here's some Windows PowerShell to create the System Management container and set the required permissions on it. If the container already exists, the script will still assign permissions for a new site server. The script has been designed to run from the site server, not from another server, because it grants the rights to the computer account of the host it runs on.

# ========================================================
# SystemManagementContainer.ps1
# Purpose: Creates and/or configures the Active Directory System 
# Management container
# Author: JustAnotherTechnicalBlog 
# (
# Version: 1.0
# 1. Creates the 'System Management' container required by 
#    Configuration Manager if it does not already exist
# 2. Sets permissions on the 'System Management' container 
#    required by site servers
# 3. Is designed to be run from the site server.  It configures
#    permissions for the host from where it is run.
# 4. No variables required
# 5. Does assume the Active Directory PowerShell module is 
#    available on the target machine
# ========================================================

# Get the distinguished name of the Active Directory domain
$DomainDN = (Get-ADDomain).DistinguishedName

# Get the AD computer object for this system
$ThisSiteSystem = Get-ADComputer $env:ComputerName 

# Build distinguished name path of the System container
$SystemDN = "CN=System," + $DomainDN

# Get or create the System Management container.
# Get-ADObject throws if the object is not found, so the lookup is wrapped
# in Try/Catch and $Container stays $null when the container is missing.
$Container = $null
Try {
    $Container = Get-ADObject "CN=System Management,$SystemDN" -ErrorAction Stop
}
Catch {
    Write-Verbose "System Management container does not exist."
}

If ($Container -eq $null) {
    $Container = New-ADObject -Type Container -Name "System Management" `
                              -Path "$SystemDN" -PassThru
}

# Get current ACL for the System Management container (via the AD: drive)
$ACL = Get-ACL -Path "AD:\$($Container.DistinguishedName)"

# Get the SID for the computer object
$SID = [System.Security.Principal.SecurityIdentifier] $ThisSiteSystem.SID

# Create a new access control entry for the System Management container
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                  -ArgumentList $SID, $adRights, $type, $inheritanceType

# Add the new access control entry to the ACL object we grabbed earlier
$ACL.AddAccessRule($ACE)

# Commit the modified ACL (with the new access rule) back to the container
Set-ACL -AclObject $ACL -Path "AD:\$($Container.DistinguishedName)"
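Because Full Control of System Management lets an account change the site information clients read from the directory, it is worth checking afterwards who actually holds that right. The following companion script is an added example, not part of the original post: it reads the container's ACL and lists every Allow entry that includes GenericAll (Full Control), marking whether the identity is one of the site servers you expect. It assumes the Active Directory module is available and that the container already exists; the $ExpectedSiteServers list is a constructed placeholder.

```powershell
# Added example (not from the original post): audit Full Control holders on
# the System Management container. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SystemManagementFullControl {
    param(
        # Constructed placeholder: hostnames of the site servers that should
        # hold Full Control. Defaults to the machine the check runs on.
        [string[]]$ExpectedSiteServers = @($env:ComputerName)
    )

    $DomainDN    = (Get-ADDomain).DistinguishedName
    $ContainerDN = "CN=System Management,CN=System,$DomainDN"

    # Fail loudly if the container is missing rather than auditing nothing
    $Container = Get-ADObject -Identity $ContainerDN -ErrorAction Stop
    $ACL       = Get-Acl -Path "AD:\$($Container.DistinguishedName)"

    $GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($Ace in $ACL.Access) {
        # Only Allow entries whose rights include all of GenericAll
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        if (($Ace.ActiveDirectoryRights -band $GenericAll) -ne $GenericAll) { continue }

        # IdentityReference is usually DOMAIN\NAME; computer accounts end in '$'
        $Identity = $Ace.IdentityReference.Value
        $Name     = ($Identity -split '\\')[-1].TrimEnd('$')

        [PSCustomObject]@{
            Identity    = $Identity
            Inherited   = $Ace.IsInherited
            Inheritance = $Ace.InheritanceType
            Expected    = ($ExpectedSiteServers -contains $Name)
        }
    }
}

# Usage: list the Full Control entries and review any that are neither
# inherited from the parent containers nor an expected site server.
Get-SystemManagementFullControl | Format-Table -AutoSize
```

Inherited entries (for example the domain's built-in administrative groups) will show Inherited = True and Expected = False; the entries that deserve a second look are the explicit, non-inherited ones that are not site servers, since those are exactly what the script above creates.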
