Detailed Deployment Guide
This guide provides a step-by-step deployment workflow using scoped deployment parameters. Use this approach when you need granular control over the deployment process or want to deploy components incrementally.
For a streamlined full deployment workflow, see the Quick Deployment Guide.
Overview
This detailed approach deploys Tier Model components one type at a time, following the proper dependency order:
- Organizational Units (OUs) - Foundation hierarchy
- Security Groups - Required for ACL delegations and GPO filtering
- User Accounts - Service accounts and administrative users
- OU ACL Delegations - Permissions and rights delegation
- Group Policy Objects (GPOs) - Policy configuration and linking
- ADMX Templates - Administrative template imports
Each component follows a three-step pattern:
1. Plan - Preview changes without applying them
2. Deploy - Execute the deployment with -ConfirmApply
3. Audit - Verify compliance and detect drift
Step 1: Deploy Organizational Units
1.1 Plan OU Deployment
Review what OUs will be created:
.\Deploy-TierModel.ps1 -OuOnly -PreferredDc DC01.contoso.com
Expected Output: - List of OUs to be created - OU paths and protection settings - No changes applied to Active Directory
1.2 Deploy OUs
Execute the OU deployment:
.\Deploy-TierModel.ps1 -OuOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - OUs created successfully - Protection from accidental deletion applied - Deployment summary
1.3 Audit OUs
Verify OU compliance:
.\Audit-TierModel.ps1 -OuOnly -PreferredDc DC01.contoso.com
Expected Output: - All OUs compliant - No drift detected - Zero high-severity findings
Step 2: Deploy Security Groups
2.1 Plan Group Deployment
Review what groups will be created:
.\Deploy-TierModel.ps1 -GroupOnly -PreferredDc DC01.contoso.com
Expected Output: - List of groups to be created - Group scope and type - Planned membership assignments - No changes applied to Active Directory
2.2 Deploy Groups
Execute the group deployment:
.\Deploy-TierModel.ps1 -GroupOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - Groups created successfully - Group memberships configured - Deployment summary
2.3 Audit Groups
Verify group compliance:
.\Audit-TierModel.ps1 -GroupOnly -PreferredDc DC01.contoso.com
Expected Output: - All groups compliant - Membership matches configuration - No drift detected
Step 3: Deploy User Accounts
3.1 Plan User Deployment
Review what users will be created:
.\Deploy-TierModel.ps1 -UserOnly -PreferredDc DC01.contoso.com
Expected Output: - List of users to be created - User properties and group memberships - OU placement - No changes applied to Active Directory
3.2 Deploy Users
Execute the user deployment:
.\Deploy-TierModel.ps1 -UserOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - Users created successfully - Group memberships assigned - Users placed in correct OUs - Deployment summary
3.3 Audit Users
Verify user compliance:
.\Audit-TierModel.ps1 -UserOnly -PreferredDc DC01.contoso.com
Expected Output: - All users compliant - Placement and membership correct - No drift detected
Step 4: Deploy OU ACL Delegations
4.1 Plan OU ACL Deployment
Review what ACL delegations will be applied:
.\Deploy-TierModel.ps1 -OuAclsOnly -PreferredDc DC01.contoso.com
Expected Output: - List of OUs receiving ACL delegations - Groups being delegated permissions - Rights and access control entries to be applied - No changes applied to Active Directory
4.2 Deploy OU ACLs
Execute the ACL delegation deployment:
.\Deploy-TierModel.ps1 -OuAclsOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - ACL delegations applied successfully - Groups granted appropriate permissions - Deployment summary
4.3 Audit OU ACLs
Verify ACL delegation compliance:
.\Audit-TierModel.ps1 -OuAclsOnly -PreferredDc DC01.contoso.com
Expected Output: - All delegations compliant - Security principals have correct permissions - No drift detected
Step 5: Deploy Group Policy Objects
5.1 Plan GPO Deployment
Review what GPOs will be created and linked:
.\Deploy-TierModel.ps1 -GposOnly -PreferredDc DC01.contoso.com
Expected Output: - List of GPOs to be created or updated - GPO link targets and link order - Security filtering and WMI filters - No changes applied to Active Directory
5.2 Deploy GPOs
Execute the GPO deployment:
.\Deploy-TierModel.ps1 -GposOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - GPOs created or updated successfully - GPOs linked to target OUs - Link order and enforcement configured - Deployment summary
5.3 Audit GPOs
Verify GPO compliance:
.\Audit-TierModel.ps1 -GposOnly -PreferredDc DC01.contoso.com
Expected Output: - All GPOs compliant - Links and settings match configuration - No drift detected
Step 6: Deploy ADMX Templates
6.1 Plan ADMX Deployment
Review what ADMX templates will be imported:
.\Deploy-TierModel.ps1 -AdmxOnly -PreferredDc DC01.contoso.com
Expected Output: - List of ADMX files to be imported to Central Store - ADML language files to be imported - Target path in SYSVOL - No changes applied to the domain
6.2 Deploy ADMX Templates
Execute the ADMX deployment:
.\Deploy-TierModel.ps1 -AdmxOnly -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - ADMX templates copied to Central Store - ADML language files deployed - Templates available for GPO configuration - Deployment summary
6.3 Audit ADMX Templates
Verify ADMX template compliance:
.\Audit-TierModel.ps1 -AdmxOnly -PreferredDc DC01.contoso.com
Expected Output: - All ADMX templates present in Central Store - File hashes match configuration - No drift detected
Step 7: Deploy MSA ACL Delegations (Optional)
This step is optional and only required if you need to manage Managed Service Account (MSA) permissions using the Tier Model. Enable with -IncludeMsa switch.
7.1 Plan MSA ACL Deployment
Review what MSA ACL delegations will be applied:
.\Deploy-TierModel.ps1 -IncludeMsa -PreferredDc DC01.contoso.com
Expected Output: - List of MSAs receiving ACL delegations - Groups being delegated permissions (msDS-ManagedServiceAccount object class) - Rights and access control entries to be applied - No changes applied to Active Directory
7.2 Deploy MSA ACLs
Execute the MSA ACL delegation deployment:
.\Deploy-TierModel.ps1 -IncludeMsa -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - MSA ACL delegations applied successfully - Groups granted appropriate permissions on MSA objects - Deployment summary
7.3 Audit MSA ACLs
Verify MSA ACL delegation compliance:
.\Audit-TierModel.ps1 -IncludeMsa -PreferredDc DC01.contoso.com
Expected Output: - All MSA delegations compliant - Security principals have correct permissions on msDS-ManagedServiceAccount objects - No drift detected
Step 8: Deploy gMSA ACL Delegations (Optional)
This step is optional and only required if you need to manage Group Managed Service Account (gMSA) permissions using the Tier Model. Enable with -IncludeGmsa switch.
8.1 Plan gMSA ACL Deployment
Review what gMSA ACL delegations will be applied:
.\Deploy-TierModel.ps1 -IncludeGmsa -PreferredDc DC01.contoso.com
Expected Output: - List of gMSAs receiving ACL delegations - Groups being delegated permissions (msDS-GroupManagedServiceAccount object class) - Rights and access control entries to be applied - No changes applied to Active Directory
8.2 Deploy gMSA ACLs
Execute the gMSA ACL delegation deployment:
.\Deploy-TierModel.ps1 -IncludeGmsa -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - gMSA ACL delegations applied successfully - Groups granted appropriate permissions on gMSA objects - Deployment summary
8.3 Audit gMSA ACLs
Verify gMSA ACL delegation compliance:
.\Audit-TierModel.ps1 -IncludeGmsa -PreferredDc DC01.contoso.com
Expected Output: - All gMSA delegations compliant - Security principals have correct permissions on msDS-GroupManagedServiceAccount objects - No drift detected
Step 9: Deploy dMSA ACL Delegations (Optional)
This step is optional and only required if you need to manage Delegated Managed Service Account (dMSA) permissions using the Tier Model. Enable with -IncludeDmsa switch.
9.1 Plan dMSA ACL Deployment
Review what dMSA ACL delegations will be applied:
.\Deploy-TierModel.ps1 -IncludeDmsa -PreferredDc DC01.contoso.com
Expected Output: - List of dMSAs receiving ACL delegations - Groups being delegated permissions (msDS-DelegatedManagedServiceAccount object class) - Rights and access control entries to be applied - No changes applied to Active Directory
9.2 Deploy dMSA ACLs
Execute the dMSA ACL delegation deployment:
.\Deploy-TierModel.ps1 -IncludeDmsa -PreferredDc DC01.contoso.com -ConfirmApply
Expected Output: - dMSA ACL delegations applied successfully - Groups granted appropriate permissions on dMSA objects - Deployment summary
9.3 Audit dMSA ACLs
Verify dMSA ACL delegation compliance:
.\Audit-TierModel.ps1 -IncludeDmsa -PreferredDc DC01.contoso.com
Expected Output: - All dMSA delegations compliant - Security principals have correct permissions on msDS-DelegatedManagedServiceAccount objects - No drift detected
Post-Deployment Verification
After completing all deployment steps, run a comprehensive audit to ensure the entire Tier Model is compliant:
.\Audit-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com
Expected Output: - All components compliant across all categories - Zero high-severity findings - Complete audit report
Troubleshooting
Component Dependencies
If a deployment step fails, verify dependencies are in place: - Groups require OUs to exist - Users require OUs and Groups to exist - OU ACLs require OUs and Groups to exist - MSA ACLs (Optional) require MSA objects and Groups to exist - gMSA ACLs (Optional) require gMSA objects and Groups to exist - dMSA ACLs (Optional) require dMSA objects and Groups to exist - GPOs require OUs to exist for linking
Redeployment
If issues occur, you can safely re-run any deployment step. The deployment scripts are idempotent and will skip existing objects:
# Re-run a specific component deployment
.\Deploy-TierModel.ps1 -GroupOnly -PreferredDc DC01.contoso.com -ConfirmApply
Audit Failures
If an audit step reports drift or non-compliance: 1. Review the audit findings 2. Identify the specific discrepancies 3. Re-run the deployment for that component to remediate 4. Re-audit to verify compliance
When to Use This Approach
Use this detailed step-by-step approach when: - Deploying to production for the first time - Validating each component before proceeding - Troubleshooting specific component issues - Learning the deployment process - Meeting change control requirements for incremental changes
For routine deployments or updates, consider using the Quick Deployment Guide with -FullDeployment.
Next Steps
After successful deployment: - Schedule regular audits to detect configuration drift - Document any manual changes made outside automation - Review audit reports periodically for compliance monitoring
For additional documentation, see: - Quick Deployment Guide - Deployment Methodology - Drift Detection Details - GPO Management Strategy