From fc2d7c2c8f57f28e2c1095d18b0ad9f1a097de6a Mon Sep 17 00:00:00 2001
From: 0cmenog <poupoumicou@gmail.com>
Date: Mon, 15 May 2023 09:58:40 +0200
Subject: [PATCH 1/4] add GPOChanges from Domain ou OU to Computer and manage
 enforced and blockInheritance precedences

---
 src/components/Menu/MenuContainer.jsx |  33 +++--
 src/js/ingestion_types.js             |  11 ++
 src/js/newingestion.js                | 188 +++++++++++++++++++++++++-
 3 files changed, 217 insertions(+), 15 deletions(-)

diff --git a/src/components/Menu/MenuContainer.jsx b/src/components/Menu/MenuContainer.jsx
index cb187209e..50eb3dfe0 100644
--- a/src/components/Menu/MenuContainer.jsx
+++ b/src/components/Menu/MenuContainer.jsx
@@ -308,14 +308,31 @@ const MenuContainer = () => {
                         }
                     }
                 } else {
-                    for (let key in processedData) {
-                        let props = processedData[key].props;
-                        if (props.length === 0) continue;
-                        let chunked = props.chunk();
-                        let statement = processedData[key].statement;
-
-                        for (let chunk of chunked) {
-                            await uploadData(statement, chunk);
+                    if (Array.isArray(processedData)) {
+                        for (let data in processedData) {
+                            data = processedData[data];
+                            for (let key in data) {
+                                let props = data[key].props;
+                                if (props.length === 0) continue;
+                                let chunked = props.chunk();
+                                let statement = data[key].statement;
+
+                                for (let chunk of chunked) {
+                                    await uploadData(statement, chunk);
+                                }
+                            }
+                        }
+                    }
+                    else {
+                        for (let key in processedData) {
+                            let props = processedData[key].props;
+                            if (props.length === 0) continue;
+                            let chunked = props.chunk();
+                            let statement = processedData[key].statement;
+
+                            for (let chunk of chunked) {
+                                await uploadData(statement, chunk);
+                            }
                         }
                     }
                 }
diff --git a/src/js/ingestion_types.js b/src/js/ingestion_types.js
index c8984cbc8..3c1bdd248 100644
--- a/src/js/ingestion_types.js
+++ b/src/js/ingestion_types.js
@@ -115,6 +115,17 @@
  * @property {Array.<TypedPrincipal>} DcomUsers
  * @property {Array.<TypedPrincipal>} PSRemoteUsers
  * @property {Array.<TypedPrincipal>} AffectedComputers
+ * @property {boolean} BlockInheritance
+ * @property {LinkType} Unenforced
+ * @property {LinkType} Enforced
+ */
+
+/**
+ * @typedef {Object} LinkType
+ * @property {Dictionary.<string,int>} PasswordPolicies
+ * @property {Dictionary.<string,bool>} SMBSigning
+ * @property {Dictionary.<string,bool>} LDAPSigning
+ * @property {Dictionary.<string,int>} LMAuthenticationLevel
  */
 
 /**
diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 3cc024c8e..7f9dd8629 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -1,5 +1,6 @@
 import { groupBy } from 'lodash/collection';
 
+var blockInheritanceComputers = [];
 const TRUST_DIRECTION_INBOUND = 'Inbound';
 const TRUST_DIRECTION_OUTBOUND = 'Outbound';
 const TRUST_DIRECTION_BIDIRECTIONAL = 'Bidirectional';
@@ -34,6 +35,11 @@ export const ADLabels = {
     Contains: 'Contains',
     GPLink: 'GPLink',
     TrustedBy: 'TrustedBy',
+    PasswordPolicies: 'PasswordPolicies',
+    SMBSigning: 'SMBSigning',
+    LDAPSigning: 'LDAPSigning',
+    LMAuthenticationLevel: 'LMAuthenticationLevel',
+    GPOChanges: 'GPOChanges',
 };
 
 const AzureApplicationAdministratorRoleId =
@@ -527,7 +533,7 @@ export function buildContainerJsonNew(chunk) {
 /**
  * @param {Array.<OU>} chunk
  * @return {{}}
- */
+*/
 export function buildOuJsonNew(chunk) {
     let queries = {};
     queries.properties = {
@@ -535,6 +541,10 @@ export function buildOuJsonNew(chunk) {
         props: [],
     };
 
+    let computerStatement = PROP_QUERY.format(ADLabels.Computer);
+    let queriesComputers = {};
+    var linkTypeProperties = [];
+
     for (let ou of chunk) {
         let properties = ou.Properties;
         let links = ou.Links;
@@ -543,6 +553,7 @@ export function buildOuJsonNew(chunk) {
         let identifier = ou.ObjectIdentifier.toUpperCase();
         properties.objectid = identifier;
         let aces = ou.Aces;
+        let blockInheritance = ou.GPOChanges.BlockInheritance;
 
         processAceArrayNew(aces, identifier, 'OU', queries);
 
@@ -550,6 +561,100 @@ export function buildOuJsonNew(chunk) {
             objectid: identifier,
             map: properties,
         });
+        // add GPOChanges properties to the affected computers
+        let computers = ou.GPOChanges.AffectedComputers;
+        let computerProperties = {"unenforced": {}, "enforced": {}};
+        let linkType = [ou.GPOChanges.Unenforced, ou.GPOChanges.Enforced];
+        // add enforced and unenforced properties separatly
+        for (let index=0;index<linkType.length;index++) {
+            computerProperties[Object.keys(computerProperties)[index]] = {
+                // password policies
+                "minimumPasswordAge": linkType[index].PasswordPolicies.MinimumPasswordAge,
+                "maximumPasswordAge": linkType[index].PasswordPolicies.MaximumPasswordAge,
+                "minimumPasswordLength": linkType[index].PasswordPolicies.MinimumPasswordLength,
+                "passwordComplexity": linkType[index].PasswordPolicies.PasswordComplexity,
+                "passwordHistorySize": linkType[index].PasswordPolicies.PasswordHistorySize,
+                "clearTextPassword": linkType[index].PasswordPolicies.ClearTextPassword,
+                // lockout policies
+                "lockoutDuration": linkType[index].LockoutPolicies.LockoutDuration,
+                "lockoutBadCount": linkType[index].LockoutPolicies.LockoutBadCount,
+                "resetLockoutCount": linkType[index].LockoutPolicies.ResetLockoutCount,
+                "forceLogoffWhenHourExpire": linkType[index].LockoutPolicies.ForceLogoffWhenHourExpire,
+                // SMB signings
+                "requiresServerSMBSigning": linkType[index].SMBSigning.RequiresServerSMBSigning,
+                "enablesServerSMBSigning": linkType[index].SMBSigning.EnablesServerSMBSigning,
+                "requiresClientSMBSigning": linkType[index].SMBSigning.RequiresClientSMBSigning,
+                "enablesClientSMBSigning": linkType[index].SMBSigning.EnablesClientSMBSigning,
+                // LDAP signing
+                "requiresLDAPClientSigning": linkType[index].LDAPSigning.RequiresLDAPClientSigning,
+                // LM authentication level
+                "lmCompatibilityLevel": linkType[index].LMAuthenticationLevel.LmCompatibilityLevel
+            };
+        };
+
+        var computerIdentifier = "";
+        var found;
+        // add properties for each affected computer
+        for (let index=0;index<computers.length;index++){
+            found = false;
+            computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
+            if(!blockInheritanceComputers.includes(computerIdentifier)){
+                // unenforced are added first and may be overridden by enforced
+                for (let prop of linkTypeProperties){
+                    // if the computer is already affected by properties
+                    if(prop.objectid === computerIdentifier){
+                        // add the ones which do not exist yet
+                        for(let [key, value] of Object.entries(computerProperties["unenforced"])){
+                        if(prop.map[key] === undefined && !(value === undefined)){
+                                prop.map[key] = value;
+                            }
+                        }
+                        found = true;
+                    }
+                }
+
+                // if the computer has not already been affected by properties
+                if(!found){
+                    linkTypeProperties.push({
+                        objectid: computerIdentifier,
+                        map: computerProperties["unenforced"],
+                    });
+                }
+
+                // add the computer to the block inheritance array if needed
+                if(blockInheritance){
+                    blockInheritanceComputers.push(computerIdentifier);
+                }
+            }
+
+            // enforced properties are always applied (even if the computer is under a node which blocks inheritance)
+            for (let prop of linkTypeProperties){
+                // if the computer is already affected by properties
+                if(prop.objectid === computerIdentifier){
+                    for(let [key, value] of Object.entries(computerProperties["enforced"])){
+                        if(!(value === undefined)){
+                            prop.map[key] = value;
+                        }
+                    }
+                    found = true;
+                }
+            }
+
+            // if the computer has not already been affected by properties
+            if(!found){
+                linkTypeProperties.push({
+                    objectid: computerIdentifier,
+                    map: computerProperties["enforced"],
+                });
+            }
+        }
+
+        queriesComputers = {
+            properties: {
+                statement: computerStatement,
+                props: linkTypeProperties,
+            }
+        };
 
         let format = [ADLabels.OU, '', ADLabels.Contains, NON_ACL_PROPS];
         let grouped = groupBy(children, GROUP_OBJECT_TYPE);
@@ -578,8 +683,6 @@ export function buildOuJsonNew(chunk) {
         });
         insertNew(queries, format, props);
 
-        let computers = ou.GPOChanges.AffectedComputers;
-
         format = [
             '',
             ADLabels.Computer,
@@ -664,7 +767,7 @@ export function buildOuJsonNew(chunk) {
             insertNew(queries, format, flattened);
         }
     }
-    return queries;
+    return [queries, queriesComputers];
 }
 
 /**
@@ -679,6 +782,16 @@ export function buildDomainJsonNew(chunk) {
         props: [],
     };
 
+    let computerStatement = PROP_QUERY.format(ADLabels.Computer);
+    let queriesComputers = [
+        {
+            properties: {
+                statement: computerStatement,
+                props: [],
+            }
+        }
+    ];
+
     for (let domain of chunk) {
         let properties = domain.Properties;
         let children = domain.ChildObjects;
@@ -686,6 +799,69 @@ export function buildDomainJsonNew(chunk) {
         let aces = domain.Aces;
         let links = domain.Links;
         let trusts = domain.Trusts;
+        let computers = domain.GPOChanges.AffectedComputers;
+        let blockInheritance = domain.GPOChanges.BlockInheritance;
+
+        // add GPOChanges properties to the affected computers
+        let computerProperties = {"unenforced": {}, "enforced": {}};
+        let linkType = [domain.GPOChanges.Unenforced, domain.GPOChanges.Enforced];
+        for (let index=0;index<linkType.length;index++) {
+            computerProperties[Object.keys(computerProperties)[index]] = {
+                // password policies
+                "minimumPasswordAge": linkType[index].PasswordPolicies.MinimumPasswordAge,
+                "maximumPasswordAge": linkType[index].PasswordPolicies.MaximumPasswordAge,
+                "minimumPasswordLength": linkType[index].PasswordPolicies.MinimumPasswordLength,
+                "passwordComplexity": linkType[index].PasswordPolicies.PasswordComplexity,
+                "passwordHistorySize": linkType[index].PasswordPolicies.PasswordHistorySize,
+                "clearTextPassword": linkType[index].PasswordPolicies.ClearTextPassword,
+                // lockout policies
+                "lockoutDuration": linkType[index].LockoutPolicies.LockoutDuration,
+                "lockoutBadCount": linkType[index].LockoutPolicies.LockoutBadCount,
+                "resetLockoutCount": linkType[index].LockoutPolicies.ResetLockoutCount,
+                "forceLogoffWhenHourExpire": linkType[index].LockoutPolicies.ForceLogoffWhenHourExpire,
+                // SMB signings
+                "requiresServerSMBSigning": linkType[index].SMBSigning.RequiresServerSMBSigning,
+                "enablesServerSMBSigning": linkType[index].SMBSigning.EnablesServerSMBSigning,
+                "requiresClientSMBSigning": linkType[index].SMBSigning.RequiresClientSMBSigning,
+                "enablesClientSMBSigning": linkType[index].SMBSigning.EnablesClientSMBSigning,
+                // LDAP signing
+                "requiresLDAPClientSigning": linkType[index].LDAPSigning.RequiresLDAPClientSigning,
+                // LM authentication level
+                "lmCompatibilityLevel": linkType[index].LMAuthenticationLevel.LmCompatibilityLevel
+            };
+        };
+
+        var computerIdentifier = "";
+        // add properties for each affected computer
+        for (let index=0;index<computers.length;index++) {
+            computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
+
+            if(!blockInheritanceComputers.includes(computerIdentifier)){
+                // unenforced will be overridden by enforced
+                computerProperties = _.merge(computerProperties["unenforced"], computerProperties["enforced"]);
+
+                // add the computer to the block inheritance array if needed
+                if(blockInheritance){
+                    blockInheritanceComputers.push(computerIdentifier);
+                }
+
+            } else {
+                // enforced properties are applied even if the computer is under a node which blocks inheritance
+                computerProperties = computerProperties["enforced"];
+            }
+
+            queriesComputers[index] = {
+                properties: {
+                    statement: computerStatement,
+                    props: [
+                        {
+                            objectid: computerIdentifier,
+                            map: computerProperties,
+                        }
+                    ],
+                }
+            };
+        }
 
         processAceArrayNew(aces, identifier, 'Domain', queries);
 
@@ -721,8 +897,6 @@ export function buildDomainJsonNew(chunk) {
         });
         insertNew(queries, format, props);
 
-        let computers = domain.GPOChanges.AffectedComputers;
-
         format = [
             '',
             ADLabels.Computer,
@@ -861,7 +1035,7 @@ export function buildDomainJsonNew(chunk) {
         }
     }
 
-    return queries;
+    return [queries, queriesComputers].flat();
 }
 
 const baseInsertStatement =

From c74cb0fcf5c2be3a906569ff43e974d226e72976 Mon Sep 17 00:00:00 2001
From: 0cmenog <poupoumicou@gmail.com>
Date: Tue, 16 May 2023 16:19:05 +0200
Subject: [PATCH 2/4] correct GPOChanges priorities

---
 src/js/newingestion.js | 126 +++++++++++++++++++++++++++--------------
 1 file changed, 84 insertions(+), 42 deletions(-)

diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 7f9dd8629..6d275aaf1 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -1,6 +1,8 @@
 import { groupBy } from 'lodash/collection';
 
 var blockInheritanceComputers = [];
+var linkTypeProperties = [];
+var enforcedProperties = {};
 const TRUST_DIRECTION_INBOUND = 'Inbound';
 const TRUST_DIRECTION_OUTBOUND = 'Outbound';
 const TRUST_DIRECTION_BIDIRECTIONAL = 'Bidirectional';
@@ -543,7 +545,11 @@ export function buildOuJsonNew(chunk) {
 
     let computerStatement = PROP_QUERY.format(ADLabels.Computer);
     let queriesComputers = {};
-    var linkTypeProperties = [];
+
+    // sort OU from the children to the parent using the length of the distinguished name
+    chunk.sort((a,b) => {
+        return b.Properties.distinguishedname.length - a.Properties.distinguishedname.length;
+    });
 
     for (let ou of chunk) {
         let properties = ou.Properties;
@@ -594,7 +600,7 @@ export function buildOuJsonNew(chunk) {
 
         var computerIdentifier = "";
         var found;
-        // add properties for each affected computer
+        // build a vector of properties for each affected computer, taking into account the blocInheritance and the enforced precedences
         for (let index=0;index<computers.length;index++){
             found = false;
             computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
@@ -605,8 +611,8 @@ export function buildOuJsonNew(chunk) {
                     if(prop.objectid === computerIdentifier){
                         // add the ones which do not exist yet
                         for(let [key, value] of Object.entries(computerProperties["unenforced"])){
-                        if(prop.map[key] === undefined && !(value === undefined)){
-                                prop.map[key] = value;
+                            if(prop.map[key] === undefined && value != undefined){
+                                    prop.map[key] = value;
                             }
                         }
                         found = true;
@@ -617,8 +623,10 @@ export function buildOuJsonNew(chunk) {
                 if(!found){
                     linkTypeProperties.push({
                         objectid: computerIdentifier,
-                        map: computerProperties["unenforced"],
+                        // clone the object, without using the same reference
+                        map: Object.assign({}, computerProperties["unenforced"]),
                     });
+                    enforcedProperties[computerIdentifier] = [];
                 }
 
                 // add the computer to the block inheritance array if needed
@@ -629,11 +637,13 @@ export function buildOuJsonNew(chunk) {
 
             // enforced properties are always applied (even if the computer is under a node which blocks inheritance)
             for (let prop of linkTypeProperties){
-                // if the computer is already affected by properties
-                if(prop.objectid === computerIdentifier){
+                // if this computer is already affected by properties
+                if(computerIdentifier === prop.objectid){
                     for(let [key, value] of Object.entries(computerProperties["enforced"])){
-                        if(!(value === undefined)){
+                        // rewrite the property if it is empty or an unenforced one
+                        if(value != undefined && (!Object.keys(enforcedProperties).includes(computerIdentifier) || !(enforcedProperties[computerIdentifier].includes(key)))){
                             prop.map[key] = value;
+                            enforcedProperties[computerIdentifier].push(key);
                         }
                     }
                     found = true;
@@ -644,18 +654,13 @@ export function buildOuJsonNew(chunk) {
             if(!found){
                 linkTypeProperties.push({
                     objectid: computerIdentifier,
-                    map: computerProperties["enforced"],
+                    // clone the object, without using the same reference
+                    map: Object.assign({}, computerProperties["enforced"]),
                 });
+                enforcedProperties[computerIdentifier] = Object.keys(computerProperties["enforced"]);
             }
         }
 
-        queriesComputers = {
-            properties: {
-                statement: computerStatement,
-                props: linkTypeProperties,
-            }
-        };
-
         let format = [ADLabels.OU, '', ADLabels.Contains, NON_ACL_PROPS];
         let grouped = groupBy(children, GROUP_OBJECT_TYPE);
 
@@ -767,6 +772,14 @@ export function buildOuJsonNew(chunk) {
             insertNew(queries, format, flattened);
         }
     }
+
+    queriesComputers = {
+        properties: {
+            statement: computerStatement,
+            props: linkTypeProperties,
+        }
+    };
+
     return [queries, queriesComputers];
 }
 
@@ -783,14 +796,7 @@ export function buildDomainJsonNew(chunk) {
     };
 
     let computerStatement = PROP_QUERY.format(ADLabels.Computer);
-    let queriesComputers = [
-        {
-            properties: {
-                statement: computerStatement,
-                props: [],
-            }
-        }
-    ];
+    let queriesComputers = {};
 
     for (let domain of chunk) {
         let properties = domain.Properties;
@@ -832,35 +838,64 @@ export function buildDomainJsonNew(chunk) {
         };
 
         var computerIdentifier = "";
+        var found;
         // add properties for each affected computer
-        for (let index=0;index<computers.length;index++) {
+        for (let index=0;index<computers.length;index++){
+            found = false;
             computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
-
             if(!blockInheritanceComputers.includes(computerIdentifier)){
-                // unenforced will be overridden by enforced
-                computerProperties = _.merge(computerProperties["unenforced"], computerProperties["enforced"]);
+                // unenforced are added first and may be overridden by enforced
+                for (let prop of linkTypeProperties){
+                    // if the computer is already affected by properties
+                    if(prop.objectid === computerIdentifier){
+                        // add the ones which do not exist yet
+                        for(let [key, value] of Object.entries(computerProperties["unenforced"])){
+                        if(prop.map[key] === undefined && value != undefined){
+                                prop.map[key] = value;
+                            }
+                        }
+                        found = true;
+                    }
+                }
+
+                // if the computer has not already been affected by properties
+                if(!found){
+                    linkTypeProperties.push({
+                        objectid: computerIdentifier,
+                        // clone the object, without using the same reference
+                        map: Object.assign({}, computerProperties["unenforced"]),
+                    });
+                    enforcedProperties[computerIdentifier] = [];
+                }
 
                 // add the computer to the block inheritance array if needed
                 if(blockInheritance){
                     blockInheritanceComputers.push(computerIdentifier);
                 }
-
-            } else {
-                // enforced properties are applied even if the computer is under a node which blocks inheritance
-                computerProperties = computerProperties["enforced"];
             }
 
-            queriesComputers[index] = {
-                properties: {
-                    statement: computerStatement,
-                    props: [
-                        {
-                            objectid: computerIdentifier,
-                            map: computerProperties,
+            // enforced properties are always applied (even if the computer is under a node which blocks inheritance)
+            for (let prop of linkTypeProperties){
+                // if this computer is already affected by properties
+                if(prop.objectid === computerIdentifier){
+                    for(let [key, value] of Object.entries(computerProperties["enforced"])){
+                        if(value != undefined && (!Object.keys(enforcedProperties).includes(computerIdentifier) || !(enforcedProperties[computerIdentifier].includes(key)))){                            prop.map[key] = value;
+                            enforcedProperties[computerIdentifier].push(key);
                         }
-                    ],
+                    }
+                    found = true;
                 }
-            };
+            }
+
+            // if the computer has not already been affected by properties
+            if(!found){
+                linkTypeProperties.push({
+                    objectid: computerIdentifier,
+                    // clone the object, without using the same reference
+                    map: Object.assign({}, computerProperties["enforced"]),
+                });
+                enforcedProperties[computerIdentifier] = Object.keys(computerProperties["enforced"]);
+            }
         }
 
         processAceArrayNew(aces, identifier, 'Domain', queries);
@@ -1035,7 +1070,14 @@ export function buildDomainJsonNew(chunk) {
         }
     }
 
-    return [queries, queriesComputers].flat();
+    queriesComputers = {
+        properties: {
+            statement: computerStatement,
+            props: linkTypeProperties,
+        }
+    };
+
+    return [queries, queriesComputers];
 }
 
 const baseInsertStatement =

From ff4488a8e55a663a0290f686dce5c8fa6ee1f446 Mon Sep 17 00:00:00 2001
From: 0cmenog <poupoumicou@gmail.com>
Date: Thu, 25 May 2023 11:35:40 +0200
Subject: [PATCH 3/4] fix OU/Domain GPO precedences and code cleaning

---
 src/js/ingestion_types.js |   1 +
 src/js/newingestion.js    | 187 ++++++++++++++++++--------------------
 2 files changed, 87 insertions(+), 101 deletions(-)

diff --git a/src/js/ingestion_types.js b/src/js/ingestion_types.js
index 3c1bdd248..422c73056 100644
--- a/src/js/ingestion_types.js
+++ b/src/js/ingestion_types.js
@@ -123,6 +123,7 @@
 /**
  * @typedef {Object} LinkType
  * @property {Dictionary.<string,int>} PasswordPolicies
+ * @property {Dictionary.<string,int>} LockoutPolicies
  * @property {Dictionary.<string,bool>} SMBSigning
  * @property {Dictionary.<string,bool>} LDAPSigning
  * @property {Dictionary.<string,int>} LMAuthenticationLevel
diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 6d275aaf1..8eed2284c 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -1,8 +1,7 @@
 import { groupBy } from 'lodash/collection';
 
-var blockInheritanceComputers = [];
-var linkTypeProperties = [];
-var enforcedProperties = {};
+let unenforcedDomainProperties = {};
+let enforcedDomainPropertyKeys = {};
 const TRUST_DIRECTION_INBOUND = 'Inbound';
 const TRUST_DIRECTION_OUTBOUND = 'Outbound';
 const TRUST_DIRECTION_BIDIRECTIONAL = 'Bidirectional';
@@ -38,6 +37,7 @@ export const ADLabels = {
     GPLink: 'GPLink',
     TrustedBy: 'TrustedBy',
     PasswordPolicies: 'PasswordPolicies',
+    LockoutPolicies: 'LockoutPolicies',
     SMBSigning: 'SMBSigning',
     LDAPSigning: 'LDAPSigning',
     LMAuthenticationLevel: 'LMAuthenticationLevel',
@@ -544,13 +544,17 @@ export function buildOuJsonNew(chunk) {
     };
 
     let computerStatement = PROP_QUERY.format(ADLabels.Computer);
-    let queriesComputers = {};
+    let computerQuery = {};
+    let computerProperties = [];
+    let blockInheritanceComputers = [];
+    let enforcedOuProperties = {};
 
     // sort OU from the children to the parent using the length of the distinguished name
     chunk.sort((a,b) => {
         return b.Properties.distinguishedname.length - a.Properties.distinguishedname.length;
     });
 
+    // OU are processed from the bottom up, so the default behavior is to not override already set properties
     for (let ou of chunk) {
         let properties = ou.Properties;
         let links = ou.Links;
@@ -567,13 +571,15 @@ export function buildOuJsonNew(chunk) {
             objectid: identifier,
             map: properties,
         });
+
         // add GPOChanges properties to the affected computers
         let computers = ou.GPOChanges.AffectedComputers;
-        let computerProperties = {"unenforced": {}, "enforced": {}};
+        let ouProperties = {"unenforced": {}, "enforced": {}};
         let linkType = [ou.GPOChanges.Unenforced, ou.GPOChanges.Enforced];
+
         // add enforced and unenforced properties separatly
         for (let index=0;index<linkType.length;index++) {
-            computerProperties[Object.keys(computerProperties)[index]] = {
+            ouProperties[Object.keys(ouProperties)[index]] = {
                 // password policies
                 "minimumPasswordAge": linkType[index].PasswordPolicies.MinimumPasswordAge,
                 "maximumPasswordAge": linkType[index].PasswordPolicies.MaximumPasswordAge,
@@ -598,66 +604,77 @@ export function buildOuJsonNew(chunk) {
             };
         };
 
-        var computerIdentifier = "";
-        var found;
-        // build a vector of properties for each affected computer, taking into account the blocInheritance and the enforced precedences
+        // add properties
         for (let index=0;index<computers.length;index++){
-            found = false;
-            computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
+            let computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
+            let found = false;
+
+            // remove unenforced OU properties overlapping with domain enforced properties
+            if(Object.keys(enforcedDomainPropertyKeys).includes(computerIdentifier)){
+                for (let key of enforcedDomainPropertyKeys[computerIdentifier]){
+                    delete ouProperties["unenforced"][key];
+                }
+            }
+
+            // unenforced properties
             if(!blockInheritanceComputers.includes(computerIdentifier)){
-                // unenforced are added first and may be overridden by enforced
-                for (let prop of linkTypeProperties){
-                    // if the computer is already affected by properties
+                // add, if the computer is already affected by properties
+                for (let prop of computerProperties){
                     if(prop.objectid === computerIdentifier){
-                        // add the ones which do not exist yet
-                        for(let [key, value] of Object.entries(computerProperties["unenforced"])){
-                            if(prop.map[key] === undefined && value != undefined){
-                                    prop.map[key] = value;
+                        // add properties which do not exist yet and are not enforced at the domain level
+                        for(let [key, value] of Object.entries(ouProperties["unenforced"])){
+                            if(prop.map[key] === undefined && (!Object.keys(enforcedDomainPropertyKeys).includes(computerIdentifier) || !enforcedDomainPropertyKeys[computerIdentifier].includes(key)) && value !== undefined){
+                                prop.map[key] = value;
                             }
                         }
                         found = true;
                     }
                 }
 
-                // if the computer has not already been affected by properties
+                // create, if the computer has not already been affected by properties
                 if(!found){
-                    linkTypeProperties.push({
+                    computerProperties.push({
                         objectid: computerIdentifier,
-                        // clone the object, without using the same reference
-                        map: Object.assign({}, computerProperties["unenforced"]),
+                        map: Object.assign({}, ouProperties["unenforced"]),
                     });
-                    enforcedProperties[computerIdentifier] = [];
                 }
 
-                // add the computer to the block inheritance array if needed
                 if(blockInheritance){
+                    // add the computer to the block inheritance array
                     blockInheritanceComputers.push(computerIdentifier);
+                    // remove unenforced properties set by domains
+                    delete unenforcedDomainProperties[computerIdentifier];
                 }
             }
 
-            // enforced properties are always applied (even if the computer is under a node which blocks inheritance)
-            for (let prop of linkTypeProperties){
-                // if this computer is already affected by properties
+            // enforced properties
+            // add, if this computer is already affected by properties
+            for (let prop of computerProperties){
                 if(computerIdentifier === prop.objectid){
-                    for(let [key, value] of Object.entries(computerProperties["enforced"])){
-                        // rewrite the property if it is empty or an unenforced one
-                        if(value != undefined && (!Object.keys(enforcedProperties).includes(computerIdentifier) || !(enforcedProperties[computerIdentifier].includes(key)))){
+                    for(let [key, value] of Object.entries(ouProperties["enforced"])){
+                        // override the property if it is empty or an not enforced at a lower OU level
+                        if(value !== undefined && (!Object.keys(enforcedOuProperties).includes(computerIdentifier) || !(enforcedOuProperties[computerIdentifier].includes(key)))){
                             prop.map[key] = value;
-                            enforcedProperties[computerIdentifier].push(key);
+                            // store the property keys as enforced
+                            try{
+                                enforcedOuProperties[computerIdentifier].push(key);
+                            } catch (ReferenceRerror){
+                                enforcedOuProperties[computerIdentifier] = [key];
+                            }
                         }
                     }
                     found = true;
                 }
             }
 
-            // if the computer has not already been affected by properties
+            // create,if the computer has not already been affected by properties
             if(!found){
-                linkTypeProperties.push({
+                computerProperties.push({
                     objectid: computerIdentifier,
-                    // clone the object, without using the same reference
-                    map: Object.assign({}, computerProperties["enforced"]),
+                    map: Object.assign({}, ouProperties["enforced"]),
                 });
-                enforcedProperties[computerIdentifier] = Object.keys(computerProperties["enforced"]);
+                // store the property keys as enforced
+                enforcedOuProperties[computerIdentifier] = Object.keys(ouProperties["enforced"]);
             }
         }
 
@@ -773,14 +790,26 @@ export function buildOuJsonNew(chunk) {
         }
     }
 
-    queriesComputers = {
+    // Finally add domain unenforced properties, without overriding existing properties
+    for (let domainComputerId of Object.keys(unenforcedDomainProperties)){
+        for (let prop of computerProperties){
+            if(domainComputerId === prop.objectid){
+                for (let [key, value] of Object.entries(prop.map)){
+                    if(unenforcedDomainProperties[domainComputerId][key] !== undefined && value === undefined){
+                        prop.map[key] = unenforcedDomainProperties[domainComputerId][key];
+                    }
+                }
+            }
+        }
+    }
+    computerQuery = {
         properties: {
             statement: computerStatement,
-            props: linkTypeProperties,
+            props: computerProperties,
         }
     };
 
-    return [queries, queriesComputers];
+    return [queries, computerQuery];
 }
 
 /**
@@ -796,7 +825,8 @@ export function buildDomainJsonNew(chunk) {
     };
 
     let computerStatement = PROP_QUERY.format(ADLabels.Computer);
-    let queriesComputers = {};
+    let computerQuery = {};
+    let computerProperties = [];
 
     for (let domain of chunk) {
         let properties = domain.Properties;
@@ -806,13 +836,12 @@ export function buildDomainJsonNew(chunk) {
         let links = domain.Links;
         let trusts = domain.Trusts;
         let computers = domain.GPOChanges.AffectedComputers;
-        let blockInheritance = domain.GPOChanges.BlockInheritance;
 
         // add GPOChanges properties to the affected computers
-        let computerProperties = {"unenforced": {}, "enforced": {}};
+        let domainProperties = {"unenforced": {}, "enforced": {}};
         let linkType = [domain.GPOChanges.Unenforced, domain.GPOChanges.Enforced];
         for (let index=0;index<linkType.length;index++) {
-            computerProperties[Object.keys(computerProperties)[index]] = {
+            domainProperties[Object.keys(domainProperties)[index]] = {
                 // password policies
                 "minimumPasswordAge": linkType[index].PasswordPolicies.MinimumPasswordAge,
                 "maximumPasswordAge": linkType[index].PasswordPolicies.MaximumPasswordAge,
@@ -837,65 +866,21 @@ export function buildDomainJsonNew(chunk) {
             };
         };
 
-        var computerIdentifier = "";
-        var found;
         // add properties for each affected computer
+        // a computer can belong to one domain max
         for (let index=0;index<computers.length;index++){
-            found = false;
-            computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
-            if(!blockInheritanceComputers.includes(computerIdentifier)){
-                // unenforced are added first and may be overridden by enforced
-                for (let prop of linkTypeProperties){
-                    // if the computer is already affected by properties
-                    if(prop.objectid === computerIdentifier){
-                        // add the ones which do not exist yet
-                        for(let [key, value] of Object.entries(computerProperties["unenforced"])){
-                        if(prop.map[key] === undefined && value != undefined){
-                                prop.map[key] = value;
-                            }
-                        }
-                        found = true;
-                    }
-                }
+            let computerIdentifier = computers[index].ObjectIdentifier.toUpperCase();
 
-                // if the computer has not already been affected by properties
-                if(!found){
-                    linkTypeProperties.push({
-                        objectid: computerIdentifier,
-                        // clone the object, without using the same reference
-                        map: Object.assign({}, computerProperties["unenforced"]),
-                    });
-                    enforcedProperties[computerIdentifier] = [];
-                }
-
-                // add the computer to the block inheritance array if needed
-                if(blockInheritance){
-                    blockInheritanceComputers.push(computerIdentifier);
-                }
-            }
-
-            // enforced properties are always applied (even if the computer is under a node which blocks inheritance)
-            for (let prop of linkTypeProperties){
-                // if this computer is already affected by properties
-                if(prop.objectid === computerIdentifier){
-                    for(let [key, value] of Object.entries(computerProperties["enforced"])){
-                        if(value != undefined && (!Object.keys(enforcedProperties).includes(computerIdentifier) || !(enforcedProperties[computerIdentifier].includes(key)))){                            prop.map[key] = value;
-                            enforcedProperties[computerIdentifier].push(key);
-                        }
-                    }
-                    found = true;
-                }
-            }
+            // store unenforced propertiesto manage precedences with OU properties
+            unenforcedDomainProperties[computerIdentifier] = domainProperties["unenforced"];
 
-            // if the computer has not already been affected by properties
-            if(!found){
-                linkTypeProperties.push({
-                    objectid: computerIdentifier,
-                    // clone the object, without using the same reference
-                    map: Object.assign({}, computerProperties["enforced"]),
-                });
-                enforcedProperties[computerIdentifier] = Object.keys(computerProperties["enforced"]);
-            }
+            // add enforced properties
+            computerProperties.push({
+                objectid: computerIdentifier,
+                map: Object.assign({}, domainProperties["enforced"]),
+            });
+            // store defined property keys
+            enforcedDomainPropertyKeys[computerIdentifier] = Object.keys(domainProperties["enforced"]).filter(key => domainProperties["enforced"][key] !== undefined);
         }
 
         processAceArrayNew(aces, identifier, 'Domain', queries);
@@ -1070,14 +1055,14 @@ export function buildDomainJsonNew(chunk) {
         }
     }
 
-    queriesComputers = {
+    computerQuery = {
         properties: {
             statement: computerStatement,
-            props: linkTypeProperties,
+            props: computerProperties,
         }
     };
 
-    return [queries, queriesComputers];
+    return [queries, computerQuery];
 }
 
 const baseInsertStatement =

From c8638e9b135667827200a515314f7c9739bc008d Mon Sep 17 00:00:00 2001
From: 0cmenog <poupoumicou@gmail.com>
Date: Mon, 24 Jul 2023 12:15:10 +0200
Subject: [PATCH 4/4] fix a precedence rule (multiple enforced properties)

---
 src/js/newingestion.js | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 8eed2284c..dc0b7103e 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -547,7 +547,6 @@ export function buildOuJsonNew(chunk) {
     let computerQuery = {};
     let computerProperties = [];
     let blockInheritanceComputers = [];
-    let enforcedOuProperties = {};
 
     // sort OU from the children to the parent using the length of the distinguished name
     chunk.sort((a,b) => {
@@ -652,15 +651,9 @@ export function buildOuJsonNew(chunk) {
             for (let prop of computerProperties){
                 if(computerIdentifier === prop.objectid){
                     for(let [key, value] of Object.entries(ouProperties["enforced"])){
-                        // override the property if it is empty or an not enforced at a lower OU level
-                        if(value !== undefined && (!Object.keys(enforcedOuProperties).includes(computerIdentifier) || !(enforcedOuProperties[computerIdentifier].includes(key)))){
+                        // override the property if it is empty or an not enforced at domain level
+                        if(value !== undefined && (!Object.keys(enforcedDomainPropertyKeys).includes(computerIdentifier) || !(enforcedDomainPropertyKeys[computerIdentifier].includes(key)))){
                             prop.map[key] = value;
-                            // store the property keys as enforced
-                            try{
-                                enforcedOuProperties[computerIdentifier].push(key);
-                            } catch (ReferenceRerror){
-                                enforcedOuProperties[computerIdentifier] = [key];
-                            }
                         }
                     }
                     found = true;
@@ -673,8 +666,6 @@ export function buildOuJsonNew(chunk) {
                     objectid: computerIdentifier,
                     map: Object.assign({}, ouProperties["enforced"]),
                 });
-                // store the property keys as enforced
-                enforcedOuProperties[computerIdentifier] = Object.keys(ouProperties["enforced"]);
             }
         }