Powershell active directory delegation

From WikiWiki

Do you want to change security permissions in Active Directory? You can go oldskool and use dsacls, or you can go PowerShell! The examples below delegate the following rights on an OU to a single account:

  1. Read all users information
  2. Create, delete and manage groups
  3. Modify the membership of a group


dsacls "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com" /G corp\NHOLLIDA:grgwdtlccc

The letters after the colon are the permissions being granted, two characters each:

GR: Generic Read
GW: Generic Write
DT: Delete an object and all of its child objects.
LC: List the child objects of the object.
CC: Create a child object.
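An added example, not from the original wiki page: the dsacls call above applies its ACE to the OU object only, because no inheritance flag is given. The script below grants the same generic rights with /I:T so the entry is inherited by existing and future child objects, shows the object-specific form of the /G argument (permission;object type;inherited object type, as documented for dsacls) for the narrower "groups only" delegation, and then reads the DACL back to confirm what was written. The OU and account names are the page's sample values, not real objects.

```powershell
# Added example (not part of the original page). Sample OU and account from the page.
$ou   = "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com"
$user = "corp\NHOLLIDA"

# Same generic rights as the page's one-liner, but /I:T makes the ACE apply to the OU
# and to everything below it (without /I: the ACE lands on the OU object alone).
# ${user} is braced so PowerShell does not parse "$user:GR..." as a scoped variable.
dsacls $ou /I:T /G "${user}:GRGWDTLCCC"

# Least-privilege alternative for "create, delete and manage groups":
#   CCDC;group       -> create and delete child objects of class group
#   WP;member;group  -> write the member attribute on descendant group objects only
# (/I:S = sub-objects only, so the OU itself does not get a member ACE)
dsacls $ou /I:T /G "${user}:CCDC;group"
dsacls $ou /I:S /G "${user}:WP;member;group"

# Read the resulting DACL back and show only the entries for the delegated account
dsacls $ou | Select-String -Pattern "NHOLLIDA"
```

Run the read-back line on its own before and after the change; the difference between the two listings is the exact set of ACEs you delegated.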


Import-Module ActiveDirectory
#Switch to the AD: drive so the Get-ACL call later in the script can take a plain distinguished name
cd ad:
#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
#Get a reference to the current domain
$domain = Get-ADDomain

#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

#Create a hashtable to store the GUID value of each extended right and property set in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

#Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity ("OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com")
#Get the SID of the user we wish to delegate access to (use Get-ADGroup here to delegate to a group instead)
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "NHOLLIDA").SID
#Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ($ou.DistinguishedName)
#Create an Access Control Entry for each new permission we wish to add
#Allow the account to write all properties of group objects in the OU and all sub-OUs
#(the commented-out variant grants the same on descendent user objects instead)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow","Descendents",$guidmap["user"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow",$guidmap["group"],"All"))
#Allow the account to create and delete group objects in the OU and all sub-OUs that may get created
#(the commented-out variant does the same for user objects)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"CreateChild,DeleteChild","Allow",$guidmap["group"],"All"))
#Optional extra rights: reset passwords on all descendent user objects ("Reset Password" is an extended right),
#and write group membership on all descendent groups. "Group Membership" is a property set containing the
#member attribute, not an extended right, so it must be granted with WriteProperty rather than ExtendedRight
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow",$extendedrightsmap["Group Membership"],"Descendents",$guidmap["group"]))
#Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
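An added example, not from the original page: after applying the DACL it is worth reading it back and translating every ACE granted to the delegated account into names, because Get-ACL only shows raw GUIDs for ObjectType and InheritedObjectType. The script below builds the reverse of the page's two GUID maps and prints each ACE for the account in readable form, which makes over-broad entries (for example GenericAll with an empty ObjectType) easy to spot. It assumes the ActiveDirectory module and reuses the page's sample OU DN and account name; the Resolve-AdGuid helper is this example's own.

```powershell
# Added example (not part of the original page). Sample OU DN and account from the page.
Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$ouDN    = "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com"
$sid     = (Get-ADUser "NHOLLIDA").SID

# Reverse lookups: schema GUID -> class/attribute name, rightsGuid -> extended right / property set name.
# Keys are the GUID's string form so both sources land in one table.
$nameByGuid = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $nameByGuid[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $nameByGuid[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# Helper (this example's own): turn an ACE GUID into something a reviewer can read
function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return "(all)" }            # empty GUID = every property / every class
    $key = $g.ToString()
    if ($nameByGuid.ContainsKey($key)) { return $nameByGuid[$key] }
    return $key                                               # unknown GUID: show it rather than hide it
}

# Pull the DACL and keep only the entries that belong to the delegated account.
# IdentityReference is usually an NTAccount, so translate it to a SID before comparing.
$acl = Get-Acl -Path ("AD:\" + $ouDN)
$acl.Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object @{n='Type';        e={ $_.AccessControlType }},
                  @{n='Rights';      e={ $_.ActiveDirectoryRights }},
                  @{n='ObjectType';  e={ Resolve-AdGuid $_.ObjectType }},
                  @{n='AppliesTo';   e={ Resolve-AdGuid $_.InheritedObjectType }},
                  @{n='Inheritance'; e={ $_.InheritanceType }},
                  @{n='Inherited';   e={ $_.IsInherited }} |
    Format-Table -AutoSize
```

For the page's script you should see two explicit (Inherited = False) Allow entries: WriteProperty with ObjectType "group", and CreateChild, DeleteChild with ObjectType "group", both with Inheritance "All". Anything else listed for the account was either inherited from a parent container or delegated elsewhere, and deserves a look.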