Powershell active directory delegation

From WikiWiki
Revision as of 10:36, 7 July 2020 by Mendel (talk | contribs)

Do you want to change security permissions in Active Directory? You can go oldskool and use dsacls, or you can go PowerShell! Both examples below delegate the same three rights on one OU to a single account:

  1. Read all users information
  2. Create, delete and manage groups
  3. Modify the membership of a group


dsacls "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com" /G corp\NHOLLIDA:grgwdtlccc

The letters after the colon are dsacls permission codes, two characters each:

GR: Generic Read.
GW: Generic Write.
DT: Delete an object and all of its child objects.
LC: List the child objects of the object.
CC: Create a child object.


Import-Module ActiveDirectory
#Change to the Active Directory PSDrive so that Get-ACL/Set-ACL can address objects by distinguished name later in the script
cd ad:
#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
#Get a reference to the current domain
$domain = Get-ADDomain

#Create a hashtable to store the GUID value of each schema class and attribute, keyed by lDAPDisplayName
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

#Create a hashtable to store the GUID value of each extended right and property set in the forest, keyed by displayName
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

#Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com"
#Get the SID of the user (or group) we wish to delegate access to
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "NHOLLIDA").SID
#Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ("AD:\"+($ou.DistinguishedName))
#Create an Access Control Entry for each new permission we wish to add.
#For WriteProperty the ObjectType GUID names a property or property set, so the class to which the ACE applies
#goes in InheritedObjectType instead (constructor: identity, rights, type, inheritance, inheritedObjectType).
#Allow the account to write all properties of descendent group objects (swap "group" for "user" to manage users instead)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow","Descendents",$guidmap["user"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow","Descendents",$guidmap["group"]))
#Allow the account to create and delete group objects in the OU and all sub-OUs that may get created.
#For CreateChild/DeleteChild the ObjectType GUID is the class that may be created or deleted, so the class GUID is correct here.
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"CreateChild,DeleteChild","Allow",$guidmap["group"],"All"))
#Optionally also allow the account to reset passwords on all descendent user objects (an extended right)
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
#or to write the "Group Membership" property set (the member attribute) on all descendent group objects
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"WriteProperty","Allow",$extendedrightsmap["Group Membership"],"Descendents",$guidmap["group"]))
#Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
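To check what the OU's DACL actually contains after either method, here is an added example (not from the wiki page) that reads the DACL back and lists only the ACEs held by the delegated account, translating the ObjectType and InheritedObjectType GUIDs back into schema class, attribute and extended-right names. The OU and account are the ones used above; the Resolve-AdGuid helper and the AD:\ path form are my own.

```powershell
Import-Module ActiveDirectory
# Constructed example values: the OU and account from the delegation script above
$ouDn = "OU=test,OU=tSFGroups,OU=tSF,DC=corp,DC=contoso,DC=com"
$who  = "CORP\NHOLLIDA"

$rootdse = Get-ADRootDSE
# Reverse lookups: GUID string -> lDAPDisplayName (schema) and GUID string -> displayName (extended rights / property sets)
$classByGuid = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $classByGuid[([System.Guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
$rightByGuid = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $rightByGuid[([System.Guid]$_.rightsGuid).ToString()] = $_.displayName }

# Helper (assumed name): turn an ACE GUID into a readable name; the empty GUID means "any object/property"
function Resolve-AdGuid([System.Guid]$g) {
    if ($g -eq [System.Guid]::Empty) { return "(any)" }
    $k = $g.ToString()
    if ($classByGuid.ContainsKey($k)) { return $classByGuid[$k] }
    if ($rightByGuid.ContainsKey($k)) { return $rightByGuid[$k] }
    return $k
}

# Read the DACL back and keep only the ACEs granted to the delegated account
$acl = Get-Acl -Path ("AD:\" + $ouDn)
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $who } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = Resolve-AdGuid $_.ObjectType          # property / property set / creatable class
            AppliesTo   = Resolve-AdGuid $_.InheritedObjectType # class the ACE is inherited by
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

An ACE whose ObjectType resolves to a class name under WriteProperty is a sign the GUID was put in the wrong constructor slot; it will never match an attribute write.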