I want to create a group in AD that has the permission to create group objects and edit group objects in a specific Organization Unit.

I want to create a group in AD that has the permission to create group objects and edit group objects in a specific Organizational Unit.

I made a script that is able to do this. I created a group that can create object and edit them, but it isn't restricted to Group objects only. How can I add this feature?

I was able to do that with the dsa for testing, but I need to do it using a script.

ps1 script:

$OrganizationalUnit = "OU=TargetOUGroups, (...)"

$GroupName = "GroupManager"

if (-not (Get-ADGroup -Filter {Name -eq $GroupName})) {

    New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path $OrganizationalUnit

}

Set-Location AD:

$Group = Get-ADGroup -Identity $GroupName

$GroupSID = $Group.SID

$ACL = Get-Acl -Path "AD:$OrganizationalUnit"

$Identity = New-Object System.Security.Principal.SecurityIdentifier($GroupSID)

$ADRights = @("WriteProperty", "CreateChild")

$Type = [System.Security.AccessControl.AccessControlType]::Allow

$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($ADRight in $ADRights) {

    $ADRightType = [System.DirectoryServices.ActiveDirectoryRights]$ADRight

    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRightType, $Type, $InheritanceType)

    $ACL.AddAccessRule($Rule)

}

Set-Acl -Path "AD:$OrganizationalUnit" -AclObject $ACL