Delegate in AD with PowerShell

Wolfgang-2637 0 Reputation points
2023-08-11T12:41:18.4033333+00:00

Hi,

I want to set ACLs in AD via PowerShell to delegate, for a specific OU, the right for an AD group to edit computer and user accounts.

The computer part seems to work but I struggle with the right syntax of the user (InetOrgPerson):

Here is my code:

#settings
Import-Module ActiveDirectory
$TargetOU = "OU=Test-OU,DC=sub,DC=domain,DC=org"
$GroupToDelegate = "CN=Service Operator,OU=Groups,DC=sub,DC=domain,DC=org"
$TargetDC = "dc1.sub.domain.org"

# get identity and current acl (after Set-Location AD: the DN is resolved relative to the AD: drive)
Set-Location AD:
$Group = Get-ADGroup -Identity $GroupToDelegate -Server $TargetDC
$GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
$ACL = Get-Acl -Path $TargetOU
$Identity = [System.Security.Principal.IdentityReference] $GroupSID

# system wide SchemaIDGuid (schemaIDGUID of the base schema classes, identical in every forest)
$UserClass = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
$ComputerClass = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"
$InetOrgPerson = [GUID]"4828cc14-1437-45bc-9b07-ad6f015e5f28"

# six-argument constructor: objectType = $InetOrgPerson, inheritance = Descendents, inheritedObjectType = $UserClass
# (this is the line that fails: "Create, Delete" are not ActiveDirectoryRights values)
$RuleInetOrgPerson = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID, "Create, Delete", "Allow", $InetOrgPerson, "Descendents" , $UserClass)
$ACL.AddAccessRule($RuleInetOrgPerson)

# five-argument constructor: objectType = $ComputerClass, inheritance = All (this OU and every descendant)
$RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $ComputerClass, "All")
$ACL.AddAccessRule($RuleCreateAndDeleteComputer)

Set-Acl -Path $TargetOU -AclObject $ACL

The problem is related to this line:

$RuleInetOrgPerson = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID, "Create, Delete", "Allow", $InetOrgPerson, "Descendents" , $UserClass)  

Can someone please help me?

Regards Wolfgang


1 answer

  1. Ian Xue-MSFT 41,691 Reputation points Microsoft External Staff
    2023-08-14T03:47:16.39+00:00

    Hi,

    "Create" is not a valid value for the adRights parameter. Please use "CreateChild, DeleteChild" instead.

    $RuleInetOrgPerson = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID, "CreateChild, DeleteChild", "Allow", $InetOrgPerson, "Descendents" , $UserClass)
    

    ActiveDirectoryRights Enum

    https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-7.0

    Best Regards,

    Ian Xue


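The following is an added example and is not code from the question or the answer above. It applies the fix from the answer (the rights must be ActiveDirectoryRights members, here "CreateChild, DeleteChild") and goes a step further than the thread: it resolves the schemaIDGUID of each class from the schema partition instead of hard-coding it, grants create/delete for user, inetOrgPerson and computer objects in one loop using the five-argument constructor with inheritance "All", and then reads the DACL back and lists exactly which ACEs the group ended up with. The OU, group and DC names are placeholders carried over from the question; it assumes the account running it holds WriteDacl on the target OU and that the ActiveDirectory module (AD: drive) is available.

```powershell
# Added example (not from the original question or answer): delegate create/delete of
# user, inetOrgPerson and computer objects in one OU to one group, then verify the DACL.
# Assumptions: placeholder OU/group/DC names; the caller has WriteDacl on the target OU.
Import-Module ActiveDirectory

$TargetOU        = "OU=Test-OU,DC=sub,DC=domain,DC=org"
$GroupToDelegate = "CN=Service Operator,OU=Groups,DC=sub,DC=domain,DC=org"
$TargetDC        = "dc1.sub.domain.org"

# Resolve a class's schemaIDGUID from the schema partition rather than hard-coding it.
# schemaIDGUID is stored as a byte array, so it has to be cast to [guid].
function Get-SchemaClassGuid {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][string]$Server
    )
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $class = Get-ADObject -Server $Server -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $class) { throw "Class '$LdapDisplayName' not found in the schema" }
    [guid]$class.schemaIDGUID
}

$classGuids = @{}
foreach ($name in 'user', 'inetOrgPerson', 'computer') {
    $classGuids[$name] = Get-SchemaClassGuid -LdapDisplayName $name -Server $TargetDC
}

$group = Get-ADGroup -Identity $GroupToDelegate -Server $TargetDC
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Prefixing the DN with AD:\ avoids depending on Set-Location AD: having been run.
$acl = Get-Acl -Path "AD:\$TargetOU"

foreach ($name in $classGuids.Keys) {
    # objectType scopes the ACE to one class, so the group can create/delete only objects
    # of that class. Inheritance "All" applies the ACE to the OU and every descendant
    # container (child OUs included); use "None" to limit it to this OU alone.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuids[$name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: read the DACL back and show the ACEs that name this group, mapping each
# ObjectType GUID back to its class. An ACE whose ObjectType is the all-zero GUID
# would cover every child class, which is broader than this delegation intends.
$guidToName = @{}
foreach ($kv in $classGuids.GetEnumerator()) { $guidToName[$kv.Value.ToString()] = $kv.Key }

(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    } |
    ForEach-Object {
        $key = $_.ObjectType.ToString()
        $className = if ($guidToName.ContainsKey($key)) { $guidToName[$key] } else { $key }
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            ObjectClass = $className
            Inheritance = $_.InheritanceType
            Type        = $_.AccessControlType
        }
    } | Format-Table -AutoSize
```

Two points worth checking before running something like this in production. First, the six-argument form used in the thread passes $UserClass as inheritedObjectType, which means the ACE is inherited only by user objects beneath the OU (and grants create/delete of inetOrgPerson children on those user objects); if the goal is to create inetOrgPerson objects in the OU itself, the five-argument form above with the class as objectType is the one that expresses that. Second, CreateChild/DeleteChild only cover creating and deleting; editing existing accounts needs separate WriteProperty ACEs (with the class as inheritedObjectType), and the member who creates an object becomes its owner, which implies the ability to change that object's DACL. The verification step at the end, or dsacls against the OU, is how you confirm the delegation is no wider than planned.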

