This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 76%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIG%3C/text%3E%3C/svg%3E)
I have this script that gives permission to a group manipulate an object type in a specific OU. In addition to the current permissions availabe, I need to give the permission to reset user password.
I believed the WriteProperty had this permission, but turns out it didnt. I tested other options like GenericWrite and WriteOwner in this list but none of them work. The GenericAll worked but it also gives delete permission and I dont want that.
Then I saw the ExtendedRight. Apparently the permission "User-Force-Change-Password extended right" does what I need. But I dont know how to give this permission in my script. I read about the need to create an acess control right but I dont know how to do it.
User-Force-Change-Password extended right
Creating a Control Access Right
How can I give the permission "User-Force-Change-Password extended right" to a group?
The commented part in the script is not functional, just an idea.
$AutomationManagers = "OU=Job_Groups,OU=Teste_Hardening_EnterpriseAdmin,DC=INFO2,DC=DOM"
$FullPathOU = "OU=Testes,OU=Teste_Hardening_EnterpriseAdmin,DC=INFO2,DC=DOM"
if ($FullPathOU -eq $AutomationManagers) {
Write-Host "OU não permitida."
exit -1
}
$start = 3
$end = $FullPathOU.IndexOf(',', $start)
$TargetOU = $FullPathOU.Substring($start, $end - $start)
$ObjectType = "User"
$ObjectsIDs = @{
"Computer"="bf967a86-0de6-11d0-a285-00aa003049e2";
"Group"="bf967a9c-0de6-11d0-a285-00aa003049e2";
"OrganizationalUnit"="bf967aa5-0de6-11d0-a285-00aa003049e2";
"User"="bf967aba-0de6-11d0-a285-00aa003049e2"
}
function AnalyzeVariables ($variables) {
$hasWriteProperty = $false
$hasCreateChild = $false
#$hasResetPassword = $false
foreach ($variable in $variables) {
if ($variable -eq "WriteProperty") {
$hasWriteProperty = $true
} elseif ($variable -eq "CreateChild") {
$hasCreateChild = $true
} #elseif ($variable -eq "ResetPassword") {
# $hasResetPassword = $true
#}
}
$sufixPermissions="_"
if ($hasWriteProperty) {
$sufixPermissions=$sufixPermissions+"W"
}
if ($hasCreateChild) {
$sufixPermissions=$sufixPermissions+"C"
}
#if ($hasResetPassword) {
# $sufixPermissions=$sufixPermissions+"R"
#}
return $sufixPermissions
}
$ADRightsString = "CreateChild,WriteProperty"
$ADRightsList = $ADRightsString.Split(",")
$RightsIdentifier = AnalyzeVariables $ADRightsList
$GroupName = $ObjectType + "Manager_" + $TargetOU + $RightsIdentifier
Invoke-Command -ComputerName "hw-dc-01" -Credential $credential -ScriptBlock {
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter {Name -eq $using:GroupName})) {
New-ADGroup -Name $using:GroupName -GroupCategory Security -GroupScope Global -Path $using:AutomationManagers
}
else{
Write-Host "Grupo já existente."
exit -1
}
$OUPath = $using:FullPathOU
$ACL = Get-Acl -Path "AD:\$OUPath"
$Group = Get-ADGroup -Identity $using:GroupName
$GroupSID = $Group.SID
$Identity = New-Object System.Security.Principal.SecurityIdentifier($GroupSID)
$Type = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$IDs=$using:ObjectsIDs
$ObjectType=$using:ObjectType
$ObjectTypeID =[guid]$IDs[$ObjectType]
$listOfRights = $using:ADRightsList
foreach ($ADRight in $listOfRights) {
$ADRightType = [System.DirectoryServices.ActiveDirectoryRights]$ADRight
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity, $ADRightType, $Type, $objectTypeID, $InheritanceType)
$ACL.AddAccessRule($Rule)
}
Set-Acl -Path "AD:\$OUPath" -AclObject $ACL
}
$Output = "Grupo " + $GroupName + " adicionado com as permissões desejadas em " + $FullPathOU
Write-Host $Output
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi Igor Godinho,
Please note that the User-Force-Change-Password extended right does not apply to groups. It only applies to User, Computer, ms-DS-Managed-Service-Account and inetOrgPerson objects.
Best Regards,
Ian Xue
If the Answer is helpful, please click "Accept Answer" and upvote it.
