I want to create a group in AD that has the permission to create group objects and edit group objects in a specific Organizational Unit.

Anonymous
2023-11-09T18:25:19+00:00

I want to create a group in AD that has the permission to create group objects and edit group objects in a specific Organizational Unit.

I made a script that is able to do this. I created a group that can create objects and edit them, but it isn't restricted to Group objects only. How can I add this feature?

I was able to do that with the dsa for testing, but I need to do it using a script.

ps1 script:

Import-Module ActiveDirectory   # provides Get-ADGroup, New-ADGroup and the AD: drive used below

$OrganizationalUnit = "OU=TargetOUGroups, (...)"
$GroupName = "GroupManager"

# Create the delegate group inside the target OU if it does not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path $OrganizationalUnit
}

Set-Location AD:

$Group = Get-ADGroup -Identity $GroupName
# Get-ADGroup already returns a SecurityIdentifier; build the identity from its string value
$Identity = [System.Security.Principal.SecurityIdentifier]$Group.SID.Value

$ACL = Get-Acl -Path "AD:\$OrganizationalUnit"

# Rights to grant. No object type is given, so each ACE applies to every object class
$ADRights = @("WriteProperty", "CreateChild")
$Type = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($ADRight in $ADRights) {
    $ADRightType = [System.DirectoryServices.ActiveDirectoryRights]$ADRight
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRightType, $Type, $InheritanceType)
    $ACL.AddAccessRule($Rule)
}

Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $ACL

Windows for business | Windows Server | User experience | PowerShell

Accepted answer
  1. Anonymous
    2023-11-10T08:12:54+00:00

    Hi iggodinho,

    You can specify the object type to which the access rule applies.

    $objectType = [guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"

    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRightType, $Type, $objectType, $InheritanceType)

    bf967a9c-0de6-11d0-a285-00aa003049e2 is the schema GUID of the group object.

    Best Regards,

    Ian Xue

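The accepted answer's object-type GUID applied in a complete delegation script, as an added example that is not the answer's or the thread's own code. It assumes the ActiveDirectory module, an example OU DN (replace it with yours) and that the GroupManager group from the question already exists. On the CreateChild ACE the class GUID goes in ObjectType, exactly as in the answer, and names the class that may be created. For the edit right the example uses the six-argument constructor and puts the class GUID in InheritedObjectType with inherit-only inheritance, the pattern the Delegation of Control wizard writes for "manage objects of class X", so the write ACE is inherited by group objects under the OU and by nothing else. The Get-Acl read-back at the end is the check to run afterwards.

```powershell
# Added example (not code from the thread): delegate "create groups" and
# "edit groups" on one OU, scoped to the group object class only.
# Assumptions: ActiveDirectory module present, $OrganizationalUnit is your OU's DN,
# and the GroupManager group from the question already exists.
Import-Module ActiveDirectory

$OrganizationalUnit = "OU=TargetOUGroups,DC=example,DC=com"   # assumed DN, replace with yours
$GroupName          = "GroupManager"

$GroupClassGuid = [guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'group' class (from the answer)
$AllProperties  = [guid]::Empty                                  # empty ObjectType = no property restriction

$Group    = Get-ADGroup -Identity $GroupName
$Identity = [System.Security.Principal.SecurityIdentifier]$Group.SID.Value
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$AclPath  = "AD:\$OrganizationalUnit"

# ACE 1: CreateChild with ObjectType = group class. The delegate may create
# group objects (and no other class) in this OU and in every sub-OU.
$CreateGroups = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $Identity,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    $Allow,
    $GroupClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# ACE 2: WriteProperty on all properties, inherit-only (Descendents), with
# InheritedObjectType = group class. Only group objects below the OU inherit it;
# users, computers and sub-OUs are not affected.
$EditGroups = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $Identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $Allow,
    $AllProperties,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $GroupClassGuid
)

$ACL = Get-Acl -Path $AclPath
$ACL.AddAccessRule($CreateGroups)
$ACL.AddAccessRule($EditGroups)
Set-Acl -Path $AclPath -AclObject $ACL

# Verify: read the DACL back and list only the explicit ACEs for the delegate
# group, including the class GUIDs that scope each one.
(Get-Acl -Path $AclPath).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $Identity } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

In the read-back, the CreateChild row should show the group class GUID under ObjectType and the WriteProperty row should show an empty ObjectType with the group class GUID under InheritedObjectType; any ACE for the delegate that shows neither GUID is one that is not scoped to groups.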

1 additional answer

  1. Anonymous
    2023-11-10T17:43:50+00:00

    Thank you very much for the help.

    It worked.

    I would like to do this for other objects. Where can I get the schema GUID for other object types, such as user or OU?

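The follow-up question above has no answer on the page. As an added example that is not from the thread: the GUIDs live in the directory itself, so they can be looked up by lDAPDisplayName instead of being copied from a table. Object classes (user, group, organizationalUnit) and attributes (member, description) both carry their GUID in the schemaIDGUID attribute of their schema object under the schema naming context; extended rights (Reset Password and the like) carry theirs in rightsGuid under CN=Extended-Rights in the configuration naming context. The two helper functions are assumptions of this example, not cmdlets of the ActiveDirectory module; they only read, and need a reachable domain controller.

```powershell
# Added example (not code from the thread): resolve schema GUIDs from the
# directory instead of hard-coding them. Assumes the ActiveDirectory module
# and a reachable domain controller. Both functions are helpers written for
# this example and only perform read queries.
Import-Module ActiveDirectory

function Get-SchemaObjectGuid {
    # Returns the schemaIDGUID of one or more classes (classSchema) or
    # attributes (attributeSchema), looked up by lDAPDisplayName.
    param(
        [Parameter(Mandatory)][string[]]$LdapDisplayName
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $LdapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if (-not $obj) { Write-Warning "No schema object with lDAPDisplayName '$name'"; continue }
        [pscustomobject]@{
            Name = $name
            Kind = if ($obj.ObjectClass -eq 'classSchema') { 'class' } else { 'attribute' }
            Guid = [guid]$obj.schemaIDGUID   # schemaIDGUID is stored as 16 raw bytes
        }
    }
}

function Get-ExtendedRightGuid {
    # Returns the rightsGuid of one or more control access rights (extended
    # rights, property sets, validated writes), looked up by displayName.
    param(
        [Parameter(Mandatory)][string[]]$DisplayName
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    foreach ($name in $DisplayName) {
        $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$name)" -Properties rightsGuid
        if (-not $obj) { Write-Warning "No extended right with displayName '$name'"; continue }
        [pscustomobject]@{
            Name = $name
            Kind = 'control access right'
            Guid = [guid]$obj.rightsGuid     # rightsGuid is stored as a string
        }
    }
}

# Usage: classes and attributes by lDAPDisplayName, rights by display name
Get-SchemaObjectGuid -LdapDisplayName 'group', 'user', 'organizationalUnit', 'member' | Format-Table -AutoSize
Get-ExtendedRightGuid -DisplayName 'Reset Password' | Format-Table -AutoSize
```

For 'group' the lookup returns bf967a9c-0de6-11d0-a285-00aa003049e2, the value given in the accepted answer. Class GUIDs belong in the ObjectType slot of a CreateChild or DeleteChild ACE and in the InheritedObjectType slot of any ACE that should apply only to objects of that class; attribute and property-set GUIDs belong in ObjectType of a ReadProperty or WriteProperty ACE; rightsGuid values belong in ObjectType of an ExtendedRight ACE.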