Powershell script delegate OU permissions

Question

Powershell script delegate OU permissions

MW 1

How can I give a specific Domain Local Group Full Access rights to a specific OU with a powershell command?

2 answers

Your answer

Answer 1

Romain 16

$OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"
$GroupName = "Domain Users"

Set-Location AD:
$Group = Get-ADGroup -Identity $GroupName
$GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
$ACL = Get-Acl -Path $OrganizationalUnit

$Identity = [System.Security.Principal.IdentityReference] $GroupSID
$ADRight = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$Type = [System.Security.AccessControl.AccessControlType] "Allow"
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRight, $Type,  $InheritanceType)

$ACL.AddAccessRule($Rule)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

Change :

$OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"
$GroupName = "Domain Users"

Jan Fernand Bosløven 41 Reputation points

2021-06-14T08:11:22.317+00:00
How can I give a service user delegation with this PS with this security settings:
Computer object only

Create/delete Computer objects

Reset password

read and write account restrictions

validated write to DNS host name

validated write to service principal name

The script you posted here works like a charm, but for my purposes, it gives to many access...:-S

Thank you for your help :-)
Papp László 6 Reputation points

2021-09-29T09:38:08.727+00:00

Hello,

Did you find a Solution for this?
Could you please share the script, if yes?
Jan Fernand Bosløven 41 Reputation points

2021-10-05T06:25:20.243+00:00

posted the complete script. and it works...;)

Answer 2

Set delegation for service_account in servers OU

$OrganizationalUnit = "OU=Servers,OU=SP02,OU=Delivery,$rootDN"
$ServiceUserName = "account_name"
Set-Location AD:
$Group = Get-ADuser -Identity $ServiceUserName
$GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
$ACL = Get-Acl -Path $OrganizationalUnit
$Identity = [System.Security.Principal.IdentityReference] $GroupSID
$Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"
$ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"
$AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"
$RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
$RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
$RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
$RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
$ACL.AddAccessRule($RuleCreateAndDeleteComputer)
$ACL.AddAccessRule($RuleResetPassword)
$ACL.AddAccessRule($RuleValidatedDNSHostName)
$ACL.AddAccessRule($RuleValidatedSPN)
$ACL.AddAccessRule($RuleAccountRestrictions)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL

Papp László 6 Reputation points

2021-10-08T09:02:12.313+00:00

Thank you very much. This is a great help.
Do you know where can I find a list about this group ID's?
[GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"

Share via

Powershell script delegate OU permissions

2 answers

Set delegation for service_account in servers OU

Your answer