Delegate Rights to a OU for one Service User on Computer Objects only with Powershell

Jan Fernand Bosløven 36 Reputation points
2021-06-16T06:01:03.91+00:00

How can I give a service user delegation with this PS script, with these security settings:
Computer objects only

* Create/delete Computer objects

* Reset password

* Read and write account restrictions

* Validated write to DNS host name

* Validated write to service principal name

Started with this, but it gives all access, and I haven't figured out how to narrow it down... :-S

    # Set delegation for svc-joindom in the Servers OU
    # $rootDN is assumed to be set already, e.g. to (Get-ADRootDSE).defaultNamingContext
    Import-Module ActiveDirectory
    $OrganizationalUnit = "OU=Servers,OU=SP02,OU=SvcDelivery,$rootDN"
    $ServiceUserName = "svc-joindom"

    Set-Location AD:
    $Group = Get-ADUser -Identity $ServiceUserName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    # GenericAll with inheritance "All" grants full control over the OU and every descendant object
    $ADRight = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRight, $Type, $InheritanceType)

    $ACL.AddAccessRule($Rule)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL

Please help me...:-)


Accepted answer
  1. Ian Xue 38,296 Reputation points Microsoft Vendor
    2021-06-17T06:19:41.823+00:00

    Hi,

    You can specify the GUID of objectType and inheritedObjectType for a specific permission.

    # $rootDN is assumed to be set already, e.g. to (Get-ADRootDSE).defaultNamingContext
    Import-Module ActiveDirectory
    $OrganizationalUnit = "OU=Servers,OU=SP02,OU=SvcDelivery,$rootDN"
    $ServiceUserName = "svc-joindom"
    Set-Location AD:
    $Group = Get-ADUser -Identity $ServiceUserName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    # schemaIDGUID of the computer class, then the rightsGuid of each extended right / property set
    $Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"
    $ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
    $ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"
    $ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"
    $AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"
    # Create/delete child objects of class computer, on this OU and its sub-OUs
    $RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
    # The remaining rules are inherited only by descendant computer objects (inheritedObjectType = computer);
    # "Descendents" is the enum member's actual spelling
    $RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
    $RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
    $RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
    $RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
    $ACL.AddAccessRule($RuleCreateAndDeleteComputer)
    $ACL.AddAccessRule($RuleResetPassword)
    $ACL.AddAccessRule($RuleValidatedDNSHostName)
    $ACL.AddAccessRule($RuleValidatedSPN)
    $ACL.AddAccessRule($RuleAccountRestrictions)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL


    Best Regards,
    Ian Xue



1 additional answer

  1. McDonald, Matthew 216 Reputation points
    2022-12-09T19:46:23.37+00:00

    Necropost, but for anyone who runs across this (or even the original OP): I found this, which I found really useful, as it will dynamically create a GUID map for all AD objects and attributes to allow quick reference to them by name vs having to identify and hardcode SIDs manually, as is done in the code above.

    https://the-itguy.de/delegate-access-in-active-directory-with-powershell/

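An added example (not code from either answer or from the linked article) that combines the two ideas in this thread: it builds the name-to-GUID map from the forest's schema and Extended-Rights containers, then lists the ACEs the service account holds on the OU with objectType and inheritedObjectType resolved to names, so you can verify the narrowed delegation and spot a leftover GenericAll rule. It assumes the ActiveDirectory module in a domain-joined session; the function names Get-ADGuidMap and Get-DelegatedAces are mine, and $rootDN is set the same way the thread assumes.

```powershell
# Added example, not from the thread: name->GUID map plus an ACE audit for one principal.
Import-Module ActiveDirectory

function Get-ADGuidMap {
    # Map lDAPDisplayName (classes/attributes) and displayName (extended rights,
    # property sets) to their GUIDs, as stored in this forest's schema/configuration.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }   # byte[] -> guid
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[$_.displayName] = [guid]$_.rightsGuid }         # string -> guid
    return $map
}

function Get-DelegatedAces {
    # Lists the ACEs on $OrganizationalUnit whose trustee is $SamAccountName, with
    # objectType / inheritedObjectType resolved to names so over-broad rules stand out.
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # distinguished name of the OU
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $byGuid = @{}
    $guidMap = Get-ADGuidMap
    foreach ($name in $guidMap.Keys) { $byGuid[$guidMap[$name]] = $name }
    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -ne $sid) { continue }
        $obj = if ($ace.ObjectType -eq [guid]::Empty) { '(any)' } else { $byGuid[$ace.ObjectType] }
        $inh = if ($ace.InheritedObjectType -eq [guid]::Empty) { '(any)' } else { $byGuid[$ace.InheritedObjectType] }
        [pscustomobject]@{
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Object      = $obj      # right / attribute / class the ACE grants
            AppliesTo   = $inh      # object class the ACE is inherited by
            Inheritance = $ace.InheritanceType
        }
    }
}

# Usage: $rootDN assumed as in the thread; a row with Rights = GenericAll and
# Object = (any) means the original over-broad delegation is still present.
$rootDN = (Get-ADRootDSE).defaultNamingContext
Get-DelegatedAces -OrganizationalUnit "OU=Servers,OU=SP02,OU=SvcDelivery,$rootDN" -SamAccountName 'svc-joindom' |
    Format-Table -AutoSize
```

After applying the accepted answer's script, the expected rows are CreateChild/DeleteChild on computer, ExtendedRight on Reset Password, Self on the two validated writes, and ReadProperty/WriteProperty on Account Restrictions, each applying to computer only.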
