
Delegate Rights to an OU for one Service User on Computer Objects only with PowerShell

Jan Fernand Bosløven 41 Reputation points
2021-06-16T06:01:03.91+00:00

How can I give a service user delegation with this PS with these security settings:
Computer objects only

* Create/delete Computer objects
* Reset password
* Read and write account restrictions
* Validated write to DNS host name
* Validated write to service principal name

Started with this, but it gives all access, and I haven't figured out how to narrow it down...:-S

    # Set delegation for svc-joindom in servers OU
    # $rootDN is assumed to hold the domain DN (e.g. (Get-ADDomain).DistinguishedName)
    $OrganizationalUnit = "OU=Servers,OU=SP02,OU=SvcDelivery,$rootDN"
    $ServiceUserName = "svc-joindom"

    Import-Module ActiveDirectory
    Set-Location AD:
    $Group = Get-ADUser -Identity $ServiceUserName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    # GenericAll on the OU and everything beneath it: this is the rule that grants "all access"
    $ADRight = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRight, $Type, $InheritanceType)

    $ACL.AddAccessRule($Rule)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL

Please help me...:-)

Windows for business | Windows Server | User experience | PowerShell

Answer accepted by question author
  1. Anonymous
    2021-06-17T06:19:41.823+00:00

    Hi,

    You can specify the GUID of objectType and inheritedObjectType for a specific permission.

    # $rootDN is assumed to hold the domain DN (e.g. (Get-ADDomain).DistinguishedName)
    $OrganizationalUnit = "OU=Servers,OU=SP02,OU=SvcDelivery,$rootDN"
    $ServiceUserName = "svc-joindom"
    Import-Module ActiveDirectory
    Set-Location AD:
    $Group = Get-ADUser -Identity $ServiceUserName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    # Schema class GUID of "computer", used to scope the ACEs to computer objects only
    $Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"
    # Control access right "Reset Password"
    $ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
    # Validated writes to dNSHostName and servicePrincipalName
    $ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"
    $ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"
    # Property set "Account Restrictions"
    $AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"
    # Create/delete child objects of class computer, on this OU and all sub-OUs
    $RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
    # The remaining rules apply to descendant objects of class computer only (inheritedObjectType = computer)
    $RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
    $RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
    $RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
    $RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
    $ACL.AddAccessRule($RuleCreateAndDeleteComputer)
    $ACL.AddAccessRule($RuleResetPassword)
    $ACL.AddAccessRule($RuleValidatedDNSHostName)
    $ACL.AddAccessRule($RuleValidatedSPN)
    $ACL.AddAccessRule($RuleAccountRestrictions)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL


    Best Regards,
    Ian Xue


1 additional answer

  1. McDonald, Matthew 261 Reputation points
    2022-12-09T19:46:23.37+00:00

    Necropost, but for anyone who runs across this (or even the original OP), I found this, which I found really useful, as it will dynamically create a GUID map for all AD objects and attributes to allow quick reference to them by name rather than having to identify and hardcode SIDs manually, as is done in the code above.

    https://the-itguy.de/delegate-access-in-active-directory-with-powershell/

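As an added example (not code from the thread or from the linked article), the script below reads the OU's ACL back and resolves each ACE's GUIDs to schema and extended-right names, so the five intended computer-scoped rights can be checked and anything broader (such as a leftover GenericAll) is flagged. It assumes the ActiveDirectory module, the OU and account names from the accepted answer, and the domain DN taken from Get-ADDomain.

```powershell
# Added example: audit what the service account can actually do on the OU
# (assumes the ActiveDirectory module; OU and account names as in the thread).
Import-Module ActiveDirectory
$OrganizationalUnit = "OU=Servers,OU=SP02,OU=SvcDelivery,$((Get-ADDomain).DistinguishedName)"
$ServiceUserName    = "svc-joindom"

# GUID -> name map: schema classes/attributes plus the Extended-Rights
# container (control access rights, validated writes and property sets).
$rootDSE = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$Guid) {
    # An empty GUID in an ACE means "all object types" / "all properties"
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

$sid = (Get-ADUser -Identity $ServiceUserName).SID
$acl = Get-Acl -Path "AD:\$OrganizationalUnit"
# Include inherited ACEs too: rights can arrive from a parent OU
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }

$aces | ForEach-Object {
    [pscustomobject]@{
        Type           = $_.AccessControlType
        Rights         = $_.ActiveDirectoryRights
        ObjectType     = Resolve-AdGuid $_.ObjectType
        Inheritance    = $_.InheritanceType
        AppliesToClass = Resolve-AdGuid $_.InheritedObjectType
        Inherited      = $_.IsInherited
    }
} | Format-Table -AutoSize

# Anything not scoped to the computer class, or granting GenericAll, is wider
# than the five intended rights and deserves a look.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$aces | Where-Object {
    ($_.ObjectType -ne $computerClass -and $_.InheritedObjectType -ne $computerClass) -or
    (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
} | ForEach-Object { Write-Warning "Broader than intended: $($_.ActiveDirectoryRights) on $(Resolve-AdGuid $_.InheritedObjectType)" }
```

Run it before and after applying the accepted answer's rules: the first run should show the old GenericAll ACE as a warning, the second only the five computer-scoped ACEs.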
