How can I modify the Advanced Security settings in Active Directory with PowerShell?

Papp László 6 Reputation points
2021-09-24T12:54:30.473+00:00

I want to set the following settings using PowerShell.

Add a user to an Organizational Unit. That's OK.
And after that, set the following rights for the user on the Organizational Unit:

Read all properties  
Write all properties  
Create Computer objects  
Delete Computer objects  
Create Group objects  
Delete Group objects  
Create User objects  
Delete User objects  

This question originates from these settings for BDC, so that I do not have to scroll through and select checkboxes every time.

https://learn.microsoft.com/en-us/sql/big-data-cluster/active-directory-prerequisites?view=sql-server-ver15


3 answers

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2021-09-24T14:27:18.493+00:00

    Hi,

    You can use the following PowerShell commands to set the ACL on this OU:

    # Assumed values: the OU distinguished name and the delegated user's sAMAccountName.
    $oupath = "OU=Groups,DC=domain,DC=local"
    $User   = Get-ADUser -Identity Username
    # Read the OU's current security descriptor through the AD: drive (ActiveDirectory module).
    $objACL = Get-Acl -Path "AD:\$oupath"
    # Build one ACE: the principal's SID, the right, Allow/Deny, and the inheritance scope
    # ('None' = this object only).
    $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($User.SID, "DeleteChild", "Deny", "None")
    $objACL.AddAccessRule($objACE)
    # Write the modified descriptor back to the same OU.
    Set-Acl -Path "AD:\$oupath" -AclObject $objACL
    

    You can refer to the following link to get more details about how to set Active Directory delegation using PowerShell:
    active-directory-delegation-via-powershell

    Please don't forget to mark helpful reply as answer

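A complete script for the exact right set listed in the question (read and write all properties, plus create and delete computer, group and user objects) is shown below. It is an added example, not code from the question or from any of the answers, and it uses only the ActiveDirectory module and the .NET ActiveDirectoryAccessRule class. The OU distinguished name (`OU=BDC,DC=domain,DC=local`) and the delegated account (`svc-bdc`) are assumed placeholders, and the helper `Get-SchemaClassGuid` is defined here for illustration; the schema GUIDs are read from the forest's schema partition at run time rather than hard-coded.

```powershell
# Added example: delegate the rights from the question to one user on one OU.
# Assumptions: $OuDn is the target OU, $Principal the delegated account's sAMAccountName.
Import-Module ActiveDirectory

$OuDn      = 'OU=BDC,DC=domain,DC=local'   # assumption: target OU
$Principal = 'svc-bdc'                     # assumption: delegated account

# ACEs are stored by SID, so resolve the account to its SID first.
$sid = (Get-ADUser -Identity $Principal).SID

# Look up the schemaIDGUID of an object class in the schema partition. Scoping
# CreateChild/DeleteChild to a class GUID is what turns "Create/Delete <class>
# objects" in the GUI into an ACE; without the GUID the ACE would allow creating
# any object class under the OU.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)   # hypothetical helper
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$OuDn"

# 1. Read all properties + Write all properties, on the OU and everything below it.
$propRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $propRights, 'Allow',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 2. Create/Delete child objects, one ACE per class, with the class GUID as objectType.
$childRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
foreach ($class in 'computer', 'group', 'user') {
    $classGuid = Get-SchemaClassGuid -LdapDisplayName $class
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $childRights, 'Allow', $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
}

# Write the descriptor back; the caller needs WriteDacl on the OU for this to succeed.
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list exactly what the principal now holds on the OU. Get-Acl reports
# identities as DOMAIN\name, so translate them back to SIDs before comparing.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

All ACEs are Allow entries; no Deny is added, and nothing is granted beyond the listed rights (no GenericAll, no WriteDacl). The verification step at the end is the part worth keeping in any delegation script: re-read the ACL after `Set-Acl` and check that only the intended rights, scoped to the intended object classes, appear for that principal.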

  2. ZOTOS Sokratis 1 Reputation point
    2021-09-24T14:43:26.237+00:00

    Hello,
    If you are familiar with PowerShell AccessControl module this could help you start:

    # Requires the PowerShellAccessControl module (link below).
    Import-Module PowerShellAccessControl
    $UserToAdd    = Get-ADUser AccountXX
    # Get-ADOrganizationalUnit takes a distinguished name (or GUID), not a bare OU name.
    $ObjectToEdit = Get-ADOrganizationalUnit "OU=SomeOUName,DC=domain,DC=local"
    # Show what this principal already holds on the OU before changing anything.
    $ObjectToEdit | Get-PacAccessControlEntry -Principal $UserToAdd.SamAccountName
    $AceToAdd = @(
        # Read and write all properties; the values are the .NET ActiveDirectoryRights flags.
        New-PacAccessControlEntry -Principal $UserToAdd.SamAccountName -ActiveDirectoryRights 'ReadProperty, WriteProperty'
    )
    $ObjectToEdit | Add-PacAccessControlEntry -AceObject $AceToAdd -Verbose
    

    You can find the PS module here: https://github.com/rohnedwards/PowerShellAccessControl

    Otherwise you have to dig into the .NET AD objects, which in my eyes looks a lot more complicated than the above solution.
    A simple example can look like this:

    # Assumed OU distinguished name; Get-Acl needs the AD: drive path, not just the OU name.
    $OU  = "OU=SomeOU,DC=domain,DC=local"
    $ACL = Get-Acl -Path "AD:\$OU"
    # The identity must be an IdentityReference (NTAccount or SID), not a plain string.
    $Identity = [System.Security.Principal.NTAccount]"DOMAIN\AccountXXX"
    # Allow WriteProperty on descendant objects; the GUID is the inheritedObjectType,
    # i.e. the object class the inherited ACE applies to.
    $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, "WriteProperty", "Allow", "Descendents", [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2")))
    Set-Acl -Path "AD:\$OU" -AclObject $ACL
    

    where the last value equals the User GUID.

    Hope this can give you some hint where you can start.
    Cheers,


  3. Limitless Technology 39,931 Reputation points
    2021-09-24T16:00:41.26+00:00

    Hello @Papp László

    I would suggest checking the script mentioned in this similar post:

    https://learn.microsoft.com/en-us/answers/questions/364180/powershell-script-delegate-ou-permissions.html

    as well as this one:

    https://social.technet.microsoft.com/Forums/en-US/04bb799b-5669-4e7b-aa1f-dcb49e9ab028/powershell-ou-permission-delegation-using-powershell?forum=winserverpowershell

    Hope this can help you configure the automation you need,

    ------------

    --If the reply is helpful, please Upvote and Accept as answer--

