How can I modify Advanced Security setting in Active directory with PowerShell?

Papp László 6 Reputation points
2021-09-24T12:54:30.473+00:00

I want to set the following settings using PowerShell.

Add a User to an Organizational Unit. That’s ok.
And after that set the Following rights to the User on the Organizational Unit

Read all properties  
Write all properties  
Create Computer objects  
Delete Computer objects  
Create Group objects  
Delete Group objects  
Create User objects  
Delete User objects  

This question originates from these settings to BDC that I do not have to scroll every time and select checkboxes.

https://learn.microsoft.com/en-us/sql/big-data-cluster/active-directory-prerequisites?view=sql-server-ver15

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,189 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,776 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,448 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,626 Reputation points
    2021-09-24T14:27:18.493+00:00

    Hi,

    You can use the powershell commend to set the ACLs settings on this OU :

    $oupath =  "OU=Groups,DC=domain,DC=local"  
    $User = get-aduser -identy Username  
    $objACL = Get-ACL "AD:\\$oupath"  
        $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($User,"DeleteChild","Deny", 'None'')  
        $objACL.AddAccessRule($objACE)  
        Set-acl -AclObject $objACL "AD:${OU}"  
    

    You can refer to the following link to get more details about how set active directory delegation using Powershell:
    active-directory-delegation-via-powershell

    Please don't forget to mark helpful reply as answer

    0 comments No comments

  2. ZOTOS Sokratis 1 Reputation point
    2021-09-24T14:43:26.237+00:00

    Hello,
    If you are familiar with PowerShell AccessControl module this could help you start:

    $UserToAdd = Get-ADUser AccountXX
    $ObjectToEdit = Get-ADOrganizationalUnit SomeOUName
    $ObjectToEdit | Get-PacAccessControlEntry -Principal $UserToAdd.SamAccountName
    $AceToAdd = @(
        New-PacAccessControlEntry -Principal $UserToAdd.SamAccountName -ActiveDirectoryRights ReadAndWriteProperty
    ) 
    $ObjectToEdit | Add-PacAccessControlEntry -AceObject $AceToAdd -Verbose
    

    You can find the PS module here: https://github.com/rohnedwards/PowerShellAccessControl

    Otherwise you have to dig into .NET AD objects, which in my eyes looks a lot more complicated with the above solution.
    A simple example can look like this:

    $ACL = Get-ACL -Path "SomeOU"
    $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule "AccountXXX","WriteProperty","Allow","Descendents","bf967aba-0de6-11d0-a285-00aa003049e2"))
    Set-Acl $ACL
    

    where the last value equals to the User GUID

    Hope this can give you some hint were you can start.
    Cheers,

    0 comments No comments

  3. Limitless Technology 39,506 Reputation points
    2021-09-24T16:00:41.26+00:00

    Hello @Papp László

    I would suggest to check the script mentioned in this similar post:

    https://learn.microsoft.com/en-us/answers/questions/364180/powershell-script-delegate-ou-permissions.html

    as well this ones:

    https://social.technet.microsoft.com/Forums/en-US/04bb799b-5669-4e7b-aa1f-dcb49e9ab028/powershell-ou-permission-delegation-using-powershell?forum=winserverpowershell

    Hope this can help you configure the automation you need,

    ------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments