How can I modify Advanced Security setting in Active directory with PowerShell?

Papp László 6 Reputation points

I want to set the following settings using PowerShell.

Add a user to an Organizational Unit. That's ok.
And after that, set the following rights for the user on the Organizational Unit:

Read all properties  
Write all properties  
Create Computer objects  
Delete Computer objects  
Create Group objects  
Delete Group objects  
Create User objects  
Delete User objects  

This question originates from having to set these settings on the BDC, so that I do not have to scroll every time and select checkboxes.


3 answers

  1. Thameur-BOURBITA 32,626 Reputation points


    You can use the PowerShell commands below to set the ACL settings on this OU:

    # Distinguished name of the OU and the account to delegate to
    $oupath = "OU=Groups,DC=domain,DC=local"
    $User   = Get-ADUser -Identity Username
    # The AD: drive comes from the ActiveDirectory module
    $objACL = Get-Acl -Path "AD:\$oupath"
    # The rule needs an IdentityReference (the user's SID), not the ADUser object itself
    $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $User.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    # Add the ACE to the in-memory DACL, then write it back to the OU
    $objACL.AddAccessRule($objACE)
    Set-Acl -Path "AD:\$oupath" -AclObject $objACL

    You can refer to the following link to get more details about how to set Active Directory delegation using PowerShell:

    Please don't forget to mark the helpful reply as answer.


  2. ZOTOS Sokratis 1 Reputation point

    If you are familiar with the PowerShell AccessControl module, this could help you start:

    $UserToAdd    = Get-ADUser AccountXX
    $ObjectToEdit = Get-ADOrganizationalUnit SomeOUName
    # Show the ACEs the account already has on the OU
    $ObjectToEdit | Get-PacAccessControlEntry -Principal $UserToAdd.SamAccountName
    # Build the ACE(s) to add (the array was missing its closing parenthesis)
    $AceToAdd = @(
        New-PacAccessControlEntry -Principal $UserToAdd.SamAccountName -ActiveDirectoryRights ReadAndWriteProperty
    )
    $ObjectToEdit | Add-PacAccessControlEntry -AceObject $AceToAdd -Verbose

    You can find the PS module here:

    Otherwise you have to dig into .NET AD objects, which in my eyes looks a lot more complicated than the above solution.
    A simple example can look like this:

    # Get-Acl needs the AD: drive path of the OU, not just its name
    $OUPath = "AD:\OU=SomeOU,DC=domain,DC=local"
    $ACL = Get-Acl -Path $OUPath
    # The rule needs an IdentityReference, so wrap the account name in an NTAccount
    $Identity = [System.Security.Principal.NTAccount]"DOMAIN\AccountXXX"
    $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow","Descendents",([Guid]"bf967aba-0de6-11d0-a285-00aa003049e2")))
    # Write the modified DACL back to the OU
    Set-Acl -Path $OUPath -AclObject $ACL

    where the last value equals the User GUID.

    Hope this can give you some hint where you can start.

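The two answers above show single ACEs; as an added example (not code from the question or from either answer), here is the same ActiveDirectoryAccessRule/Set-Acl approach carried through for the full list in the question: Read all properties, Write all properties, and Create/Delete Computer, Group and User objects, for one user on one OU. The OU distinguished name and the user name are placeholders. The object-class GUIDs are read from the schema rather than hard-coded; the value resolved for "user" is the same bf967aba-0de6-11d0-a285-00aa003049e2 quoted in the answer above. The script ends with a dry run so the resulting ACEs can be reviewed before the DACL is written.

```powershell
# Added example, not from the original post: delegate the rights listed in the
# question to one user on one OU. Requires the ActiveDirectory module (AD: drive)
# and an account allowed to change the OU's DACL.
Import-Module ActiveDirectory

$OUPath   = 'OU=Workstations,DC=example,DC=local'   # assumption: replace with your OU's distinguishedName
$UserName = 'jdoe'                                  # assumption: sAMAccountName of the delegate

# The ACE constructor wants an IdentityReference; the user's SID is one.
$sid = (Get-ADUser -Identity $UserName).SID

# Resolve the schemaIDGUID of each object class from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($class in 'user', 'group', 'computer') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    $classGuid[$class] = [Guid]$obj.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$OUPath"

# "Read all properties" + "Write all properties" on the OU itself.
# InheritanceType None = this object only; use All to cover descendants as well.
$propRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $propRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# "Create <class> objects" / "Delete <class> objects": CreateChild + DeleteChild scoped by
# objectType to that class, so the delegate cannot create or delete other object types.
$childRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
foreach ($class in $classGuid.Keys) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $childRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid[$class],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
}

# Review the ACEs for this principal before anything is written.
$acl.Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType -AutoSize

# Dry run first; remove -WhatIf to apply, then re-read with Get-Acl to confirm.
Set-Acl -Path "AD:\$OUPath" -AclObject $acl -WhatIf
```

Scoping the CreateChild/DeleteChild ACEs by object-class GUID is what the "Create Computer objects" style checkboxes in the Advanced Security dialog do; an unscoped CreateChild/DeleteChild would let the delegate create or delete any object type in the OU, which is more than the question asks for.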

  3. Limitless Technology 39,506 Reputation points

    Hello @Papp László

    I would suggest checking the script mentioned in this similar post:

    as well as these ones:

    Hope this can help you configure the automation you need.


    --If the reply is helpful, please Upvote and Accept as answer--
