Delegation control wizard powershell values

Phillip Banky 1 Reputation point
2022-08-08T15:17:23.64+00:00

Hey everyone!

I'm trying to look over a way for my sysadmins to take some work off their hands with static security groups that have set-in-stone delegated permissions over an OU.
I understand some people in other forums have had a $permissions = "FullControl" or "modify", but I can't find support for anything more specific that the delegation wizard can assign... ("Modify membership of a group")

However, lines 25+ confuse me... there doesn't seem to be any specific attribute for the permissions/tasks I can assign to them.
The code I have so far is edited from others I've read up on who have done similar things, but not with delegation wizards, and I can't seem to find documentation on this :\

any help is appreciated, thank you so much!

        #Create a hashtable to store the GUID value of each schema class and attribute
        Import-Module ActiveDirectory
        $ADRootDSE = Get-ADRootDSE
        $domain = Get-ADDomain

        $ou_DN = "OU=dont worry about thisss,OU=tata,OU=lala,OU=lala Users and Computers"
        $AD_Group = "Test Group"

        $searchbase_DN = $ou_DN+","+$domain.DistinguishedName

        $users = Get-ADUser -Filter * -SearchBase $searchbase_DN

        $ou = Get-ADOrganizationalUnit -Identity ($searchbase_DN)
        $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $AD_Group).SID

        $contents = Get-ADObject -SearchBase ($ADRootDSE.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID

        ## populate guidmap with every class/attribute from $contents, keyed by lDAPDisplayName
        ## (assigning a string literal inside ForEach-Object, as before, never filled the table)
        $GUIDMap = @{}
        $contents | ForEach-Object { $GUIDMap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

        ## read the OU's current DACL; AddAccessRule changes this in-memory copy only
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

        ## delegate on ou via wizard
        #object1 = modify create delete and manage user accounts
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"CreateChild,DeleteChild","Allow",$GUIDMap["user"],"All"))

        #object2 = reset user password and force pass change on next login
        ## TODO: rights, object-type GUID and inheritance still to be determined; left commented out so the script runs
        #$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,""))

        #object3 = Read all user information
        ## GenericRead, not GenericAll: GenericAll would be full control over every descendant user
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"GenericRead","Allow","Descendents",$GUIDMap["user"]))

        #object4 = Create delete and manage groups ##
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"CreateChild,DeleteChild","Allow",$GUIDMap["group"],"All"))

        #object5 = Modify the membership of a group
        ## TODO: attribute GUID and rights still to be determined
        #$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"""Descendents"["group"]))

        #object6 = Manage Group Policy links ## what group actually is assigned this
        ## TODO: "create, delete" is not a valid ActiveDirectoryRights value
        #$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"create, delete"))

        #object7
        ## TODO: "modify" is not a valid ActiveDirectoryRights value
        #$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"modify"))

        ## write the modified DACL back to the OU
        Set-Acl -Path "AD:\$($ou.DistinguishedName)" -AclObject $acl


1 answer

  1. Gary Reynolds 9,626 Reputation points
    2022-08-08T16:48:49.443+00:00

    Hi.

    The commands you are running in your script are relying on low level API calls to change the ACL on the selected OU; to be able to use these effectively you do need to understand the DACL and ACE details.

    I would recommend you read the following:

    DACL - https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object

    ACL - https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

    ACE - https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-entries

    The PowerShell AddAccessRule cmdlet will, probably indirectly, call the low level function AddAccessAllowedObjectAce, which uses the ACCESS_ALLOWED_OBJECT_ACE data structure. The parameters for the cmdlet are used to construct the ACCESS_ALLOWED_OBJECT_ACE.

    However, I'm not sure I would recommend this approach if you are new to AD delegations and permissions. I would get familiar with setting the required permissions with ADUC or LDP before trying to automate them with PowerShell.

    It is possible to extend the available delegation options in the ADUC delegation wizard; the article below has the details, which will be easier than using PowerShell. You will still need to understand DACL and ACE to make changes to the delegation wizard.

    https://social.technet.microsoft.com/wiki/contents/articles/21061.how-to-extend-the-delegation-of-control-wizard-templates-in-active-directory-users-and-computers.aspx

    Gary.
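As an added example (not code from the question or from the answer above), this maps two of the wizard's tasks that the question lists onto the object-specific ACEs the answer describes, looking up the class, attribute and extended-right GUIDs from the schema and the Extended-Rights container instead of hard-coding them. `$ouDN` and `$groupName` are assumed values; the review step prints the group's ACEs before Set-Acl commits them.

```powershell
Import-Module ActiveDirectory

$ouDN      = "OU=Delegated,DC=example,DC=com"   # assumed OU, replace with your own
$groupName = "Helpdesk Tier1"                   # assumed delegated security group

$rootDse = Get-ADRootDSE
$sid     = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# schemaIDGUID of every class and attribute, keyed by lDAPDisplayName
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# rightsGuid of every extended right (control access right), keyed by displayName
$rightsGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $rightsGuid[$_.displayName] = [guid]$_.rightsGuid }

$acl    = Get-Acl -Path "AD:\$ouDN"
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights = [System.DirectoryServices.ActiveDirectoryRights]

# Wizard task "Modify the membership of a group":
# WriteProperty on the 'member' attribute, inherited only to descendant group objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, $schemaGuid['member'], $desc, $schemaGuid['group'])))

# Wizard task "Reset user passwords and force password change at next logon":
# the 'Reset Password' extended right plus read/write of pwdLastSet, on descendant users only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $rightsGuid['Reset Password'], $desc, $schemaGuid['user'])))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $schemaGuid['pwdLastSet'], $desc, $schemaGuid['user'])))

# Review exactly which ACEs the group is about to receive before committing them.
$acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Each ACE is scoped to one attribute or extended right and one inherited object class, so the group gets nothing beyond what the wizard task would grant; re-run the review query after Set-Acl to confirm the DACL on the OU matches.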

