Powershell script delegate OU permissions

MW 1 Reputation point
2021-04-20T11:13:45.333+00:00

How can I give a specific Domain Local Group Full Access rights to a specific OU with a powershell command?


2 answers

  1. Romain 16 Reputation points
    2021-04-20T14:26:54.207+00:00
    $OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"   # distinguished name of the target OU
    $GroupName = "Domain Users"                          # sAMAccountName of the group to delegate to

    # The AD: drive comes from the ActiveDirectory module; Get-Acl/Set-Acl work on it like a file path
    Import-Module ActiveDirectory
    Set-Location AD:
    $Group = Get-ADGroup -Identity $GroupName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit

    # GenericAll = Full Control; inheritance "All" applies it to the OU and every object beneath it
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    $ADRight = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRight, $Type, $InheritanceType)

    $ACL.AddAccessRule($Rule)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL

    Change:

    $OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"
    $GroupName = "Domain Users"

    3 people found this answer helpful.

  2. Jan Fernand Bosløven 31 Reputation points
    2021-10-05T06:22:51.647+00:00

    Set delegation for service_account in servers OU

    Import-Module ActiveDirectory
    $rootDN = (Get-ADDomain).DistinguishedName                 # domain root, e.g. DC=Contoso,DC=COM
    $OrganizationalUnit = "OU=Servers,OU=SP02,OU=Delivery,$rootDN"
    $ServiceUserName = "account_name"                          # sAMAccountName of the service account
    Set-Location AD:
    $Group = Get-ADUser -Identity $ServiceUserName
    $GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $ACL = Get-Acl -Path $OrganizationalUnit
    $Identity = [System.Security.Principal.IdentityReference] $GroupSID
    # Schema class, extended-right and property-set GUIDs that scope each ACE
    $Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"               # computer object class
    $ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"           # Reset Password extended right
    $ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"    # Validated write to DNS host name
    $ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"            # Validated write to service principal name
    $AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"     # Account Restrictions property set
    # Create/delete computer objects in the OU and below; the remaining rights apply only to descendant computer objects
    $RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
    $RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
    $RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
    $RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
    $RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
    $ACL.AddAccessRule($RuleCreateAndDeleteComputer)
    $ACL.AddAccessRule($RuleResetPassword)
    $ACL.AddAccessRule($RuleValidatedDNSHostName)
    $ACL.AddAccessRule($RuleValidatedSPN)
    $ACL.AddAccessRule($RuleAccountRestrictions)
    Set-Acl -Path $OrganizationalUnit -AclObject $ACL

    2 people found this answer helpful.
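Both answers write ACEs but never read them back. The following is an added example, not code from either answer, that audits which explicit ACEs a principal actually holds on an OU and flags entries (GenericAll, WriteDacl, WriteOwner) that amount to full control of the whole subtree rather than a scoped delegation; the function name `Get-OUDelegation` and its parameters are my own, and it assumes the ActiveDirectory module is available.

```powershell
# Audit what a principal has actually been granted on an OU after delegation.
# Assumes the ActiveDirectory module (AD: drive) and read access to the OU's security descriptor.
Import-Module ActiveDirectory

function Get-OUDelegation {
    param(
        [Parameter(Mandatory)] [string] $OrganizationalUnit,   # DN of the OU, e.g. "OU=Test,DC=Contoso,DC=COM"
        [Parameter(Mandatory)] [string] $PrincipalName          # sAMAccountName of the group or user
    )
    # Resolve the principal to its SID once, so matching does not depend on name translation
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$PrincipalName'" -Properties objectSid
    if (-not $principal) { throw "Principal '$PrincipalName' not found" }
    $sid = [System.Security.Principal.SecurityIdentifier] $principal.objectSid

    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }          # only explicit entries, i.e. delegated on this OU
        # Get-Acl returns NTAccount names; normalise each identity to a SID before comparing
        $aceSid = $ace.IdentityReference
        if ($aceSid -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $aceSid = $aceSid.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        }
        if ($aceSid.Value -ne $sid.Value) { continue }

        $rights = $ace.ActiveDirectoryRights
        # Any of these gives control over the OU subtree well beyond a scoped delegation
        $broad = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                 $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                 $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)
        [pscustomobject]@{
            Principal           = $ace.IdentityReference.Value
            Rights              = $rights
            Type                = $ace.AccessControlType
            ObjectType          = $ace.ObjectType            # attribute/class/extended-right GUID; all zeros = any
            Inheritance         = $ace.InheritanceType
            InheritedObjectType = $ace.InheritedObjectType
            FullControlLike     = $broad
        }
    }
}

# Review what the first answer's script granted to "Domain Users" on OU=Test
Get-OUDelegation -OrganizationalUnit "OU=Test,DC=Contoso,DC=COM" -PrincipalName "Domain Users" |
    Format-Table Principal, Rights, Inheritance, FullControlLike -AutoSize
```

Run it before and after applying either answer's script and keep the output as the change record for the OU.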