question

MW-2365 asked PappLszl-0291 commented

Powershell script delegate OU permissions

How can I give a specific Domain Local Group Full Access rights to a specific OU with a powershell command?

Tags: windows-server-powershell, windows-active-directory

Romain-7597 answered JanFernandBosloven-9304 commented
# Import the module explicitly so the AD: PSDrive exists before Set-Location is called
# (relying on module auto-loading fails here because no AD cmdlet has run yet).
Import-Module ActiveDirectory

$OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"
$GroupName = "Domain Users"

Set-Location AD:
$Group = Get-ADGroup -Identity $GroupName
$GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
$ACL = Get-Acl -Path $OrganizationalUnit

# Build one ACE: the group's SID, GenericAll (Full Control), Allow, inherited by the OU and all descendants
$Identity = [System.Security.Principal.IdentityReference] $GroupSID
$ADRight = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$Type = [System.Security.AccessControl.AccessControlType] "Allow"
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $ADRight, $Type, $InheritanceType)

# Append the ACE to the existing DACL and write it back to the OU
$ACL.AddAccessRule($Rule)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL


Change these two lines to your OU's distinguished name and the name of your Domain Local group:

$OrganizationalUnit = "OU=Test,DC=Contoso,DC=COM"
$GroupName = "Domain Users"


How can I give a service user delegation with this PS with these security settings:
Computer objects only

  • Create/delete Computer objects

  • Reset password

  • Read and write account restrictions

  • Validated write to DNS host name

  • Validated write to service principal name

The script you posted here works like a charm, but for my purposes it gives too much access... :-S

Thank you for your help :-)




PappLszl-0291 replying to JanFernandBosloven-9304:

Hello,

Did you find a Solution for this?
Could you please share the script, if yes?

Posted the complete script, and it works... ;)

JanFernandBosloven-9304 answered PappLszl-0291 commented

Set delegation for service_account in the Servers OU:

Import-Module ActiveDirectory

# $rootDN was not defined in the original script; it is the domain's distinguished name
$rootDN = (Get-ADDomain).DistinguishedName
$OrganizationalUnit = "OU=Servers,OU=SP02,OU=Delivery,$rootDN"
$ServiceUserName = "account_name"
Set-Location AD:
$ServiceUser = Get-ADUser -Identity $ServiceUserName
$ServiceUserSID = [System.Security.Principal.SecurityIdentifier] $ServiceUser.SID
$ACL = Get-Acl -Path $OrganizationalUnit
$Identity = [System.Security.Principal.IdentityReference] $ServiceUserSID

# Schema / extended-rights GUIDs used to scope each ACE
$Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"             # computer object class
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"         # Reset Password extended right
$ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"          # Validated write to SPN
$AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"   # Account Restrictions property set

# Create/delete computer objects in the OU and any sub-OU
$RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
# The remaining rights apply only to descendant objects of class computer
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
$RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
$RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
$RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)

$ACL.AddAccessRule($RuleCreateAndDeleteComputer)
$ACL.AddAccessRule($RuleResetPassword)
$ACL.AddAccessRule($RuleValidatedDNSHostName)
$ACL.AddAccessRule($RuleValidatedSPN)
$ACL.AddAccessRule($RuleAccountRestrictions)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL


Thank you very much. This is a great help.
Do you know where I can find a list of these group IDs?
[GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"

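An added verification script, not posted by anyone in this thread: it reads the OU's DACL after delegation, resolves the object-type GUIDs to names by looking them up in the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid), which is where the GUIDs used above are defined, and flags an unscoped GenericAll grant like the one in the first answer. The OU distinguished name and the principal name are placeholders; the ActiveDirectory module and a domain-joined session are assumed.

```powershell
# Added verification script; not part of the thread. Assumes the ActiveDirectory
# module, a domain-joined session, and placeholder values for the OU and principal.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Map schemaIDGUID (classes, attributes, property sets) and rightsGuid
    # (extended rights such as "Reset Password") to their display names.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-DelegatedAces {
    param([string]$OuDn, [string]$Principal, [hashtable]$GuidMap)
    $any = [guid]::Empty
    # Only explicit (non-inherited) ACEs for the principal: these are what the delegation script wrote.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType
                ObjectType  = if ($_.ObjectType -eq $any) { '(any)' } else { $GuidMap[$_.ObjectType] }
                AppliesTo   = if ($_.InheritedObjectType -eq $any) { '(all classes)' } else { $GuidMap[$_.InheritedObjectType] }
                Inheritance = $_.InheritanceType
                # GenericAll with no object-type scope is the Full Control grant from the first answer.
                Overbroad   = (($_.ActiveDirectoryRights -band 'GenericAll') -eq 'GenericAll') -and ($_.ObjectType -eq $any)
            }
        }
}

# Placeholder values; replace with your OU and the account or group you delegated to.
$OrganizationalUnit = 'OU=Servers,OU=SP02,OU=Delivery,DC=contoso,DC=com'
$Principal          = 'CONTOSO\account_name'
$guidMap = Get-AdGuidMap
Get-DelegatedAces -OuDn $OrganizationalUnit -Principal $Principal -GuidMap $guidMap | Format-Table -AutoSize
```

Running it after the scoped script above should list five ACEs whose AppliesTo column resolves to "computer" and ObjectType to names such as "Reset Password" and "Account Restrictions", with Overbroad false for each.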