Author Posts

April 15, 2015 at 3:07 am

Any help would be greatly appreciated! The attachment shows what I am trying to accomplish but I need to do it through powershell.
The value I am trying to edit is (CN=DS-Replication-Get-Changes-All). The rightsGuid is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. I have used powershell to update attributes in AD, but have no clue how to update the rights in the configuration or the schema partitions. I have used the script below to update rights for admins to be able to change passwords etc... but now I need to figure out how to work with the configuration and schema partitions.

The question is .. what would the values be for these lines?
For the $objectguid I would think that the guid would change to the one I am interested here. The extended rights –> DS-REPLICATION-GET-CHANGES?

$objectguid = new-object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2

$inheritedobjectguid = new-object Guid I have no clue what this GUID value would be

Import-Module ActiveDirectory
#Bring up an Active Directory command prompt so we can use this later on in the script
cd ad:
$acl = get-acl "ad:DC=corp,DC=domain,DC=net"

$group = Get-ADgroup 'AD Service Administration Tasks'

$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID

# The following object specific ACE is to grant Group permission to change user password on all user objects under OU

$objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) class

$inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user

$identity = [System.Security.Principal.IdentityReference] $SID

$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"

$type = [System.Security.AccessControl.AccessControlType] "Allow"

$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"

$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule$identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid

$acl.AddAccessRule($ace)

Set-acl -aclobject $acl "ad:DC=corp,DC=domain,DC=net"