April 15, 2015 at 3:07 am #24281ParticipantTopics: 1Replies: 0Points: 0Rank: Member
Any help would be greatly appreciated! The attachment shows what I am trying to accomplish but I need to do it through powershell.
The value I am trying to edit is (CN=DS-Replication-Get-Changes-All). The rightsGuid is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. I have used powershell to update attributes in AD, but have no clue how to update the rights in the configuration or the schema partitions. I have used the script below to update rights for admins to be able to change passwords etc... but now I need to figure out how to work with the configuration and schema partitions.
The question is .. what would the values be for these lines?
For the $objectguid I would think that the guid would change to the one I am interested here. The extended rights –> DS-REPLICATION-GET-CHANGES?
$objectguid = new-object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$inheritedobjectguid = new-object Guid I have no clue what this GUID value would be
#Bring up an Active Directory command prompt so we can use this later on in the script
$acl = get-acl "ad:DC=corp,DC=domain,DC=net"
$group = Get-ADgroup 'AD Service Administration Tasks'
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
# The following object specific ACE is to grant Group permission to change user password on all user objects under OU
$objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) class
$inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule$identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
Set-acl -aclobject $acl "ad:DC=corp,DC=domain,DC=net"
The topic ‘add security group to an attribute in an extended right’ is closed to new replies.