add security group to an attribute in an extended right

This topic contains 0 replies, has 1 voice, and was last updated by Mike Johnson 1 year, 6 months ago.

    Author: Mike Johnson (#24281)

    Any help would be greatly appreciated! The attachment shows what I am trying to accomplish but I need to do it through powershell.
    The value I am trying to edit is (CN=DS-Replication-Get-Changes-All). The rightsGuid is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. I have used PowerShell to update attributes in AD, but have no clue how to update the rights in the configuration or the schema partitions. I have used the script below to update rights for admins to be able to change passwords etc., but now I need to figure out how to work with the configuration and schema partitions.

    The question is: what would the values be for these lines?
    For the $objectguid I would think that the guid would change to the one I am interested in here. The extended right -> DS-REPLICATION-GET-CHANGES?

    $objectguid = new-object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2

    $inheritedobjectguid = new-object Guid # I have no clue what this GUID value would be

    Import-Module ActiveDirectory
    # Switch to the AD: drive that the ActiveDirectory module creates so the
    # provider paths below resolve
    cd ad:
    $acl = Get-Acl "ad:DC=corp,DC=domain,DC=net"

    $group = Get-ADGroup 'AD Service Administration Tasks'

    # Get-ADGroup already returns the SID as a SecurityIdentifier; rebuild it
    # from the SDDL string form so the constructor overload resolves cleanly
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID.Value

    # The following object-specific ACE grants the group permission to reset the
    # password on all user objects under the OU

    $objectguid = New-Object Guid 00299570-246d-11d0-a768-00aa006e0529 # rightsGuid of the extended right User-Force-Change-Password ("Reset Password")

    $inheritedobjectguid = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # schemaIDGuid of the user class

    $identity = [System.Security.Principal.IdentityReference] $sid

    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"

    $type = [System.Security.AccessControl.AccessControlType] "Allow"

    # Apply to descendant objects (of the class named by $inheritedobjectguid), not to the OU itself
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectguid,$inheritanceType,$inheritedobjectguid

    # Add the new ACE to the in-memory descriptor before writing it back;
    # without this Set-Acl just rewrites the unchanged ACL
    $acl.AddAccessRule($ace)

    Set-Acl -AclObject $acl "ad:DC=corp,DC=domain,DC=net"
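The script below is an added example, not the original poster's code. It grants the DS-Replication-Get-Changes-All extended right (rightsGuid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, as given in the post) on the domain naming context to a group, and then lists every principal that holds a replication right there. The GUIDs are the rightsGuid values of the controlAccessRight objects under CN=Extended-Rights,CN=Configuration,...; the ACE itself is written to the domain head (DC=...) rather than to the configuration or schema partition, because that is the object on which replication requests are access-checked. The group name is the one from the post and the domain is taken from the joined machine via Get-ADDomain; both are assumptions. For a right that applies to the naming-context head itself, the ACE uses inheritance None and needs no inheritedObjectType (the five-argument ActiveDirectoryAccessRule constructor leaves it as Guid.Empty), which answers the $inheritedobjectguid question for this case. Caveat: a principal holding DS-Replication-Get-Changes together with DS-Replication-Get-Changes-All can replicate secret attributes, i.e. pull every account's password hash ("DCSync"), so membership of this group should be treated as equivalent to Domain Admins and audited; the second function is that audit.

```powershell
# Added example (not the original poster's script): grant a replication extended
# right on the domain NC head to a group, then audit who holds replication rights.
Import-Module ActiveDirectory

# rightsGuid values of the two replication controlAccessRight objects.
$DsGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$DsGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All

function Grant-ReplicationRight {
    param(
        [Parameter(Mandatory)][string]$DomainDN,   # e.g. DC=corp,DC=domain,DC=net (assumed)
        [Parameter(Mandatory)][string]$GroupName,
        [Guid]$RightsGuid = $DsGetChangesAll
    )
    $group = Get-ADGroup -Identity $GroupName
    $path  = "AD:\$DomainDN"
    $acl   = Get-Acl -Path $path

    # Replication rights are checked on the naming-context head object itself, so the
    # ACE applies to "this object only": inheritance None and no inheritedObjectType.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID,                                                          # IdentityReference
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $RightsGuid,                                                         # objectType = the extended right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAccessRule($ace)             # change the in-memory descriptor ...
    Set-Acl -Path $path -AclObject $acl  # ... then write it back (needs WriteDacl on the domain head)
}

function Get-ReplicationRightHolders {
    # Every ACE on the NC head that grants either replication right, or all
    # extended rights at once (ObjectType = Guid.Empty, e.g. GenericAll on the domain).
    param([Parameter(Mandatory)][string]$DomainDN)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($entry in $acl.Access) {
        if (($entry.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        $right = switch ($entry.ObjectType) {
            $DsGetChanges    { 'DS-Replication-Get-Changes' }
            $DsGetChangesAll { 'DS-Replication-Get-Changes-All' }
            ([Guid]::Empty)  { 'All extended rights' }
            default          { $null }
        }
        if ($null -eq $right) { continue }
        [pscustomobject]@{
            Identity = $entry.IdentityReference.Value
            Type     = $entry.AccessControlType
            Right    = $right
            Inherited = $entry.IsInherited
        }
    }
}

# Usage: domain from the joined machine, group name from the post (both assumed).
$domainDN = (Get-ADDomain).DistinguishedName
Grant-ReplicationRight -DomainDN $domainDN -GroupName 'AD Service Administration Tasks'
Get-ReplicationRightHolders -DomainDN $domainDN | Format-Table -AutoSize
```

Run Get-ReplicationRightHolders before and after the grant: the expected baseline is the domain controller groups, Administrators and Domain Admins (the latter usually via an ObjectType of Guid.Empty); any other identity in the list, including the group granted here, is a principal that can replicate credentials and belongs in whatever review covers Domain Admins membership.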
