Any help would be greatly appreciated! The attachment shows what I am trying to accomplish but I need to do it through PowerShell.
The question is: what would the values be for these lines?
$objectguid = new-object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$inheritedobjectguid = new-object Guid I have no clue what this GUID value would be
Import-Module ActiveDirectory # provides Get-ADGroup and the AD: drive
$group = Get-ADGroup 'AD Service Administration Tasks'
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
# The following object specific ACE is to grant Group permission to change user password on all user objects under OU
$objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password ("Reset Password") class
$inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
# Read the current ACL, append the new ACE, then write the ACL back
$acl = Get-Acl "ad:DC=corp,DC=domain,DC=net"
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:DC=corp,DC=domain,DC=net"
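A review-side companion to the delegation above, as an added example that is not part of the original thread: it lists the Allow ACEs in a security descriptor that let a trustee reset passwords on user objects, including broader ACEs (all extended rights, all object classes) that imply the same access. The function name `Find-ResetPasswordAce` and the SID are assumptions; the descriptor is constructed in memory so the check runs without a domain.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# GUIDs quoted in the thread above
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGuid of user

# Hypothetical helper: return Allow ACEs that permit password reset on user objects
function Find-ResetPasswordAce {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll contains the ExtendedRight bit, so it passes this test as well
        if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        # An empty ObjectType means every extended right, not just Reset Password
        $rightOk = $ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [Guid]::Empty
        # An empty InheritedObjectType means the ACE applies to every object class
        $classOk = $ace.InheritedObjectType -eq $UserClass -or
                   $ace.InheritedObjectType -eq [Guid]::Empty
        if ($rightOk -and $classOk) {
            $ace | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                                 InheritedObjectType, InheritanceType, IsInherited
        }
    }
}

# Constructed sample: one Reset Password ACE (as built in the thread) and one unrelated ACE
$sd    = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sid   = [System.Security.Principal.IdentityReference](New-Object `
         System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-1105')
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, $ext, $allow, $ResetPasswordRight, $desc, $UserClass))
$sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, $read, $allow, $desc))

# Only the Reset Password ACE is reported; the ReadProperty ACE is skipped
Find-ResetPasswordAce -Acl $sd

# Against a live directory (ActiveDirectory module loaded), pass the real descriptor instead:
# Find-ResetPasswordAce -Acl (Get-Acl 'ad:DC=corp,DC=domain,DC=net')
```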