OU permission delegation using powershell

Welcome Forums General PowerShell Q&A OU permission delegation using powershell

This topic contains 6 replies, has 2 voices, and was last updated by

 
Participant
3 years, 1 month ago.

  • Author
    Posts
  • #30890

    Participant
    Points: 0
    Rank: Member

    We have few AD admin accounts added in to a group named "Nidhin-test-group" and I want to Deny the group write all properties & Modify permissions on an OU, this settings should apply to "This object only"

    Now i found below blog helpfull. but i'm not getting correct ActiveDirectoryAccessRule to apply.
    http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

    —-

    Using below code i can apply Deny the group to write all properties of descendent user objects.
    But i want to Deny the group "write all properties" & "Modify permission" on an OU and this settings should apply to "This object only"

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain
    
    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
    
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
    
    $ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
    $acl = Get-ACL -Path ($ou.DistinguishedName)
    
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","Descendents",$guidmap["user"]))
    
    Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
  • #30892

    Participant
    Points: 0
    Rank: Member

    You would need to modify your access rule. Instead of Descendants use None

    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","Descendents",$guidmap["user"]))
    
  • #30895

    Participant
    Points: 0
    Rank: Member

    Thank you Curtis Smith..! Now im able to deny the "Write all properties" on an OU. In order to deny "Modify Permissions" what is the exact property name i need to mention in below code? (need to replace xxxx)

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"XXXXXXXX","Deny","None",$guidmap["user"]))
  • #30896

    Participant
    Points: 0
    Rank: Member

    The ActiveDirectoryAccessRule Class
    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx

    The ActiveDirectoryRights Enumeration
    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx

    WriteDacl
    The right to modify the DACL in the object security descriptor.

  • #30897

    Participant
    Points: 0
    Rank: Member
  • #30898

    Participant
    Points: 0
    Rank: Member

    Thanks a lot Curtis..!

    Is there anyway i can mark this thread as closed ?

  • #30899

    Participant
    Points: 0
    Rank: Member

    Yes, you should have a thread status box right above the reply box. You can set it to resolved.

The topic ‘OU permission delegation using powershell’ is closed to new replies.