OU permission delegation using powershell

  • Author
    Posts
    • #30890

      We have a few AD admin accounts added to a group named “Nidhin-test-group”, and I want to deny the group “Write all properties” & “Modify permissions” on an OU. These settings should apply to “This object only”.

      I found the blog below helpful, but I’m not getting the correct ActiveDirectoryAccessRule to apply.
      http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

      —-

      Using the code below I can deny the group write access to all properties of descendant user objects.
      But I want to deny the group “Write all properties” & “Modify permissions” on an OU, and these settings should apply to “This object only”.

      Import-Module ActiveDirectory
      $rootdse = Get-ADRootDSE
      $domain = Get-ADDomain
      
      # Map every schema class/attribute lDAPDisplayName to its schemaIDGUID
      $guidmap = @{}
      Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
      "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
      % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
      
      # Map every extended right (controlAccessRight) display name to its rightsGuid
      $extendedrightsmap = @{}
      Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
      "(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
      % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
      
      $ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
      $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
      # Read the OU's security descriptor through the AD: drive (the AD:\ prefix is required
      # unless the current location is already inside that drive)
      $acl = Get-ACL -Path ("AD:\"+($ou.DistinguishedName))
      
      # Deny WriteProperty on descendant objects of class "user" (inheritedObjectType = user schema GUID)
      $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
      $p,"WriteProperty","Deny","Descendents",$guidmap["user"]))
      
      Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
    • #30892

      You would need to modify your access rule. Instead of Descendents, use None.

      https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx

      $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
      $p,"WriteProperty","Deny","None",$guidmap["user"]))
      
    • #30895

      Thank you Curtis Smith..! Now I’m able to deny “Write all properties” on an OU. In order to deny “Modify permissions”, what is the exact property name I need to mention in the code below? (need to replace XXXX)

      $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
      $p,"XXXXXXXX","Deny","None",$guidmap["user"]))
    • #30896

      The ActiveDirectoryAccessRule Class
      https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx

      The ActiveDirectoryRights Enumeration
      https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx

      WriteDacl
      The right to modify the DACL in the object security descriptor.

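      Putting the two answers together, here is an added, complete example (not code from the thread or from Microsoft's documentation) that denies the group both “Write all properties” (WriteProperty) and “Modify permissions” (WriteDacl) on the OU itself, with inheritance None, and then reads the ACL back to confirm the ACE landed. The OU distinguished name “OU=Servers,DC=example,DC=com” is an assumption; the group name “Nidhin-Test-Group” is the one used in the thread. The four-argument constructor is used because a “This object only” ACE on all properties needs neither an object GUID nor an inherited-object GUID.

```powershell
# Added example, not from the thread: deny WriteProperty + WriteDacl on an OU,
# scope "This object only" (ActiveDirectorySecurityInheritance.None).
Import-Module ActiveDirectory

$ouDn      = "OU=Servers,DC=example,DC=com"   # assumption: replace with your OU
$groupName = "Nidhin-Test-Group"               # group name from the thread
$adPath    = "AD:\" + $ouDn

# Resolve the group to a SecurityIdentifier (the ADGroup .SID property already is one)
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID

# Combine the two rights as flags: "Write all properties" is WriteProperty,
# "Modify permissions" is WriteDacl (the right to change the object's DACL)
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

# Constructor overload: (identity, adRights, type, inheritanceType).
# No objectType GUID => all properties; no inheritedObjectType => not inherited
# by any child object, which is the "This object only" setting in the GUI.
$ruleArgs = @(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path $adPath

# Verify: list the Deny ACEs for the group on this OU. Expect one non-inherited
# entry with ActiveDirectoryRights "WriteProperty, WriteDacl" and InheritanceType None.
(Get-Acl -Path $adPath).Access |
    Where-Object {
        $_.IdentityReference.Value -like "*\$groupName" -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, IsInherited
```

      The verification step matters: because the ACE is explicit and has inheritance None, it will not appear on any child of the OU, so a quick Get-Acl on a child object should show nothing for this group. Also keep in mind that a Deny ACE does not restrict the object's owner or a principal that is otherwise exempt, so review the OU's owner and the group's other memberships when relying on this as a control.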
    • #30897
    • #30898

      Thanks a lot Curtis..!

      Is there any way I can mark this thread as closed?

    • #30899

      Yes, you should have a thread status box right above the reply box. You can set it to resolved.

  • The topic ‘OU permission delegation using powershell’ is closed to new replies.