OU permission delegation using powershell


This topic contains 6 replies, has 2 voices, and was last updated by a Participant 3 years, 6 months ago.

  • #30890

    Participant
    Points: 0
    Rank: Member

    We have a few AD admin accounts added to a group named "Nidhin-test-group", and I want to deny the group "Write all properties" & "Modify permissions" on an OU; this setting should apply to "This object only".

    Now, I found the blog below helpful, but I'm not getting the correct ActiveDirectoryAccessRule to apply.
    http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

    ---

    Using the code below I can deny the group write access to all properties of descendant user objects.
    But I want to deny the group "Write all properties" & "Modify permissions" on the OU itself, and this setting should apply to "This object only".

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain
    
    # Map schema class/attribute names to their schemaIDGUID (used as object types in ACEs)
    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
    
    # Map extended-right display names to their rightsGuid
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
    
    $ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
    # The AD: provider path needs the "AD:\" prefix on Get-ACL as well as Set-ACL
    $acl = Get-ACL -Path ("AD:\"+($ou.DistinguishedName))
    
    # Deny WriteProperty to the group, inherited by descendant user objects only
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","Descendents",$guidmap["user"]))
    
    Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
  • #30892

    Participant
    Points: 2
    Rank: Member

    You would need to modify your access rule. Instead of Descendants use None

    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx

    # Inheritance "None" is "This object only"; at that scope there is no
    # inherited-object-type GUID, so the user class GUID is dropped
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","None"))
    
  • #30895

    Participant
    Points: 0
    Rank: Member

    Thank you, Curtis Smith! Now I'm able to deny "Write all properties" on an OU. In order to deny "Modify permissions", what is the exact property name I need to mention in the code below? (need to replace xxxx)

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"XXXXXXXX","Deny","None",$guidmap["user"]))
  • #30896

    Participant
    Points: 2
    Rank: Member

    The ActiveDirectoryAccessRule Class
    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx

    The ActiveDirectoryRights Enumeration
    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx

    WriteDacl
    The right to modify the DACL in the object security descriptor.

  • #30897

    Participant
    Points: 2
    Rank: Member
  • #30898

    Participant
    Points: 0
    Rank: Member

    Thanks a lot, Curtis!

    Is there any way I can mark this thread as closed?

  • #30899

    Participant
    Points: 2
    Rank: Member

    Yes, you should have a thread status box right above the reply box. You can set it to resolved.

The topic ‘OU permission delegation using powershell’ is closed to new replies.
