dantpro

Active Directory Delegation via PowerShell

Jul 31st, 2014
# http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx

# First I will get myself set up with references to some objects I will need later:
Import-Module ActiveDirectory

# Bring up an Active Directory command prompt (the AD: PSDrive) so we can use this later on in the
# script; it lets Get-ACL/Set-ACL take a distinguished name as the path
cd ad:

# Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE

# Get a reference to the current domain
$domain = Get-ADDomain

# Now, I want to create two hash tables to store the GUID values, but reference them by their display
# names. I don't know about you, but I can never remember that 00299570-246d-11d0-a768-00aa006e0529 is
# the rightsGUID for allowing the forced changing of a user's password. I can, however, remember
# "Reset Password", which is the displayName for this right. If you care to see the hash tables in the
# raw (or just need to find the display name reference), simply type the variable names (e.g. $guidmap).

# Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | `
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

# Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | `
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

# Now that I have that in place, I can move forward with the actual delegation work. The below code
# allows the AD group named "Contoso Provisioning Admins" to create and delete user objects, modify
# their attributes, and reset their passwords. It also allows the AD group named "Contoso Service Desk"
# to reset user passwords in the top-level Contoso Users OU.

# The tricky part comes when we have to create the ActiveDirectoryAccessRule that goes into the
# AddAccessRule method. This object has six different constructors and each can be used for a
# different use case.

# Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity ("OU=Contoso Users,"+$domain.DistinguishedName)

# Get the SID values of each group we wish to delegate access to
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Provisioning Admins").SID
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Service Desk").SID

# Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ($ou.DistinguishedName)

# Create an Access Control Entry for each new permission we wish to add
# Allow the group to write all properties of descendant user objects
# (constructor: identity, rights, type, inheritance, inheritedObjectType)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow","Descendents",$guidmap["user"]))

# Allow the group to create and delete user objects in the OU and all sub-OUs that may get created
# (constructor: identity, rights, type, objectType, inheritance)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"))

# Allow the group to reset user passwords on all descendant user objects
# (constructor: identity, rights, type, objectType, inheritance, inheritedObjectType)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))

# Allow the Service Desk group to also reset passwords on all descendant user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $s,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))

# Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

# I will extend this example to another scenario: the ability to link Group Policy Objects. This bit
# of PowerShell grants the "Contoso Group Policy Admins" AD group the ability to modify the gplink and
# gpoptions attributes across the entire domain (thus allowing them to link pre-existing Group Policy
# Objects to OUs).

# Provision the Group Policy Admins role
$acl = Get-ACL -Path ($rootdse.defaultNamingContext)
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup ("Contoso Group Policy Admins")).SID

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow",$guidmap["gplink"],"All"))

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow",$guidmap["gpoptions"],"All"))

Set-ACL -ACLObject $acl -Path ("AD:\"+($rootdse.defaultNamingContext))
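Reading the delegation back is the other half of the job: an added PowerShell example (not part of the original paste or the blog post it copies) that reverses the two GUID maps above, lists the explicit ACEs on an OU with object-type GUIDs resolved to schema and extended-right names, and warns about any Reset Password grant held by a principal other than the two groups the paste intended. The function names and the $expected list are assumptions; it needs the ActiveDirectory module and read access to the schema and configuration naming contexts, and it changes nothing.

```powershell
Import-Module ActiveDirectory

function Get-ADGuidNameMap {
    # Reverse of the paste's $guidmap / $extendedrightsmap: GUID string -> display name.
    # The empty GUID in an ACE means "all object classes / all properties".
    $rootdse = Get-ADRootDSE
    $map = @{}
    $map[([guid]::Empty).ToString()] = '<all>'
    Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName,schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' -Properties displayName,rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Get-ADExplicitDelegation {
    # ACEs set directly on one object (inherited ones skipped), GUIDs resolved to names. Hypothetical name.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $names = Get-ADGuidNameMap
    $resolve = { param($g) if ($names.ContainsKey($g.ToString())) { $names[$g.ToString()] } else { $g.ToString() } }
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)   # provider-qualified path, no cd ad: needed
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = & $resolve $ace.ObjectType
            Inheritance         = $ace.InheritanceType
            InheritedObjectType = & $resolve $ace.InheritedObjectType
        }
    }
}

# Review what the paste delegated on the Contoso Users OU and flag any Reset Password grant held by a
# principal other than the two groups it intended (group and OU names are the paste's; assumed here).
$domain   = Get-ADDomain
$ouDn     = "OU=Contoso Users," + $domain.DistinguishedName
$expected = @("$($domain.NetBIOSName)\Contoso Provisioning Admins",
              "$($domain.NetBIOSName)\Contoso Service Desk")
$aces = Get-ADExplicitDelegation -DistinguishedName $ouDn
$aces | Format-Table Identity, Type, Rights, ObjectType, Inheritance, InheritedObjectType -AutoSize
$aces | Where-Object { $_.ObjectType -eq 'Reset Password' -and $_.Identity -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected Reset Password grant to $($_.Identity) on $ouDn" }
```

Point the same function at $rootdse.defaultNamingContext to see the gPLink/gPOptions WriteProperty ACEs the second half of the paste creates.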