# http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx
# First I will get myself set up with references to some objects I will need later:
Import-Module ActiveDirectory
# Switch to the Active Directory PSDrive so Get-ACL/Set-ACL can take distinguished names later in the script
cd ad:
# Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
# Get a reference to the current domain
$domain = Get-ADDomain
# Now, I want to create two hash tables to store the GUID values, but reference them by their display
# names. I don't know about you, but I can never remember that 00299570-246d-11d0-a768-00aa006e0529 is
# the rightsGUID for allowing the forced changing of a user's password. I can, however, remember
# "Reset Password", which is the displayName for this right. If you care to see the hash tables in the raw
# (or just need to find the display name reference), simply type the variable names (e.g. $guidmap).
# Create a hashtable to store the GUID value of each schema class and attribute (key: lDAPDisplayName)
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | `
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
# Create a hashtable to store the GUID value of each extended right in the forest (key: displayName)
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | `
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
# Now that I have that in place, I can move forward with the actual delegation work. The code below
# allows the AD group named "Contoso Provisioning Admins" to create and delete user objects, modify their
# attributes, and reset their passwords. It also allows the AD group named "Contoso Service Desk" to
# reset user passwords in the top-level Contoso Users OU.
# The tricky part comes when we have to create the ActiveDirectoryAccessRule that goes into the
# AddAccessRule method. This object has six different constructors and each can be used for a different
# use case. The overload used by each call below is noted in its comment.
# Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity ("OU=Contoso Users,"+$domain.DistinguishedName)
# Get the SID values of each group we wish to delegate access to
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Provisioning Admins").SID
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Service Desk").SID
# Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ($ou.DistinguishedName)
# Create an Access Control Entry for each new permission we wish to add
# Allow the group to write all properties of descendent user objects
# (constructor: identity, rights, type, inheritanceType, inheritedObjectType)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow","Descendents",$guidmap["user"]))
# Allow the group to create and delete user objects in the OU and all sub-OUs that may get created
# (constructor: identity, rights, type, objectType, inheritanceType)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"))
# Allow the group to reset user passwords on all descendent user objects
# (constructor: identity, rights, type, objectType, inheritanceType, inheritedObjectType)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
# Allow the Service Desk group to also reset passwords on all descendent user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $s,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
# Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
# I will extend this example to another scenario: the ability to link Group Policy Objects. This bit
# of PowerShell grants the "Contoso Group Policy Admins" AD group the ability to modify the gplink and
# gpoptions attributes across the entire domain (thus allowing them to link pre-existing Group Policy
# Objects to OUs).
# Provision the Group Policy Admins role (DACL of the domain naming context itself)
$acl = Get-ACL -Path ($rootdse.defaultNamingContext)
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup ("Contoso Group Policy Admins")).SID
# (constructor: identity, rights, type, objectType, inheritanceType) - applies to this object and all descendants
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow",$guidmap["gplink"],"All"))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Allow",$guidmap["gpoptions"],"All"))
Set-ACL -ACLObject $acl -Path ("AD:\"+($rootdse.defaultNamingContext))
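Added verification step, not part of the original blog script: it reads the DACL back from the delegated OU and lists the explicit ACEs granted to the two groups, translating the ObjectType and InheritedObjectType GUIDs into names via reverse maps built from $guidmap and $extendedrightsmap, so a reviewer can confirm that only the intended rights on user objects were granted. It assumes the script above has already run in the same session (so $ou, $guidmap, $extendedrightsmap and the AD: drive exist); the function name Resolve-AceGuid and the variable names are my own.

```powershell
# Reverse lookups: GUID string -> schema name or extended-right display name
$guidToName = @{}
foreach ($k in $guidmap.Keys)           { $guidToName[$guidmap[$k].ToString()] = $k }
foreach ($k in $extendedrightsmap.Keys) { $guidToName[$extendedrightsmap[$k].ToString()] = "ExtRight: $k" }

# Helper (hypothetical name): render an ACE GUID as a readable label.
# An empty GUID in ObjectType/InheritedObjectType means "all attributes / all object classes",
# which is the case to look at closely when checking for over-delegation.
function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return "(all)" }
    $key = $g.ToString()
    if ($guidToName.ContainsKey($key)) { return $guidToName[$key] }
    return $key   # unknown GUID: show the raw value rather than guess
}

# Groups whose delegation we want to review, resolved to SID strings for a robust match
$groups = "Contoso Provisioning Admins", "Contoso Service Desk"
$sids   = $groups | ForEach-Object { (Get-ADGroup $_).SID.Value }

$ouAcl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
$ouAcl.Access |
    Where-Object { -not $_.IsInherited } |                   # only ACEs set directly on this OU
    Where-Object {
        $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $sids -contains $aceSid
    } |
    Select-Object @{n='Principal';           e={$_.IdentityReference}},
                  ActiveDirectoryRights,
                  AccessControlType,
                  @{n='ObjectType';          e={Resolve-AceGuid $_.ObjectType}},
                  InheritanceType,
                  @{n='InheritedObjectType'; e={Resolve-AceGuid $_.InheritedObjectType}} |
    Format-Table -AutoSize
```

For the delegation above, the expected rows are WriteProperty, CreateChild/DeleteChild and ExtendedRight "Reset Password" scoped to user objects; any row showing "(all)" in both GUID columns or GenericAll in ActiveDirectoryRights would indicate broader access than the script intended.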