daily pastebin goal
75%
SHARE
TWEET

Active Directory Delegation via PowerShell

dantpro Jul 31st, 2014 329 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx
  2.  
  3. # First I will get myself setup with references to some objects I will need later:
  4. Import-Module ActiveDirectory
  5.  
  6. #Bring up an Active Directory command prompt so we can use this later on in the script
  7. cd ad:
  8.  
  9. #Get a reference to the RootDSE of the current domain
  10. $rootdse = Get-ADRootDSE
  11.  
  12. #Get a reference to the current domain
  13. $domain = Get-ADDomain
  14.  
  15. # Now, I want to create two hash tables to store the GUID values, but reference them by their display
  16. # names. I dont know about you, but I can never remember that 00299570-246d-11d0-a768-00aa006e0529 is
  17. # the rightsGUID for allowing the forced changing of a userís password. I can, however, remember "Reset # Password" which is the displayName for this right. If you care to see the hash tables in the raw (or # just need to find the display name reference"), simply type the variable names (e.g. $guidmap).
  18.  
  19. #Create a hashtable to store the GUID value of each schema class and attribute
  20. $guidmap = @{}
  21.  
  22. Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
  23. "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | `
  24. % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
  25.  
  26. #Create a hashtable to store the GUID value of each extended right in the forest
  27. $extendedrightsmap = @{}
  28. Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
  29. "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | `
  30. % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
  31.  
  32.  
  33. # Now that I have that in place, I can move forward with the actual delegation work. The below code # allows the AD group named "Contoso Provisioning Admins" to create and delete user objects, modify their # attributes, and reset their passwords. It also allows the AD group named "Contoso Service Desk" to
  34. # reset user passwords in the top-level Contoso Users OU.
  35.  
  36. # The tricky part comes when we have to create the ActiveDirectoryAccessRule that goes into the # AddAccessRule method. This object has six different constructors and each can be used for a different # use case.
  37.  
  38. #Get a reference to the OU we want to delegate
  39. $ou = Get-ADOrganizationalUnit -Identity ("OU=Contoso Users,"+$domain.DistinguishedName)
  40.  
  41. #Get the SID values of each group we wish to delegate access to
  42. $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Provisioning Admins").SID
  43. $s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Contoso Service Desk").SID
  44.  
  45. #Get a copy of the current DACL on the OU
  46. $acl = Get-ACL -Path ($ou.DistinguishedName)
  47.  
  48. #Create an Access Control Entry for new permission we wish to add
  49. #Allow the group to write all properties of descendent user objects
  50. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  51. $p,"WriteProperty","Allow","Descendents",$guidmap["user"]))
  52.  
  53. #Allow the group to create and delete user objects in the OU and all sub-OUs that may get created
  54. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  55. $p,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"))
  56.  
  57. #Allow the group to reset user passwords on all descendent user objects
  58. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  59. $p,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
  60.  
  61. #Allow the Service Desk group to also reset passwords on all descendent user objects
  62. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  63. $s,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))
  64.  
  65. #Re-apply the modified DACL to the OU
  66. Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
  67.  
  68. # I will extend this example to another scenario;  the ability to link Group Policies Objects. This bit # of PowerShell grants the "Contoso Group Policy Admins" AD group the ability to modify the gplink and
  69. # gpoptions attributes across the entire domain (thus allowing them to link pre-existing Group Policy # Objects to OUs.
  70.  
  71. #Provision the Group Policy Admins role
  72. $acl = Get-ACL -Path ($rootdse.defaultNamingContext)
  73. $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup ("Contoso Group Policy Admins")).SID
  74.  
  75. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  76. $p,"WriteProperty","Allow",$guidmap["gplink"],"All"))
  77.  
  78. $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
  79. $p,"WriteProperty","Allow",$guidmap["gpoptions"],"All"))
  80.  
  81. Set-ACL -ACLObject $acl -Path ("AD:\"+($rootdse.defaultNamingContext))
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top