dantpro

Create new bulk AD delegations with Powershell

Jul 31st, 2014
  1. # Here is a Powershell script I wrote to delegate permissions to a service account
  2. # to manage user objects within a number of OUs.  The script takes as input a file
  3. # containing the distinguished names (DNs) of the OUs.  The approach should be
  4. # reasonably obvious from the comments in the script.  The only complexity comes
  5. # from having to get the correct System.DirectoryServices syntax for the Access
  6. # Control Entries (ACEs).
  7.  
  8. #########################################################
  9. #
  10. # Name: Add-UserOUACEs.ps1
  11. # Author: Tony Murray
  12. # Version: 1.0
  13. # Date: 16/04/2012
  14. # Comment: PowerShell script to add Access Control
  15. # entries to a target object
  16. #
  17. #########################################################
  18.  
  19. Write-Verbose "Script starting..."
  20.  
  21. # Import the AD module
  22. ipmo ActiveDirectory
  23.  
  24. # Set the verbosity preference
  25. $VerbosePreference = "Continue" # Default is "SilentlyContinue", i.e. no verbosity
  26.  
  27. ### Set Global Variables
  28.  
  29. # Specify the import file to use
  30. $impfile = "c:\User_OUs.txt"
  31.  
  32. # Specify the security principal to which perms will be granted
  33. $svc = Get-ADUser MyServiceAccount
  34.  
  35. # Get the SID of the security principal
  36. $sid = new-object System.Security.Principal.SecurityIdentifier $svc.SID
  37.  
  38. ###  
  39.  
  40. # Change to the AD drive
  41. CD AD:
  42.  
  43. $ous = Import-Csv $impfile
  44. foreach ($dn in $ous) {
  45.     $ou = $dn.distinguishedname
  46.  
  47.     ## Get the DACL of the OU
  48.  
  49.     $acl = get-acl $ou
  50.  
  51.     ## Note that  bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid for the user object class.
  52.  
  53.     $guid = new-object Guid  bf967aba-0de6-11d0-a285-00aa003049e2                          
  54.  
  55.     # ACE for creating and deleting child User objects
  56.     $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid
  57.     # ACE for full control over descendent User objects
  58.     $ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll","Allow","Descendents ",$guid
  59.  
  60.     ## Add the ACE in the ACL and set the ACL on the object
  61.     $acl.AddAccessRule($ace1)
  62.     $acl.AddAccessRule($ace2)
  63.  
  64.     Write-Verbose "Adding ACEs to ACL on $ou"
  65.  
  66.     set-acl -aclobject $acl $ou
  67.  
  68.     # Clean up variables used in ForEach loop
  69.     Clear-Variable -ErrorAction SilentlyContinue -Name dn
  70.     Clear-Variable -ErrorAction SilentlyContinue -Name ou
  71.     Clear-Variable -ErrorAction SilentlyContinue -Name acl
  72.     Clear-Variable -ErrorAction SilentlyContinue -Name guid
  73.     Clear-Variable -ErrorAction SilentlyContinue -Name ace1
  74.     Clear-Variable -ErrorAction SilentlyContinue -Name ace2
  75.  
  76. } # End foreach loop
  77.  
  78. # Clean up Global Variables
  79. Write-Verbose "Cleaning global variables..."
  80. Clear-Variable -ErrorAction SilentlyContinue -Name impfile
  81. Clear-Variable -ErrorAction SilentlyContinue -Name sid
  82. Clear-Variable -ErrorAction SilentlyContinue -Name svc
  83. Clear-Variable -ErrorAction SilentlyContinue -Name ous
  84.  
  85. # End
  86. Write-Verbose "Script finished"
  87. $VerbosePreference = "SilentlyContinue"