Advertisement
dantpro

Create new bulk AD delegations with Powershell

Jul 31st, 2014
301
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Here is a Powershell script I wrote to delegate permissions to a service account
  2. # to manage user objects within a number of OUs.  The script takes as input a file
  3. # containing the distinguished names (DNs) of the OUs.  The approach should be
  4. # reasonably obvious from the comments in the script.  The only complexity comes
  5. # from having to get the correct System.DirectoryServices syntax for the Access
  6. # Control Entries (ACEs).
  7.  
  8. #########################################################
  9. #
  10. # Name: Add-UserOUACEs.ps1
  11. # Author: Tony Murray
  12. # Version: 1.0
  13. # Date: 16/04/2012
  14. # Comment: PowerShell script to add Access Control
  15. # entries to a target object
  16. #
  17. #########################################################
  18.  
  19. Write-Verbose "Script starting..."
  20.  
  21. # Import the AD module
  22. ipmo ActiveDirectory
  23.  
  24. # Set the verbosity preference
  25. $VerbosePreference = "Continue" # Default is "SilentlyContinue", i.e. no verbosity
  26.  
  27. ### Set Global Variables
  28.  
  29. # Specify the import file to use
  30. $impfile = "c:\User_OUs.txt"
  31.  
  32. # Specify the security principal to which perms will be granted
  33. $svc = Get-ADUser MyServiceAccount
  34.  
  35. # Get the SID of the security principal
  36. $sid = new-object System.Security.Principal.SecurityIdentifier $svc.SID
  37.  
  38. ###  
  39.  
  40. # Change to the AD drive
  41. CD AD:
  42.  
  43. $ous = Import-Csv $impfile
  44. foreach ($dn in $ous) {
  45.     $ou = $dn.distinguishedname
  46.  
  47.     ## Get the DACL of the OU
  48.  
  49.     $acl = get-acl $ou
  50.  
  51.     ## Note that  bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid for the user object class.
  52.  
  53.     $guid = new-object Guid  bf967aba-0de6-11d0-a285-00aa003049e2                          
  54.  
  55.     # ACE for creating and deleting child User objects
  56.     $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid
  57.     # ACE for full control over descendent User objects
  58.     $ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll","Allow","Descendents ",$guid
  59.  
  60.     ## Add the ACE in the ACL and set the ACL on the object
  61.     $acl.AddAccessRule($ace1)
  62.     $acl.AddAccessRule($ace2)
  63.  
  64.     Write-Verbose "Adding ACEs to ACL on $ou"
  65.  
  66.     set-acl -aclobject $acl $ou
  67.  
  68.     # Clean up variables used in ForEach loop
  69.     Clear-Variable -ErrorAction SilentlyContinue -Name dn
  70.     Clear-Variable -ErrorAction SilentlyContinue -Name ou
  71.     Clear-Variable -ErrorAction SilentlyContinue -Name acl
  72.     Clear-Variable -ErrorAction SilentlyContinue -Name guid
  73.     Clear-Variable -ErrorAction SilentlyContinue -Name ace1
  74.     Clear-Variable -ErrorAction SilentlyContinue -Name ace2
  75.  
  76. } # End foreach loop
  77.  
  78. # Clean up Global Variables
  79. Write-Verbose "Cleaning global variables..."
  80. Clear-Variable -ErrorAction SilentlyContinue -Name impfile
  81. Clear-Variable -ErrorAction SilentlyContinue -Name sid
  82. Clear-Variable -ErrorAction SilentlyContinue -Name svc
  83. Clear-Variable -ErrorAction SilentlyContinue -Name ous
  84.  
  85. # End
  86. Write-Verbose "Script finished"
  87. $VerbosePreference = "SilentlyContinue"
Advertisement
RAW Paste Data Copied
Advertisement