daily pastebin goal
25%
SHARE
TWEET

Untitled

a guest Sep 14th, 2018 54 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # When delegating DHCP administration to an non Domain Administrator, you can use the build in Active Directory group DHCP Administrators to accomplish this task,
  2. # but authorization of the DHCP server require additional permissons in Active Directory:
  3.  
  4. # The delegation of authorization and unauthorization of DHCP servers is two-fold.
  5. # 1. Granting permission to create/delete dHCPClass objects.
  6. # 2. Granting permission to change all properties of the existing dHCPClass objects.
  7.  
  8. # When this is done its is really possible to delegate DHCP administration.
  9.  
  10. #Change the groupname for your environment.
  11. $Group = "DHCP Authorization"
  12.  
  13. # From here you don't have to change the script.
  14. $ADRootDSE = Get-ADRootDSE
  15. $ConfigNC = $ADRootDSE.configurationNamingContext
  16. $NetServicesPath = "AD:\CN=NetServices,CN=Services,$ConfigNC"
  17. $SchemaNamingContext = $ADRootDSE.SchemaNamingContext
  18. $guidmap = @{}
  19. Get-ADObject -SearchBase ($SchemaNamingContext) -LDAPFilter "(lDAPDisplayName=dHCPclass)" -Properties lDAPDisplayName,schemaIDGUID |
  20. Where-Object {$_.lDAPDisplayName -eq "dHCPclass"} |
  21. ForEach-Object {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
  22.  
  23. $acl = Get-ACL $NetServicesPath
  24. $InheritedObjectType = $guidmap['dHCPclass']
  25.  
  26. $account = New-Object System.Security.Principal.NTAccount($Group)
  27. $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
  28.  
  29. # From here the new Access Rules will be created.
  30.  
  31. # Allow permission to create/delete dHCPClass objects in the Container NetServices.
  32. $ActiveDirectoryRights = @("CreateChild", "DeleteChild")
  33. $AccessControlType = "Allow"
  34. $Inherit = "None"
  35. Try{
  36.     $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $ActiveDirectoryRights, $AccessControlType, $InheritedObjectType, $Inherit) -Verbose -ErrorAction Stop
  37.     $acl.AddAccessRule($ace)
  38. }
  39. Catch{Write-Error "There was an error while adding the acces rule for $Group. Error: $($Error[0].Exception.Message)"; return}
  40.  
  41. # Allow permission to modify all properties of the existing dHCPClass objects.
  42. $ActiveDirectoryRights = @("WriteProperty", "ReadProperty", "ListChildren", "Delete")
  43. $AccessControlType = "Allow"
  44. $Inherit = "Children"
  45.  
  46. Try{
  47.     $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $ActiveDirectoryRights, $AccessControlType, $Inherit, $InheritedObjectType) -Verbose -ErrorAction Stop
  48.     $acl.AddAccessRule($ace)
  49. }
  50. Catch{Write-Error "There was an error while adding the acces rule for $Group. Error: $($Error[0].Exception.Message)"; return}
  51.  
  52. # The accumulated access rules are set to NetServices AD container.
  53. Try{
  54.     Set-ACL $NetServicesPath  -AclObject $acl -Verbose -ErrorAction Stop
  55.    }
  56. Catch{Write-Error "There was an error while setting the new acces rules for $Group. Error: $($Error[0].Exception.Message)"}
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top