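#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Delegates DHCP server authorization/unauthorization to a non-Domain-Admin group.

.DESCRIPTION
    Membership in the built-in "DHCP Administrators" group covers day-to-day DHCP
    administration, but authorizing or unauthorizing a DHCP server writes to
    Active Directory: it creates/deletes/updates dHCPClass objects under
    CN=NetServices,CN=Services in the Configuration partition. That requires two
    extra ACEs on the NetServices container, which this script adds for $Group:

      1. CreateChild / DeleteChild on the container itself, limited to the
         dHCPClass object type (create and delete authorization objects).
      2. ReadProperty / WriteProperty / ListChildren / Delete on existing
         dHCPClass child objects only (update existing authorization objects).

    Both ACEs are scoped by the schemaIDGUID of dHCPclass. An ACE whose
    object-type GUID is empty is not "unscoped" but "all object types", so the
    script refuses to write anything if the schema lookup does not return it.

    Authorizing a DHCP server is a privileged action (an authorized rogue DHCP
    server can hand out attacker-chosen gateway/DNS settings), so keep the
    membership of $Group as small as the membership of DHCP Administrators.

    Run as an account that can modify the ACL of the NetServices container
    (it lives in the Configuration NC, so typically Enterprise Admins).
#>

# --- Configuration ---------------------------------------------------------
# Change the group name for your environment. A bare name is resolved in the
# domain context of the machine running the script; use "DOMAIN\Name" if the
# name is ambiguous across domains.
$Group = "DHCP Authorization"

# --- No changes required below this line -----------------------------------
$ADRootDSE           = Get-ADRootDSE
$ConfigNC            = $ADRootDSE.configurationNamingContext
$SchemaNamingContext = $ADRootDSE.SchemaNamingContext
# Container that holds the dHCPClass objects created by DHCP authorization.
$NetServicesPath     = "AD:\CN=NetServices,CN=Services,$ConfigNC"

# Look up the schemaIDGUID of dHCPclass; it scopes both ACEs below.
# schemaIDGUID is returned as a byte[], hence the [Guid] cast.
$guidmap = @{}
Get-ADObject -SearchBase $SchemaNamingContext -LDAPFilter "(lDAPDisplayName=dHCPclass)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

$InheritedObjectType = $guidmap['dHCPclass']
# Fail closed: a $null or empty GUID passed to the ActiveDirectoryAccessRule
# constructor means "applies to every object class", which would turn these
# ACEs into broad create/delete/write rights on the whole NetServices container.
if (-not $InheritedObjectType -or $InheritedObjectType -eq [System.Guid]::Empty) {
    Write-Error "Could not resolve the schemaIDGUID of dHCPclass from $SchemaNamingContext. Aborting so that no over-broad ACE is written."
    return
}

# Resolve the group to a SID; abort if it does not exist rather than building
# ACEs for a $null identity.
Try {
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
}
Catch {
    Write-Error "Could not resolve group '$Group' to a SID. Error: $($_.Exception.Message)"
    return
}

# Current ACL of the container; the new rules are appended to it, nothing is removed.
Try {
    $acl = Get-ACL -Path $NetServicesPath -ErrorAction Stop
}
Catch {
    Write-Error "Could not read the ACL of $NetServicesPath. Error: $($_.Exception.Message)"
    return
}

# ACE 1: create/delete dHCPClass objects directly in the NetServices container.
# Constructor overload: (identity, rights, type, objectType, inheritance).
# objectType = dHCPclass restricts the child classes that may be created/deleted;
# inheritance None keeps the ACE on the container only.
Try {
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ErrorAction Stop -ArgumentList @(
        $sid
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
        [System.Security.AccessControl.AccessControlType]::Allow
        $InheritedObjectType
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($ace)
}
Catch { Write-Error "There was an error while adding the acces rule for $Group. Error: $($_.Exception.Message)"; return }

# ACE 2: read/write all properties of, and delete, existing dHCPClass objects.
# Constructor overload: (identity, rights, type, inheritance, inheritedObjectType).
# inheritance Children applies the ACE to direct children only (not the container
# itself), and inheritedObjectType = dHCPclass limits it to that class.
Try {
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ErrorAction Stop -ArgumentList @(
        $sid
        [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, ReadProperty, ListChildren, Delete"
        [System.Security.AccessControl.AccessControlType]::Allow
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children
        $InheritedObjectType
    )
    $acl.AddAccessRule($ace)
}
Catch { Write-Error "There was an error while adding the acces rule for $Group. Error: $($_.Exception.Message)"; return }

# Write the accumulated ACL back to the NetServices container. Verify afterwards with:
#   (Get-ACL $NetServicesPath).Access | Where-Object { $_.IdentityReference -like "*$Group" }
Try {
    Set-ACL -Path $NetServicesPath -AclObject $acl -ErrorAction Stop
}
Catch { Write-Error "There was an error while setting the new acces rules for $Group. Error: $($_.Exception.Message)" }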