Delegate permissions to Active Directory objects

Any suggestion on providing specific permissions?

Hi Jason,

Any suggestions on allowing specific permissions like: Create User Objects/Delete User Objects etc… to a group?

Play around with this. Look what you can find from $guidmap

[pre]

cd ad:

$guidmap = @{}
$extendedrightsmap = @{}
$rootdse = Get-ADRootDSE
# Map schema class/attribute names to their schemaIDGUID
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | foreach {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
# Map extended right (controlAccessRight) display names to their rightsGuid
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | foreach {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

$servicegroup = 'AG-AD-Admin-SD'

$identity = New-Object System.Security.Principal.SecurityIdentifier (get-adgroup $servicegroup).SID
# Allow the group to create and delete user objects in the OU and everything below it
$ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"
# Allow the group to write all properties, but only on descendant user objects
$ace2user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,"WriteProperty","Allow","Descendents",$guidmap["user"]
$AccountOUs = Get-ADOrganizationalUnit -SearchBase "OU=Accounts,DC=DaCrap,DC=com" -Filter * -SearchScope OneLevel | select -ExpandProperty DistinguishedName

foreach ($AccountOU in $AccountOUs) {
$acl = Get-Acl $AccountOU
$acl.AddAccessRule($ace1user)
$acl.AddAccessRule($ace2user)
set-acl -aclobject $acl -Path $AccountOU -Verbose
}

[/pre]
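Once the ACEs above are applied, it is worth reading them back and reviewing exactly what the group was granted. The following is an added example (not Aapeli's or Jason's code) that lists every ACE naming the delegated group on each account OU and translates the ObjectType/InheritedObjectType GUIDs back into schema or extended-right names; the OU path and group name are placeholders.

```powershell
# Added example: audit what a group has been delegated on the account OUs.
# Assumes the ActiveDirectory module and the AD: drive are available.
Import-Module ActiveDirectory
cd ad:

$rootdse = Get-ADRootDSE
$guidNames = @{}   # GUID string -> schema class/attribute or extended-right name
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    # An empty GUID in an ACE means "all object types / all properties"
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($guidNames.ContainsKey($g.ToString())) { return $guidNames[$g.ToString()] }
    return $g.ToString()
}

function Get-GroupDelegation {
    param([string]$SearchBase, [string]$GroupName)
    $sid = (Get-ADGroup $GroupName).SID
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * -SearchScope OneLevel |
      ForEach-Object {
        $ou  = $_.DistinguishedName
        $acl = Get-Acl $ou
        # Ask for rules keyed by SID so no name translation is needed
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
          Where-Object { $_.IdentityReference -eq $sid } |
          ForEach-Object {
            [pscustomobject]@{
                OU          = $ou
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = Resolve-AceGuid $_.ObjectType
                AppliesTo   = Resolve-AceGuid $_.InheritedObjectType
                Inheritance = $_.InheritanceType
                Inherited   = $_.IsInherited
            }
          }
      }
}

# Placeholder OU and group; replace with your own
Get-GroupDelegation -SearchBase 'OU=Accounts,DC=example,DC=com' -GroupName 'AG-AD-Admin-SD' | Format-Table -AutoSize
```

Run this after Set-Acl to confirm that only the intended object class (user) and rights appear, and again periodically to catch ACEs that were added outside the script.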

TechSavy,

Sorry for the delay on my end. Completely swamped at work. Aapeli is correct in exploring what you are trying to do. I would also recommend researching ActiveDirectory Control Access Rights and Extended Rights to understand the scope of what is available. From what you are asking it almost sounds like you are attempting to set up a custom RBAC group for administrative purposes.


Thanks Jason and Aapeli, I will explore more on the above.