Delegate permissions to Active Directory objects

Any suggestion on providing specific permissions?

Hi Jason,

Any suggestions on allowing specific permissions like : Create User Objects/Delete User Objects etc… to a group?

Play around with this. Look what you can find from $guidmap


cd ad:

$guidmap = @{}
$extendedrightsmap = @{}
$rootdse = Get-ADRootDSE
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter “(schemaidguid=)" -Properties lDAPDisplayName,schemaIDGUID | foreach {$guidmap[$.lDAPDisplayName]=[System.GUID]$.schemaIDGUID}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=
))” -Properties displayName,rightsGuid | foreach {$extendedrightsmap[$.displayName]=[System.GUID]$.rightsGuid}

$servicegroup = ‘AG-AD-Admin-SD’

$identity = New-Object System.Security.Principal.SecurityIdentifier (get-adgroup $servicegroup).SID
$ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,“CreateChild,DeleteChild”,“Allow”,$guidmap[“user”],“All”
$ace2user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,“WriteProperty”,“Allow”,“Descendents”,$guidmap[“user”]
$AccountOUs = Get-ADOrganizationalUnit -SearchBase “OU=Accounts,DC=DaCrap,DC=com” -Filter * -SearchScope OneLevel | select -ExpandProperty DistinguishedName

foreach ($AccountOU in $AccountOUs) {
$acl = Get-Acl $AccountOU
set-acl -aclobject $acl -Path $AccountOU -Verbose



Sorry for the delay on my end. Completely swamped at work. Aapeli is correct in exploring what you are trying to do. I would also recommend researching ActiveDirectory Control Access Rights and Extended Rights to understand the scope of what is available. From what you are asking it almost sounds like you are attempting to setup a custom RBAC group for administrative purposes.



Thanks Jason and Aapeli, I will explore more on the above.