We have a few AD admin accounts added to a group named “Nidhin-test-group”, and I want to deny the group “Write all properties” & “Modify permissions” on an OU; this setting should apply to “This object only”.
Now, I found the blog below helpful, but I’m not getting the correct ActiveDirectoryAccessRule to apply.
http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2
Using the code below I can deny the group write all properties of descendant user objects.
But I want to deny the group “Write all properties” & “Modify permissions” on an OU, and this setting should apply to “This object only”.
Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain

# Map schema class and attribute names to their schemaIDGUID values
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

# Map extended-right display names to their rightsGuid values
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

$ou = Get-ADOrganizationalUnit -Identity "OU=Users,DC=TEST"
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID

# Read the OU's ACL through the AD: drive (the same path form Set-ACL uses below)
$acl = Get-ACL -Path ("AD:\" + $ou.DistinguishedName)

# Deny WriteProperty on descendant objects of class "user" (inheritedObjectType = user class GUID)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","Descendents",$guidmap["user"]))
Set-ACL -ACLObject $acl -Path ("AD:\" + $ou.DistinguishedName)
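One way to build the rule the question describes, added here as an example and not part of the original post: in the ACL editor, “Write all properties” is WriteProperty with no property GUID, “Modify permissions” is WriteDacl, and “This object only” is inheritance type None. It assumes the same OU DN and group name as the question; the final pipeline reads the ACL back so the rights and inheritance can be checked.

```powershell
Import-Module ActiveDirectory

# Assumed values taken from the question
$ouDn  = "OU=Users,DC=TEST"
$adPath = "AD:\" + $ouDn
$groupSid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID

# "Write all properties" -> WriteProperty (no object GUID means every property)
# "Modify permissions"   -> WriteDacl
$rights = [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, WriteDacl"
$type   = [System.Security.AccessControl.AccessControlType]::Deny
# "This object only" -> the ACE is not inherited by child objects
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Four-argument constructor: identity, rights, allow/deny, inheritance
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSid, $rights, $type, $inherit)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path $adPath

# Verify: show the Deny ACEs that apply to this group on the OU itself.
# IdentityReference comes back as DOMAIN\name, so translate it to a SID before comparing.
(Get-Acl -Path $adPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType
```

Deny ACEs are evaluated before Allow ACEs, so this blocks the group on the OU object even where another ACE grants the same rights; the verification output should list WriteProperty, WriteDacl with an InheritanceType of None.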