OU permission delegation using powershell

nidhinck · October 15, 2015, 9:24am

We have few AD admin accounts added in to a group named “Nidhin-test-group” and I want to Deny the group write all properties & Modify permissions on an OU, this settings should apply to “This object only”

Now i found below blog helpfull. but i’m not getting correct ActiveDirectoryAccessRule to apply.
http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

Using below code i can apply Deny the group to write all properties of descendent user objects.
But i want to Deny the group “write all properties” & “Modify permission” on an OU and this settings should apply to “This object only”

Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain

$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

$ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
$acl = Get-ACL -Path ($ou.DistinguishedName)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"WriteProperty","Deny","Descendents",$guidmap["user"]))

Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

curtis-smith · October 15, 2015, 11:18am

You would need to modify your access rule. Instead of Descendants use None

https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"WriteProperty","Deny","Descendents",$guidmap["user"]))

nidhinck · October 15, 2015, 12:18pm

Thank you Curtis Smith…! Now im able to deny the “Write all properties” on an OU. In order to deny “Modify Permissions” what is the exact property name i need to mention in below code? (need to replace xxxx)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"XXXXXXXX","Deny","None",$guidmap["user"]))

curtis-smith · October 15, 2015, 12:57pm

The ActiveDirectoryAccessRule Class
https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx

The ActiveDirectoryRights Enumeration
https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx

WriteDacl
The right to modify the DACL in the object security descriptor.

curtis-smith · October 15, 2015, 1:08pm

Cross linking post in technet wiki
https://social.technet.microsoft.com/Forums/windowsserver/en-US/04bb799b-5669-4e7b-aa1f-dcb49e9ab028/powershell-ou-permission-delegation-using-powershell?forum=winserverpowershell

nidhinck · October 15, 2015, 1:13pm

Thanks a lot Curtis…!

Is there anyway i can mark this thread as closed ?

curtis-smith · October 15, 2015, 1:19pm

Yes, you should have a thread status box right above the reply box. You can set it to resolved.

Topic		Replies	Views
Delegate permissions to Active Directory objects PowerShell Help	25	918	May 16, 2024
Powershell to remove/delete a permission on an AD OU PowerShell Help	4	1465	May 16, 2024
AD Delegation specific rights PowerShell Help	2	233	May 16, 2024
Set ACL security group PowerShell Help	2	134	May 16, 2024
View permissions for schema objects at the OU level PowerShell Help	5	431	May 16, 2024

OU permission delegation using powershell

Related topics