OU permission delegation using powershell

We have few AD admin accounts added in to a group named “Nidhin-test-group” and I want to Deny the group write all properties & Modify permissions on an OU, this settings should apply to “This object only”

Now i found below blog helpfull. but i’m not getting correct ActiveDirectoryAccessRule to apply.

Using below code i can apply Deny the group to write all properties of descendent user objects.
But i want to Deny the group “write all properties” & “Modify permission” on an OU and this settings should apply to “This object only”

Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain

$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

$ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
$acl = Get-ACL -Path ($ou.DistinguishedName)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `

Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

You would need to modify your access rule. Instead of Descendants use None


$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `

Thank you Curtis Smith…! Now im able to deny the “Write all properties” on an OU. In order to deny “Modify Permissions” what is the exact property name i need to mention in below code? (need to replace xxxx)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `

The ActiveDirectoryAccessRule Class

The ActiveDirectoryRights Enumeration

The right to modify the DACL in the object security descriptor.

Cross linking post in technet wiki

Thanks a lot Curtis…!

Is there anyway i can mark this thread as closed ?

Yes, you should have a thread status box right above the reply box. You can set it to resolved.