Security group to computer object?

Good day,
I was attempting to take a domain local group, add it to the security of a computer object, and give it read access. This will be for every computer object in an OU.

For instance
Object class = Organizational unit
Canonical name of object

Inside this OU there are approximately 700-plus computer objects.
The group needs read access security on every object.

For a first draft, I was thinking:

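Import-Module ActiveDirectory   # provides the AD: drive and Get-ADOrganizationalUnit
Set-Location AD:
$ou = Get-ADOrganizationalUnit -Filter { Name -like "device" }
Set-Location "AD:\$($ou.DistinguishedName)"   # move into the OU on the AD: drive
$acl = Get-ChildItem | ForEach-Object { Get-Acl -Path "AD:\$($_.DistinguishedName)" }   # one security descriptor per child object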

Then I got stuck about there and my brain fried.

Any help or suggestions would be greatly appreciated.

Thank you

Is there a particular reason you want to set the permissions directly on each computer object, instead of setting it at the OU level and letting the permissions inherit to the computers? It’s a better practice to set permissions on containers, in general (and in this case, it might even be faster to just do it with the AD Users and Computers GUI rather than writing a script.)

We had thought of that also; however, two things were against it: this group may or may not be added to future objects placed into this container, and we will most likely do some restructuring.
Also, there are other groups that may be applied to specific groups of objects within this OU, which I could modify the script to work with.

Thank you

It’s still a bad idea, but if that’s the design you want to run with, it can be done. (Personally, I would add a new child OU to hold just the subset of computers that require this delegation, and set the permissions there.)

Here are a couple of examples of using PowerShell to get at the security descriptors of AD objects:

They’re not exactly what you asked for, but it’s a start. The code to modify the ACLs themselves is fairly generic, but you’ll be working with ActiveDirectorySecurity, ActiveDirectoryAccessRule and ActiveDirectoryRights types, instead of the FileSystem versions of those classes that you’d see in most example code.
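As an added illustration (not part of the original thread and not code from either poster), this is one way the generic ACL pattern looks with the ActiveDirectorySecurity, ActiveDirectoryAccessRule and ActiveDirectoryRights types when granting a group read access on each computer object directly under an OU. The OU distinguished name and the group name are placeholder assumptions.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumed placeholder values; replace with your own OU and group.
$ouDn      = 'OU=device,DC=example,DC=com'
$groupName = 'Example-Readers'

# Access rules are keyed on an IdentityReference, so resolve the group to its SID.
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID

# Allow GenericRead on the computer object itself only (not inherited by children).
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# OneLevel = computers directly in the OU; use Subtree to include child OUs.
Get-ADComputer -SearchBase $ouDn -SearchScope OneLevel -Filter * | ForEach-Object {
    $path = "AD:\$($_.DistinguishedName)"
    $acl  = Get-Acl -Path $path   # returns an ActiveDirectorySecurity object

    # Look only at explicit (non-inherited) ACEs so reruns do not add duplicates.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $rule.ActiveDirectoryRights) -eq $rule.ActiveDirectoryRights
        }
    if ($existing) { return }   # inside ForEach-Object this skips to the next computer

    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl -WhatIf   # remove -WhatIf to actually write the ACL
}
```

With -WhatIf left in place the loop only reports which objects would be changed, which makes it easy to review the scope before writing 700-plus explicit ACEs.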

After further discussion we decided to simply place the group on the OU and allow permissions to filter down.
This wasn't ideal, as in this scenario it is applying read permissions for this to the computer objects for integrated lights out utilities on servers.
Ultimately the HP tool should have applied the permissions correctly, but I was hoping to use PowerShell to correct it easily, although from everything I read it seems ACLs are not quick and/or easy.

Thank you for your help.