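<#
.SYNOPSIS
    Delegates write access to the "mail" (E-Mail-Addresses) attribute on one OU,
    inherited by everything beneath it, to a single AD group.

.DESCRIPTION
    Builds two lookup tables from the forest (schema lDAPDisplayName -> schemaIDGUID,
    extended-right displayName -> rightsGuid), resolves the delegate group's SID, then
    appends one Allow ACE (WriteProperty on "mail", inheritance All) to the OU's DACL
    and writes it back through the AD: PSDrive.

    Every lookup result is checked before it is used. In an AD ACE an empty object-type
    GUID means "all properties", so a schema lookup that silently returned $null must
    abort the run rather than reach the ACE constructor.

.NOTES
    Adjust $ouPath and $grpNameDelegate for the target environment.
    $extendedrightsmap is built for reference only; nothing below reads it.
#>

Import-Module ActiveDirectory

# Fail fast: an AD cmdlet error (object not found, access denied) terminates the run
# instead of letting a later Set-Acl operate on a $null path or SID.
$ErrorActionPreference = 'Stop'

# Make the AD: PSDrive the current location so DN-based paths resolve.
Set-Location AD:

# RootDSE exposes the schema/configuration naming contexts; the domain supplies the DN root.
$rootdse = Get-ADRootDSE
$domain  = Get-ADDomain

# lDAPDisplayName -> schemaIDGUID for every schema class and attribute.
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

# displayName -> rightsGuid for every extended right (controlAccessRight) in the forest.
$extendedrightsmap = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

# ============= Define Groups to Set Delegation =======
$grpName = 'RTCUniversalUserAdmins'
# Group DistinguishedName; kept for parity with the companion group-delegation script,
# not read by the OU delegation below.
$grp = Get-ADGroup -Identity $grpName | Select-Object DistinguishedName
# =====================================================

# ============= OU Delegation =========================
# E-Mail-Addresses attribute, lDAPDisplayName "mail": bf967961-0de6-11d0-a285-00aa003049e2
$attributeName = 'mail'
$ouPath        = 'OU=Benutzer,OU=RDI,' + $domain.DistinguishedName

# The OU whose DACL is being delegated.
$ou = Get-ADOrganizationalUnit -Identity $ouPath

# Guard the schema lookup. A $null GUID handed to the ACE constructor is coerced rather
# than rejected, and an empty object-type GUID would apply WriteProperty to every attribute.
$attributeGuid = $guidmap[$attributeName]
if (-not $attributeGuid) {
    throw "Schema attribute '$attributeName' not found in guidmap; refusing to build an unscoped ACE."
}

# SID of the group receiving the delegation.
$grpNameDelegate = 'RTCUniversalUserAdmins'
$delegateSid     = (Get-ADGroup -Identity $grpNameDelegate).SID
if (-not $delegateSid) {
    throw "Group '$grpNameDelegate' has no SID; aborting."
}
# .Value is the SDDL string form, which the SecurityIdentifier(string) constructor accepts.
$WriteProperty = New-Object System.Security.Principal.SecurityIdentifier ($delegateSid.Value)

# Allow WriteProperty on "mail" for the OU itself and all descendant objects.
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $WriteProperty,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attributeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# Read the current DACL, append the ACE, write it back. The same explicit AD:\ path is
# used for the read and the write so both target the same object regardless of location.
$aclPath = 'AD:\' + $ou.DistinguishedName
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ACE)
Set-Acl -AclObject $acl -Path $aclPath

# Example to Write all Properties of descendant user objects (object type left empty,
# inherited object type = user):
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
#    $WriteProperty, "WriteProperty", "Allow", "Descendents", $guidmap["user"]))
# =====================================================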
Category: DelegateAD
Delegate an AD Group to Edit Group Membership
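<#
.SYNOPSIS
    Delegates the right to edit the membership of one AD group to two other groups.

.DESCRIPTION
    Builds two lookup tables from the forest (schema lDAPDisplayName -> schemaIDGUID,
    extended-right displayName -> rightsGuid), resolves the target group's DN and each
    delegate group's SID, then appends one Allow ACE per delegate (WriteProperty on the
    "member" attribute, this object only) to the target group's DACL and writes it back
    through the AD: PSDrive.

    Every lookup result is checked before it is used. In an AD ACE an empty object-type
    GUID means "all properties", so a schema lookup that silently returned $null must
    abort the run rather than reach the ACE constructor.

.NOTES
    Replace the placeholder delegate group names ($grpNameDelegate1, $grpNameDelegate2)
    with the real groups for the target environment.
    $extendedrightsmap is built for reference only; nothing below reads it.
#>

Import-Module ActiveDirectory

# Fail fast: an AD cmdlet error (object not found, access denied) terminates the run
# instead of letting a later Set-Acl operate on a $null path or SID.
$ErrorActionPreference = 'Stop'

# Make the AD: PSDrive the current location so DN-based paths resolve.
Set-Location AD:

# RootDSE exposes the schema/configuration naming contexts; the domain supplies the DN root.
$rootdse = Get-ADRootDSE
$domain  = Get-ADDomain

# lDAPDisplayName -> schemaIDGUID for every schema class and attribute.
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

# displayName -> rightsGuid for every extended right (controlAccessRight) in the forest.
$extendedrightsmap = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

# ============= Define Groups to Set Delegation =======
# The group whose membership is being delegated.
$grpName = 'RTCUniversalUserAdmins'
$grp = Get-ADGroup -Identity $grpName | Select-Object DistinguishedName
if (-not $grp.DistinguishedName) {
    throw "Group '$grpName' has no DistinguishedName; aborting."
}
# =====================================================

# ============= Group Delegation ======================
# Guard the schema lookup. A $null GUID handed to the ACE constructor is coerced rather
# than rejected, and an empty object-type GUID would apply WriteProperty to every attribute.
$attributeName = 'member'
$attributeGuid = $guidmap[$attributeName]
if (-not $attributeGuid) {
    throw "Schema attribute '$attributeName' not found in guidmap; refusing to build an unscoped ACE."
}

# SIDs of the groups receiving the delegation. .Value is the SDDL string form, which the
# SecurityIdentifier(string) constructor accepts.
$grpNameDelegate1 = 'SkypeUser group name'
$delegateSid1     = (Get-ADGroup -Identity $grpNameDelegate1).SID
if (-not $delegateSid1) {
    throw "Group '$grpNameDelegate1' has no SID; aborting."
}
$SkypeUser = New-Object System.Security.Principal.SecurityIdentifier ($delegateSid1.Value)

$grpNameDelegate2 = 'SkypeUser group name Enterprise Voice'
$delegateSid2     = (Get-ADGroup -Identity $grpNameDelegate2).SID
if (-not $delegateSid2) {
    throw "Group '$grpNameDelegate2' has no SID; aborting."
}
$SkypeUserEv = New-Object System.Security.Principal.SecurityIdentifier ($delegateSid2.Value)

# Read the current DACL of the target group. The same explicit AD:\ path is used for the
# read and the write so both target the same object regardless of current location.
$aclPath = 'AD:\' + $grp.DistinguishedName
$acl = Get-Acl -Path $aclPath

# Grant each delegate WriteProperty on "member". The four-argument constructor sets no
# inheritance, so the ACE applies to this group object only.
foreach ($identity in @($SkypeUser, $SkypeUserEv)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attributeGuid
    )
    $acl.AddAccessRule($ace)
}

Set-Acl -AclObject $acl -Path $aclPath
# ==============================================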