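# Delegate WriteProperty on the "mail" attribute of objects under one OU to an AD group.
# Requires the ActiveDirectory module (RSAT) and rights to modify the OU's DACL.
Import-Module ActiveDirectory -ErrorAction Stop

# Switch to the AD: provider drive; Get-Acl/Set-Acl below address objects through it.
Set-Location AD:

# RootDSE supplies the naming contexts; the domain object supplies the DN the OU path is built from.
$rootdse = Get-ADRootDSE
$domain  = Get-ADDomain

# Map lDAPDisplayName -> schemaIDGUID for every schema class and attribute.
# PowerShell hashtable keys are case-insensitive, so 'mail' and 'Mail' resolve to the same entry.
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

# Map displayName -> rightsGuid for every extended right in the forest.
# Nothing below reads this map; it is kept for delegations that need an ExtendedRight ACE.
$extendedrightsmap = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

# ============= Define Groups to Set Delegation =======
# Group that receives the delegation; a single variable so the name cannot drift between lookups.
$grpName = 'RTCUniversalUserAdmins'
# -ErrorAction Stop: a missing group must abort the script rather than yield a $null SID for the ACE.
$grpSid = (Get-ADGroup -Identity $grpName -ErrorAction Stop).SID
# =====================================================

# ============= OU Delegation =========================
# E-Mail-Addresses attribute bf967961-0de6-11d0-a285-00aa003049e2 (lDAPDisplayName: mail)
$attrName = 'mail'
# Guard: a key missing from $guidmap would be converted to an empty GUID when the rule is built,
# and an empty objectType means "all properties" - a far broader grant than intended. Abort instead.
if (-not $guidmap.ContainsKey($attrName)) {
    throw "Schema attribute '$attrName' not found in the schema GUID map; refusing to build an unscoped ACE."
}
$attrGuid = $guidmap[$attrName]

# OU whose DACL is modified.
$ou = Get-ADOrganizationalUnit -Identity ("OU=Benutzer,OU=RDI," + $domain.DistinguishedName) -ErrorAction Stop
# One provider path used for both reading and writing the DACL.
$ouPath = 'AD:\' + $ou.DistinguishedName

# Current DACL of the OU; the new ACE is appended, existing entries are kept.
$acl = Get-Acl -Path $ouPath

# Allow WriteProperty on the single attribute $attrGuid.
# ActiveDirectorySecurityInheritance::All applies the ACE to the OU itself and to every descendant
# regardless of object class; the 5-argument constructor in the example below narrows it to one class.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $grpSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path $ouPath

# Example to Write all Properties of descendant user objects
#$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
#  $grpSid, "WriteProperty", "Allow", "Descendents", $guidmap["user"]))
# =====================================================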