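<#
.SYNOPSIS
  Delegates write access on the "member" attribute of one AD group to two other groups.

.DESCRIPTION
  Builds two lookup tables from the directory (schema attribute/class name -> schemaIDGUID,
  extended-right display name -> rightsGuid), then adds one object-specific Allow ACE per
  delegated group on the target group ($grpName) granting WriteProperty on the "member"
  attribute only. The ACE carries no inheritance flags, so it applies to the group object
  itself and not to children.

  The script refuses to touch the DACL if the GUID for "member" cannot be resolved: an
  ActiveDirectoryAccessRule built with an empty object GUID is not scoped to a single
  attribute and would grant WriteProperty on every attribute of the group.

.NOTES
  Requires the ActiveDirectory module and permission to modify the target group's DACL.
  The delegate group names below are the placeholders from the original script; they must
  be replaced with real group names before the script is run.
#>
Import-Module ActiveDirectory -ErrorAction Stop

# Every step feeds the next; a silently failed lookup would produce a wrong ACE,
# so stop on the first error instead of continuing.
$ErrorActionPreference = 'Stop'

# Make the AD: drive the current location. The paths used below are absolute
# ("AD:\<DN>"), so this is kept only for parity with the original script.
Set-Location AD:

# RootDSE gives the schema and configuration naming contexts searched below.
$rootdse = Get-ADRootDSE

# Current domain; not referenced further, retained from the original script.
$domain = Get-ADDomain

# lDAPDisplayName -> schemaIDGUID for every class and attribute in the schema.
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext `
    -LDAPFilter "(schemaidguid=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
  ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

# displayName -> rightsGuid for every extended right defined in the forest.
$extendedrightsmap = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" `
    -Properties displayName, rightsGuid |
  ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }

# ============= Define Groups to Set Delegation =======
# Target group whose DACL is modified.
$grpName = "RTCUniversalUserAdmins"
$grp = Get-ADGroup -Identity $grpName

# Single absolute provider path used for both Get-Acl and Set-Acl so the two
# calls cannot diverge (the original read via the current AD: location and
# wrote via an explicit "AD:\" path).
$grpPath = "AD:\" + $grp.DistinguishedName
# =====================================================

# ============= Group Delegation ======================
# SIDs of the groups that receive the delegation. Get-ADGroup throws under
# $ErrorActionPreference = 'Stop' if a name does not resolve.
$grpNameDelegate1 = "SkypeUser group name"
$SkypeUser = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $grpNameDelegate1).SID

$grpNameDelegate2 = "SkypeUser group name Enterprise Voice"
$SkypeUserEv = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $grpNameDelegate2).SID

# Hashtable keys are case-insensitive, so "member" matches the schema's
# lDAPDisplayName regardless of the casing used here.
$memberGuid = $guidmap["member"]

# Guard against over-delegation: with a null/empty object GUID the ACE would
# cover all attributes, not just "member". Abort before reading the DACL.
if (-not $memberGuid -or $memberGuid -eq [System.Guid]::Empty) {
    throw "Could not resolve schemaIDGUID for attribute 'member'; DACL left unchanged."
}

# Current DACL of the target group.
$acl = Get-Acl -Path $grpPath

# One Allow/WriteProperty ACE per delegate, scoped to the "member" attribute.
foreach ($sid in @($SkypeUser, $SkypeUserEv)) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid)
    $acl.AddAccessRule($rule)
}

Set-Acl -AclObject $acl -Path $grpPath
# ==============================================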