Delegate an AD Group the Right to Edit Another Group's Membership

 

 

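<#
.SYNOPSIS
    Delegates "write member" on one AD group to two other AD groups.

.DESCRIPTION
    Looks up the schemaIDGUID of the `member` attribute, then appends two Allow
    ACEs (WriteProperty on `member` only) to the DACL of the group named in
    $grpName - one ACE per delegate group named in $grpNameDelegate1/2 - and
    writes the DACL back with Set-ACL.

    The ACEs are scoped to the `member` attribute and carry no inheritance
    flags, so the delegates can change this group's membership and nothing
    else on it. Being able to edit a group's membership is, however, equivalent
    to holding that group's privileges (a delegate can add any principal,
    including its own members), so the delegate groups should be protected to
    the same standard as the target group.

.NOTES
    Requires the ActiveDirectory module and an account permitted to write the
    target group's security descriptor. Edit the three group names below
    before running.
#>
Import-Module ActiveDirectory -ErrorAction Stop

# Switch to the AD: drive. The paths used below carry an explicit "AD:\" prefix
# so Get-ACL/Set-ACL do not depend on the current location, but the drive must
# exist for them to work at all.
Set-Location AD:

# RootDSE supplies the schema naming context used for the attribute GUID lookup.
$rootdse = Get-ADRootDSE

# Map lDAPDisplayName -> schemaIDGUID for every schema class and attribute.
# @{} hashtable keys are case-insensitive, so 'member' and 'Member' resolve alike.
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
    -Properties lDAPDisplayName, schemaIDGUID -ErrorAction Stop |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

# Resolve the GUID once and refuse to continue if the lookup came back empty:
# an ACE whose ObjectType GUID is empty applies WriteProperty to every attribute
# of the group, not just `member`, which would silently over-delegate.
$memberGuid = $guidmap['member']
if (-not $memberGuid) {
    throw "Could not resolve the schemaIDGUID of the 'member' attribute; refusing to write an unscoped ACE."
}

# ============= Define Groups to Set Delegation =======
$grpName = "RTCUniversalUserAdmins"
# Get-ADGroup raises a terminating error when the identity is not found, so
# $grp is always populated past this line.
$grp = Get-ADGroup -Identity $grpName -ErrorAction Stop | Select-Object DistinguishedName
$grpPath = "AD:\$($grp.DistinguishedName)"
# =====================================================

# ============= Group Delegation ======================
# Resolve each delegate group to the SecurityIdentifier used as the ACE's
# IdentityReference.
$grpNameDelegate1 = "SkypeUser group name"
$SkypeUser = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $grpNameDelegate1 -ErrorAction Stop).SID
$grpNameDelegate2 = "SkypeUser group name Enterprise Voice"
$SkypeUserEv = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $grpNameDelegate2 -ErrorAction Stop).SID

# Take a copy of the group's current DACL, append the new ACEs, then write it back.
$acl = Get-ACL -Path $grpPath

foreach ($sid in @($SkypeUser, $SkypeUserEv)) {
    # Constructor (IdentityReference, ActiveDirectoryRights, AccessControlType, objectType):
    # WriteProperty limited to the `member` attribute. No inheritance arguments are
    # given, so the ACE applies to this group object only.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, 'WriteProperty', 'Allow', $memberGuid
    $acl.AddAccessRule($rule)
}

Set-ACL -ACLObject $acl -Path $grpPath
# ==============================================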