I have an OU in AD, which has delegated permissions assigned to it. Is there any way/tool to export delegated permissions (or just all security permissions) for an OU and then apply the very same permissions to another OU in the AD structure?

Export seems to be easier: DSACLS.exe can do this.

But, how do I import/apply/restore exported permissions to another OU in AD?

Volodymyr Molodets
    Not a complete answer, but I believe you can do this in PowerShell using Get-Acl and Set-Acl in the AD: drive context – BlueCompute Oct 09 '15 at 12:15

1 Answer

The solution seems to be found and it actually worked on a test Windows Server 2012 R2 DC.

The main idea is to use the LDIFDE tool to export the security descriptor of the source OU, modify it, and then re-apply it to another one.

E.g.

Export the OU's ntSecurityDescriptor:

LDIFDE.exe -f ACLs_source_OU.txt -d "OU=Desktop,OU=Users,DC=yourcompany,DC=com" -l ntSecurityDescriptor

You will get something like this:

[Screenshot of the exported LDIF file; image not preserved]

Modify it by changing the destination OU and the changetype method, and adding a dash at the end of the file:

[Screenshot of the modified LDIF file; image not preserved]

Once this is done, import the modified ntSecurityDescriptor:

ldifde -i -f ACLs_destination_OU.txt

P.S. this is based on info here.

Volodymyr Molodets
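The manual edit step from the answer above, as an added Python example (not part of the original post): it rewrites an LDIFDE export into a `changetype: modify` record for the destination OU. Because the screenshots are not preserved, the `replace: ntSecurityDescriptor` line is an assumption taken from standard LDIF modify syntax (RFC 2849); the function names are hypothetical. LDIFDE searches the whole subtree by default, so the export may also contain child objects, and only the record whose DN matches the source OU is used.

```python
import base64

def unfold(text):
    """Join RFC 2849 continuation lines (a leading space continues the previous line)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def fold(line, width=76):
    """Re-fold a long line; every continuation line starts with one space."""
    rest = range(width, len(line), width - 1)
    return "\n".join([line[:width]] + [" " + line[i:i + width - 1] for i in rest])

def attr_value(line):
    """Split 'name: value' or 'name:: base64' into (name, raw value, is_base64)."""
    name, _, rest = line.partition(":")
    is_b64 = rest.startswith(":")
    return name.strip().lower(), (rest[1:].strip() if is_b64 else rest.strip()), is_b64

def retarget_sd(exported_ldif, source_dn, dest_dn):
    """Build a modify record that replaces dest_dn's ntSecurityDescriptor with the
    one exported for source_dn. All other records in the export are ignored."""
    records, cur = [], []
    for line in unfold(exported_ldif) + [""]:
        if line.strip():
            if not line.lower().startswith(("#", "version:")):
                cur.append(attr_value(line))
        elif cur:
            records.append(cur)
            cur = []
    for rec in records:
        name, val, b64 = rec[0]
        dn = base64.b64decode(val).decode("utf-8") if b64 else val
        if name != "dn" or dn.lower() != source_dn.lower():
            continue  # e.g. child objects pulled in by a subtree export
        sds = [v for n, v, enc in rec if n == "ntsecuritydescriptor" and enc]
        if len(sds) != 1:
            raise ValueError("expected exactly one base64 ntSecurityDescriptor value")
        base64.b64decode(sds[0], validate=True)  # reject truncated or hand-damaged values
        enc_dn = base64.b64encode(dest_dn.encode("utf-8")).decode()
        dn_line = "dn: " + dest_dn if dest_dn.isascii() else "dn:: " + enc_dn
        body = [dn_line, "changetype: modify", "replace: ntSecurityDescriptor",
                fold("ntSecurityDescriptor:: " + sds[0]), "-", ""]
        return "\n".join(body) + "\n"
    raise ValueError("source DN not found in export: " + source_dn)
```

After the import, running DSACLS against the destination OU shows the resulting permissions so they can be compared with the source.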