
I want to delegate control of the TestUsers organizational unit to a user NickA and give the following permissions to it:

  1. Create, delete, and manage user accounts
  2. Reset user passwords and force password change at next logon
  3. Read all user information
  4. Create, delete and manage groups
  5. Modify the membership of a group

The only method that I found is the following, but I cannot find the correct permissions to assign:

# Resolve the delegate's SID and the schemaIDGUID of the user object class
$acc  = Get-ADUser NickA
$sid  = New-Object System.Security.Principal.SecurityIdentifier $acc.SID
$guid = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2   # 'user' class
# -Identity takes the OU's distinguished name (or GUID), not its bare name
$ou   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
$acl  = Get-ACL -Path "AD:$($ou.DistinguishedName)"
# Allow the delegate to create and delete user objects in the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"
user01230

2 Answers


I haven't tackled ACL building with PowerShell yet, but this can be done with the old DSACLS command that has been part of RSAT and the Support Tools since Windows Server 2003.

dsacls "OU=Test,DC=domain,DC=com" /I:S /G "domain\user:CA;Reset Password;user"

Put the DN of the delegated OU in between the quotes and put the user after the /G (grant) parameter. The /I:S parameter tells the ACE to inherit for child objects only, and the CA parameter stands for Control Access.

More on the syntax can be found on TechNet or other sites. If you need to use PowerShell, check out the Update ACL Active Directory Provider documentation.

SamErde

I finally did it using PowerShell. Thanks to the following TechNet posts, Exchange 2007 GUID Reference and Update ACL Skeleton, I was able to delegate control of the TestUsers organizational unit to a user NickA and give the permissions that I originally posted.

$OU   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
$SID  = New-Object System.Security.Principal.SecurityIdentifier $(Get-ADUser "NickA").SID
$GUIDUserOBJ  = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2   # 'user' class schemaIDGUID
$GUIDGroupOBJ = New-Object Guid bf967a9c-0de6-11d0-a285-00aa003049e2   # 'group' class schemaIDGUID
$GUIDNull     = New-Object Guid 00000000-0000-0000-0000-000000000000   # empty GUID = applies to all object types

$ACL  = Get-ACL -Path "AD:$($OU.DistinguishedName)"

# Create a hashtable to store the GUID value of each schema class and attribute
$ADRootDSE = Get-ADRootDSE
$GUIDMap = @{}
Get-ADObject -SearchBase ($ADRootDSE.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | ForEach-Object { $GUIDMap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

# Create/delete user objects in the OU and its sub-OUs (inheritance: All)
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDUserOBJ,"ALL"))
# Full control over descendant user objects only (inheritance: Descendents, inherited object type: user)
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["user"]))
# Create/delete group objects in the OU and its sub-OUs
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDGroupOBJ,"ALL"))
# Full control over descendant group objects only
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["group"]))

Set-ACL -ACLObject $ACL -Path "AD:$($OU.DistinguishedName)"
user01230
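An added example, not code from the question or from either answer above. It uses the same Get-ACL / ActiveDirectoryAccessRule / Set-ACL pattern as the accepted PowerShell answer, and covers the "Reset Password" right that the dsacls answer grants, but scopes each ACE to the specific right in the original list (create/delete objects, read user information, reset password, write pwdLastSet, write the group member attribute) instead of GenericAll on every descendant user and group, and then reads the resulting ACL back so the grant can be reviewed. It assumes the RSAT ActiveDirectory module (for the AD: drive), the OU DN and delegate name used in the thread, and resolves class, attribute and control-access-right GUIDs from the schema and the Extended-Rights container at run time rather than hard-coding them; the function names are my own.

```powershell
# Added example (not from the question or either answer). Assumes RSAT's
# ActiveDirectory module; the OU DN and delegate name are the ones in the thread.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # lDAPDisplayName -> schemaIDGUID for classes/attributes, and
    # displayName -> rightsGuid for control access rights (e.g. "Reset Password")
    $rootDSE = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDSE.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[$_.lDAPDisplayName] = [Guid]$_.schemaIDGUID }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[$_.displayName] = [Guid]$_.rightsGuid }
    return $map
}

function New-DelegationAce {
    # Builds one Allow ACE. $ObjectType scopes the right to a class, attribute or
    # extended right; $InheritedObjectType limits it to one class of descendant.
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents',
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-OuDelegation {
    # Applies the five requested rights as narrowly scoped ACEs on the OU
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Delegate)
    $g   = Get-AdGuidMap
    $sid = (Get-ADUser -Identity $Delegate).SID
    $acl = Get-Acl -Path "AD:$OuDn"
    $aces = @(
        # 1 and 4: create and delete user and group objects in the OU and sub-OUs
        (New-DelegationAce -Sid $sid -Rights 'CreateChild,DeleteChild' -ObjectType $g['user']  -Inheritance All),
        (New-DelegationAce -Sid $sid -Rights 'CreateChild,DeleteChild' -ObjectType $g['group'] -Inheritance All),
        # 3: read everything on descendant user objects
        (New-DelegationAce -Sid $sid -Rights 'GenericRead' -InheritedObjectType $g['user']),
        # 2: the "Reset Password" control access right on descendant users
        (New-DelegationAce -Sid $sid -Rights 'ExtendedRight' -ObjectType $g['Reset Password'] -InheritedObjectType $g['user']),
        # 2: force change at next logon means writing pwdLastSet (set to 0)
        (New-DelegationAce -Sid $sid -Rights 'WriteProperty' -ObjectType $g['pwdLastSet'] -InheritedObjectType $g['user']),
        # 5: modify group membership means writing the member attribute
        (New-DelegationAce -Sid $sid -Rights 'WriteProperty' -ObjectType $g['member'] -InheritedObjectType $g['group'])
    )
    foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
    Set-Acl -AclObject $acl -Path "AD:$OuDn"
}

function Get-DelegateAces {
    # Reads back what the delegate was actually granted, for review
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Delegate)
    (Get-Acl -Path "AD:$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Delegate" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}

$ouDn = 'OU=TestUsers,DC=contoso,DC=private'   # OU DN from the thread
Grant-OuDelegation -OuDn $ouDn -Delegate 'NickA'
Get-DelegateAces  -OuDn $ouDn -Delegate 'NickA' | Format-Table -AutoSize
```

The CreateChild/DeleteChild entries use inheritance All so they apply to the OU itself and to sub-OUs, while the per-object rights use Descendents with an inherited object type so they never apply to the OU object or to other classes. Where "manage user accounts" has to include more than the listed items (enabling or disabling accounts via userAccountControl, for instance), add a WriteProperty ACE on that named attribute from the same GUID map rather than falling back to GenericAll, and keep the Get-DelegateAces output alongside the change so the grant can be compared against the request later.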