Modifying Permissions on an Active Directory OU with Powershell

There are a few other blogs about this topic, but even so this is not an easy topic to wrap your head around.

To start you off, you’ll want to read:
https://social.technet.microsoft.com/Forums/Lync/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell (This is a must read!)
and
http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx

Next, lets look at the following code to add a Deny Everyone Delete Child items with no inheritance to all the OUs in a CSV:

$OUCSV = Import-CSV -Path (Join-Path -Path $PSScriptRoot -ChildPath "OUs.csv")
$OUs = $OUCSV.OUDN
$GroupSID = [System.Security.Principal.SecurityIdentifier]'S-1-1-0' #Everyone Group

Import-module "ActiveDirectory"
ForEach($OU in $OUs){
    $objACL = Get-ACL "AD:\\${OU}"
    $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID,"DeleteChild","Deny", 'None', [guid]'00000000-0000-0000-0000-000000000000')
    $objACL.AddAccessRule($objACE)
    Set-acl -AclObject $objACL "AD:${OU}"
}

Evidently, I have a CSV called OUs.csv in the same directory as the script. This csv has a column titled OUDN which I am assuming contains the distinguished name of the ou. I know this because I created the csv.

Next, we are defining the group we want to give permissions to. It is important that this must be a [System.Security.Principal.SecurityIdentifier] type. This was one of the gotchas for me. If you simply specify a string, the script will fail when creating the ActiveDirectoryAccessRule.

The next couple lines are fairly self explanatory….until we create the access rule (line 8). You can take a look at the constructors for the ActiveDirectoryAccessRule class here: https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule%28v=vs.110%29.aspx
Whatever constructor you choose, it is important once again that when specifying a guid to apply it must be cast into the [guid] type. If you do not cast this, your script will throw an error.

One of the questions I also had was knowing which guid to use and when. Really it is probably easier for you to set a permission on a test object in your AD environment first and then using get-acl to identify the guid for it:

    $objACL = Get-ACL "AD:\\${OU}" 
    $objACL.Access | Where{$_.IdentityReference -match "Everyone"} | Where{$_.AccessControlType -match "Deny"} | Where{$_.ActiveDirectoryRights -match "DeleteChild"} | out-gridview

Then you’ll see the guid in the ObjectType property. Otherwise, if you’d rather most can be found in the technet FAQ linked above.

If you are still confused, I’ll re-iterate….please read the two posts I linked above. They were invaluable to me when attempting to understand this.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s