#GUID Settings
# Reference table of the Active Directory GUIDs used when building
# ActiveDirectoryAccessRule entries in the Set-ADP*ermission functions below.
# Every function re-declares the GUIDs it needs inside its own begin block, so
# these script-scope values are documentation and a convenience for ad-hoc use,
# not something the functions depend on.

# Extended (control-access) rights
$guidChangePassword      = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$guidResetPassword       = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Attributes
$guidLockoutTime         = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'
$guidPwdLastSet          = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
$guidLinkGroupPolicy     = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$guidGroupPolicyOptions  = [Guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
$guidWriteMembers        = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2' #GUID for the Members property

# Object classes (used as InheritedObjectType to scope an ACE to one class)
$guidComputerObject      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$guidUserObject          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$guidGroupObject         = [Guid]'BF967A9C-0DE6-11D0-A285-00AA003049E2'
$guidContactObject       = [Guid]'5CB41ED0-0E4C-11D0-A286-00AA003049E2'
$guidOUObject            = [Guid]'BF967AA5-0DE6-11D0-A285-00AA003049E2'
$guidPrinterObject       = [Guid]'BF967AA8-0DE6-11D0-A285-00AA003049E2'

# Property sets
$guidPublicInformation   = [Guid]'e48d0154-bcf8-11d1-8702-00c04fb96050'
$guidGeneralInformation  = [Guid]'59ba2f42-79a2-11d0-9020-00c04fc2d3cf'
$guidPersonalInformation = [Guid]'77B5B886-944A-11d1-AEBD-0000F80367C1'
$guidGroupMembership     = [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'

# The all-zero GUID means "any object type" / "any inherited object type" in an ACE
$guidNull                = [Guid]'00000000-0000-0000-0000-000000000000'
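function Set-ADPermissionModifyGroupMembership{
<#
.SYNOPSIS
Delegates to a group the right to modify the membership of the group objects below an OU.
.DESCRIPTION
Adds a single access control entry (ACE) to the DACL of the object at -LDAPPath. The ACE
grants the security group named by -Group ReadProperty and WriteProperty on the "member"
attribute (bf9679c0-...) of every group object (class bf967a9c-...) that is a descendant
of the container. The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPermissionModifyGroupMembership -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error
instead of being discarded, so a delegation that did not apply is visible to the caller.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    # Without the module nothing below can work, so let a load failure terminate.
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidMemberAttribute = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute
    $guidGroupObject     = [Guid]'BF967A9C-0DE6-11D0-A285-00AA003049E2'   # group object class
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Reference ACE, dumped from an OU that was delegated by hand:
        #   PropagationFlags      : InheritOnly
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2   (member attribute)
        #   InheritanceType       : Descendents
        #   InheritedObjectType   : bf967a9c-0de6-11d0-a285-00aa003049e2   (group class)
        #   ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
        #   ActiveDirectoryRights : ReadProperty, WriteProperty
        # ObjectType must be the "member" attribute GUID. The earlier version passed the
        # group class GUID here, which does not match the dumped ACE: a property ACE whose
        # ObjectType is a class rather than an attribute or property set does not grant
        # the intended property access.
        $aceManageGroupMembership = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"ReadProperty, WriteProperty","Allow",$guidMemberAttribute,"Descendents",$guidGroupObject
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)
        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' Read/WriteProperty on 'member' of descendant groups")) {
            $ADObject.ObjectSecurity.AddAccessRule($aceManageGroupMembership)
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}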
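function Set-ADPremissionManageGroups{
<#
.SYNOPSIS
Delegates to a group the ability to create, delete and fully manage group objects in an OU.
.DESCRIPTION
Adds two access control entries (ACEs) to the DACL of the object at -LDAPPath:
  1. GenericAll on every descendant group object (class bf967a9c-...), i.e. full control
     of the groups themselves.
  2. CreateChild and DeleteChild for the group object class on the container and all of
     its sub-containers (InheritanceType "All"), so new groups can be created and removed.
The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPremissionManageGroups -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.NOTES
The function name keeps its original spelling ("Premission") so existing callers keep working.
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidNull        = [Guid]'00000000-0000-0000-0000-000000000000'   # "any" object type
    $guidGroupObject = [Guid]'BF967A9C-0DE6-11D0-A285-00AA003049E2'   # group object class
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the container whose DACL is being changed.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        # ACE 1 - reference dump from a hand-delegated OU:
        #   PropagationFlags      : InheritOnly
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : 00000000-0000-0000-0000-000000000000
        #   InheritanceType       : Descendents
        #   InheritedObjectType   : bf967a9c-0de6-11d0-a285-00aa003049e2
        #   ObjectFlags           : InheritedObjectAceTypePresent
        #   ActiveDirectoryRights : GenericAll
        $aceFullControlGroups = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"GenericAll","Allow",$guidNull,"Descendents",$guidGroupObject

        # ACE 2 - reference dump:
        #   PropagationFlags      : None
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : bf967a9c-0de6-11d0-a285-00aa003049e2
        #   InheritanceType       : All
        #   InheritedObjectType   : 00000000-0000-0000-0000-000000000000
        #   ObjectFlags           : ObjectAceTypePresent
        #   ActiveDirectoryRights : CreateChild, DeleteChild
        $aceCreateDeleteGroups = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"CreateChild, DeleteChild","Allow",$guidGroupObject,"All",$guidNull

        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' full control of descendant groups and create/delete of group objects")) {
            $ADObject.ObjectSecurity.AddAccessRule($aceFullControlGroups)
            $ADObject.ObjectSecurity.AddAccessRule($aceCreateDeleteGroups)
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}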
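function Set-ADPremissionResetUserPassword{
<#
.SYNOPSIS
Delegates to a group the right to reset the password of the user objects below an OU.
.DESCRIPTION
Adds two access control entries (ACEs) to the DACL of the object at -LDAPPath, both
scoped to descendant user objects (class bf967aba-...):
  1. ReadProperty and WriteProperty on the pwdLastSet attribute (bf967a0a-...), which is
     needed to set "user must change password at next logon".
  2. The "Reset Password" extended right (00299570-...).
The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPremissionResetUserPassword -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidUserObject    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
    $guidPwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
    $guidResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the container whose DACL is being changed.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        # Both ACEs use InheritedObjectType = user class, as in the reference dump.
        # The earlier version passed the pwdLastSet attribute GUID as InheritedObjectType,
        # which does not match any object class, so the ACEs never applied to user objects.

        # ACE 1 - reference dump from a hand-delegated OU:
        #   PropagationFlags      : InheritOnly
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : bf967a0a-0de6-11d0-a285-00aa003049e2   (pwdLastSet)
        #   InheritanceType       : Descendents
        #   InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2   (user class)
        #   ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
        #   ActiveDirectoryRights : ReadProperty, WriteProperty
        $acePwdLastSet = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"ReadProperty, WriteProperty","Allow",$guidPwdLastSet,"Descendents",$guidUserObject

        # ACE 2 - reference dump:
        #   PropagationFlags      : InheritOnly
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : 00299570-246d-11d0-a768-00aa006e0529   (Reset Password)
        #   AccessControlType     : Allow
        #   InheritanceType       : Descendents
        #   InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2   (user class)
        #   ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
        #   ActiveDirectoryRights : ExtendedRight
        $aceResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"ExtendedRight","Allow",$guidResetPassword,"Descendents",$guidUserObject

        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' Reset Password and pwdLastSet read/write on descendant users")) {
            $ADObject.ObjectSecurity.AddAccessRule($acePwdLastSet)
            $ADObject.ObjectSecurity.AddAccessRule($aceResetPassword)
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}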
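function Set-ADPremissionManageComputers{
<#
.SYNOPSIS
Delegates to a group the ability to create, delete and fully manage computer objects in an OU.
.DESCRIPTION
Adds two access control entries (ACEs) to the DACL of the object at -LDAPPath:
  1. GenericAll on every descendant computer object (class bf967a86-...).
  2. CreateChild and DeleteChild for the computer object class on the container and all of
     its sub-containers (InheritanceType "All"), so computer objects can be joined/created
     and removed directly in the OU.
The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPremissionManageComputers -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidNull           = [Guid]'00000000-0000-0000-0000-000000000000'   # "any" object type
    $guidComputerObject = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the container whose DACL is being changed.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        # ACE 1 - reference dump from a hand-delegated OU:
        #   PropagationFlags      : InheritOnly
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : 00000000-0000-0000-0000-000000000000
        #   InheritanceType       : Descendents
        #   InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
        #   ObjectFlags           : InheritedObjectAceTypePresent
        #   ActiveDirectoryRights : GenericAll
        $aceFullControlComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"GenericAll","Allow",$guidNull,"Descendents",$guidComputerObject

        # ACE 2 - reference dump:
        #   PropagationFlags      : None
        #   InheritanceFlags      : ContainerInherit
        #   ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2
        #   InheritanceType       : All
        #   InheritedObjectType   : 00000000-0000-0000-0000-000000000000
        #   ObjectFlags           : ObjectAceTypePresent
        #   ActiveDirectoryRights : CreateChild, DeleteChild
        # InheritanceType is "All", matching the dump and Set-ADPremissionManageGroups; the
        # earlier "Descendents" excluded the target OU itself, so computers could only be
        # created in sub-containers.
        $aceCreateDeleteComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"CreateChild, DeleteChild","Allow",$guidComputerObject,"All",$guidNull

        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' full control of descendant computers and create/delete of computer objects")) {
            $ADObject.ObjectSecurity.AddAccessRule($aceFullControlComputers)
            $ADObject.ObjectSecurity.AddAccessRule($aceCreateDeleteComputers)
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}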
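function Set-ADPremissionManageUserSettings{
<#
.SYNOPSIS
Delegates to a group a help-desk style set of rights over the user objects below an OU.
.DESCRIPTION
Adds four access control entries (ACEs) to the DACL of the object at -LDAPPath, all scoped
to descendant user objects (class bf967aba-...):
  1. ReadProperty/WriteProperty on the "Public Information" property set (e48d0154-...).
  2. ReadProperty/WriteProperty on the "Group Membership" property set (bc0ac240-...).
  3. The "Reset Password" extended right (00299570-...).
  4. The "Change Password" extended right (ab721a53-...).
ACEs for the "Personal Information" and "General Information" property sets are prepared
but left commented out, as in the original; enable them deliberately if required.
The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPremissionManageUserSettings -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.LINK
http://technet.microsoft.com/en-us/library/cc755430(WS.10).aspx
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidUserObject          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
    $guidPersonalInformation = [Guid]'77B5B886-944A-11d1-AEBD-0000F80367C1'   # property set (not applied, see below)
    $guidPublicInformation   = [Guid]'e48d0154-bcf8-11d1-8702-00c04fb96050'   # property set
    $guidGeneralInformation  = [Guid]'59ba2f42-79a2-11d0-9020-00c04fc2d3cf'   # property set (not applied, see below)
    $guidGroupMembership     = [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'   # property set
    $guidResetPassword       = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right
    $guidChangePassword      = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # extended right

    # Every ACE below shares the same shape as the reference dump from a hand-delegated OU:
    #   PropagationFlags    : InheritOnly
    #   InheritanceFlags    : ContainerInherit
    #   InheritanceType     : Descendents
    #   InheritedObjectType : bf967aba-0de6-11d0-a285-00aa003049e2   (user class)
    #   ObjectFlags         : ObjectAceTypePresent, InheritedObjectAceTypePresent
    # Only the rights and the ObjectType differ, so they are tabulated here.
    $delegations = @(
        # Read and write personal information (kept disabled, as in the original script)
        #@{ Label = 'Personal Information'; Rights = 'ReadProperty, WriteProperty'; ObjectType = $guidPersonalInformation }
        @{ Label = 'Public Information';   Rights = 'ReadProperty, WriteProperty'; ObjectType = $guidPublicInformation }
        # Read and write general information (kept disabled, as in the original script)
        #@{ Label = 'General Information'; Rights = 'ReadProperty, WriteProperty'; ObjectType = $guidGeneralInformation }
        @{ Label = 'Group Membership';     Rights = 'ReadProperty, WriteProperty'; ObjectType = $guidGroupMembership }
        @{ Label = 'Reset Password';       Rights = 'ExtendedRight';               ObjectType = $guidResetPassword }
        @{ Label = 'Change Password';      Rights = 'ExtendedRight';               ObjectType = $guidChangePassword }
    )
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the container whose DACL is being changed.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        $labels = ($delegations | ForEach-Object { $_.Label }) -join ', '
        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' on descendant users: $labels")) {
            foreach ($delegation in $delegations) {
                $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,$delegation.Rights,"Allow",$delegation.ObjectType,"Descendents",$guidUserObject
                $ADObject.ObjectSecurity.AddAccessRule($ace)
            }
            # All ACEs are staged in memory above and written in one commit.
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}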
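function Set-ADPremissionManageSpecialMailboxSettings{
<#
.SYNOPSIS
Delegates to a group read/write access to a fixed set of user attributes below an OU.
.DESCRIPTION
Adds six access control entries (ACEs) to the DACL of the object at -LDAPPath, each
granting ReadProperty and WriteProperty on one attribute of every descendant user object
(class bf967aba-...): manager, company, title, description, department and comment.
The change is written with DirectoryEntry.CommitChanges().
The caller must already hold the right to modify the DACL of the target object.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that receives the delegation (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the container (normally an OU) whose DACL is modified.
.EXAMPLE
Set-ADPremissionManageSpecialMailboxSettings -Group "Delegated Users" -LDAPPath "ou=Mobile,ou=Computers,ou=Test2,ou=!Offices,dc=corpnet,dc=liox,dc=org"
.LINK
http://technet.microsoft.com/en-us/library/cc755430(WS.10).aspx
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidUserObject = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

    # Attribute GUIDs, in the order the ACEs are added. Every ACE has the same shape as the
    # reference dump from a hand-delegated OU:
    #   PropagationFlags      : InheritOnly
    #   InheritanceFlags      : ContainerInherit
    #   InheritanceType       : Descendents
    #   InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2   (user class)
    #   ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
    #   ActiveDirectoryRights : ReadProperty, WriteProperty
    # Only ObjectType (the attribute) differs. Tabulating them also removes the copy/paste
    # slip in the earlier version, where the "company" ACE was built with the manager GUID.
    $attributes = @(
        @{ Name = 'manager';     Guid = [Guid]'bf9679b5-0de6-11d0-a285-00aa003049e2' }
        @{ Name = 'company';     Guid = [Guid]'f0f8ff88-1191-11d0-a060-00aa006c33ed' }
        @{ Name = 'title';       Guid = [Guid]'bf967a55-0de6-11d0-a285-00aa003049e2' }
        @{ Name = 'description'; Guid = [Guid]'bf967950-0de6-11d0-a285-00aa003049e2' }
        @{ Name = 'department';  Guid = [Guid]'bf96794f-0de6-11d0-a285-00aa003049e2' }
        @{ Name = 'comment';     Guid = [Guid]'bf96793e-0de6-11d0-a285-00aa003049e2' }
    )
}
process {
    try {
        # Resolve the SID of the group that will be delegated to.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the container whose DACL is being changed.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        $names = ($attributes | ForEach-Object { $_.Name }) -join ', '
        if ($PSCmdlet.ShouldProcess($LDAPPath, "Grant '$Group' Read/WriteProperty on descendant users: $names")) {
            foreach ($attribute in $attributes) {
                $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"ReadProperty, WriteProperty","Allow",$attribute.Guid,"Descendents",$guidUserObject
                $ADObject.ObjectSecurity.AddAccessRule($ace)
            }
            # All ACEs are staged in memory above and written in one commit.
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}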
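function Set-ADPremissionGroupManager{
<#
.SYNOPSIS
Makes a group the manager of another group and lets it update that group's membership.
.DESCRIPTION
Unlike the other Set-ADP*ermission functions, -LDAPPath here is the distinguished name of a
single group object, not an OU. Two changes are made to that object and committed together:
  1. A non-inherited ACE (InheritanceType "None") granting -Group WriteProperty on the
     "member" attribute (bf9679c0-...) of this one object.
  2. The managedBy attribute is set to the distinguished name of -Group.
The caller must already hold the right to modify the DACL and managedBy of the target.
Supports -WhatIf and -Confirm.
.PARAMETER Group
Identity of the security group that becomes the manager (anything Get-ADGroup accepts).
.PARAMETER LDAPPath
Distinguished name of the group whose membership is to be managed.
.EXAMPLE
Set-ADPremissionGroupManager -Group "Delegated Users" -LDAPPath "cn=Mobile Admins,ou=Groups,dc=corpnet,dc=liox,dc=org"
.NOTES
Errors from Get-ADGroup, the LDAP bind and CommitChanges are reported with Write-Error.
No check is made that the object at -LDAPPath is in fact a group; if it is not, the
managedBy write is the most likely point of failure and will be reported.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $Group,
    [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $LDAPPath
)
begin {
    Import-Module ActiveDirectory -ErrorAction Stop
    $guidNull         = [Guid]'00000000-0000-0000-0000-000000000000'   # "any" inherited object type
    $guidWriteMembers = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute
}
process {
    try {
        # Resolve the SID (and DN, for managedBy) of the group that becomes the manager.
        $groupObject = Get-ADGroup -Identity $Group -ErrorAction Stop
        $groupSID = New-Object System.Security.Principal.SecurityIdentifier $groupObject.SID
        # Bind to the managed group object.
        $ADObject = [ADSI]("LDAP://" + $LDAPPath)

        # Reference dump from a group delegated by hand (note: no inheritance at all):
        #   PropagationFlags      : None
        #   InheritanceFlags      : None
        #   ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2   (member attribute)
        #   InheritanceType       : None
        #   InheritedObjectType   : 00000000-0000-0000-0000-000000000000
        #   ObjectFlags           : ObjectAceTypePresent
        #   ActiveDirectoryRights : WriteProperty
        $aceWriteMembers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty","Allow",$guidWriteMembers,"None",$guidNull

        if ($PSCmdlet.ShouldProcess($LDAPPath, "Set managedBy to '$Group' and grant it WriteProperty on 'member'")) {
            $ADObject.ObjectSecurity.AddAccessRule($aceWriteMembers)
            # managedBy holds a single DN; the manager is the delegated group itself.
            $ADObject.Put("managedBy", [string]$groupObject.DistinguishedName)
            $ADObject.CommitChanges()
        }
    }
    catch {
        # Surface the failure for this pipeline item; do not silently report success.
        Write-Error -ErrorRecord $_
    }
}
}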