Active Directory – Adding Permissions to an Account Using PowerShell

Tags: active-directory, powershell

We're deploying Active Directory, and we're using PowerShell scripts for most of it: creating the forest, creating AD elements (users, groups, sites, subnets), etc. We'd like to make some users able to join machines to the domain, but I haven't found a way to do it with PowerShell. It seems there are no cmdlets for that. Is it so? Is it impossible to add this kind of permissions using only PowerShell?

Thanks in advance.

Best Answer

If you want a purely PowerShell method, you may use info from this TechNet blog post, or take a look at the Quest PowerShell cmdlets: http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx

In my company we have several groups that need to create unlimited computer accounts. I continue to use the DSACLS.EXE tool, because I have past experience with it, and while it is cryptic I can accomplish in a few lines what takes many, many lines of pure PowerShell with either of the methods mentioned above. DSACLS has a long and very thorough help page. I've pared it down for brevity in this post to only address the permission to create computer accounts. With some research, you should also be able to find the object names and permission levels to create the other things you mention. Remember that Users & Groups would be covered by membership in "Account Operators", and you may want to restrict Site & Subnet creation to members of "Domain Admins".

Grant a group the right to create computer accounts at a given OU path. Replace ThisDom & ThisGroup to fit your environment.

# Run these from a PowerShell prompt (the single quotes are PowerShell quoting; cmd.exe would pass them to dsacls literally).
# /I:T  = this object and sub objects; /I:S = sub objects only.
# CCDC;computer                  -> create and delete child objects of class "computer" under the OU
dsacls "OU=coyote,DC=acme,DC=com" /I:T /G 'ThisDom\ThisGroup:CCDC;computer'
# WO;;computer                   -> change owner on existing computer objects below the OU
dsacls "OU=coyote,DC=acme,DC=com" /I:S /G 'ThisDom\ThisGroup:WO;;computer'
# WP;userAccountControl;computer -> write only the userAccountControl attribute on those computer objects
dsacls "OU=coyote,DC=acme,DC=com" /I:S /G 'ThisDom\ThisGroup:WP;userAccountControl;computer'

Usage (edited)

C:\Windows\System32>dsacls /?
Displays or modifies permissions (ACLS) of an Active Directory Domain Services (AD DS) Object

DSACLS object [/I:TSP] [/N] [/P:YN] [/G <group/user>:<perms> [...]]
              [/R <group/user> [...]] [/D <group/user>:<perms> [...]]
              [/S] [/T] [/A] [/resetDefaultDACL] [/resetDefaultSACL]
              [/takeOwnership] [/user:<userName>] [/passwd:<passwd> | *]
              [/simple]
<... skipped lines...>
   /I               Inheritance flags:
                        T: This object and sub objects
                        S: Sub objects only
                        P: Propagate inheritable permissions one level only.
<... skipped lines...>
   /G  <group/user>:<perms>
                    Grant specified group (or user) specified permissions.
                    See below for format of <group/user> and <perms>
<... skipped lines...>
            CC      Create child object
            DC      Delete a child object
            WO      Change owner information
            WP      Write property
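For anyone who wants the pure-PowerShell route the question asked about, here is an added example (not from the answer above or from the linked TechNet post) that grants the same three rights as the dsacls lines, using the ActiveDirectory module's AD: drive and System.DirectoryServices.ActiveDirectoryAccessRule. It assumes the RSAT ActiveDirectory module is installed, that the caller may modify the OU's security descriptor, and reuses the placeholder OU path and group name from the answer; the Get-SchemaGuid helper is this example's own. Schema GUIDs are looked up from the schema partition rather than hard-coded, and the inheritance values map to the dsacls flags (All = /I:T, Descendents = /I:S).

```powershell
# Added example, not part of the original answer or the TechNet post.
# Assumes: RSAT ActiveDirectory module, rights to modify the OU's ACL,
# placeholder OU path and group name taken from the answer.
Import-Module ActiveDirectory

$ouPath    = 'OU=coyote,DC=acme,DC=com'   # placeholder from the answer
$groupName = 'ThisGroup'                  # placeholder from the answer

# Hypothetical helper: resolve a class or attribute schemaIDGUID from the schema partition.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$computerClassGuid = Get-SchemaGuid -LdapDisplayName 'computer'
$uacAttributeGuid  = Get-SchemaGuid -LdapDisplayName 'userAccountControl'

# Grant to the group's SID so the ACE does not depend on name resolution later.
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$thisAndSubs = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # dsacls /I:T
$subsOnly    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # dsacls /I:S

$rules = @(
    # CCDC;computer -> create/delete child objects of class computer, on the OU and below
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $computerClassGuid, $thisAndSubs)
    # WO;;computer -> write owner on descendant computer objects only
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner,
        $allow, $subsOnly, $computerClassGuid)
    # WP;userAccountControl;computer -> write that single attribute on descendant computer objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $uacAttributeGuid, $subsOnly, $computerClassGuid)
)

$acl = Get-Acl -Path "AD:\$ouPath"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouPath" -AclObject $acl   # add -WhatIf to preview without writing

# Read the ACL back and show only the ACEs that reference the group, to confirm what was written.
(Get-Acl -Path "AD:\$ouPath").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType,
                 ObjectType, InheritedObjectType -AutoSize
```

The three constructor overloads used here differ only in which GUIDs they take: an object type (the class being created or the attribute being written), an inherited-object type (which descendant class the ACE applies to), or both. Keeping the WriteProperty ACE scoped to the userAccountControl GUID rather than granting GenericWrite on computer objects is what keeps this delegation narrow, so it is worth checking the ObjectType column in the final output matches the attribute GUID and not an empty GUID.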