Syphirint

Reputation: 1121

Security permissions of an OU

I'm trying to customize the Security section in the properties of a new OU. But I really can't find anything that can modify that section directly. Basically I need to add to that section two groups, remove one and be able to modify the permissions of each group (allow or deny). I think that I can access the permissions with

(Get-Acl $DistinguishedName).Access |
  Format-List identityreference, accesscontroltype, activedirectoryrights

But I don't know how to modify them.

Upvotes: 2

Views: 6168

Answers (1)

Ansgar Wiechers

Reputation: 200303

You modify AD ACLs the same way you modify other ACLs. You just need to use the correct AccessRule type (ActiveDirectoryAccessRule in this case).

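Import-Module ActiveDirectory  # provides the AD: drive and Get-ADGroup

$dn  = 'CN=foo,OU=bar,DC=example,DC=org'
$sid = (Get-ADGroup -Identity 'groupname').SID

$acl = Get-Acl -Path "AD:$dn"

# Arguments: identity, rights, access type, object type GUID (all zeros = any),
# inheritance, inherited object type GUID (all zeros = any)
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule $sid,
         'ReadProperty', 'Allow', '00000000-0000-0000-0000-000000000000',
         'All', '00000000-0000-0000-0000-000000000000'

# disable inheritance, keeping the inherited ACEs as explicit copies
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule($ace)

Set-Acl -Path "AD:$dn" -AclObject $acl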

If you want to modify existing ACEs you need to copy ACEs you want to preserve, re-create ACEs you want to change with modified settings, remove all existing ACEs (by changing the second argument of SetAccessRuleProtection() to $false), then add the new, copied, and modified ACEs.

Upvotes: 1
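
An added example for the task in the question (add two groups, one allowed and one denied, and remove a third from an OU's ACL); it is not part of the answer above and edits the ACL in place with `PurgeAccessRules()` and `AddAccessRule()` rather than rebuilding it. The OU path, the three group names, the backup file name and the helper `New-OuAce` are placeholders assumed for illustration.

```powershell
Import-Module ActiveDirectory            # provides the AD: drive and Get-ADGroup

# Placeholder DN and group names (assumptions for this example)
$path      = 'AD:OU=bar,DC=example,DC=org'
$allowSid  = (Get-ADGroup -Identity 'GroupToAllow').SID
$denySid   = (Get-ADGroup -Identity 'GroupToDeny').SID
$removeSid = (Get-ADGroup -Identity 'GroupToRemove').SID

$acl = Get-Acl -Path $path

# Save the current DACL as SDDL so the change can be reviewed or reverted
$acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -Path '.\ou-acl-before.sddl'

# Hypothetical helper: builds one ACE from typed arguments
function New-OuAce {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    # Typed arguments select the (identity, rights, type, inheritance) constructor;
    # 'All' applies the ACE to the OU and its descendants
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $Rights, $Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

# Remove one group: drops every explicit ACE for that SID (inherited ACEs are untouched)
$acl.PurgeAccessRules($removeSid)

# Add two groups, one allowed and one denied. Deny ACEs are evaluated before
# allow ACEs at the same level, so keep the denied rights narrow.
$acl.AddAccessRule((New-OuAce $allowSid 'GenericRead'        'Allow'))
$acl.AddAccessRule((New-OuAce $denySid  'Delete, DeleteTree' 'Deny'))

Set-Acl -Path $path -AclObject $acl

# Verify: list the explicit ACEs now on the OU
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
```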
