PowerShell: Update Active Directory Permissions

If you’re new to manipulating Active Directory in PowerShell and you want to answer a question like ‘How do I give domain user prod\bruce write access to AD object LDAP://adserver.prod.com/cn=MegaServer, cn=Computers, cn=prod, cn=net’, then this brilliant article by Richard Siddaway, ‘Windows Server 2008 Protection from Accidental Deletion’, is just what you need.

I’m just linking it here because its title makes it a bit difficult to find and it deserves more exposure.

Here’s the guts of it:

## bind to the OU and fetch its security descriptor (DACL)
$ou = [ADSI]"LDAP://ou=Thunderbirds,dc=starking,dc=org"
$sec = $ou.psbase.ObjectSecurity

## set the rights and control type
$act = [System.Security.AccessControl.AccessControlType]::Deny
$adrights = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$adrights2 = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

## who does this apply to
$who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "", "prod\bruce"

# stop delete: add an explicit Deny ACE and write it back to the directory
$newrule1 = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $adrights, $act
$sec.AddAccessRule($newrule1)
$ou.psbase.CommitChanges()

# stop deletetree: same again for the DeleteTree right
$newrule2 = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $adrights2, $act
$sec.AddAccessRule($newrule2)
$ou.psbase.CommitChanges()
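The same System.DirectoryServices types, wrapped in a reusable helper as an added example (this is not code from the post or from Siddaway's article). It skips an ACE that is already present, commits, and then reads the DACL back from the directory to confirm the change landed; the LDAP paths and the account prod\bruce are assumed placeholder values.

```powershell
# Added example, not from the original post. Paths and "prod\bruce" are placeholders.
function Add-AdObjectAce {
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][string]$Identity,   # e.g. "prod\bruce"
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $obj = [ADSI]$LdapPath
    $sec = $obj.psbase.ObjectSecurity
    $who = New-Object System.Security.Principal.NTAccount -ArgumentList $Identity

    # Idempotence: do nothing if an identical explicit ACE is already on the object.
    $existing = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference -eq $who -and
            $_.ActiveDirectoryRights -eq $Rights -and
            $_.AccessControlType -eq $Type
        }
    if ($existing) { Write-Verbose "ACE already present on $LdapPath"; return $existing }

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $who, $Rights, $Type, $Inheritance
    $sec.AddAccessRule($rule)
    $obj.psbase.CommitChanges()

    # Verify: re-read the entry from the directory rather than trusting the local object.
    $obj.psbase.RefreshCache()
    $obj.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference -eq $who -and $_.AccessControlType -eq $Type }
}

# Least-privilege answer to the question in the post: write access only, on one object,
# rather than GenericAll (assumed placeholder path).
Add-AdObjectAce -LdapPath 'LDAP://adserver.prod.com/cn=MegaServer,cn=Computers,dc=prod,dc=net' `
    -Identity 'prod\bruce' -Rights WriteProperty -Verbose

# The post's protection from accidental deletion as explicit Deny ACEs, in one call.
Add-AdObjectAce -LdapPath 'LDAP://ou=Thunderbirds,dc=starking,dc=org' `
    -Identity 'prod\bruce' -Rights 'Delete,DeleteTree' -Type Deny -Verbose
```

Note that an explicit Deny ACE wins over any Allow, so the second call blocks deletion even if prod\bruce is also granted GenericAll elsewhere; the returned rules are what is actually stored on the object, which is the value to log for change tracking.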
