Active Directory Powershell implements two Powershell Provider cmdlets specifically for access control management in Active Directory: Get-ACL and Set-ACL. This blog series is to give a few examples on how to use them. Note that it is not intended for a detailed explanation of access control and delegation in Active Directory and with an assumption that the readers have had basic knowledge. Additional information on Active Directory access control and delegation can be found in the Best Practices for Delegating ActiveDirectory Administration and related topics in MSDN.
One of the unique aspects in access control management in Active Directory is the introduction of object specific ACEs which allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting ObjectType field in an object specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class. For more information on how to retrieve the rightsGuid or schemaIDGuid using Active Directory Powershell, please refer to Swami’s blog How to find extended rights that apply to a schema class. In the example below, we are going to create two object specific ACEs with one granting the group “myGroup” the extended right “Reset Password” for all users and the other giving it permission to delete computer objects, all under the organizationUnit “myOU”.
## Load Active Directory Powershell Module
PS C:\> cd ad:
## Create myOU
PS AD:\> $ou = new-adorganizationalunit -name myOU -passthru
## Create myGroup and obtain its SID
PS AD:\> $group = new-adgroup myGroup -groupscope global -passthru
PS AD:\> $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
## Get the DACL of myOU
PS AD:\> $acl = get-acl $ou
## The following object specific ACE is to grant myGroup permission to create computer objects under myOU.
## Note that bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid for the computer class.
PS AD:\> $objectguid = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
PS AD:\> $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild","Allow",$objectguid
## The following object specific ACE is to grant myGroup permission to change user password on all user objects
## under myOU. 00299570-246d-11d0-a768-00aa006e0529 is the rightsGuid for the extended right
## User-Force-Change-Password (“Reset Password”). bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid
## for the user class.
PS AD:\> $objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
PS AD:\> $inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"ExtendedRight",$objectGuid,"Descendents",$inheritedobjectguid
## Add the ACE in the ACL and set the ACL on the object
PS AD:\> $acl.AddAccessRule($ace1)
PS AD:\> $acl.AddAccessRule($ace2)
PS AD:\> set-acl -aclobject $acl $ou