PowerShell Active Directory Delegation – Part 2

Scenario:

PowerShell Active Directory Delegation – Part 2

In Part 1 of this series we have discussed about getting the information from Active Directory. We have created our arrays to keep the information that we will need. We created We have also seen sample of the lists, that we can create, to process them later and apply delegation on each Organizational Unit. In this part we will go though the Access Control List in Active Directory and how we will perform our changes to accomplish the delegation in Active Directory. Also, we will see a sample of the attributes that we will provide to local IT administrators.

Active Directory Access Control List

In order to be able to modify the access control list, we need first to retrieve the current list so we will be able to add our delegated access and not to disturb and lose the current setup that we already have. So we need to use the below command to get the current access control list of a specific organizational unit.

$acl = get-acl $currentuserou

The above command will get all access control entries in the current access control list of an organizational unit and will save them in a variable so we will be able to modify it.

Modify the Access Control List

Now we want to modify the access control list that we have saved in the variable. In order to modify it we will have to create and add access control entries in the access control list. Then after the list has been edited with our changes. To create the new access control entries we need to create the objects accordingly. In the access control entries that we will create, we have to define a few variables. These variables will include all the information that we need to provide delegated access to our local IT administrators. As you are able to see below, there are different permissions that we can apply. In general, we have to first provide the group of local IT administrators that we get those permissions. Then we define the right that we want to apply to the group. After that we apply the action and then the objects that will be applied to.

Create the Access Control Entries

Below are some examples of access control entries. Let’s explain them a bit to understand better how you will be able to create you own. On $ace1service , we first define the group that will get the permissions ( $servicegroup ). Then we define the access, which in this case Read all properties of the organizational unit that will be applied. After that we have to define the access permission which is “Allow” for this one. We apply this, not only to the specific organizational unit but also to any objects under that, which are user objects. As you can see, to define the correct object, we need to define the correct GUID. We have already created in part 1 of the series our GUID hash table and we use it at this point to provide the permissions accordingly. In this specific access control entry we use $guidmap[user] in order to provide these permissions for user objects.

There are different types of rights that you can provide to local IT administrators, depending on what you are trying to achieve. On $ace3service we have ExtendedRight and we user the other hash table that we have created in part 1 of the series ( $extendedrightsmap ). Hash tables allow us to use the display names instead of the GUID values for the permissions that we will provide.

In $ace1user we allow our local IT administrators to create child objects under the specific organizational unit. The objects that we allow them to create are users. In $ace2user we allow our local It administrators to write and modify “company” attribute for all user objects under the specific organizational unit.

$ace1service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ReadProperty","Allow","Descendents",$guidmap["user"] $ace3service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"] $ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"CreateChild","Allow",$guidmap["user"] $ace2user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"] $ace3user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"] $ace4user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"] $ace5user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]

The above commands will create access control entries that we need to add in the access control list that we have retrieved before. In order to apply the new access control entries in the access control list, we have to use the below command. After the list is ready with all access control entries in it, we have to set the access control list back to our organizational unit by using the below command.

$acl.AddAccessRule($ace1user) set-acl -aclobject $acl -Path $currentuserou

Permissions to our Local IT Administrators

Below are lists with permissions that we will provide to our local IT administrators for user objects, computer objects, group objects. Each group of local IT administrators will get the permissions accordingly based on the groups that we have discussed in Part 1 of this series.

User Objects

Read

Read All Properties

Reset Password

Write Company (Company under Organization Tab)

Write Department (Department under Organization Tab)

Write Description (Description under General Tab)

Write Display Name (Display Name under General Tab)

Write Fax Number (Fax under Telephones Tab)

Write Fax Number (Others) (Enable Additions of others for Fax)

Write First Name (First Name under General Tab)

Write Home Drive (Home Drive under Profile Tab)

Write Home Folder (Home Folder under Profile Tab)

Write Home Phone (Home under Telephones Tab)

Write Home Phone (Others) (Enable Additions of others for Home)

Write Initials (Initials under General Tab)

Write Job Title (Job Title under Organization Tab)

Write lockoutTime (Unlock Account under Account Tab)

Write Logon Name (User Logon Name under Account Tab)

Write Logon Name (pre-Windows 2000) (under Account Tab)

Write Manager (Manager under Organization Tab)

Write Mobile Number (Mobile under Telephones Tab)

Write Mobile Number (Others) (Enable Additions of other on Mobile)

Write Name

Write name

Write Notes (Notes under Telephones Tab)

Write Phone Number (Others) (Enable Additions of other on Telephone Number)

Write Post Office Box (P. O. Box under Address Tab)

Write pwdLastSet ((User must change password at next logon under Account Tab)

Write Street Address (Street under Address Tab)

Write Telephone Number (Telephone Number under General Tab)

Write thumbnailPhoto (change Users Photo)

Write userAccountControl (Enable/Disable Account and other Account options under Account Tab)

Write Web Page Address (Web Page under General Tab)

Write ZIP/Postal Code (ZIP/Postal Code under Address Tab)

sn – attribute (Last Name)

st – attribute (State)

c – attribute (Country/Region)

l – attribute (City)

physicalDeliveryOfficeName – attribute (Office)

Group Objects

Read

Read All Properties

Write Description

Write Group name (pre-Windows 2000)

Write group Type

Write Members

Write Name

Write name

Write Notes

Computer Objects

Read

Read All Properties

Write All Properties

Reset Password

Read and Write account restrictions

Validated write to DNs host name

Validated write to service principal name

Applying Our knowledge in the script

The below script is a sample and needs to be review and edited accordingly so you will be able to use it. You may give permissions, or remove permissions that you do not want and create issues with your systems. The main point of the above, is that we have to retrieve the access control lists from the organizational units. Then, we create our new access control entries and add them to the current access control list. After we have everything ready will need to apply the access control list to the organizational unit, so the delegated permissions will be applied.

Run the Script

As you are able to see below in the script a few loops are used in order to remove some input errors. Another main loop is used so that you will be able to run the script again either for different object or different country without the need to exit the script and run it from the beginning. When the application of the modified access control list is completed, then we receive a green output, that delegation for the specific organizational unit has been applied.

When you run the script will will ask you first to select on which option you want to apply delegation. After you select the object type, the script will ask you to select on which country you want to apply the delegated permissions. At this stage the script will start processing based on your input and will give you the results accordingly. After the script has completed providing the delegated permissions to the specific organizational units it will ask you if you would like to run the script again for another object or country. It accepts only “y” or “n”. If your input is yes then the script will start from the beginning and will ask you again to give the options. If your input is no, the script will exit. In order to run the script, you will need to run PowerShell as an administrator with domain admin permissions.

You can download the script here or copy it from below.

Hope you like it.

If you have any questions or anything else please let me know in the comments below.

Related Links:

Solution Script:

<# .SYNOPSIS Name: Set-ADDelegation.ps1 The purpose of this script is to provide delegated access to administrator in Active Directory. .DESCRIPTION The script will provide the predefined permissions to IT administrators by modifying the ACLs of Organizational Units so they will be able to perform their jobs with the least possible permissions. .RELATED LINKS Home .NOTES Version: 1.0 Release Date: 16-03-2018 Author: Stephanos Constantinou .EXAMPLE Set-ADDelegation.ps1 #> Import-module ActiveDirectory cd ad: $rootdse = Get-ADRootDSE $domain = Get-ADDomain $guidmap = @{} Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | foreach {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID} $extendedrightsmap = @{} Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` "(&;(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | foreach {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid} $objectinfo = @" List of the objects that you can delegate control: 1. User 2. Computer 3. Group 4. Service Accounts 5. Servers "@ $countryinfo = @" List of the countries that you want to apply the delegation for: 1. Cyprus 2. Greece 3. Germany 4. India 5. United Kingdom "@ $AllOUs = Get-ADOrganizationalUnit -Properties DistinguishedName -SearchBase ("OU=Offices,"+$domain.DistinguishedName) -Filter * $ServersOUs = Get-ADOrganizationalUnit -Properties DistinguishedName -SearchBase ("OU=Servers,"+$domain.DistinguishedName) -Filter * $again = "y" $userinput = "wrong" while ($again -eq "y"){ do { Write-Host $objectinfo $objectoption = Read-Host -Prompt 'Please select the number of the object' } until (($objectoption -eq "1") -or ($objectoption -eq "2") -or ($objectoption -eq "3") -or ($objectoption -eq "4") -or ($objectoption -eq "5")) do { Write-Host $countryinfo $countryoption = Read-Host -Prompt 'Please select the number of the country' } until (($countryoption -eq "1") -or ($countryoption -eq "2") -or ($countryoption -eq "3") -or ($countryoption -eq "4") -or ($countryoption -eq "5")) switch ($countryoption){ 1 {$CyprusEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $CyprusComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $CyprusGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $CyprusServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $CyprusServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and ($_.DistinguishedName -like "*2012*") -and ($_.DistinguishedName -like "*2016*") -and ($_.DistinguishedName -like "*Linux*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $servicedesk = "cy-ServiceDesk" $computeradmin = "cy-DesktopAdmin" $useradmin = "cy-UserAdmin" $adadmin = "cy-ADAdmin" $activeuserou = $CyprusEmployeesOUs $activedesktopou = $CyprusComputersOUs $activegroupou = $CyprusGroupsOUs $activeserviceou = $CyprusServiceOUs $activeserverou = $CyprusServersOUs $country = "Cyprus"} 2 {$GreeceEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $GreeceComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $GreeceGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $GreeceServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $GreeceServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and ($_.DistinguishedName -like "*2012*") -and ($_.DistinguishedName -like "*2016*") -and ($_.DistinguishedName -like "*Linux*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $servicedesk = "gr-ServiceDesk" $computeradmin = "gr-DesktopAdmin" $useradmin = "gr-UserAdmin" $adadmin = "gr-ADAdmin" $activeuserou = $GreeceEmployeesOUs $activedesktopou = $GreeceComputersOUs $activegroupou = $GreeceGroupsOUs $activeserviceou = $GreeceServiceOUs $activeserverou = $GreeceServersOUs $country = "Greece"} 3 {$GermanyEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $GermanyComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $GermanyGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $GermanyServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $GermanyServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and ($_.DistinguishedName -like "*2012*") -and ($_.DistinguishedName -like "*2016*") -and ($_.DistinguishedName -like "*Linux*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $servicedesk = "de-ServiceDesk" $computeradmin = "de-DesktopAdmin" $useradmin = "de-UserAdmin" $adadmin = "de-ADAdmin" $activeuserou = $GermanyEmployeesOUs $activedesktopou = $GermanyComputersOUs $activegroupou = $GermanyGroupsOUs $activeserviceou = $GermanyServiceOUs $activeserverou = $GermanyServersOUs $country = "Germany"} 4 {$IndiaEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $IndiaComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $IndiaGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $IndiaServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $IndiaServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and ($_.DistinguishedName -like "*2012*") -and ($_.DistinguishedName -like "*2016*") -and ($_.DistinguishedName -like "*Linux*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $servicedesk = "in-ServiceDesk" $computeradmin = "in-DesktopAdmin" $useradmin = "in-UserAdmin" $adadmin = "in-ADAdmin" $activeuserou = $IndiaEmployeesOUs $activedesktopou = $IndiaComputersOUs $activegroupou = $IndiaGroupsOUs $activeserviceou = $IndiaServiceOUs $activeserverou = $IndiaServersOUs $country = "India"} 5 {$UnitedKingdomEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName $UnitedKingdomComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName $UnitedKingdomGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName $UnitedKingdomServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName $UnitedKingdomServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and ($_.DistinguishedName -like "*2012*") -and ($_.DistinguishedName -like "*2016*") -and ($_.DistinguishedName -like "*Linux*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName $servicedesk = "uk-ServiceDesk" $computeradmin = "uk-DesktopAdmin" $useradmin = "uk-UserAdmin" $adadmin = "uk-ADAdmin" $activeuserou = $UnitedKingdomEmployeesOUs $activedesktopou = $UnitedKingdomComputersOUs $activegroupou = $UnitedKingdomGroupsOUs $activeserviceou = $UnitedKingdomServiceOUs $activeserverou = $UnitedKingdomServersOUs $country = "United Kingdom"} default {"You have entered a wrong number. Run the script again"; Exit}} $servicegroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$servicedesk").SID $computergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$computeradmin").SID $usergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$useradmin").SID $adgroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$adadmin").SID $engineergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "group-ADEngineer").SID $ownerrights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4' switch ($objectoption){ 1 {foreach ($currentuserou in $activeuserou){ $acl = get-acl $currentuserou $ace1service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ReadProperty","Allow","Descendents",$guidmap["user"] $ace2service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"] $ace3service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"] $ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"CreateChild","Allow",$guidmap["user"] $ace2user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"] $ace3user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"] $ace4user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"] $ace5user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"] $ace6user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace7user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace8user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"] $ace9user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"] $ace10user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"] $ace11user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"] $ace12user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"] $ace13user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"] $ace14user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"] $ace15user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"] $ace16user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"] $ace17user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"] $ace18user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"] $ace19user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"] $ace20user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"] $ace21user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"] $ace22user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"] $ace23user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"] $ace24user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"] $ace25user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"] $ace26user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"] $ace27user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"] $ace28user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"] $ace29user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"] $ace30user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"] $ace31user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"] $ace32user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"] $ace33user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"] $ace34user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"] $ace35user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"] $ace36user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"] $ace37user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["extensionAttribute2"],"Descendents",$guidmap["user"] $ace38user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userWorkstations"],"Descendents",$guidmap["user"] $ace39user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["logonHours"],"Descendents",$guidmap["user"] $ace1engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["user"] $ace2engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"] $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"] $ace4engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["user"] $ace5engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["user"] $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"] $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"] $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"] $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"] $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace11engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace12engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"] $ace13engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"] $ace14engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"] $ace15engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"] $ace16engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"] $ace17engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"] $ace18engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"] $ace19engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"] $ace20engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"] $ace21engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"] $ace22engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"] $ace23engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"] $ace24engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"] $ace25engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"] $ace26engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"] $ace27engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"] $ace28engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"] $ace29engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"] $ace30engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"] $ace31engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"] $ace32engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"] $ace33engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"] $ace34engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"] $ace35engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"] $ace36engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"] $ace37engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"] $ace38engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"] $ace39engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"] $ace40engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"] $ace41engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["extensionAttribute2"],"Descendents",$guidmap["user"] $ace42engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userWorkstations"],"Descendents",$guidmap["user"] $ace43engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["logonHours"],"Descendents",$guidmap["user"] $ace1owner = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ownerrights,"ReadProperty","Allow","Descendents",$guidmap["user"] $acl.AddAccessRule($ace1service) $acl.AddAccessRule($ace2service) $acl.AddAccessRule($ace3service) $acl.AddAccessRule($ace1user) $acl.AddAccessRule($ace2user) $acl.AddAccessRule($ace3user) $acl.AddAccessRule($ace4user) $acl.AddAccessRule($ace5user) $acl.AddAccessRule($ace6user) $acl.AddAccessRule($ace7user) $acl.AddAccessRule($ace8user) $acl.AddAccessRule($ace9user) $acl.AddAccessRule($ace10user) $acl.AddAccessRule($ace11user) $acl.AddAccessRule($ace12user) $acl.AddAccessRule($ace13user) $acl.AddAccessRule($ace14user) $acl.AddAccessRule($ace15user) $acl.AddAccessRule($ace16user) $acl.AddAccessRule($ace17user) $acl.AddAccessRule($ace18user) $acl.AddAccessRule($ace19user) $acl.AddAccessRule($ace20user) $acl.AddAccessRule($ace21user) $acl.AddAccessRule($ace22user) $acl.AddAccessRule($ace23user) $acl.AddAccessRule($ace24user) $acl.AddAccessRule($ace25user) $acl.AddAccessRule($ace26user) $acl.AddAccessRule($ace27user) $acl.AddAccessRule($ace28user) $acl.AddAccessRule($ace29user) $acl.AddAccessRule($ace30user) $acl.AddAccessRule($ace31user) $acl.AddAccessRule($ace32user) $acl.AddAccessRule($ace33user) $acl.AddAccessRule($ace34user) $acl.AddAccessRule($ace35user) $acl.AddAccessRule($ace36user) $acl.AddAccessRule($ace37user) $acl.AddAccessRule($ace38user) $acl.AddAccessRule($ace39user) $acl.AddAccessRule($ace1engineer) $acl.AddAccessRule($ace2engineer) $acl.AddAccessRule($ace3engineer) $acl.AddAccessRule($ace4engineer) $acl.AddAccessRule($ace5engineer) $acl.AddAccessRule($ace6engineer) $acl.AddAccessRule($ace7engineer) $acl.AddAccessRule($ace8engineer) $acl.AddAccessRule($ace9engineer) $acl.AddAccessRule($ace10engineer) $acl.AddAccessRule($ace11engineer) $acl.AddAccessRule($ace12engineer) $acl.AddAccessRule($ace13engineer) $acl.AddAccessRule($ace14engineer) $acl.AddAccessRule($ace15engineer) $acl.AddAccessRule($ace16engineer) $acl.AddAccessRule($ace17engineer) $acl.AddAccessRule($ace18engineer) $acl.AddAccessRule($ace19engineer) $acl.AddAccessRule($ace20engineer) $acl.AddAccessRule($ace21engineer) $acl.AddAccessRule($ace22engineer) $acl.AddAccessRule($ace23engineer) $acl.AddAccessRule($ace24engineer) $acl.AddAccessRule($ace25engineer) $acl.AddAccessRule($ace26engineer) $acl.AddAccessRule($ace27engineer) $acl.AddAccessRule($ace28engineer) $acl.AddAccessRule($ace29engineer) $acl.AddAccessRule($ace30engineer) $acl.AddAccessRule($ace31engineer) $acl.AddAccessRule($ace32engineer) $acl.AddAccessRule($ace33engineer) $acl.AddAccessRule($ace34engineer) $acl.AddAccessRule($ace35engineer) $acl.AddAccessRule($ace36engineer) $acl.AddAccessRule($ace37engineer) $acl.AddAccessRule($ace38engineer) $acl.AddAccessRule($ace39engineer) $acl.AddAccessRule($ace40engineer) $acl.AddAccessRule($ace41engineer) $acl.AddAccessRule($ace42engineer) $acl.AddAccessRule($ace43engineer) $acl.AddAccessRule($ace1owner) set-acl -aclobject $acl -Path $currentuserou $Confirmation = "User objects delegation on $currentuserou for $country was successful." Write-Host $Confirmation -ForegroundColor Green}} 2 {foreach ($currentdesktopou in $activedesktopou){ $acl = get-acl $currentdesktopou $ace1desktop = new-object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"CreateChild","Allow",$guidmap["computer"] $ace2desktop = new-object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"DeleteChild","Allow",$guidmap["computer"] $ace3desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"] $ace4desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"WriteProperty","Allow","Descendents",$guidmap["computer"] $ace5desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"] $ace6desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"] $ace7desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"] $ace8desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"] $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["computer"] $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["computer"] $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"] $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow","Descendents",$guidmap["computer"] $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"] $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"] $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"] $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"] $acl.AddAccessRule($ace1desktop) $acl.AddAccessRule($ace2desktop) $acl.AddAccessRule($ace3desktop) $acl.AddAccessRule($ace4desktop) $acl.AddAccessRule($ace5desktop) $acl.AddAccessRule($ace6desktop) $acl.AddAccessRule($ace7desktop) $acl.AddAccessRule($ace8desktop) $acl.AddAccessRule($ace1engineer) $acl.AddAccessRule($ace2engineer) $acl.AddAccessRule($ace3engineer) $acl.AddAccessRule($ace4engineer) $acl.AddAccessRule($ace5engineer) $acl.AddAccessRule($ace6engineer) $acl.AddAccessRule($ace7engineer) $acl.AddAccessRule($ace8engineer) set-acl -aclobject $acl -Path $currentdesktopou $Confirmation = "Computer objects delegation on $currentdesktopou for $country was successful." Write-Host $Confirmation -ForegroundColor Green}} 3 {foreach ($currentgroupou in $activegroupou){ $acl = get-acl $currentgroupou $ace1ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["group"] $ace2ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"DeleteChild","Allow",$guidmap["group"] $ace3ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["group"] $ace4ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["group"] $ace5ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["group"] $ace6ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["groupType"],"Descendents",$guidmap["group"] $ace7ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["member"],"Descendents",$guidmap["group"] $ace8ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["group"] $ace9ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["group"] $ace10ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["group"] $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["group"] $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["group"] $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["group"] $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["group"] $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["group"] $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["groupType"],"Descendents",$guidmap["group"] $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["member"],"Descendents",$guidmap["group"] $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["group"] $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["group"] $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["group"] $acl.AddAccessRule($ace1ad) $acl.AddAccessRule($ace2ad) $acl.AddAccessRule($ace3ad) $acl.AddAccessRule($ace4ad) $acl.AddAccessRule($ace5ad) $acl.AddAccessRule($ace6ad) $acl.AddAccessRule($ace7ad) $acl.AddAccessRule($ace8ad) $acl.AddAccessRule($ace9ad) $acl.AddAccessRule($ace10ad) $acl.AddAccessRule($ace1engineer) $acl.AddAccessRule($ace2engineer) $acl.AddAccessRule($ace3engineer) $acl.AddAccessRule($ace4engineer) $acl.AddAccessRule($ace5engineer) $acl.AddAccessRule($ace6engineer) $acl.AddAccessRule($ace7engineer) $acl.AddAccessRule($ace8engineer) $acl.AddAccessRule($ace9engineer) $acl.AddAccessRule($ace10engineer) set-acl -aclobject $acl -Path $currentgroupou $Confirmation = "Group objects delegation on $currentgroupou for $country was successful." Write-Host $Confirmation -ForegroundColor Green}} 4 {foreach ($currentserviceou in $activeserviceou){ $acl = get-acl $currentserviceou $ace1ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["user"] $ace2ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"] $ace3ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"] $ace4ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["user"] $ace5ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"] $ace6ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"] $ace7ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"] $ace8ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"] $ace9ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace10ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace11ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"] $ace12ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"] $ace13ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"] $ace14ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"] $ace15ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"] $ace16ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"] $ace17ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"] $ace18ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"] $ace19ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"] $ace20ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"] $ace21ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"] $ace22ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"] $ace23ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"] $ace24ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"] $ace25ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"] $ace26ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"] $ace27ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"] $ace28ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"] $ace29ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"] $ace30ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"] $ace31ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"] $ace32ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"] $ace33ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"] $ace34ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"] $ace35ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"] $ace36ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"] $ace37ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"] $ace38ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"] $ace39ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"] $ace1engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["user"] $ace2engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"] $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"] $ace4engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["user"] $ace5engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["user"] $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"] $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"] $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"] $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"] $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace11engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"] $ace12engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"] $ace13engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"] $ace14engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"] $ace15engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"] $ace16engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"] $ace17engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"] $ace18engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"] $ace19engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"] $ace20engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"] $ace21engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"] $ace22engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"] $ace23engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"] $ace24engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"] $ace25engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"] $ace26engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"] $ace27engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"] $ace28engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"] $ace29engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"] $ace30engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"] $ace31engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"] $ace32engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"] $ace33engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"] $ace34engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"] $ace35engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"] $ace36engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"] $ace37engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"] $ace38engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"] $ace39engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"] $ace40engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"] $acl.AddAccessRule($ace1ad) $acl.AddAccessRule($ace2ad) $acl.AddAccessRule($ace3ad) $acl.AddAccessRule($ace4ad) $acl.AddAccessRule($ace5ad) $acl.AddAccessRule($ace6ad) $acl.AddAccessRule($ace7ad) $acl.AddAccessRule($ace8ad) $acl.AddAccessRule($ace9ad) $acl.AddAccessRule($ace10ad) $acl.AddAccessRule($ace11ad) $acl.AddAccessRule($ace12ad) $acl.AddAccessRule($ace13ad) $acl.AddAccessRule($ace14ad) $acl.AddAccessRule($ace15ad) $acl.AddAccessRule($ace16ad) $acl.AddAccessRule($ace17ad) $acl.AddAccessRule($ace18ad) $acl.AddAccessRule($ace19ad) $acl.AddAccessRule($ace20ad) $acl.AddAccessRule($ace21ad) $acl.AddAccessRule($ace22ad) $acl.AddAccessRule($ace23ad) $acl.AddAccessRule($ace24ad) $acl.AddAccessRule($ace25ad) $acl.AddAccessRule($ace26ad) $acl.AddAccessRule($ace27ad) $acl.AddAccessRule($ace28ad) $acl.AddAccessRule($ace29ad) $acl.AddAccessRule($ace30ad) $acl.AddAccessRule($ace31ad) $acl.AddAccessRule($ace32ad) $acl.AddAccessRule($ace33ad) $acl.AddAccessRule($ace34ad) $acl.AddAccessRule($ace35ad) $acl.AddAccessRule($ace36ad) $acl.AddAccessRule($ace37ad) $acl.AddAccessRule($ace38ad) $acl.AddAccessRule($ace39ad) $acl.AddAccessRule($ace1engineer) $acl.AddAccessRule($ace2engineer) $acl.AddAccessRule($ace3engineer) $acl.AddAccessRule($ace4engineer) $acl.AddAccessRule($ace5engineer) $acl.AddAccessRule($ace6engineer) $acl.AddAccessRule($ace7engineer) $acl.AddAccessRule($ace8engineer) $acl.AddAccessRule($ace9engineer) $acl.AddAccessRule($ace10engineer) $acl.AddAccessRule($ace11engineer) $acl.AddAccessRule($ace12engineer) $acl.AddAccessRule($ace13engineer) $acl.AddAccessRule($ace14engineer) $acl.AddAccessRule($ace15engineer) $acl.AddAccessRule($ace16engineer) $acl.AddAccessRule($ace17engineer) $acl.AddAccessRule($ace18engineer) $acl.AddAccessRule($ace19engineer) $acl.AddAccessRule($ace20engineer) $acl.AddAccessRule($ace21engineer) $acl.AddAccessRule($ace22engineer) $acl.AddAccessRule($ace23engineer) $acl.AddAccessRule($ace24engineer) $acl.AddAccessRule($ace25engineer) $acl.AddAccessRule($ace26engineer) $acl.AddAccessRule($ace27engineer) $acl.AddAccessRule($ace28engineer) $acl.AddAccessRule($ace29engineer) $acl.AddAccessRule($ace30engineer) $acl.AddAccessRule($ace31engineer) $acl.AddAccessRule($ace32engineer) $acl.AddAccessRule($ace33engineer) $acl.AddAccessRule($ace34engineer) $acl.AddAccessRule($ace35engineer) $acl.AddAccessRule($ace36engineer) $acl.AddAccessRule($ace37engineer) $acl.AddAccessRule($ace38engineer) $acl.AddAccessRule($ace39engineer) $acl.AddAccessRule($ace40engineer) set-acl -aclobject $acl -Path $currentserviceou $Confirmation = "User objects (Services Accounts) delegation on $currentserviceou for $country was successful." Write-Host $Confirmation -ForegroundColor Green}} 5 {foreach ($currentserversou in $activeserverou){ $acl = get-acl $currentserversou $ace1server = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["computer"] $ace2server = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"DeleteChild","Allow",$guidmap["computer"] $ace3server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["computer"] $ace4server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow","Descendents",$guidmap["computer"] $ace5server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"] $ace6server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"] $ace7server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"] $ace8server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"] $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["computer"] $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["computer"] $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"] $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"] $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"] $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"] $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"] $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"] $acl.AddAccessRule($ace1server) $acl.AddAccessRule($ace2server) $acl.AddAccessRule($ace3server) $acl.AddAccessRule($ace4server) $acl.AddAccessRule($ace5server) $acl.AddAccessRule($ace6server) $acl.AddAccessRule($ace7server) $acl.AddAccessRule($ace8server) $acl.AddAccessRule($ace1engineer) $acl.AddAccessRule($ace2engineer) $acl.AddAccessRule($ace3engineer) $acl.AddAccessRule($ace4engineer) $acl.AddAccessRule($ace5engineer) $acl.AddAccessRule($ace6engineer) $acl.AddAccessRule($ace7engineer) $acl.AddAccessRule($ace8engineer) set-acl -aclobject $acl -Path $currentserversou $Confirmation = "Computer objects (Servers) delegation on $currentserversou for $country was successful." Write-Host $Confirmation -ForegroundColor Green}} default {"You have entered a wrong number. Run the script again"; Exit}} do{$answer = Read-Host -Prompt 'Do you want to run delegation script again for another object or country? (y or n)' If (($answer -eq "n") -or ($answer -eq "y")){ $userinput = "correct"} else{ $userinput = "wrong" Write-Host @" You have entered a wrong answer. Please enter y [YES] or n [NO] "@ } } while ($userinput -eq "wrong") $again = $answer}