PowerShell Active Directory Delegation – Part 1

Scenario:

PowerShell Active Directory Delegation.

I wrote this script long ago and I use it when there are changes in Active Directory to apply delegation on the new Organizational Units. I thought that you might find it interesting, so I decided to write this post. We will go through the script and by the end of the series, you will be able to understand what the script is doing. We will divide the script smaller parts and discuss them accordingly.

General Permissions

Microsoft provide us with the ability to perform delegation in Active Directory, through Active Directory User and Computers. Have you ever tried to apply delegation using the GUI? I have tried to do it and it was a nightmare. As you will see later on, the delegation that I had to apply was really detailed and deep that default roles provide by Microsoft were not applicable. To better understand what we are trying to do with this script, we will set our requirements down. First of all we will create our groups based on the permissions that they will have. The groups are the below:

Active Directory Engineer

Active Directory Admin

User Administrator

ComputerAdministrator

Service Desk

Each of the above groups will have different permissions. Each group provides additional permissions, so an administrator needs to be member of all groups to have full access. I will not go through the entire list as we will need a lot of space to list all permissions here. All groups are able to read all properties of all objects. In general the Service Desk group will be able to unlock and reset the password only for user accounts. Computer administrators will be able to do the same with services desk and additionally create, delete,write properties of computer objects in Active Directory. User administrators, additionally, will be ale to create user objects, and write/ modify some properties of the user objects. Active Directory administrators, will be able to perform all of the above and also manage servers and services accounts. Active Directory Engineers will have full control on servers, computers, users and services accounts.

Gather information from Active Directory

Imagine changing all those properties of all current Organizational Units in Active Directory. Also for any new Organizational Unit, you will need also to perform those changes, so the administrators will be able have the same permissions. First we will need to gather some information from our Active Directory.

$rootdse = Get-ADRootDSE

The above command will provide us with the root of a Directory Server information tree. As per Microsoft:

The Get-ADRootDSE cmdlet gets the conceptual object representing the root of the directory information tree of a directory server. This tree provides information about the configuration and capabilities of the directory server, such as the distinguished name for the configuration container, the current time on the directory server, and the functional levels of the directory server and the domain.

After that we will need to create a hash table to store the GUID value of each schema class and attribute. Those values will be used later, to apply the permissions. By using the command below, we declare our hash table and then we fill it accordingly. We keep the LDAP display name and schema GUID number for each value.

$guidmap = @{} Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

Then we have to create another hash table to keep the display name and GUID value for each extended permission right the is included in the forest. The following command will retrieve the information that we need and fill our hash table.

$extendedrightsmap = @{} Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

Create our arrays

The next part is based on your Organizational Unit structure in Active Directory. The difference is the search base that you search to find the organizational units. By using the below commands we will be able to get the domain and a list of the Organizational Units under that one. The we will create our arrays that we will use to perform the delegation and apply the correct permissions.

$domain = Get-ADDomain $AllOUs = Get-ADOrganizationalUnit -Properties DistinguishedName -SearchBase ("OU=Offices,"+$domain.DistinguishedName) -Filter *

After we have gathered all Organizational Units that we want, we will proceed with filtering of that variable. The below is a sample on how we are able to do so. We are using the main array that holds all organizational units that we have gathered before. We create new arrays, by using filtering on it and as you are able to see below, we are creating a list of organizational units that are holding employees under them. For the below example, we have five locations, Cyprus, Greece, Germany, India, United Kingdom, and each one has its own array.

$CyprusEmployeesOUs = ($AllOUs | ? {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName $GreeceEmployeesOUs = ($AllOUs | ? {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Greece*")}).DistinguishedName $GermanyEmployeesOUs = ($AllOUs | ? {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*Germany*")}).DistinguishedName $IndiaEmployeesOUs = ($AllOUs | ? {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*India*")}).DistinguishedName $UnitedKingdomEmployeesOUs = ($AllOUs | ? {($_.DistinguishedName -like "*Employees*") -and ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName

In the next part we will go through the permissions in more details and ACLs in active directory and how we will apply the delegated permissions. The process of applying delegated permissions is not an one time job. Every time, that there is a new Organizational Unit we will need to apply delegated permissions again. We will put all parts together so we will have a full working script that can be reused every time we have to apply delegated permissions to new organizational units.

Hope you like it. If you have any questions or anything else please let me know in the comments below.

Stay tuned for the next part of this series.

Related Links: