# PowerShell Active Directory OU Delegation Access Rules

• ### Question

• Hi Guys,

I'm searching for a way to create some kind of Access Rule template via PowerShell.

Does anyone know if it's possible with PowerShell to export the ACL of a certain security group on an OU,

so I can apply it to any OU I want it applied to?

Thanks!

• Moved by Wednesday, September 4, 2019 6:33 PM This is not "scripts on demand"
Tuesday, March 12, 2019 4:47 PM

### All replies

• Just extract the SDDL of any object. It can be applied by using the SDDL to create an ACL, which is then applied to a target object.

\_(ツ)_/

Tuesday, March 12, 2019 6:26 PM
• With the below script I get the complete security of TestOU_01; I want to export only the security that has been set for the security group it-admin.

Can this be filtered out with PowerShell, to export it and add this group on any other OU?

```powershell
Import-Module ActiveDirectory

$rootDSE = Get-ADRootDSE
$domain  = Get-ADDomain

$container = Get-ADObject -Identity ("OU=TestOU_01,OU=Testing," + $domain.DistinguishedName)

# Get-Acl needs an AD: drive path, not the bare distinguished name
$acl1 = Get-Acl -Path ("AD:\" + $container.DistinguishedName)

# full ACL object; the Sddl property holds the SDDL string
$acl1 | Format-List
```

Output:

```
PSPath                  : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
PSParentPath            : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=Testing,DC=cochlear,DC=com
PSChildName             : OU=TestOU_01
PSDrive                 : AD
PSProvider              : Microsoft.ActiveDirectory.Management\ActiveDirectory
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
Owner                   : COCHLEAR\Domain Admins
Group                   : COCHLEAR\Domain Users
Access                  : {System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule...}
Sddl                    : O:DAG:DUD:PAI(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;C....83-79217)
AccessToString          : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
                          NT AUTHORITY\Authenticated Users Allow
                          NT AUTHORITY\SYSTEM Allow
                          COCHLEAR\Domain Admins Allow
                          COCHLEAR\it-admin Allow
AuditToString           :
AccessRightType         : System.DirectoryServices.ActiveDirectoryRights
AccessRuleType          : System.DirectoryServices.ActiveDirectoryAccessRule
AuditRuleType           : System.DirectoryServices.ActiveDirectoryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
```

• Edited by Wednesday, March 13, 2019 8:15 AM using code block
Wednesday, March 13, 2019 7:00 AM
• Please do not post colorized code. Use the code posting tool provided on the edit bar. Edit your post and fix it please.

\_(ツ)_/

Wednesday, March 13, 2019 7:51 AM
• Use the SDDL string to copy the security.

\_(ツ)_/

Wednesday, March 13, 2019 7:52 AM
• How do I get the SDDL string for only one security group instead of the complete collection?

Example group: it-admin

Wednesday, March 13, 2019 8:16 AM
• You just returned the security for one object. I am not sure what you are looking for. Get-Acl returns one ACL object. You can see the SDDL.

\_(ツ)_/

Wednesday, March 13, 2019 8:19 AM
•
```powershell
$dn = (Get-ADGroup testgrp2).DistinguishedName
Get-Acl "AD:\$dn" | Select-Object Sddl
```

```powershell
$dn = (Get-ADGroup testgrp2).DistinguishedName
(Get-Acl "AD:\$dn").GetSecurityDescriptorSddlForm('Access')
```

Warning: Copying SDDL can have unintended consequences.

\_(ツ)_/

• Edited by Wednesday, March 13, 2019 8:25 AM
Wednesday, March 13, 2019 8:24 AM
• I understand what you are trying to tell me, but this will only set the default security, I guess? Not the delegation access properties, like for computer objects --> delete computer object

Wednesday, March 13, 2019 8:58 AM
• To add a specific delegation you need to create the security ACE and add it to the target. You can also just get the Access ACEs and copy the one you want.

```powershell
Get-Acl "AD:\$dn" | Select-Object -ExpandProperty Access
```

\_(ツ)_/

• Edited by Wednesday, March 13, 2019 9:18 AM
Wednesday, March 13, 2019 9:17 AM
• If you are trying to save a particular ACE then this is how:

```powershell
# get ACEs for ACL
$aces = Get-Acl "AD:\$dn" | Select-Object -ExpandProperty Access

# select specific ACE to save
$aces[0] | Export-Clixml ace.xml

# import saved ACE
# (Import-Clixml returns a deserialized property bag, not a live ActiveDirectoryAccessRule)
$ace = Import-Clixml ace.xml
```


\_(ツ)_/

Wednesday, March 13, 2019 9:25 AM
• That's not what I'm looking for.

You are pointing to the ACL on a security group.

I need an export of the security that is set on a certain OU for a certain security group.

As an example I gave:

OU=TestOU_01

Wednesday, March 13, 2019 10:00 AM
• It works the same for an OU.

Before pursuing this you should take some time to learn how AD works at an API level, as well as how to use PowerShell.

To access an OU just use this command

```powershell
$dn = 'OU=YourOuName, … path to OU ...'
```

\_(ツ)_/

Wednesday, March 13, 2019 2:45 PM
•
```powershell
Import-Module ActiveDirectory

$rootDSE = Get-ADRootDSE
$domain  = Get-ADDomain
Set-Location AD:\

# Vars
$SecurityGroupToApply = "it-admin"
$Destination_OU = "OU=TestOU_03,OU=Testing,$($domain.DistinguishedName)"
$Source_OU      = "OU=TestOU_01,OU=Testing,$($domain.DistinguishedName)"
$Current_ACL = Get-Acl -Path $Destination_OU
$Source_ACL  = Get-Acl -Path $Source_OU

# get ACEs for ACL
# IdentityReference is "DOMAIN\name", so compare against the qualified name, not the bare group name
$ACEs = $Source_ACL.Access |
    Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$SecurityGroupToApply" }

# add every ACE the group holds on the source OU, not just the first two
foreach ($ace in $ACEs) { $Current_ACL.AddAccessRule($ace) }
Set-Acl -AclObject $Current_ACL -Path $Destination_OU -WhatIf -Verbose
```
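The two steps the thread works toward, saving only the ACEs that one group holds on an OU (the Export-Clixml reply above) and re-applying them to a different OU (the last script), can be turned into the reusable template the question asked for. The following is an added example and is not code from the thread; the function names, the JSON layout and the OU, group and file-name values in the usage lines are placeholders, and it assumes the ActiveDirectory module and the AD: drive on a domain-joined host. It saves each ACE's constructor arguments rather than the object itself, because an ActiveDirectoryAccessRule that round-trips through Export-Clixml/Import-Clixml comes back as a deserialized property bag that AddAccessRule will not accept; it matches the group by SID, since IdentityReference is "DOMAIN\name" and never equals a bare group name; it skips inherited ACEs, which come from the parent OU rather than from the delegation being copied; and it applies through ShouldProcess so -WhatIf works.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and the AD: drive;
# the OU DNs, group names and file path passed in are placeholders.
Import-Module ActiveDirectory

function Export-OuDelegationTemplate {
    # Collect the explicit ACEs a group holds on an OU and save their constructor
    # arguments as JSON (Import-Clixml would return a deserialized property bag,
    # not an ActiveDirectoryAccessRule that AddAccessRule accepts).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceOU,   # distinguished name of the OU to read
        [Parameter(Mandatory)] [string] $GroupName,  # sAMAccountName of the delegated group
        [Parameter(Mandatory)] [string] $Path        # JSON file to write
    )
    $groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
    $acl      = Get-Acl -Path "AD:\$SourceOU"

    $template = foreach ($ace in $acl.Access) {
        # Inherited ACEs belong to the parent OU, not to this delegation.
        if ($ace.IsInherited) { continue }
        # IdentityReference is "DOMAIN\name" (or a raw SID if unresolvable); compare on SID.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $groupSid) { continue }
        [pscustomobject]@{
            ActiveDirectoryRights = $ace.ActiveDirectoryRights.ToString()
            AccessControlType     = $ace.AccessControlType.ToString()
            ObjectType            = $ace.ObjectType.ToString()           # attribute, property set or extended-right GUID
            InheritanceType       = $ace.InheritanceType.ToString()
            InheritedObjectType   = $ace.InheritedObjectType.ToString()  # object class the ACE applies to
        }
    }
    if (-not $template) { throw "No explicit ACEs for '$GroupName' on $SourceOU" }
    # ConvertTo-Json emits a bare object for a single ACE; force an array so the import always loops.
    ConvertTo-Json -InputObject @($template) | Set-Content -Path $Path -Encoding UTF8
    $template
}

function Import-OuDelegationTemplate {
    # Rebuild the saved ACEs for a group (the same or a different one) and add them to the target OU.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetOU,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Path
    )
    $sid = [System.Security.Principal.SecurityIdentifier] (Get-ADGroup -Identity $GroupName).SID.Value
    $acl = Get-Acl -Path "AD:\$TargetOU"

    $rules = foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        # The six-argument constructor covers property, class (via InheritedObjectType)
        # and extended-right ACEs; an empty GUID in either slot means "all".
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights] $entry.ActiveDirectoryRights,
            [System.Security.AccessControl.AccessControlType] $entry.AccessControlType,
            [guid] $entry.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance] $entry.InheritanceType,
            [guid] $entry.InheritedObjectType)
        $acl.AddAccessRule($rule)
        $rule
    }
    if ($PSCmdlet.ShouldProcess($TargetOU, "add $(@($rules).Count) ACE(s) for '$GroupName'")) {
        Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
    }
    $rules
}

# Usage with placeholder DNs (run the import with -WhatIf first):
# $domain = Get-ADDomain
# Export-OuDelegationTemplate -SourceOU "OU=TestOU_01,OU=Testing,$($domain.DistinguishedName)" -GroupName 'it-admin' -Path .\it-admin.json
# Import-OuDelegationTemplate -TargetOU "OU=TestOU_03,OU=Testing,$($domain.DistinguishedName)" -GroupName 'it-admin' -Path .\it-admin.json -WhatIf
```

Because the template carries only rights, type, GUIDs and inheritance, the same file can delegate a different group on the target OU by passing another -GroupName, and it can be diffed or reviewed before anything is written. Compare the explicit ACEs on the target with Get-Acl after a real run to confirm that only the intended entries were added.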