PowerShell Active Directory OU Delegation Access Rules

  • Question

  • Hi Guys,

    I'm searching for a way to create kind of Access Rule templates via powershell.

    Anyone know if it's possible with PowerShell to export the ACL of a certain security group on an OU,

    so I can apply it on any OU I want it to be applied to?



    • Moved by Bill_Stewart Wednesday, September 4, 2019 6:33 PM This is not "scripts on demand"
    Tuesday, March 12, 2019 4:47 PM

All replies

  • Just extract the SDDL of any object.  It can be applied by using the SDDL to create an ACL and then applied to a target object.


    Tuesday, March 12, 2019 6:26 PM
  • With the below script I get the complete security of TestOU_01; I want only to export the security that has been set for the security group it-admin.

    Can this be filtered with PowerShell, to export it and add this group on any other OU?

    Import-Module ActiveDirectory
    $rootDSE = Get-ADRootDSE
    $domain = Get-ADDomain
    # Build the OU's DN from the domain DN and look the object up
    $container = Get-ADObject -Identity ("OU=TestOU_01,OU=Testing," + $domain.DistinguishedName)
    # Read the OU's security descriptor through the AD: drive
    $acl1 = Get-Acl -Path ("AD:\" + $container.DistinguishedName)


    PSPath                  : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
    PSParentPath            : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=Testing,DC=cochlear,DC=com
    PSChildName             : OU=TestOU_01
    PSDrive                 : AD
    PSProvider              : Microsoft.ActiveDirectory.Management\ActiveDirectory
    CentralAccessPolicyId   :
    CentralAccessPolicyName :
    Path                    : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
    Owner                   : COCHLEAR\Domain Admins
    Group                   : COCHLEAR\Domain Users
    Access                  : {System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule...}
    Sddl                    : O:DAG:DUD:PAI(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;C....83-79217)
                              NT AUTHORITY\Authenticated Users Allow
                              NT AUTHORITY\SYSTEM Allow
                              COCHLEAR\Domain Admins Allow
                              COCHLEAR\it-admin Allow
    AuditToString           :
    AccessRightType         : System.DirectoryServices.ActiveDirectoryRights
    AccessRuleType          : System.DirectoryServices.ActiveDirectoryAccessRule
    AuditRuleType           : System.DirectoryServices.ActiveDirectoryAuditRule
    AreAccessRulesProtected : True
    AreAuditRulesProtected  : False
    AreAccessRulesCanonical : True
    AreAuditRulesCanonical  : True

    • Edited by DavidRdx Wednesday, March 13, 2019 8:15 AM using code block
    Wednesday, March 13, 2019 7:00 AM
  • Please do not post colorized code.  Use the code posting tool provided on the edit bar.  Edit your post and fix it please.


    Wednesday, March 13, 2019 7:51 AM
  • Use the SDDL string to copy the security.


    Wednesday, March 13, 2019 7:52 AM
  • How do I get the SDDL string for only 1 security group instead of the complete collection? 

    Example group: it-admin

    Wednesday, March 13, 2019 8:16 AM
  • You just returned the security for one object.  I am not sure what you are looking for.  Get-Acl returns one ACL object.  You can see the SDDL.


    Wednesday, March 13, 2019 8:19 AM
  • $dn = (Get-ADGroup testgrp2).DistinguishedName
    Get-Acl "AD:\$dn" | Select-Object Sddl

    $dn = (Get-ADGroup testgrp2).DistinguishedName
    (Get-Acl "AD:\$dn").GetSecurityDescriptorSddlForm('Access')

    Warning:  Copying SDDL can have unintended consequences.


    • Edited by jrv Wednesday, March 13, 2019 8:25 AM
    Wednesday, March 13, 2019 8:24 AM
  • I understand what you are trying to tell me, but this will only set the default security, I guess?

    Not the delegation access properties, like for computer objects --> delete computer object.

    Wednesday, March 13, 2019 8:58 AM
  • To add a specific delegation you need to create the security ACE and add it to the target.

    You can also just get the Access Aces and copy the one you want.

    Get-Acl "AD:\$dn" | select -expand access


    • Edited by jrv Wednesday, March 13, 2019 9:18 AM
    Wednesday, March 13, 2019 9:17 AM
  • If you are trying to save a particular ACE then this is how:

    # get ACEs for ACL
    $aces = Get-Acl "AD:\$dn" | Select-Object -ExpandProperty access
    # select specific ACE to save
    $aces[0] | Export-CliXml ace.xml
    # import saved ACE
    $ace = Import-CliXml ace.xml


    Wednesday, March 13, 2019 9:25 AM
  • That's not what I'm looking for.

    You are pointing to the ACL on a security group.

    I need to have an export of the security that is set on a certain OU for a certain security group.

    As the example I gave:

    OU = TestOU_01

    Security group = it-admin

    Wednesday, March 13, 2019 10:00 AM
  • It works the same for an OU.

    Before pursuing this you should take some time to learn how AD works at an API level, as well as how to use PowerShell.

    To access an OU just use this command

    $dn = 'OU=YourOuName, … path to OU ...'


    Wednesday, March 13, 2019 2:45 PM
  • Import-Module ActiveDirectory
    $rootDSE = Get-ADRootDSE
    $domain = Get-ADDomain
    Set-Location AD:\
    # Vars (use the domain's DN, not the domain object, when building the OU paths)
    $SecurityGroupToApply = "it-admin"
    $Destination_OU = "OU=TestOU_03,OU=Testing,$($domain.DistinguishedName)"
    $Source_OU = "OU=TestOU_01,OU=Testing,$($domain.DistinguishedName)"
    $Current_ACL = Get-Acl -Path $Destination_OU
    $Source_ACL = Get-Acl -Path $Source_OU
    # get the explicit ACEs for the group; IdentityReference is "DOMAIN\group", so match on the account name
    $ACEs = $Source_ACL.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$SecurityGroupToApply" }
    # Add Access Rules to the destination ACL, then write it back (drop -WhatIf to apply)
    foreach ($ace in $ACEs) { $Current_ACL.AddAccessRule($ace) }
    Set-Acl -AclObject $Current_ACL -Path $Destination_OU -WhatIf -Verbose

    I think that will somehow do it. I could export it to clixml. 

    Wednesday, March 13, 2019 7:47 PM
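The thread's goal (export the ACEs one group holds on an OU as a template, then add them to another OU) as an added example; this is not code from the thread. It assumes the ActiveDirectory module and its AD: drive, a group in the same domain, and a placeholder template file path; the OU and group names come from the thread.

```powershell
# Added example: export a group's explicit ACEs on an OU to a CliXml template
# and re-create them on a target OU. Assumes the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Export-OuDelegationTemplate {
    param(
        [Parameter(Mandatory)] [string] $SourceOuDn,
        [Parameter(Mandatory)] [string] $GroupName,    # e.g. 'it-admin'
        [Parameter(Mandatory)] [string] $TemplatePath  # placeholder, e.g. .\it-admin.xml
    )
    $acl = Get-Acl -Path "AD:\$SourceOuDn"
    # Keep only ACEs set directly on this OU (not inherited) for the group.
    $aces = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$GroupName"
    }
    # Store just the fields needed to rebuild an ActiveDirectoryAccessRule:
    # Import-Clixml returns deserialized objects that AddAccessRule will not accept.
    $aces | Select-Object @{n = 'Identity'; e = { $_.IdentityReference.Value }},
        ActiveDirectoryRights, AccessControlType, ObjectType,
        InheritanceType, InheritedObjectType |
        Export-Clixml -Path $TemplatePath
}

function Import-OuDelegationTemplate {
    param(
        [Parameter(Mandatory)] [string] $TargetOuDn,
        [Parameter(Mandatory)] [string] $TemplatePath,
        [switch] $Apply   # dry run (-WhatIf) unless -Apply is given
    )
    $acl = Get-Acl -Path "AD:\$TargetOuDn"
    foreach ($t in Import-Clixml -Path $TemplatePath) {
        # Resolve the group to a SID and rebuild a live access rule from the template fields
        $sid = (New-Object System.Security.Principal.NTAccount($t.Identity)).Translate([System.Security.Principal.SecurityIdentifier])
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights] $t.ActiveDirectoryRights,
            [System.Security.AccessControl.AccessControlType] $t.AccessControlType,
            [guid] $t.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance] $t.InheritanceType,
            [guid] $t.InheritedObjectType)
        $acl.AddAccessRule($rule)
        Write-Verbose "Adding $($t.AccessControlType) $($t.ActiveDirectoryRights) for $($t.Identity)"
    }
    Set-Acl -Path "AD:\$TargetOuDn" -AclObject $acl -WhatIf:(-not $Apply)
}

# Usage (DNs from the thread; the domain part is a placeholder):
# Export-OuDelegationTemplate -SourceOuDn 'OU=TestOU_01,OU=Testing,DC=example,DC=com' -GroupName 'it-admin' -TemplatePath .\it-admin.xml
# Import-OuDelegationTemplate -TargetOuDn 'OU=TestOU_03,OU=Testing,DC=example,DC=com' -TemplatePath .\it-admin.xml -Verbose
```

Review the -WhatIf/-Verbose output before running with -Apply; the template only carries the ACE fields, so inherited rights and the target OU's existing ACL are left untouched.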