Set-Acl on several Computers in AD via PowerShell

  • Question

  • I have about 1000 computers that I have to set NT AUTHORITY\Authenticated Users allow-to-authenticate on. I've tried to compose a script based on several Google searches, but it doesn't work. Please have a look at my script. Perhaps I am missing something.

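    Import-Module ActiveDirectory
    Set-Location AD:\
    # "Allowed to Authenticate" is an extended right; this is its rightsGuid in the AD schema
    $allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $identity = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\Authenticated Users')
    $ALLDTPC = Get-Content H:\dtcomputer.txt
    foreach ($PC in $ALLDTPC) {
        # Build the AD: provider path once and use it for both reading and writing the ACL
        $path = "AD:$((Get-ADComputer $PC).DistinguishedName)"
        $acl = Get-Acl -Path $path
        # One rule per computer: identity, rights, allow/deny, and the extended right's GUID
        $accessrule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $allowedToAuth)
        $acl.AddAccessRule($accessrule)
        Set-Acl -Path $path -AclObject $acl -Verbose -Passthru
    }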

    
    • Moved by Bill_Stewart Friday, July 7, 2017 6:56 PM User should not be doing this
    Tuesday, May 30, 2017 6:19 AM

All replies

  • Users are allowed to authenticate by being a member of the Domain Users group which is part of every joined computer's "Users" group.  You should NOT be doing what you are trying to do.  This is not how AD works or how users are authenticated to a computer.


    \_(ツ)_/


    • Edited by jrv Tuesday, May 30, 2017 7:03 AM
    Tuesday, May 30, 2017 7:02 AM
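
Added example, not part of the thread: a read-only check that reports whether a computer object's security descriptor already grants the "Allowed to Authenticate" extended right to Authenticated Users, useful for reviewing objects before or after a bulk ACL change. The function name `Test-AllowedToAuthenticate` is hypothetical, the two SDDL strings are constructed samples, and the GUID is the schema rightsGuid for that extended right (it does not appear in the thread).

```powershell
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the "Allowed to Authenticate" extended right
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$AuthUsersSid  = 'S-1-5-11'   # well-known SID of NT AUTHORITY\Authenticated Users

function Test-AllowedToAuthenticate {
    # Hypothetical helper: $true if the SDDL holds an Allow ACE that gives
    # Authenticated Users the right on the object itself.
    # Deny ACEs are not evaluated here; review them separately.
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.IdentityReference.Value -ne $AuthUsersSid) { continue }
        # Inherit-only ACEs apply to child objects, not to this object
        if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # GenericAll includes the ExtendedRight bit, so it is caught here too
        $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($r.ActiveDirectoryRights -band $ext) -eq 0) { continue }
        # An empty ObjectType means "all extended rights"
        if ($r.ObjectType -eq $AllowedToAuth -or $r.ObjectType -eq [guid]::Empty) {
            return $true
        }
    }
    return $false
}

# Constructed sample descriptors (not taken from a real directory)
$samples = [ordered]@{
    'PC-WITH-RIGHT'    = 'O:BAG:BAD:(OA;;CR;68b1d179-0d15-4d4f-ab71-46152e79a7bc;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
    'PC-WITHOUT-RIGHT' = 'O:BAG:BAD:(A;;RPLCRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
}

foreach ($name in $samples.Keys) {
    '{0}: {1}' -f $name, (Test-AllowedToAuthenticate -Sddl $samples[$name])
}
```

Against a live directory, pass the descriptor of each computer object instead of a sample, for example `(Get-Acl "AD:$dn").Sddl` where `$dn` is the object's distinguished name.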