Grant ADgroup to have full permission on a selected OU

  • Question

  • Hi Expert,

    I have a CSV file with 2 columns (first column OU path, second column AD group name).

    How do I insert it into the PS below (Grant ADgroup to have full permission on a selected OU)?

    $acl = get-acl "ad:OU=CloudDrive,OU=Services,DC=T,DC=com"
    $acl.access #to get access right of the OU
    $Group = Get-ADGroup "OUAdmin_CloudDrive_A"
    $sid = [System.Security.Principal.SecurityIdentifier] $Group.SID
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    $acl.AddAccessRule($ACE) # add the new ACE to the ACL; without this Set-Acl writes back the unchanged ACL
    Set-acl -aclobject $acl "ad:OU=CloudDrive,OU=Services,DC=T,DC=com"

    PS: correct me if the script above is incorrect, I want to grant an AD group full permission on a selected OU.

    • Moved by Bill_Stewart Tuesday, December 11, 2018 8:43 PM Unanswerable drive-by question
    Monday, July 9, 2018 11:58 AM

All replies

  • This should be all you need to do.

    $path = 'ad:OU=CloudDrive,OU=Services,DC=T,DC=com'
    $acl = Get-Acl $path
    $group = Get-ADGroup OUAdmin_CloudDrive_A
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID,'GenericAll','Allow','All')
    $acl.AddAccessRule($ace) # attach the ACE to the ACL before writing it back
    Set-Acl -Path $path -aclobject $acl


    • Edited by jrv Monday, July 9, 2018 12:09 PM
    Monday, July 9, 2018 12:08 PM
  • Hi Jrv,

    There are some errors in your script. By the way, can you tune the script so that it can import the OU and AD group from a CSV file?

    New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the 
    argument count: "4".
    At line:4 char:8
    + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID, ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Command 
    Exception calling "AddAccessRule" with "1" argument(s): "Value cannot be null.
    Parameter name: rule"
    At line:5 char:1
    + $acl.AddAccessRule($ace)
    + ~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : ArgumentNullException

    Monday, July 9, 2018 12:52 PM
  • Not my script. It is your script; I just removed all of the unnecessary lines.

    This is likely what you wanted:

    $path = 'ad:OU=CloudDrive,OU=Services,DC=T,DC=com'
    $group = Get-ADGroup OUAdmin_CloudDrive_A
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID,'GenericAll','Allow')
    $acl = Get-Acl $path
    $acl.AddAccessRule($ace) # attach the ACE to the ACL before writing it back
    Set-Acl -Path $path -aclobject $acl

    Monday, July 9, 2018 1:11 PM
  • Your script is working now.

    By the way, how do I set "Applies to" to "Descendant group objects" instead of "This object only"?

    Monday, July 9, 2018 1:44 PM
  • Child objects only? Child and parent? All containers and all children?

    Monday, July 9, 2018 1:50 PM
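A worked version of what the thread asks for, added here as an example and not code from any poster: it reads a two-column CSV (assumed header OUPath,GroupName), grants each group GenericAll on its OU, casts the inheritance value explicitly to avoid the "ambiguous overloads" error shown above, and with -DescendantGroupsOnly scopes the ACE to descendant group objects only. The function name, parameter names and the CSV header are assumptions.

```powershell
# Added example (not from this thread). Requires the ActiveDirectory module (AD: drive).
# Assumed CSV layout (constructed), header "OUPath,GroupName", one row per grant:
#   "OU=CloudDrive,OU=Services,DC=T,DC=com","OUAdmin_CloudDrive_A"
Import-Module ActiveDirectory

function Grant-OUFullControl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [switch] $DescendantGroupsOnly   # "Applies to: Descendant Group objects"
    )

    # Schema GUID of the 'group' object class, looked up instead of hard-coded.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $groupClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=group)' -Properties schemaIDGUID
    $groupGuid  = [guid] $groupClass.schemaIDGUID

    foreach ($row in Import-Csv -Path $CsvPath) {
        $path   = "ad:$($row.OUPath)"
        $group  = Get-ADGroup -Identity $row.GroupName
        $sid    = [System.Security.Principal.SecurityIdentifier] $group.SID
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $allow  = [System.Security.AccessControl.AccessControlType]::Allow

        if ($DescendantGroupsOnly) {
            # 5-argument overload: (identity, rights, type, inheritanceType, inheritedObjectType).
            # Descendents + the group class GUID = "Descendant Group objects", not this OU itself.
            $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
            $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $inherit, $groupGuid
        } else {
            # With a bare string ('All') PowerShell cannot choose between the 4-argument
            # overloads ending in ActiveDirectorySecurityInheritance and in Guid, which is
            # the "Multiple ambiguous overloads" error; the explicit enum cast resolves it.
            $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
            $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $inherit
        }

        $acl = Get-Acl -Path $path
        $acl.AddAccessRule($ace)            # without this, Set-Acl writes back an unchanged ACL
        Set-Acl -Path $path -AclObject $acl
        Write-Verbose "Granted $($group.SamAccountName) GenericAll on $($row.OUPath) (inheritance: $inherit)"
    }
}

# Usage (hypothetical file name):
# Grant-OUFullControl -CsvPath .\ou-grants.csv -Verbose
# Grant-OUFullControl -CsvPath .\ou-grants.csv -DescendantGroupsOnly
```

Review the result with (Get-Acl "ad:<OU path>").Access and filter on IdentityReference; GenericAll is full control over the OU and everything below it, so keep the CSV under change control and check each row before running it.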