Delegate Permissions to an AD Organizational Unit via PowerShell

Scenario: You want to give Full Control delegate access to a AD Group to a specific AD Organizational Unit and its sub objects.


#Add Rights Indiviudally
 $ou = "AD:\OU=New,DC=Domain,DC=Com" 
 $group = Get-ADGroup "Exchange Admins" 
 $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID 
 $acl = get-acl $ou 
 $identity = [System.Security.Principal.IdentityReference] $SID
 $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
 $type = [System.Security.AccessControl.AccessControlType] "Allow"
 $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
 $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll","Allow","All"
 set-acl -AclObject $acl $ou 

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: