KentNordstrom · July 17, 2018 07:20
diff --git a/HelloForBusinessPermissionsOnAdminSDHolder.ps1 b/HelloForBusinessPermissionsOnAdminSDHolder.ps1
 <#
    .SYNOPSIS
    Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
    Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container. 
 #>

 PARAM([string]$SyncUser="MSOL_1234ABC56")

 $ADDomain = Get-ADDomain

 $AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
 $AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser

 $Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")

 #Add Read/Write to each Property
 foreach($Attribute in $Attributes){
 $cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
 Invoke-Expression $cmd | Out-Null
 }

 #Present Resulting Permissions
 $cmd = "dsacls.exe '$AdminSDHolder'"
 Invoke-Expression $cmd
	<#
	.SYNOPSIS
	Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
	Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container.
	#>

	PARAM([string]$SyncUser="MSOL_1234ABC56")

	$ADDomain = Get-ADDomain

	$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
	$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser

	$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")

	#Add Read/Write to each Property
	foreach($Attribute in $Attributes){
	$cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
	Invoke-Expression $cmd \| Out-Null
	}

	#Present Resulting Permissions
	$cmd = "dsacls.exe '$AdminSDHolder'"
	Invoke-Expression $cmd