
@aledeniz
Created November 19, 2019 10:18
Active Directory Delegation via PowerShell
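# Adapted from Joe Corey's Active Directory Delegation via PowerShell at
# https://blogs.technet.microsoft.com/joec/2013/04/25/active-directory-delegation-via-powershell/
#
# Delegates control over the user and group objects under one OU to one AD
# group by adding inheritable ACEs to the OU's DACL and, as in the original,
# to every user object that already exists under that OU.
# Requires the ActiveDirectory module and an account permitted to modify the
# DACL of the target OU.
#
# Scope note: "GenericAll" is full control (read, write, delete, change
# permissions) over the matching objects - not merely "write all properties".
# Check that this is the intended level of delegation before running.
Import-Module ActiveDirectory

# Fail on the first cmdlet error instead of continuing and applying a partial
# or wrong delegation.
$ErrorActionPreference = 'Stop'

#Bring up an Active Directory command prompt (kept from the original; all
#paths below are explicit "AD:\..." so they no longer depend on the current
#location)
cd ad:

#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
#Get a reference to the current domain
$domain = Get-ADDomain

# Target OU as a relative DN (e.g. "OU=A,OU=B") and the group that receives
# the delegation. Both must be replaced before the script will run.
$ou_DN = "TODO AS OU=A,OU=B,OU=.."
$AD_group = "TODO AS The Group"

# Refuse to touch any DACL while the placeholders above are still in place.
if ($ou_DN -like 'TODO*' -or $AD_group -like 'TODO*') {
    throw 'Set $ou_DN and $AD_group before running this script.'
}

$searchbase_DN = $ou_DN + "," + $domain.DistinguishedName
$users = Get-ADUser -Filter * -SearchBase $searchbase_DN
$ou = Get-ADOrganizationalUnit -Identity $searchbase_DN

#Get the SID of the group we wish to delegate access to
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $AD_group).SID

#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

#######################################
# Builds the four ACEs this script delegates, so the OU and the per-user
# loop below add exactly the same rules.
#   1. GenericAll (full control) over descendant user objects  - inherit-only
#   2. GenericAll (full control) over descendant group objects - inherit-only
#   3. CreateChild/DeleteChild of user objects  - on the object and all descendants
#   4. CreateChild/DeleteChild of group objects - on the object and all descendants
# Arguments: -Principal  SID of the delegated group
#            -GuidMap    lDAPDisplayName -> schemaIDGUID table built above
# Outputs:   array of System.DirectoryServices.ActiveDirectoryAccessRule
#######################################
function New-DelegationRules {
    param(
        [System.Security.Principal.SecurityIdentifier]$Principal,
        [hashtable]$GuidMap
    )
    @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            $Principal, "GenericAll", "Allow", "Descendents", $GuidMap["user"]),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            $Principal, "GenericAll", "Allow", "Descendents", $GuidMap["group"]),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            $Principal, "CreateChild,DeleteChild", "Allow", $GuidMap["user"], "All"),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            $Principal, "CreateChild,DeleteChild", "Allow", $GuidMap["group"], "All")
    )
}

$rules = New-DelegationRules -Principal $p -GuidMap $guidmap

#Get a copy of the current DACL on the OU
$ouPath = "AD:\" + $ou.DistinguishedName
$acl = Get-Acl -Path $ouPath
foreach ($rule in $rules) {
    $acl.AddAccessRule($rule)
}
#Re-apply the modified DACL to the OU
Set-Acl -AclObject $acl -Path $ouPath

# As in the original, the same four ACEs are also written to every user object
# that currently exists under the OU.
# NOTE(review): the two inherit-only ("Descendents") ACEs never apply to the
# user object itself, and user objects normally have no children, so this loop
# adds little beyond the inheritable ACEs already placed on the OU and does not
# cover users created later - confirm it is still wanted.
foreach ($user in $users) {
    $userPath = "AD:\" + $user.DistinguishedName
    $user_acl = Get-Acl -Path $userPath
    foreach ($rule in $rules) {
        $user_acl.AddAccessRule($rule)
    }
    Set-Acl -AclObject $user_acl -Path $userPath
}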