gistfile1.txt

param (
    [Parameter(Mandatory=$true)]
    [String[]]$OUPaths, #Comma separated list of OUPaths to which permissions should be applied
    [Parameter(Mandatory=$true)]
    [String]$UserName, #The name of the user to which the ACL should be applied
        [String]$LogDir = "C:\log\",
    [String]$Log = "AddOrganizationalUnitPermissions.XML"
        )

function Init-Logging([string]$logDirectory,[string]$logFile,$scriptName) {
    $LogDir = $logDirectory
    $Log =$logFile

    Write-Log -CodeID 35000 -msg "Logging started $scriptName" -status '200' -Start
}

function End-Logging($scriptName) {
    
    Write-Log -CodeID 35000 -msg "End Logging $scriptName" -status '200' -End
}

function Init-ActiveDirectory {

    Init-Library

    Write-Log -CodeID 35000 -msg "Checking required ActiveDirectory Module" -status '200'

    Try {
            if (-Not(Get-Module -Name "ActiveDirectory")) {
            Import-Module -Name ActiveDirectory
        }
    }
    Catch {
            Write-Log -CodeID 35001 -msg $_.Exception.Message -status '400' -Assembly $_.Exception.TargetSite.Module.Name -Type $_.Exception.TargetSite.ReturnType.Name -Stack $_.Exception.StackTrace -End
    }
}

function Init-Library {
    Add-Type -AssemblyName System.Web
    Write-Log -CodeID 35000 -msg "Initalized Assemblies" -status '200'
}

function Write-Log {
param(
    [Parameter(Mandatory=$true)]
    [String]$CodeID,
    [Parameter(Mandatory=$true)]
    [string]$Status,
    [Parameter(Mandatory=$true)]
    [String]$msg,
    [String]$Assembly,
    [String]$Type,
    [String]$Stack,
    [Switch]$End,
        [Switch]$Start
)
        if (!(Test-Path $LogDir)) { New-Item -type Directory -Path $logdir | Out-Null }
        $Logfile = $LogDir + $Log

        if ($Start) { "<Log>" | Out-File $Logfile }

        if($Assembly) { $Assembly = [System.Web.HttpUtility]::HtmlEncode($Assembly) }
        if($Type) { $Type = [System.Web.HttpUtility]::HtmlEncode($Type) }
        if($Stack) { $Stack = [System.Web.HttpUtility]::HtmlEncode($Stack) }

        [String]$date = Get-Date -Format "dd/MM/yyyy HH:mm:ss"
        "  <Code>" | Out-File $Logfile -Append
        "    <ID>$CodeID</ID>" | Out-File $Logfile -Append
        "    <Date>$date</Date>" | Out-File $Logfile -Append
        "    <Message>$msg</Message>" | Out-File $Logfile -Append
        "    <Status>$Status</Status>" | Out-File $Logfile -Append
        "    <Assembly>$Assembly</Assembly>" | Out-File $Logfile -Append
        "    <Type>$Type</Type>" | Out-File $Logfile -Append
        "    <Stack>$Stack</Stack>" | Out-File $Logfile -Append
        "  </Code>" | Out-File $Logfile -Append

        if ($End) { 
                "</Log>" | Out-File $Logfile -Append
                Exit 0
        }
}
        
Init-Logging $LogDir $Log $MyInvocation.MyCommand.Name

Init-ActiveDirectory

$guidComputerObject      = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2  ## http://msdn.microsoft.com/en-us/library/windows/desktop/ms680987(v=vs.85).aspx 
$guidGroupObject         = new-object Guid bf967a9c-0de6-11d0-a285-00aa003049e2  ## http://msdn.microsoft.com/en-us/library/windows/desktop/ms682251(v=vs.85).aspx 
$guidOUObject            = new-object Guid bf967aa5-0de6-11d0-a285-00aa003049e2  ## http://msdn.microsoft.com/en-us/library/windows/desktop/ms682251(v=vs.85).aspx 
$guidUserObject          = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2  ## http://msdn.microsoft.com/en-us/library/windows/desktop/ms683980(v=vs.85).aspx        
$guidGroupMembership     = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf  ## http://msdn.microsoft.com/en-us/library/cc223204.aspx

$erroractionpreference = "Stop"  

Write-Log -CodeID '100001' -msg "Getting User $UserName" -Status '200'
$userObject = Get-ADUser -Filter {Name -eq $UserName}
    

Write-Log -CodeID '100001' -msg "Getting Users SID" -Status '200'
$userSID = new-object System.Security.Principal.SecurityIdentifier $userObject.SID

foreach($OUPath in $OUPaths) {
    if ([adsi]::Exists("LDAP://" + $OUPath))  
    {         
             # Link to the OU Object 
             $adObject    = [ADSI]("LDAP://" + $OUPath)
             ############################################# 
             ## Create and Delete OU objects            ## 
             ## All descendent objects                  ## 
             ############################################# 
             Write-Log -CodeID '100001' -msg "Creating ACL for create/delete Organizational Units" -Status '200'
             $ace1  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"CreateChild,DeleteChild","Allow",$guidOUObject 
             ## Grant the ability to manage all descendents 
             $ace2  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$guidOUObject 
             $adObject.ObjectSecurity.AddAccessRule($ace1) 
             $adObject.ObjectSecurity.AddAccessRule($ace2) 
             $adObject.CommitChanges() 
             Write-Log -CodeID '100001' -msg "Created ACL successfully for Organizational Units" -Status '200'

             ############################################# 
             ## Create and Delete Group objects         ## 
             ## All descendent objects                  ## 
             ############################################# 
             Write-Log -CodeID '100001' -msg "Creating ACL for create/delete groups" -Status '200'
             $ace1  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"CreateChild,DeleteChild","Allow",$guidGroupObject 
             ## Grant the ability to manage all descendents 
             $ace2  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$guidGroupObject 
             $adObject.ObjectSecurity.AddAccessRule($ace1) 
             $adObject.ObjectSecurity.AddAccessRule($ace2) 
             $adObject.CommitChanges()
             Write-Log -CodeID '100001' -msg "Created ACL successfully for Groups" -Status '200'

             ############################################# 
             ## Manage Group Membership                 ## 
             ## All descendent objects                  ## 
             ############################################# 
             Write-Log -CodeID '100001' -msg "Creating ACL for adding group members" -Status '200'
             ## Grant the ability to manage all descendents 
             $ace1  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$guidGroupObject 
             $adObject.ObjectSecurity.AddAccessRule($ace1) 
             $adObject.CommitChanges()

             ############################################# 
             ## Create and Delete User objects          ## 
             ## All descendent objects                  ## 
             ############################################# 
             Write-Log -CodeID '100001' -msg "Creating ACL for create/delete of users" -Status '200'
             $ace1  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"CreateChild,DeleteChild","Allow",$guidUserObject 
             ## Grant the ability to manage all descendents 
             $ace2  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$guidUserObject 
             $adObject.ObjectSecurity.AddAccessRule($ace1) 
             $adObject.ObjectSecurity.AddAccessRule($ace2) 
             $adObject.CommitChanges() 

             ############################################# 
             ## Create and Delete Computer objects      ## 
             ## All descendent objects                  ## 
             ############################################# 
             Write-Log -CodeID '100001' -msg "Creating ACL for create/delete of computers" -Status '200'
             $ace1  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"CreateChild,DeleteChild","Allow",$guidComputerObject 
             ## Grant the ability to manage all descendents 
             $ace2  = new-object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$guidComputerObject 
             $adObject.ObjectSecurity.AddAccessRule($ace1) 
             $adObject.ObjectSecurity.AddAccessRule($ace2) 
             $adObject.CommitChanges()

    }         
}

####################################################################
#Setting permissions on MicrosoftDNS Container to DSN related tasks#
####################################################################
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$root = $domain.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=container)(Name=MicrosoftDNS))"
$search.SizeLimit = 3000
$result = $search.FindOne()

$adobject = $result.GetDirectoryEntry()

$accessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$adRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$domainName = ([ADSI]"").Name
$domainUser = New-Object -Type System.Security.Principal.NTAccount -ArgumentList "$domainName", "$UserName"
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $domainUser, $adRights, $accessControlType
$adobject.ObjectSecurity.AddAccessRule($ace)
$adobject.CommitChanges()

End-Logging $MyInvocation.MyCommand.Name