Is there an easy solution to allow Helpdesk Users to reset passwords for user accounts for a specific Active Directory Organizational Unit (OU) with PowerShell?
Yes, there is! Just use the script/function below to set the necessary Active Directory Delegation.
function Set-ResetPasswordDelegation() {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,   # Distinguished name of the OU to delegate
        [Parameter(Mandatory = $true)][string]$DelegationGroupName   # Group that receives the Reset Password right
    )

    # Requires the RSAT ActiveDirectory module (provides Get-ADGroup and the AD: drive)
    Import-Module ActiveDirectory

    # Configuration Parameters
    $confADRight = "ExtendedRight"
    $confDelegatedObjectType = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID (schemaIDGUID of the user class)
    $confExtendedRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"       # Extended Right "Reset Password" GUID

    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Build Access Control Entry (ACE)
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    # "Descendents" (the .NET enum's own spelling): the ACE applies to child objects only, not to the OU itself
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    # Constructor arguments: identity, rights, allow/deny, objectType (the extended right being granted),
    # inheritance, inheritedObjectType (restricts the ACE to user objects so it does not cover computers or groups)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType, $confDelegatedObjectType)

    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}

# Calling the function
Set-ResetPasswordDelegation -OrganizationalUnit "OU=Users,DC=pwsh,DC=ch" -DelegationGroupName "ServiceDesk-PasswordReset-Allow"
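Once the delegation is set, the next thing a practitioner wants is a way to verify it and to review later who actually holds the Reset Password right on an OU. The function below is an added example, not part of the original post or its script: it reads the OU's ACL through the same AD: drive, keeps only the ACEs that grant the Reset Password extended right (either explicitly by its GUID, or implicitly through an ACE that grants all extended rights, such as GenericAll), and reports whether each one is restricted to user objects the way the post's script restricts it. It assumes the RSAT ActiveDirectory module is available; the OU distinguished name and group name in the usage call are the placeholders from the post's own example.

```powershell
# Added example (not from the original post): audit which principals can reset passwords
# for objects under an OU. Assumes the RSAT ActiveDirectory module (Get-Acl on the AD: drive).
function Get-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,  # Distinguished name of the OU to inspect
        [switch]$IncludeInherited   # by default only ACEs set directly on this OU are reported
    )

    Import-Module ActiveDirectory

    $resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right GUID
    $userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the user class
    $allObjects         = [Guid]::Empty                                  # ObjectType of an ACE that is not restricted to one right
    $extendedRightFlag  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }

        # Two shapes of ACE cover password reset:
        #  1. ExtendedRight with ObjectType = the Reset Password GUID (what the post's script creates)
        #  2. an ACE with an empty ObjectType whose rights include ExtendedRight (GenericAll or
        #     "all extended rights"), which grants every extended right at once
        $reason = $null
        if ($ace.ObjectType -eq $resetPasswordRight) {
            $reason = "explicit Reset Password right"
        }
        elseif ($ace.ObjectType -eq $allObjects -and $ace.ActiveDirectoryRights.HasFlag($extendedRightFlag)) {
            $reason = "all extended rights (broader than Reset Password)"
        }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Identity           = $ace.IdentityReference.Value   # NTAccount, or a raw SID if it cannot be resolved
            AccessType         = $ace.AccessControlType         # Allow or Deny; a Deny ACE here blocks the right
            Reason             = $reason
            AppliesToUsersOnly = ($ace.InheritedObjectType -eq $userClass)
            InheritanceType    = $ace.InheritanceType           # e.g. Descendents, as set by the post's script
            IsInherited        = $ace.IsInherited
        }
    }
}

# Usage: verify the delegation from the post's example call (placeholder OU and group name),
# then drop the Where-Object filter to review every principal that holds the right.
Get-ResetPasswordDelegation -OrganizationalUnit "OU=Users,DC=pwsh,DC=ch" |
    Where-Object { $_.Identity -like "*ServiceDesk-PasswordReset-Allow" } |
    Format-Table -AutoSize
```

Two caveats when reading the output: the function reports the principals named in the ACEs, not the users who reach that right through nested group membership, so the delegation group's members still need to be reviewed separately; and an entry with AppliesToUsersOnly equal to False means the ACE is not restricted to the user class and so also covers other object types under the OU, which is wider than what the post's script grants.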
Thank you very much; this really helped me!
For whatever reason, Set-Acl is broken on my machine and doesn’t work correctly unless you run the script with Domain Admin privileges.
See my Serverfault Q/A for a fixed version and some more details.
https://serverfault.com/questions/1008696/powershell-script-to-set-ad-permissions-fails-with-access-denied-despite-runni/1008712#1008712