Active Directory PowerShell Delegate Permission to Reset User Passwords for a specific Organizational Unit

Is there an easy solution to allow Helpdesk Users to reset passwords for user accounts for a specific Active Directory Organizational Unit (OU) with PowerShell?

Yes, there is! Just use the script/function below to set the necessary Active Directory Delegation.

function Set-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # distinguished name of the OU
        [Parameter(Mandatory)][string]$DelegationGroupName   # group that receives the right
    )

    # Get-ADGroup and the AD: drive both need the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    # Configuration Parameters
    $confADRight = "ExtendedRight"
    $confDelegatedObjectType = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID (schemaIDGUID of class "user")
    $confExtendedRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"       # Extended Right PasswordReset GUID (User-Force-Change-Password)

    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Build Access Control Entry (ACE): allow the extended right "Reset Password" (ObjectType)
    # on descendant objects of class "user" only (InheritedObjectType), not on the OU itself
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType, $confDelegatedObjectType)

    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}

# Calling the function
Set-ResetPasswordDelegation -OrganizationalUnit "OU=Users,DC=pwsh,DC=ch" -DelegationGroupName "ServiceDesk-PasswordReset-Allow"
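Added example (not part of the original post): two helper functions, Get-ResetPasswordDelegation and Remove-ResetPasswordDelegation (names assumed), that audit which principals can reset passwords on an OU and revoke the explicit ACE for a given group, so the delegation set above can be verified and rolled back. They assume the same RSAT ActiveDirectory module and AD: drive as the post.

```powershell
Import-Module ActiveDirectory
$ResetPasswordRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
$UserClassGuid      = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class "user"
$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Lists every ACE on the OU that allows (or denies) password resets: ExtendedRight on the
# reset-password GUID, ExtendedRight with an empty GUID (all extended rights), or GenericAll.
function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($ace in $acl.Access) {
        # GenericAll (0xF01FF) includes the ExtendedRight bit (0x100), so HasFlag covers both
        $rightMatch = ($ace.ObjectType -eq $ResetPasswordRight) -or ($ace.ObjectType -eq [Guid]::Empty)
        if (-not ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and $rightMatch)) { continue }
        if ($ace.ObjectType -eq [Guid]::Empty) { $right = "AllExtendedRights/GenericAll" } else { $right = "ResetPassword" }
        if     ($ace.InheritedObjectType -eq $UserClassGuid) { $appliesTo = "user objects" }
        elseif ($ace.InheritedObjectType -eq [Guid]::Empty)  { $appliesTo = "all object classes" }
        else                                                 { $appliesTo = $ace.InheritedObjectType.ToString() }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType   # Allow or Deny
            Right       = $right
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited         # $true: the ACE comes from a parent container
        }
    }
}

# Removes the explicit (non-inherited) reset-password ACEs a group holds on the OU; returns how many were removed.
function Remove-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,
        [Parameter(Mandatory)][string]$DelegationGroupName
    )
    $groupSid = (Get-ADGroup -Identity $DelegationGroupName).SID
    $acl      = Get-Acl -Path "AD:\$OrganizationalUnit"
    # Get-Acl returns IdentityReference as NTAccount; compare on the SID so a renamed group still matches
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.ObjectType -eq $ResetPasswordRight -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    })
    foreach ($ace in $toRemove) { $acl.RemoveAccessRuleSpecific($ace) }
    if ($toRemove.Count -gt 0) { Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $acl }
    return $toRemove.Count
}

Get-ResetPasswordDelegation -OrganizationalUnit "OU=Users,DC=pwsh,DC=ch" | Format-Table -AutoSize
```

Running the audit before and after Set-ResetPasswordDelegation shows exactly one new Allow entry scoped to "user objects"; anything scoped to "all object classes" or reported as GenericAll is broader than the helpdesk needs and worth reviewing.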

Get-ADUser not returning all user attributes [solution]

Using the Active Directory PowerShell command Get-ADUser with the -Properties * (asterisk) switch does not return all available user attributes.

Constructed attributes such as "msDS-UserPasswordExpiryTimeComputed" are not included by the wildcard and have to be requested explicitly:

Get-ADUser -Identity username -Properties msDS-UserPasswordExpiryTimeComputed

The following code returns all values of the user object:

$properties = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter {name -eq "User"} -Properties mayContain, systemMayContain |
    Select-Object @{name = "Properties"; expression = { @($_.mayContain) + @($_.systemMayContain) }} |
    Select-Object -ExpandProperty Properties
Get-ADUser -Identity username -Properties $properties | Format-List $properties

In the above example, the attributes that the Active Directory object class "user" itself may contain (mayContain and systemMayContain) are read from the schema and stored in an array, which is then passed to Get-ADUser as the list of wanted properties. Note that this covers only the attributes defined directly on the user class; attributes inherited from its superclasses (top, person, organizationalPerson) or from auxiliary classes are not included.
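Added example (not from the original post): a function Get-ADClassAttributes (name assumed) that walks the schema class hierarchy (subClassOf, auxiliaryClass, systemAuxiliaryClass), so attributes inherited from top, person and organizationalPerson are included as well as those defined on the user class itself.

```powershell
Import-Module ActiveDirectory

# Returns every attribute a given object class can carry, including attributes inherited from
# its superclasses (user -> organizationalPerson -> person -> top) and its auxiliary classes.
function Get-ADClassAttributes {
    param([string]$ClassName = "user")   # ldapDisplayName of the class

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $props = "mayContain", "systemMayContain", "mustContain", "systemMustContain", "subClassOf", "auxiliaryClass", "systemAuxiliaryClass"
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $attrs = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($ClassName)

    while ($queue.Count -gt 0) {
        $cls = $queue.Dequeue()
        if (-not $seen.Add($cls)) { continue }   # "top" is its own superclass; the visited set ends the walk

        $schemaClass = Get-ADObject -SearchBase $schemaNC -Filter "ldapDisplayName -eq '$cls'" -Properties $props
        if (-not $schemaClass) { continue }

        foreach ($a in @($schemaClass.mayContain) + @($schemaClass.systemMayContain) +
                       @($schemaClass.mustContain) + @($schemaClass.systemMustContain)) {
            if ($a) { [void] $attrs.Add($a) }
        }
        foreach ($parent in @($schemaClass.subClassOf) + @($schemaClass.auxiliaryClass) + @($schemaClass.systemAuxiliaryClass)) {
            if ($parent) { $queue.Enqueue($parent) }
        }
    }
    $attrs | Sort-Object
}

# Retrieve a user with every attribute its class can hold (constructed attributes included)
$properties = Get-ADClassAttributes -ClassName "user"
Get-ADUser -Identity username -Properties $properties | Format-List $properties
```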

Delegate Permission on Active Directory Organizational Unit using Powershell

In case you need to delegate permissions on an Active Directory (AD) Organizational Unit (OU) to a security principal such as a user or a group, you can easily do that with the following PowerShell function.

function Set-Delegation {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # distinguished name of the OU
        [Parameter(Mandatory)][string]$DelegationGroupName   # security principal that receives the rights
    )

    # Get-ADGroup and the AD: drive both need the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    # Configuration Parameters
    $confADRight = "GenericAll"
    $confDelegatedObjectType = [Guid] "00000000-0000-0000-0000-000000000000" # empty GUID: not limited to a specific attribute or extended right

    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Build Access Control Entry (ACE); "Descendents" (spelled that way in the .NET enum)
    # applies the rule to all child objects but not to the OU itself
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confDelegatedObjectType, $aceInheritanceType)

    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}

# Calling the function
Set-Delegation -OrganizationalUnit "OU=My,OU=Servers,DC=contoso,DC=com" -DelegationGroupName "global-server-admins-full"

Using the function as written above grants Full Control to members of the security group "global-server-admins-full" on all descendant objects of the Organizational Unit "OU=My,OU=Servers,DC=contoso,DC=com" (the all-zero GUID 00000000-0000-0000-0000-000000000000 places no restriction on attribute or object class), but not on the OU itself. Members of "global-server-admins-full" therefore cannot modify or delete the OU itself.

How to Install Active Directory on a Windows Server 2016 Core using PowerShell

How to add a freshly installed Windows Server 2016 Core to a domain and promote it as Domain Controller in a few easy steps.
In this scenario we assume that there already is an existing domain in an existing forest and the new Domain Controller should just be added to the existing domain.

Rename the Computer properly

Rename-Computer -NewName dc-w2016

Restart the computer to make the renaming effective

Restart-Computer

Configure an IP Address
For this you need to know the name of the network interface you want to use. Get a list of all network interfaces using:

Get-NetAdapter

Configure the IP Address

New-NetIPAddress -InterfaceAlias MyInterface -IPAddress 192.168.1.20 -PrefixLength 24 -AddressFamily IPv4 -DefaultGateway 192.168.1.1

Configure the DNS Server
To successfully join the new computer to the domain and promote it to a Domain Controller, the DNS server entries must point to already existing Domain Controllers.

Set-DnsClientServerAddress -InterfaceAlias MyInterface -ServerAddresses [IP_of_existing_DC]

Add the computer as a member to the specific domain

Add-Computer -DomainName lab.mydaomain.com

Insert the credentials of a Domain administrator account when prompted.

Restart the computer to make the domain join effective

Restart-Computer

Note: from this point on you can easily administer the computer remotely using the Remote Server Administration Tools (RSAT) from any computer in your network.

Now install the Active Directory Domain Services (ADDS) Features
Using the switch -IncludeManagementTools installs the management tools.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Finally promote the computer as a Domain Controller
The switch -InstallDns installs the DNS Server role on the computer and integrates it with Active Directory. Because the computer is still logged on with a local account, pass Domain Admin credentials with -Credential; you will also be prompted for the Directory Services Restore Mode (DSRM) password.

Install-ADDSDomainController -DomainName lab.mydaomain.com -InstallDns -Credential (Get-Credential)

After restarting the computer (there will be a prompt), the computer has successfully been joined to the domain and promoted as a Domain Controller.
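As an added check that is not part of the original post, the function below (Test-NewDomainController, name assumed) confirms from any RSAT-equipped domain member that the new DC is registered in the directory, advertised in DNS and replicating without recorded failures; it uses the computer and domain names from the steps above.

```powershell
Import-Module ActiveDirectory

# Post-promotion health check for a new Domain Controller; returns one object with the results.
function Test-NewDomainController {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # e.g. dc-w2016
        [Parameter(Mandatory)][string]$DomainName          # e.g. lab.mydaomain.com
    )

    # 1. The DC object exists and reports its site and roles
    $dc = Get-ADDomainController -Identity $DomainController -ErrorAction Stop

    # 2. Netlogon has registered the SRV records that clients use to find LDAP on this DC
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $advertised = @($srv | Where-Object { $_.NameTarget -like "$DomainController.*" }).Count -gt 0

    # 3. Inbound replication to the new DC shows no recorded failures
    $failures = @(Get-ADReplicationFailure -Target $DomainController -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        HostName        = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        DnsAdvertised   = $advertised
        ReplFailures    = $failures.Count
        Healthy         = $advertised -and ($failures.Count -eq 0)
    }
}

Test-NewDomainController -DomainController dc-w2016 -DomainName lab.mydaomain.com
```

SRV registration can lag a few minutes after the final reboot, so a DnsAdvertised of $false right after promotion is worth re-checking before treating it as a failure.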