If you need to delegate permissions on an Active Directory (AD) Organizational Unit (OU) to a security principal such as a user or a group, you can do that easily with the following PowerShell function.
```powershell
# Requires the RSAT ActiveDirectory module (provides Get-ADGroup and the AD: drive)
Import-Module ActiveDirectory

function Set-Delegation {
    param(
        [string]$OrganizationalUnit,
        [string]$DelegationGroupName
    )

    # Configuration Parameters
    $confADRight = "GenericAll"
    # All-zero object type GUID = the ACE applies to objects of every class
    $confDelegatedObjectType = [Guid] "00000000-0000-0000-0000-000000000000"

    # Collect and prepare Objects
    $delegationGroup    = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"

    # Build Access Control Entry (ACE)
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight  = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType     = [System.Security.AccessControl.AccessControlType] "Allow"
    # "Descendents" (the enum's spelling) = child objects only, not the OU itself
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $aceIdentity, $aceADRight, $aceType, $confDelegatedObjectType, $aceInheritanceType)

    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}

# Calling the function
Set-Delegation -OrganizationalUnit "OU=My,OU=Servers,DC=contoso,DC=com" -DelegationGroupName "global-server-admins-full"
```
Using the function as written above sets Full Control for members of the security group “global-server-admins-full” on all descendant objects, of any object class (object type GUID 00000000-0000-0000-0000-000000000000), of the Organizational Unit “OU=My,OU=Servers,DC=contoso,DC=com”, but not on the OU itself, because the ACE uses descendant-only inheritance. Members of “global-server-admins-full” therefore cannot modify or delete the OU itself.
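An added audit helper, not part of the original post, that reads the OU's ACL back and lists which principals hold GenericAll (or the ACL-controlling WriteDacl/WriteOwner rights) together with the inheritance scope, so a delegation like the one above can be verified or reviewed later; the function name Get-OUDelegation and its parameters are assumed, and the ActiveDirectory module is assumed to be installed.

```powershell
Import-Module ActiveDirectory

function Get-OUDelegation {
    param(
        [Parameter(Mandatory)] [string]$OrganizationalUnit,
        [string]$DelegationGroupName   # optional: only show ACEs for this group
    )
    # Rights that amount to full control of an object or of its ACL
    $sensitiveRights = @('GenericAll', 'WriteDacl', 'WriteOwner')

    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($DelegationGroupName -and
            $ace.IdentityReference.Value -notlike "*\$DelegationGroupName") { continue }

        # ActiveDirectoryRights is a flags enum; split "GenericAll, ExtendedRight" into parts
        $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $flagged = $rights | Where-Object { $_ -in $sensitiveRights }

        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights
            ObjectType    = $ace.ObjectType       # all-zero GUID = every object class
            Inheritance   = $ace.InheritanceType  # Descendents = children only; All = OU too
            IsInherited   = $ace.IsInherited      # $false = set directly on this OU
            HighPrivilege = [bool]$flagged
        }
    }
}

# Review only the high-privilege delegations on the OU from the example above
Get-OUDelegation -OrganizationalUnit "OU=My,OU=Servers,DC=contoso,DC=com" |
    Where-Object HighPrivilege |
    Format-Table Identity, Rights, Inheritance, IsInherited -AutoSize
```

After running Set-Delegation, the group should appear with Rights GenericAll, Inheritance Descendents and IsInherited False; an entry with Inheritance All would mean the OU itself is also covered.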