Active Directory Delegation PowerShell
Hello,
Active Directory delegation can be complicated to implement. Getting it right can be long and hard depending on your needs. By default, Microsoft offers some delegation through built-in groups like:
- Account Operators
- Terminal Server License Servers
- Print Operators
- Domain Admins
- …
There are very few of them available to you, and their scope is domain wide: they aren’t scoped to an organizational unit.
Since the very first releases of Active Directory, Microsoft has provided tools to create your own delegation model:
- Delegate Control
- DSACLS
- PowerShell
Delegate Control
This method is very mouse intensive and can’t be automated. Hereunder is an example delegating user management permissions:
You can access this wizard by right-clicking any organizational unit, or the domain root, in the “Active Directory Users and Computers” (dsa.msc) console.
This method works well if:
- You only have a few OUs
- You want to create a delegation based on a provided template (simple actions)
DSACLS
DSACLS is an executable that you can call from the command line with parameters to create your own delegations.
Official documentation is available here; trust me, if you want to use it, you really need to read it.
Hereunder an example for delegating the creation of user objects:
dsacls "OU=Test,DC=D2K12R2,DC=local" /I:T /G "D2K12R2\DelegGroup:CC;user"
As you can see, the syntax is quite special, but your delegation needs should be pretty similar from one AD to another, or from one OU to another, so a lot of reuse can help offset the extra overhead of the syntax.
This method works well if:
- You have a lot of delegation to create
- You know your way around scripting
Active Directory Delegation PowerShell
There is also a way with PowerShell. You can create your own System.DirectoryServices.ActiveDirectoryAccessRule object and then add it to your organizational unit. As you can see in the documentation, this method requires you to know the GUID of each object class, attribute, or extended right you want to delegate. For classes and attributes this is the schemaIDGUID attribute of the matching object in the schema partition (extended rights and property sets use the rightsGuid attribute of their entry under CN=Extended-Rights in the configuration partition):
So, you can delegate a GenericAll permission on user objects in a given OU with an Access Control Entry like this one. Here $GroupSecId holds the SecurityIdentifier of the group being delegated to, the all-zero ObjectType GUID means “all object types and properties”, and bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the user class, passed as InheritedObjectType so that, combined with ‘Descendents’, the ACE applies only to user objects below the OU and not to the OU itself:
$GenericAllUserAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSecId,'GenericAll','Allow','00000000-0000-0000-0000-000000000000','Descendents','bf967aba-0de6-11d0-a285-00aa003049e2'
Then, you just need to add it to the Access Control List of the OU and write the ACL back (the path is given explicitly to Set-Acl so there is no doubt which object is modified):
$Acl = Get-Acl "AD:OU=Test,DC=D2K12R2,DC=local"
$Acl.AddAccessRule($GenericAllUserAce)
$Acl | Set-Acl -Path "AD:OU=Test,DC=D2K12R2,DC=local"
Note: To use this, you need the Active Directory PowerShell module: it is the module that maps the “AD:” PSDrive to your current domain.
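The following is an added example, not code from the original post, showing the lookups the paragraph above describes in working form: it resolves a class GUID from the schema partition and an extended-right GUID from the configuration partition by name, builds two ACEs from them and applies them to the OU used throughout the post. It assumes the ActiveDirectory module is available, that the caller may write the OU’s security descriptor, and that the group DelegGroup and the OU OU=Test,DC=D2K12R2,DC=local from the dsacls example exist.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# write access to the OU's security descriptor, and that 'DelegGroup' and
# 'OU=Test,DC=D2K12R2,DC=local' exist.
Import-Module ActiveDirectory

function Get-ADSchemaGuid {
    # schemaIDGUID of a class or attribute, e.g. 'user', 'computer', 'pwdLastSet'.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema class or attribute named '$LdapDisplayName'" }
    [guid]$obj.schemaIDGUID      # stored as a byte array; convert it to a Guid
}

function Get-ADExtendedRightGuid {
    # rightsGuid of an extended right or property set, e.g. 'Reset Password'.
    # These are not in the schema: they live under CN=Extended-Rights in the
    # configuration partition.
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "No extended right named '$DisplayName'" }
    [guid]$obj.rightsGuid
}

$ouDn  = 'OU=Test,DC=D2K12R2,DC=local'
$group = Get-ADGroup -Identity 'DelegGroup'
$sid   = $group.SID                          # SecurityIdentifier used as the ACEs' IdentityReference
$userClass     = Get-ADSchemaGuid -LdapDisplayName 'user'
$resetPassword = Get-ADExtendedRightGuid -DisplayName 'Reset Password'

# ACE 1: create and delete user objects in the OU and every sub-OU.
# ObjectType = user class, so only that child class may be created or deleted
# (the dsacls equivalent is /I:T /G "...:CCDC;user").
$createDeleteUser = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: the Reset Password control access right on descendant user objects only.
# ObjectType = the right's GUID, InheritedObjectType = user class, and
# Descendents inheritance so the OU object itself receives nothing.
$resetUserPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:$ouDn"
$acl.AddAccessRule($createDeleteUser)
$acl.AddAccessRule($resetUserPassword)
Set-Acl -Path "AD:$ouDn" -AclObject $acl

# Check the result. The AD: provider reports IdentityReference as DOMAIN\Name,
# so translate the SID before filtering.
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ntAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

The distinction between the two lookups is the part that most often goes wrong by hand: a class or attribute GUID comes from schemaIDGUID in the schema partition, whereas an extended right such as Reset Password is identified by rightsGuid in the configuration partition and must be placed in ObjectType with the ExtendedRight access mask, never in InheritedObjectType.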
This method works well if:
- You have a good knowledge of PowerShell
- You know how to find the required GUIDs
Bonus: You can use Get-ACL to view the current ACEs. You can copy them, or adapt them to fit your needs. We can even imagine setting up the “template” of your delegation model using the GUI from the first example, then reading its ACEs with Get-ACL and applying them to all your organizational units with a simple PowerShell script and a ForEach loop.
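The template approach from the Bonus paragraph, as an added example that is not code from the original post: the explicit ACEs of one OU are read with Get-Acl and re-applied to a list of other OUs in a ForEach loop, with a -WhatIf pass first. It assumes the ActiveDirectory module, the template OU OU=Test,DC=D2K12R2,DC=local and the group D2K12R2\DelegGroup from the post; the search base used to build the target list is an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# the template OU and group named below, and a search base chosen for illustration.
Import-Module ActiveDirectory

function Get-ADExplicitAce {
    # ACEs set directly on an OU. Inherited ACEs are skipped: they already flow
    # from a parent, and copying them would duplicate (and possibly widen) them.
    param(
        [Parameter(Mandatory)][string]$OrgUnitDN,
        [string]$IdentityReference           # 'DOMAIN\Group'; omit to return every explicit ACE
    )
    (Get-Acl -Path "AD:$OrgUnitDN").Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { -not $IdentityReference -or $_.IdentityReference.Value -eq $IdentityReference }
}

function Copy-ADDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateOU,
        [Parameter(Mandatory)][string[]]$TargetOU,
        [string]$IdentityReference
    )
    $template = @(Get-ADExplicitAce -OrgUnitDN $TemplateOU -IdentityReference $IdentityReference)
    if ($template.Count -eq 0) { throw "No explicit ACE found on $TemplateOU" }

    foreach ($dn in $TargetOU) {
        if ($dn -eq $TemplateOU) { continue }   # never re-apply the template to itself
        $acl = Get-Acl -Path "AD:$dn"
        foreach ($ace in $template) {
            # Rebuild each ACE from its six fields so exactly what is copied is visible:
            # identity, rights, allow/deny, object GUID, inheritance, inherited object GUID.
            $copy = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
                $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
            $acl.AddAccessRule($copy)
        }
        if ($PSCmdlet.ShouldProcess($dn, "Apply $($template.Count) ACE(s) from $TemplateOU")) {
            Set-Acl -Path "AD:$dn" -AclObject $acl
        }
    }
}

# Targets: every OU directly under the domain root (search base assumed).
$targets = Get-ADOrganizationalUnit -Filter * -SearchBase 'DC=D2K12R2,DC=local' -SearchScope OneLevel |
    Select-Object -ExpandProperty DistinguishedName

# Dry run first to see which OUs would be touched, then apply for real.
Copy-ADDelegation -TemplateOU 'OU=Test,DC=D2K12R2,DC=local' -TargetOU $targets -IdentityReference 'D2K12R2\DelegGroup' -WhatIf
Copy-ADDelegation -TemplateOU 'OU=Test,DC=D2K12R2,DC=local' -TargetOU $targets -IdentityReference 'D2K12R2\DelegGroup'
```

Filtering on IsInherited matters: Get-Acl returns inherited ACEs too, and copying those onto a child OU turns a permission that could be revoked once at the parent into one that has to be hunted down on every OU.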
Active Directory Delegation PowerShell with a Function
I wrote a small function to ease the process of looking up GUIDs and choosing between the different types of inheritance. You can find it on GitHub:
https://github.com/edemilliere/ADSI/blob/master/Grant-ADPermission.ps1
You can use it like this:
Grant-ADPermission -GroupDistinguishedName 'CN=StarWars-Computers_CreateDelete,OU=Groups,OU=Admins,DC=D2K8R2,DC=itfordummies,DC=net' -AdRights CreateChild,DeleteChild -AccessControlType Allow -Inheritance Children -OrgUnitDN 'OU=Computers,OU=Star Wars,OU=Production,DC=D2K8R2,DC=itfordummies,DC=net' -ObjectType computer -InheritedObjectType null
Great! This saved me.
Pingback: Remove Active Directory ACL PowerShell - It for Dummies
How do I copy the “template” with Get-ACL and use it with Grant-ADPermission?
You need to use Set-ACL to apply permissions from Get-ACL. Grant-ADPermission is for quick permission adds with some name resolution to avoid GUID guesswork.