Setting Delegation on Active Directory OU

PowerShell 0 Comments

While working on one of my project about automating SQL AlwaysOn cluster installation and configuration, i come across a requirement where I needed to setup a delegation for the group that contain the Windows Failover cluster computer object, this should be then positioned on an OU so it can manage computer object and be able to configure the cluster correctly.

So like all my posts, i’ll keep it short and straight to the point.

To setup the delegation, you need to construct an object based on the System.DirectoryServices.ActiveDirectoryAccessRule .NET class, then feed it 4 parameters:

  • identity: you can specify the sid of the group
  • adRights: what to allow
  • type: Allow or Deny
  • inheritanceType: duh!
  • inheritedObjectType: the Guid of the object that the permission will apply to.

Here is the function with all the required parameters:

function Set-ComputerDelegation() {
	param(
	[string]$ou,
	[string]$groupName
	)
    $ADRights = "GenericAll"
    $aceType = "Allow"
    # get the schemaIDGuid for the computer class
    $computerObjectGuid = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
    $identity = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $groupName).SID
    $acl = get-acl $ou
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$ADRights,$aceType,"All",$computerObjectGuid

    $acl.AddAccessRule($ace)
    set-acl -aclobject $acl $ou
}

To make your life easier, here is the direct link to the function Set-ComputerDelegation hosted on my github.

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.