Setting Delegation on Active Directory OU

While working on one of my projects about automating SQL AlwaysOn cluster installation and configuration, I came across a requirement where I needed to set up a delegation for the group that contains the Windows Failover Cluster computer object; this should then be positioned on an OU so it can manage computer objects and be able to configure the cluster correctly.

So, like all my posts, I'll keep it short and straight to the point.

To set up the delegation, you construct an object from the System.DirectoryServices.ActiveDirectoryAccessRule .NET class, using the five-parameter constructor overload that takes an inheritedObjectType:

  • identity: an IdentityReference, typically the SID of the group (Get-ADGroup already returns it as a SecurityIdentifier)
  • adRights: what to allow, as an ActiveDirectoryRights value (GenericAll, CreateChild, WriteProperty, ...)
  • type: Allow or Deny
  • inheritanceType: an ActiveDirectorySecurityInheritance value. Descendents is inherit-only and lands the rule on child objects; All additionally leaves the rule effective on the OU itself, which is more than "manage computer objects" needs.
  • inheritedObjectType: the schemaIDGUID of the class whose objects will inherit the rule (the computer class here). Without it, every object class under the OU inherits the rule.

Here is the function with all the required parameters:

function Set-ComputerDelegation {
    param(
        [Parameter(Mandatory)][string]$groupName,   # group that receives the delegation
        [Parameter(Mandatory)][string]$ou           # OU path on the AD: drive, e.g. "AD:\OU=Clusters,DC=corp,DC=local"
    )
    $ADRights = "GenericAll"
    $aceType = "Allow"
    # schemaIDGuid for the computer class
    $computerObjectGuid = New-Object Guid "bf967a86-0de6-11d0-a285-00aa003049e2"
    # Get-ADGroup already returns the SID as a SecurityIdentifier
    $identity = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
    $acl = Get-Acl $ou
    # GenericAll, inherited ("All") by the descendant computer objects of the OU
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$ADRights,$aceType,"All",$computerObjectGuid
    # the rule must be added to the ACL before it is written back
    $acl.AddAccessRule($ace)
    Set-Acl -AclObject $acl $ou
}
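The following is an added example, not the post's function or the code on the author's GitHub. It builds the same kind of delegation with both ActiveDirectoryAccessRule overloads (objectType for "create computer objects in this OU", inheritedObjectType for "rights on descendant computer objects"), applies it, and then reads the ACL back to confirm exactly which ACEs landed for the group. It assumes the RSAT ActiveDirectory module and PowerShell 5.1 or later; the OU distinguished name and group name are placeholders, and the narrower rights set in the second ACE is a least-privilege choice made here, not something the post prescribes.

```powershell
# Added example (not the post's own code): delegate computer-object management on an OU to a
# group, then verify the resulting ACL. Assumes the ActiveDirectory module (RSAT) is installed
# and the caller may modify the OU's security descriptor. OU DN and group name are placeholders.
Import-Module ActiveDirectory            # also mounts the AD: drive that Get-Acl/Set-Acl work against

$OuDn      = 'OU=Clusters,OU=Servers,DC=corp,DC=example'   # placeholder OU
$GroupName = 'SQL-Cluster-CNOs'                             # placeholder group holding the cluster name object
$OuPath    = "AD:\$OuDn"

# schemaIDGUID of the computer class (fixed in the base schema; same value the post hard-codes)
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Get-ADGroup returns the SID as a SecurityIdentifier, which is an IdentityReference
$sid = (Get-ADGroup -Identity $GroupName).SID

# Type-qualified enum values keep constructor overload resolution unambiguous
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$none        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1 (objectType overload): create and delete *computer* objects directly in this OU.
$aceCreateDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $computerClass,        # objectType: restricts the right to children of class computer
    $none)                 # inheritanceType: this OU only, nothing inherited

# ACE 2 (inheritedObjectType overload, the one the post uses): rights on descendant computer objects.
# The post grants GenericAll; this example narrows it to read plus property writes (an assumption
# about what the workload needs; substitute GenericAll if full control is genuinely required) and
# uses Descendents so the ACE is inherit-only and does not also apply to the OU itself.
$aceManage = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, WriteProperty',
    $allow,
    $descendents,          # inheritanceType: inherit-only, descendants of the OU
    $computerClass)        # inheritedObjectType: only computer objects inherit it

# Apply: read the OU's ACL, add both rules, write it back
$acl = Get-Acl -Path $OuPath
$acl.AddAccessRule($aceCreateDelete)
$acl.AddAccessRule($aceManage)
Set-Acl -Path $OuPath -AclObject $acl

# Verify what actually landed: re-read the ACL and list only the ACEs granted to our group.
# ObjectType/InheritedObjectType come back as GUIDs; bf967a86-... is the computer class,
# an all-zero GUID means "any object class".
(Get-Acl -Path $OuPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                  ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Run the verification block on its own before and after the change: the "after" listing should show exactly two new non-inherited ACEs for the group, one with ObjectType set to the computer class and InheritanceType None, the other with InheritedObjectType set to the computer class and InheritanceType Descendents. Anything else means an overload was resolved differently than intended.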

To make your life easier, here is the direct link to the function Set-ComputerDelegation hosted on my GitHub.