Hey everyone! I'm trying to figure out if there's a way to assign only create/delete permissions for Active Directory group objects in a specific Organizational Unit (OU). I know I can do this using the GUI, but I'm having trouble finding the right PowerShell commands. The closest I've found deals with child AD objects, but that covers computers, users, and groups, not just groups. I also looked into some C# classes, but they don't handle permissions in that detail. Is it possible to manage these permissions through PowerShell? Any help would be appreciated!
2 Answers
Yes, it’s absolutely possible! Check out the ActiveDirectoryDsc module for PowerShell. It has resources specifically for AD permissions like the `ADObjectPermissionEntry`—that could be perfect for your needs. You essentially use PowerShell like navigating a file system. Here are some links to help:
- [ActiveDirectoryDsc on GitHub](https://github.com/dsccommunity/ActiveDirectoryDsc)
- [ADObjectPermissionEntry](https://github.com/dsccommunity/ActiveDirectoryDsc/wiki/ADObjectPermissionEntry)
You can definitely manage permissions with PowerShell! Here's a method I pulled from an Okta LCM setup. The key command here is `dsacls`, which can grant create permissions limited to group objects. Just make sure you handle the formatting correctly. Here's a script to get you started:
```powershell
$Group    = ''  # Example: 'CORP\GroupDelegation' (DOMAIN\Name form, as dsacls expects)
$TargetOU = ''  # Example: 'OU=Groups,DC=Contoso,DC=org'
# Quote the trustee:rights string and brace the variable: unquoted, PowerShell reads
# $Group:CCDC as a scope-qualified variable and the bare ';' as the end of the command.
# CC = create child, DC = delete child; ';group' limits both rights to group objects.
dsacls $TargetOU /G "${Group}:CCDC;group"
```
This grants the create privileges, and you'll want to add more lines like this for any properties you want to modify. Let me know how it works out!
By the way, I asked about deleting group objects under an OU, and it's similar. You can run:
`dsacls "OU=OU1,DC=contoso,DC=com" /G "CONTOSO\Group:SD;Delete;group"`
Also, here’s a reference to the `dsacls` command: [Dsacls | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc771151(v=ws.11))
Thanks for the resource! I'll definitely check that out.
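The same delegation done without `dsacls`, as an added example that is not from this thread: it writes two ACEs scoped to the `group` object class onto the OU with the ActiveDirectory module's `AD:` drive and .NET `ActiveDirectoryAccessRule`, then reads them back so the result can be checked. The trustee and OU names are placeholders, and it assumes the ActiveDirectory PowerShell module is installed and you hold rights to modify the OU's ACL.

```powershell
# Added example (not from the thread). Delegates create/delete of *group* objects only.
# Assumptions: ActiveDirectory module present; $Trustee and $TargetOU are placeholders.
Import-Module ActiveDirectory

$Trustee  = 'CONTOSO\GroupDelegation'        # placeholder delegated security group
$TargetOU = 'OU=Groups,DC=contoso,DC=com'    # placeholder target OU

# Resolve the schemaIDGUID of the 'group' class from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$groupClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=group)' `
                          -Properties schemaIDGUID).schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"

# ACE 1: Create Child + Delete Child on the OU (and sub-OUs), limited to objects of class 'group'.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $groupClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: Delete on the group objects themselves, inherited only by descendant 'group' objects.
$deleteGroups = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::Delete,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($deleteGroups)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read the ACL back and show only the ACEs granted to the trustee that are scoped to the group class.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        ($_.ObjectType -eq $groupClassGuid -or $_.InheritedObjectType -eq $groupClassGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Nothing else in the OU is touched: because both ACEs carry the group class GUID, the trustee gains no rights over user or computer objects, which is the gap the generic child-object delegation leaves open.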