I have a small PS script (created with some help from Google) to delegate some control on an AD OU, but I am having a problem with the Set-ACL command, apparently due to limited access. With a domain account it works perfectly, but with another power account with full rights on the OU, although not a domain account, I am getting a "set-acl: access is denied" error. I tried in GUI mode with the same account and it is perfectly OK, so I am not sure what kind of rights the user needs to run the Set-ACL command. Is there any workaround for this? Or any other alternative to achieve the same result? Thank you for your help. Here is the script:
Import-Module ActiveDirectory
$uname  = "Accountancy"
$ugroup = $uname + "-DATA"
##### Lookup tables: attribute/class name -> schemaIDGUID, extended right name -> rightsGuid
$rootdse = Get-ADRootDSE
$domain  = Get-ADDomain
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" `
    -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) `
    -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.Guid]$_.rightsGuid }
######
$container = "OU=$uname,OU=GLOBAL,DC=WORLD,DC=NET"
Set-Location AD:
$group = Get-ADGroup $ugroup
$sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID
$ous   = Get-ADOrganizationalUnit -Identity $container
# Read the OU's current security descriptor through the AD: provider
$setacl = Get-Acl -Path $ous.DistinguishedName
Write-Host $setacl
# Allow the group to read and write the "member" attribute of group objects below the OU
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, "ReadProperty, WriteProperty", "Allow", $guidmap["member"], "Descendents", $guidmap["group"]
$setacl.AddAccessRule($ace)
# Write the modified descriptor back; this is the call that fails with "access is denied"
Set-Acl -AclObject $setacl -Path $container
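As an added example (not code from the original post), the same delegation applied through a DirectoryEntry bound with [ADSI] instead of the AD: drive, with a check that skips the change when an equivalent ACE already exists and a read-back that confirms what the domain controller stored. The OU DN and group name are the placeholders from the question; Test-DelegationPresent is a helper defined here.

```powershell
Import-Module ActiveDirectory

# Placeholders taken from the question: adjust to the real OU and group
$container = "OU=Accountancy,OU=GLOBAL,DC=WORLD,DC=NET"
$ugroup    = "Accountancy-DATA"

# Resolve the schema GUIDs of the "member" attribute and the "group" class
$schema     = (Get-ADRootDSE).SchemaNamingContext
$memberGuid = [System.Guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=member)" -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [System.Guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=group)"  -Properties schemaIDGUID).schemaIDGUID
$sid        = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $ugroup).SID

# Same ACE as in the question: read/write "member" on group objects below the OU
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, "ReadProperty, WriteProperty", "Allow", $memberGuid, "Descendents", $groupGuid

# Helper defined for this example: $true when an Allow ACE for the group already covers these rights and GUIDs
function Test-DelegationPresent {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $sid -and $r.AccessControlType -eq 'Allow' -and
            $r.ObjectType -eq $memberGuid -and $r.InheritedObjectType -eq $groupGuid -and
            (($r.ActiveDirectoryRights -band $ace.ActiveDirectoryRights) -eq $ace.ActiveDirectoryRights)) {
            return $true
        }
    }
    return $false
}

# Bind to the OU over LDAP; psbase exposes the underlying DirectoryEntry members
$ou = [ADSI]"LDAP://$container"
if (Test-DelegationPresent $ou.psbase.ObjectSecurity) {
    Write-Host "Delegation already present on $container; nothing to do"
} else {
    $ou.psbase.ObjectSecurity.AddAccessRule($ace)
    $ou.psbase.CommitChanges()                       # write the modified descriptor back

    # Read back with a fresh bind so the check reflects what the DC actually stored
    $verify = [ADSI]"LDAP://$container"
    if (Test-DelegationPresent $verify.psbase.ObjectSecurity) {
        Write-Host "Delegation applied and verified on $container"
    } else {
        Write-Warning "ACE not found after commit; check the rights of the calling account on $container"
    }
}
```

The read-back is the part worth keeping even if the write path differs: a delegation that is not visible on a fresh bind has not been applied, whatever the write call reported.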