AzureADConnectSSPRPermissions.ps1

# Description: Sets Azure AD Connect Password Write Back AD Permissions
# Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS
# Last Modified: 01.06.2016
# Run this on-premises for your domain/forest

Import-Module ActiveDirectory

#region Initial Parameters/Variables

# Domain Controller in wanted domain, leave blank if using current domain
$dcserver = "mydc.domain.local"

# Azure AD Connect Synchronization Account
$aadcaccount = "MSOL_xxxxx"

# Azure AD Connect Account Domain Controller
$aadcserver = "mydc.domain.local"

# Organizational Unit Distinguished Name, starting point for delegation
$oudn = "OU=<UsersOU>,DC=domain,DC=local"

#endregion

# Check if default current domain or specified domain should be used

If ($dcserver -eq $null) {
    # Get a reference to the RootDSE of the current domain
    $rootdse = Get-ADRootDSE
    # Get a reference to the current domain
    $domain = Get-ADDomain
}
Else {
    # Get a reference to the RootDSE of the domain for the specified server
    $rootdse = Get-ADRootDSE -Server $dcserver
    # Get a reference to the domain for the specified server
    $domain = Get-ADDomain -Server $dcserver
}

# Refer to my Active Directory, either current or specified server from above
New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName

# Change to My Active Directory Command Prompt
cd myAD:

# Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

# Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

# Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity $oudn

# Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to
$a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID

# Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ($ou.DistinguishedName)

# Create an Access Control Entry for new permission we wish to add

# Allow the Azure AD Account to reset passwords on all descendent user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to change passwords on all descendent user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to write lockoutTime extended property 
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to write pwdLastSet extended property 
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]))

# Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName))