# Description: Sets Azure AD Connect Password Write Back AD Permissions | |
# Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS | |
# Last Modified: 01.06.2016 | |
# Run this on-premises for your domain/forest | |
Import-Module ActiveDirectory | |
#region Initial Parameters/Variables | |
# Domain Controller in wanted domain, leave blank if using current domain | |
$dcserver = "mydc.domain.local" | |
# Azure AD Connect Synchronization Account | |
$aadcaccount = "MSOL_xxxxx" | |
# Azure AD Connect Account Domain Controller | |
$aadcserver = "mydc.domain.local" | |
# Organizational Unit Distinguished Name, starting point for delegation | |
$oudn = "OU=<UsersOU>,DC=domain,DC=local" | |
#endregion | |
# Check if default current domain or specified domain should be used | |
If ($dcserver -eq $null) { | |
# Get a reference to the RootDSE of the current domain | |
$rootdse = Get-ADRootDSE | |
# Get a reference to the current domain | |
$domain = Get-ADDomain | |
} | |
Else { | |
# Get a reference to the RootDSE of the domain for the specified server | |
$rootdse = Get-ADRootDSE -Server $dcserver | |
# Get a reference to the domain for the specified server | |
$domain = Get-ADDomain -Server $dcserver | |
} | |
# Refer to my Active Directory, either current or specified server from above | |
New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName | |
# Change to My Active Directory Command Prompt | |
cd myAD: | |
# Create a hashtable to store the GUID value of each schema class and attribute | |
$guidmap = @{} | |
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` | |
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | | |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID} | |
# Create a hashtable to store the GUID value of each extended right in the forest | |
$extendedrightsmap = @{} | |
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` | |
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | | |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid} | |
# Get a reference to the OU we want to delegate | |
$ou = Get-ADOrganizationalUnit -Identity $oudn | |
# Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to | |
$a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID | |
# Get a copy of the current DACL on the OU | |
$acl = Get-ACL -Path ($ou.DistinguishedName) | |
# Create an Access Control Entry for new permission we wish to add | |
# Allow the Azure AD Account to reset passwords on all descendent user objects | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to change passwords on all descendent user objects | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to write lockoutTime extended property | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to write pwdLastSet extended property | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"])) | |
# Re-apply the modified DACL to the OU | |
Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment