| # Description: Sets Azure AD Connect Password Write Back AD Permissions | |
| # Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS | |
| # Last Modified: 01.06.2016 | |
| # Run this on-premises for your domain/forest | |
| Import-Module ActiveDirectory | |
| #region Initial Parameters/Variables | |
| # Domain Controller in wanted domain, leave blank if using current domain | |
| $dcserver = "mydc.domain.local" | |
| # Azure AD Connect Synchronization Account | |
| $aadcaccount = "MSOL_xxxxx" | |
| # Azure AD Connect Account Domain Controller | |
| $aadcserver = "mydc.domain.local" | |
| # Organizational Unit Distinguished Name, starting point for delegation | |
| $oudn = "OU=<UsersOU>,DC=domain,DC=local" | |
| #endregion | |
| # Check if default current domain or specified domain should be used | |
| If ($dcserver -eq $null) { | |
| # Get a reference to the RootDSE of the current domain | |
| $rootdse = Get-ADRootDSE | |
| # Get a reference to the current domain | |
| $domain = Get-ADDomain | |
| } | |
| Else { | |
| # Get a reference to the RootDSE of the domain for the specified server | |
| $rootdse = Get-ADRootDSE -Server $dcserver | |
| # Get a reference to the domain for the specified server | |
| $domain = Get-ADDomain -Server $dcserver | |
| } | |
| # Refer to my Active Directory, either current or specified server from above | |
| New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName | |
| # Change to My Active Directory Command Prompt | |
| cd myAD: | |
| # Create a hashtable to store the GUID value of each schema class and attribute | |
| $guidmap = @{} | |
| Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` | |
| "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | | |
| % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID} | |
| # Create a hashtable to store the GUID value of each extended right in the forest | |
| $extendedrightsmap = @{} | |
| Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` | |
| "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | | |
| % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid} | |
| # Get a reference to the OU we want to delegate | |
| $ou = Get-ADOrganizationalUnit -Identity $oudn | |
| # Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to | |
| $a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID | |
| # Get a copy of the current DACL on the OU | |
| $acl = Get-ACL -Path ($ou.DistinguishedName) | |
| # Create an Access Control Entry for new permission we wish to add | |
| # Allow the Azure AD Account to reset passwords on all descendent user objects | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to change passwords on all descendent user objects | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to write lockoutTime extended property | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to write pwdLastSet extended property | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"])) | |
| # Re-apply the modified DACL to the OU | |
| Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment