Last active
October 25, 2020 05:56
-
-
Save JanVidarElven/32fb55b024767bfb5c65260714b1259a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Description: Sets Azure AD Connect Password Write Back AD Permissions | |
# Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS | |
# Last Modified: 01.06.2016 | |
# Run this on-premises for your domain/forest | |
Import-Module ActiveDirectory | |
#region Initial Parameters/Variables | |
# Domain Controller in wanted domain, leave blank if using current domain | |
$dcserver = "mydc.domain.local" | |
# Azure AD Connect Synchronization Account | |
$aadcaccount = "MSOL_xxxxx" | |
# Azure AD Connect Account Domain Controller | |
$aadcserver = "mydc.domain.local" | |
# Organizational Unit Distinguished Name, starting point for delegation | |
$oudn = "OU=<UsersOU>,DC=domain,DC=local" | |
#endregion | |
# Check if default current domain or specified domain should be used | |
If ($dcserver -eq $null) { | |
# Get a reference to the RootDSE of the current domain | |
$rootdse = Get-ADRootDSE | |
# Get a reference to the current domain | |
$domain = Get-ADDomain | |
} | |
Else { | |
# Get a reference to the RootDSE of the domain for the specified server | |
$rootdse = Get-ADRootDSE -Server $dcserver | |
# Get a reference to the domain for the specified server | |
$domain = Get-ADDomain -Server $dcserver | |
} | |
# Refer to my Active Directory, either current or specified server from above | |
New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName | |
# Change to My Active Directory Command Prompt | |
cd myAD: | |
# Create a hashtable to store the GUID value of each schema class and attribute | |
$guidmap = @{} | |
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` | |
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | | |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID} | |
# Create a hashtable to store the GUID value of each extended right in the forest | |
$extendedrightsmap = @{} | |
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` | |
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | | |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid} | |
# Get a reference to the OU we want to delegate | |
$ou = Get-ADOrganizationalUnit -Identity $oudn | |
# Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to | |
$a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID | |
# Get a copy of the current DACL on the OU | |
$acl = Get-ACL -Path ($ou.DistinguishedName) | |
# Create an Access Control Entry for new permission we wish to add | |
# Allow the Azure AD Account to reset passwords on all descendent user objects | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to change passwords on all descendent user objects | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to write lockoutTime extended property | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"])) | |
# Allow the Azure AD Account to write pwdLastSet extended property | |
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
$a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"])) | |
# Re-apply the modified DACL to the OU | |
Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment