JanVidarElven/AzureADConnectSSPRPermissions.ps1

## AzureADConnectSSPRPermissions.ps1
# Description: Sets Azure AD Connect Password Write Back AD Permissions
# Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS
# Last Modified: 01.06.2016
# Run this on-premises for your domain/forest

Import-Module ActiveDirectory

#region Initial Parameters/Variables

# Domain Controller in wanted domain, leave blank if using current domain
$dcserver = "mydc.domain.local"

# Azure AD Connect Synchronization Account
$aadcaccount = "MSOL_xxxxx"

# Azure AD Connect Account Domain Controller
$aadcserver = "mydc.domain.local"

# Organizational Unit Distinguished Name, starting point for delegation
$oudn = "OU=<UsersOU>,DC=domain,DC=local"

#endregion

# Check if default current domain or specified domain should be used

If ($dcserver -eq $null) {
    # Get a reference to the RootDSE of the current domain
    $rootdse = Get-ADRootDSE
    # Get a reference to the current domain
    $domain = Get-ADDomain
}
Else {
    # Get a reference to the RootDSE of the domain for the specified server
    $rootdse = Get-ADRootDSE -Server $dcserver
    # Get a reference to the domain for the specified server
    $domain = Get-ADDomain -Server $dcserver
}

# Refer to my Active Directory, either current or specified server from above
New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName

# Change to My Active Directory Command Prompt
cd myAD:

# Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

# Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

# Get a reference to the OU we want to delegate
$ou = Get-ADOrganizationalUnit -Identity $oudn

# Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to
$a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID

# Get a copy of the current DACL on the OU
$acl = Get-ACL -Path ($ou.DistinguishedName)

# Create an Access Control Entry for new permission we wish to add

# Allow the Azure AD Account to reset passwords on all descendent user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to change passwords on all descendent user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to write lockoutTime extended property
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]))

# Allow the Azure AD Account to write pwdLastSet extended property
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]))

# Re-apply the modified DACL to the OU
Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName))
	# Description: Sets Azure AD Connect Password Write Back AD Permissions
	# Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS
	# Last Modified: 01.06.2016
	# Run this on-premises for your domain/forest

	Import-Module ActiveDirectory

	#region Initial Parameters/Variables

	# Domain Controller in wanted domain, leave blank if using current domain
	$dcserver = "mydc.domain.local"

	# Azure AD Connect Synchronization Account
	$aadcaccount = "MSOL_xxxxx"

	# Azure AD Connect Account Domain Controller
	$aadcserver = "mydc.domain.local"

	# Organizational Unit Distinguished Name, starting point for delegation
	$oudn = "OU=<UsersOU>,DC=domain,DC=local"

	#endregion

	# Check if default current domain or specified domain should be used

	If ($dcserver -eq $null) {
	# Get a reference to the RootDSE of the current domain
	$rootdse = Get-ADRootDSE
	# Get a reference to the current domain
	$domain = Get-ADDomain
	}
	Else {
	# Get a reference to the RootDSE of the domain for the specified server
	$rootdse = Get-ADRootDSE -Server $dcserver
	# Get a reference to the domain for the specified server
	$domain = Get-ADDomain -Server $dcserver
	}

	# Refer to my Active Directory, either current or specified server from above
	New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName

	# Change to My Active Directory Command Prompt
	cd myAD:

	# Create a hashtable to store the GUID value of each schema class and attribute
	$guidmap = @{}
	Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
	"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID \|
	% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

	# Create a hashtable to store the GUID value of each extended right in the forest
	$extendedrightsmap = @{}
	Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
	"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid \|
	% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

	# Get a reference to the OU we want to delegate
	$ou = Get-ADOrganizationalUnit -Identity $oudn

	# Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to
	$a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID

	# Get a copy of the current DACL on the OU
	$acl = Get-ACL -Path ($ou.DistinguishedName)

	# Create an Access Control Entry for new permission we wish to add

	# Allow the Azure AD Account to reset passwords on all descendent user objects
	$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
	$a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]))

	# Allow the Azure AD Account to change passwords on all descendent user objects
	$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
	$a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"]))

	# Allow the Azure AD Account to write lockoutTime extended property
	$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
	$a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]))

	# Allow the Azure AD Account to write pwdLastSet extended property
	$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
	$a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]))

	# Re-apply the modified DACL to the OU
	Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName))