Allow Hello For Business on Protected Accounts by adding permissions to AdminSDHolder container.
Script to give the Azure AD Connect sync account permissions on protected accounts that need to use Hello For Business in a hybrid deployment.
Grants read/write on msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting the permissions on the AdminSDHolder container, from which they are propagated to protected accounts.
param(
    # sAMAccountName of the Azure AD Connect sync account ($SyncUser was undefined in the original; it is taken as a parameter here)
    [Parameter(Mandatory)][string]$SyncUser
)
$ADDomain = Get-ADDomain
$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser
$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")
#Add Read/Write (RP = read property, WP = write property) on each attribute.
#SDProp copies the AdminSDHolder ACL onto protected accounts (adminCount=1), by default every 60 minutes.
foreach($Attribute in $Attributes){
    #Call dsacls.exe directly instead of building a command string for Invoke-Expression
    & dsacls.exe $AdminSDHolder /G "${AzureADConnectUser}:RPWP;$Attribute" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls.exe failed to grant RPWP on $Attribute (exit code $LASTEXITCODE)" }
}
#Present Resulting Permissions
& dsacls.exe $AdminSDHolder
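As an added verification script (not part of the original gist), assuming the ActiveDirectory module is available and $SyncUser is the sync account's sAMAccountName: it reads the ACLs back and reports whether the two attribute-scoped RPWP ACEs exist on AdminSDHolder and on every adminCount=1 user, so you can tell whether SDProp has already propagated the grant.

```powershell
# Added example: verify the AdminSDHolder grant and its propagation to protected accounts.
# Assumes the ActiveDirectory module (which provides the AD: drive) and a $SyncUser parameter.
param([Parameter(Mandatory)][string]$SyncUser)

Import-Module ActiveDirectory
$Domain = Get-ADDomain
$AdminSDHolder = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$Identity = "$($Domain.NetBIOSName)\$SyncUser"

# dsacls writes attribute-scoped ACEs whose ObjectType is the attribute's schemaIDGUID,
# so resolve both attribute names to GUIDs from the schema partition first.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$AttrGuids = @{}
foreach ($Name in "msDS-KeyCredentialLink", "msDS-ExternalDirectoryObjectID") {
    $Obj = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    $AttrGuids[$Name] = [guid]$Obj.schemaIDGUID
}

function Test-SyncAce {
    # Returns one row per attribute saying whether an Allow ACE for the sync account
    # with both ReadProperty and WriteProperty on that attribute is present.
    param([string]$DistinguishedName)
    $Acl = Get-Acl -Path "AD:\$DistinguishedName"
    $Read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $Write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($Name in $AttrGuids.Keys) {
        $Ace = $Acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $AttrGuids[$Name] -and
            ($_.ActiveDirectoryRights -band $Read) -and
            ($_.ActiveDirectoryRights -band $Write)
        }
        [pscustomobject]@{ Object = $DistinguishedName; Attribute = $Name; Granted = [bool]$Ace }
    }
}

# Check the template itself, then every protected account (adminCount=1), which SDProp
# stamps with the AdminSDHolder ACL on its next run (by default every 60 minutes).
Test-SyncAce -DistinguishedName $AdminSDHolder
Get-ADUser -LDAPFilter "(adminCount=1)" |
    ForEach-Object { Test-SyncAce -DistinguishedName $_.DistinguishedName }
```

A protected account that still reports Granted = False right after running the grant usually just means SDProp has not run yet; re-check after the next propagation cycle.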