Skip to content

Instantly share code, notes, and snippets.

  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Allow Hello For Business on Protected Accounts by adding permissions to AdminSDHolder container.
<#
.SYNOPSIS
Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container.
#>
PARAM([string]$SyncUser="MSOL_1234ABC56")
$ADDomain = Get-ADDomain
$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser
$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")
#Add Read/Write to each Property
foreach($Attribute in $Attributes){
$cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
Invoke-Expression $cmd | Out-Null
}
#Present Resulting Permissions
$cmd = "dsacls.exe '$AdminSDHolder'"
Invoke-Expression $cmd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment