KentNordstrom/HelloForBusinessPermissionsOnAdminSDHolder.ps1

## HelloForBusinessPermissionsOnAdminSDHolder.ps1
<#
    .SYNOPSIS
    Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
    Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container.
#>

PARAM([string]$SyncUser="MSOL_1234ABC56")

$ADDomain = Get-ADDomain

$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser

$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")

#Add Read/Write to each Property
foreach($Attribute in $Attributes){
$cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
Invoke-Expression $cmd | Out-Null
}

#Present Resulting Permissions
$cmd = "dsacls.exe '$AdminSDHolder'"
Invoke-Expression $cmd
	<#
	.SYNOPSIS
	Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
	Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container.
	#>

	PARAM([string]$SyncUser="MSOL_1234ABC56")

	$ADDomain = Get-ADDomain

	$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
	$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser

	$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")

	#Add Read/Write to each Property
	foreach($Attribute in $Attributes){
	$cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
	Invoke-Expression $cmd \| Out-Null
	}

	#Present Resulting Permissions
	$cmd = "dsacls.exe '$AdminSDHolder'"
	Invoke-Expression $cmd