Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save KentNordstrom/51ffae43ea0a1aabb141115dfdddc451 to your computer and use it in GitHub Desktop.
Save KentNordstrom/51ffae43ea0a1aabb141115dfdddc451 to your computer and use it in GitHub Desktop.
Allow Hello For Business on Protected Accounts by adding permissions to AdminSDHolder container.
<#
.SYNOPSIS
Script to give Azure AD Connect Permission on Protected users that want to use Hello For Business in Hybrid Deployment.
Gives read/write to msDS-KeyCredentialLink and msDS-ExternalDirectoryObjectID by setting permissions on AdminSDHolder container.
#>
PARAM([string]$SyncUser="MSOL_1234ABC56")
$ADDomain = Get-ADDomain
$AdminSDHolder = "CN=AdminSDHolder,CN=System," + $ADDomain.DistinguishedName
$AzureADConnectUser = $ADDomain.NetBIOSName + "\" + $SyncUser
$Attributes = @("msDS-KeyCredentialLink","msDS-ExternalDirectoryObjectID")
#Add Read/Write to each Property
foreach($Attribute in $Attributes){
$cmd = "dsacls.exe '$AdminSDHolder' /G '`"$AzureADConnectUser`":RPWP;$Attribute'"
Invoke-Expression $cmd | Out-Null
}
#Present Resulting Permissions
$cmd = "dsacls.exe '$AdminSDHolder'"
Invoke-Expression $cmd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment