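<#
.SYNOPSIS
Delegates object management under one or more OUs to a single user, and grants
that user GenericAll on the domain's MicrosoftDNS container.
.DESCRIPTION
For every OU in -OUPaths the user receives CreateChild/DeleteChild for users,
groups, computers and OUs directly under the OU, and GenericAll (full control)
over every descendant object of those classes. Progress and errors are written
to an XML log at LogDir\Log.
.PARAMETER OUPaths
Distinguished names of the OUs whose DACLs are modified. Pass several as a
comma-separated list.
.PARAMETER UserName
Value matched against the user's Name (cn) attribute with Get-ADUser -Filter.
.PARAMETER LogDir
Directory for the XML log; created if it does not exist.
.PARAMETER Log
File name of the XML log inside LogDir.
.NOTES
The rights granted amount to full control of everything beneath the target OUs.
Run only with an account already entitled to edit those DACLs, and only against
OUs whose entire contents the grantee may own.
#>
param (
    [Parameter(Mandatory=$true)]
    # Rejects empty elements, which Mandatory alone does not catch for arrays and
    # which would otherwise be bound as "LDAP://" below.
    [ValidateNotNullOrEmpty()]
    [String[]]$OUPaths,
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [String]$UserName,
    # Not mandatory, so an explicit "" would otherwise slip through and break the log path.
    [ValidateNotNullOrEmpty()]
    [String]$LogDir = "C:\log\",
    [ValidateNotNullOrEmpty()]
    [String]$Log = "AddOrganizationalUnitPermissions.XML"
)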
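function Init-Logging([string]$logDirectory,[string]$logFile,$scriptName) {
    # Publish the log location at script scope, which is where Write-Log reads
    # $LogDir and $Log. The original assigned plain $LogDir/$Log, which only
    # created function-local copies discarded on return; it worked by accident
    # because the script parameters of the same name already held these values.
    $script:LogDir = $logDirectory
    $script:Log = $logFile
    # -Start truncates any previous log and writes the opening <Log> tag.
    Write-Log -CodeID 35000 -msg "Logging started $scriptName" -status '200' -Start
}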
function End-Logging($scriptName) {
    # Final record of the run. Write-Log -End also writes the closing </Log>
    # tag and terminates the script, so nothing after this call runs.
    $closingMessage = "End Logging $scriptName"
    Write-Log -CodeID 35000 -msg $closingMessage -status '200' -End
}
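function Init-ActiveDirectory {
    # Load helper assemblies, then make sure the ActiveDirectory module
    # (Get-ADUser) is available; on failure log the exception and stop.
    Init-Library
    Write-Log -CodeID 35000 -msg "Checking required ActiveDirectory Module" -status '200'
    Try {
        if (-Not (Get-Module -Name "ActiveDirectory")) {
            # -ErrorAction Stop is required here: this runs before the script sets
            # $ErrorActionPreference = "Stop", and a non-terminating error from
            # Import-Module would bypass Catch and let the run continue to
            # Get-ADUser without the module.
            Import-Module -Name ActiveDirectory -ErrorAction Stop
        }
    }
    Catch {
        # -End closes the XML log and terminates the script.
        Write-Log -CodeID 35001 -msg $_.Exception.Message -status '400' -Assembly $_.Exception.TargetSite.Module.Name -Type $_.Exception.TargetSite.ReturnType.Name -Stack $_.Exception.StackTrace -End
    }
}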
function Init-Library {
    # System.Web supplies System.Web.HttpUtility, used when encoding log fields.
    $assemblyName = 'System.Web'
    Add-Type -AssemblyName $assemblyName
    Write-Log -CodeID 35000 -msg "Initalized Assemblies" -status '200'
}
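function Write-Log {
<#
.SYNOPSIS
Appends one <Code> record to the XML log at $LogDir\$Log (both read from script scope).
.DESCRIPTION
-Start truncates the file and writes the opening <Log> tag first. -End writes the
closing </Log> tag and terminates the script, exiting 0 for Status '200' and 1
otherwise. Every value placed between tags is XML-escaped: $msg carries
caller-controlled text (the -UserName argument, exception messages), and an
unescaped '<' or '&' would corrupt the log or let a crafted value inject fake
records. The original only encoded Assembly/Type/Stack.
#>
    param(
        [Parameter(Mandatory=$true)]
        [String]$CodeID,
        [Parameter(Mandatory=$true)]
        [string]$Status,      # '200' = success; any other value is a failure when -End is set
        [Parameter(Mandatory=$true)]
        [String]$msg,
        [String]$Assembly,
        [String]$Type,
        [String]$Stack,
        [Switch]$End,
        [Switch]$Start
    )
    # XML-escape a field. SecurityElement lives in mscorlib, so this works before
    # Init-Library has loaded System.Web and emits XML (not HTML) entities.
    function Escape-Xml([string]$text) {
        if ($text) { [System.Security.SecurityElement]::Escape($text) } else { $text }
    }
    if (!(Test-Path $LogDir)) { New-Item -type Directory -Path $LogDir | Out-Null }
    # Join-Path works whether or not $LogDir ends in a separator; the original
    # concatenation turned "C:\log" + "x.xml" into "C:\logx.xml".
    $Logfile = Join-Path $LogDir $Log
    if ($Start) { "<Log>" | Out-File $Logfile }
    # dd/MM/yyyy is kept for existing log consumers; note it does not sort lexically.
    [String]$date = Get-Date -Format "dd/MM/yyyy HH:mm:ss"
    $record = @(
        " <Code>",
        " <ID>$(Escape-Xml $CodeID)</ID>",
        " <Date>$date</Date>",
        " <Message>$(Escape-Xml $msg)</Message>",
        " <Status>$(Escape-Xml $Status)</Status>",
        " <Assembly>$(Escape-Xml $Assembly)</Assembly>",
        " <Type>$(Escape-Xml $Type)</Type>",
        " <Stack>$(Escape-Xml $Stack)</Stack>",
        " </Code>"
    )
    $record | Out-File $Logfile -Append
    if ($End) {
        "</Log>" | Out-File $Logfile -Append
        # Propagate failure to whoever launched the script: the Catch in
        # Init-ActiveDirectory ends the log with status 400, and the original
        # unconditional "Exit 0" made a failed delegation look successful.
        if ($Status -eq '200') { Exit 0 } else { Exit 1 }
    }
}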
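Init-Logging $LogDir $Log $MyInvocation.MyCommand.Name
Init-ActiveDirectory
## Schema GUIDs used as objectType / inheritedObjectType in the ACEs below.
$guidComputerObject  = New-Object Guid bf967a86-0de6-11d0-a285-00aa003049e2 ## computer: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680987(v=vs.85).aspx
$guidGroupObject     = New-Object Guid bf967a9c-0de6-11d0-a285-00aa003049e2 ## group: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682251(v=vs.85).aspx
$guidOUObject        = New-Object Guid bf967aa5-0de6-11d0-a285-00aa003049e2 ## organizationalUnit (the original comment repeated the group link)
$guidUserObject      = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2 ## user: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683980(v=vs.85).aspx
$guidGroupMembership = New-Object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf ## member attribute: http://msdn.microsoft.com/en-us/library/cc223204.aspx
# From here on any error terminates the script. This is set only now, so the
# Try/Catch in Init-ActiveDirectory ran under the default (Continue) preference.
$ErrorActionPreference = "Stop"
Write-Log -CodeID '100001' -msg "Getting User $UserName" -Status '200'
# -Filter on Name (cn) returns nothing rather than failing when no user matches,
# and cn is not guaranteed unique domain-wide. The original dereferenced
# $userObject.SID unconditionally and died with an unlogged exception on a
# missing user. Require exactly one hit before any DACL is touched.
$candidates = @(Get-ADUser -Filter {Name -eq $UserName})
if ($candidates.Count -ne 1) {
    # Write-Log -End closes the XML log and terminates the script.
    Write-Log -CodeID '35001' -msg "Expected exactly one user with Name '$UserName', found $($candidates.Count)" -Status '400' -End
}
$userObject = $candidates[0]
Write-Log -CodeID '100001' -msg "Getting Users SID" -Status '200'
$userSID = New-Object System.Security.Principal.SecurityIdentifier $userObject.SID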
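########################################################################
## SECURITY NOTE: each section below grants the user CreateChild and   ##
## DeleteChild for one object class directly under the OU, plus        ##
## GenericAll - full control: every property, WriteDacl, WriteOwner    ##
## and extended rights such as password reset - over every descendant  ##
## of that class. Delegate this only over OUs whose entire contents    ##
## the grantee is allowed to own (no privileged accounts, servers or   ##
## GPO-linked OUs beneath them).                                        ##
########################################################################
function Grant-ClassControl($entry, [Guid]$classGuid) {
    # Create/delete objects of this class directly under the OU (4-arg
    # constructor: no inheritance)...
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"CreateChild,DeleteChild","Allow",$classGuid
    # ...and full control of every descendant object of this class.
    $fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"GenericAll","Allow","Descendents",$classGuid
    $entry.ObjectSecurity.AddAccessRule($createDelete)
    $entry.ObjectSecurity.AddAccessRule($fullControl)
    $entry.CommitChanges()
}
foreach($OUPath in $OUPaths) {
    if (-not [adsi]::Exists("LDAP://" + $OUPath)) {
        # A mistyped path used to be skipped without a trace. Record it; no -End,
        # so the remaining paths are still processed, as before.
        Write-Log -CodeID '35001' -msg "OU path not found, skipped: $OUPath" -Status '400'
        continue
    }
    # Bind to the OU whose DACL is being modified.
    $adObject = [ADSI]("LDAP://" + $OUPath)
    ## Organizational units
    Write-Log -CodeID '100001' -msg "Creating ACL for create/delete Organizational Units" -Status '200'
    Grant-ClassControl $adObject $guidOUObject
    Write-Log -CodeID '100001' -msg "Created ACL successfully for Organizational Units" -Status '200'
    ## Groups
    Write-Log -CodeID '100001' -msg "Creating ACL for create/delete groups" -Status '200'
    Grant-ClassControl $adObject $guidGroupObject
    Write-Log -CodeID '100001' -msg "Created ACL successfully for Groups" -Status '200'
    ## Group membership: WriteProperty on the 'member' attribute of descendant
    ## groups. The original re-added the GenericAll-on-groups rule here
    ## (effectively a no-op) and never used $guidGroupMembership. This rule is a
    ## subset of the GenericAll granted above, so no extra privilege is added;
    ## it is what remains if GenericAll on groups is later narrowed.
    Write-Log -CodeID '100001' -msg "Creating ACL for adding group members" -Status '200'
    $memberRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $userSID,"WriteProperty","Allow",$guidGroupMembership,"Descendents",$guidGroupObject
    $adObject.ObjectSecurity.AddAccessRule($memberRule)
    $adObject.CommitChanges()
    ## Users
    Write-Log -CodeID '100001' -msg "Creating ACL for create/delete of users" -Status '200'
    Grant-ClassControl $adObject $guidUserObject
    ## Computers
    Write-Log -CodeID '100001' -msg "Creating ACL for create/delete of computers" -Status '200'
    Grant-ClassControl $adObject $guidComputerObject
}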
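####################################################################
# Grant GenericAll on the MicrosoftDNS container for DNS tasks     #
####################################################################
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $domain.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
# Subtree search from the domain naming context; this normally resolves to
# CN=MicrosoftDNS,CN=System. Zones stored in the DomainDnsZones/ForestDnsZones
# application partitions are outside this naming context and are not touched.
# (The original also set SizeLimit, which has no effect on FindOne.)
$search.Filter = "(&(objectclass=container)(Name=MicrosoftDNS))"
$result = $search.FindOne()
if ($null -eq $result) {
    # The original called .GetDirectoryEntry() on a null result and died with an
    # unlogged exception. -End closes the log and terminates the script.
    Write-Log -CodeID '35001' -msg "MicrosoftDNS container not found under $($root.distinguishedName)" -Status '400' -End
}
$dnsContainer = $result.GetDirectoryEntry()
$accessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$adRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
# Reuse the SID already resolved for the OU delegation. The original built an
# NTAccount from ([ADSI]"").Name and $UserName, which resolves by sAMAccountName
# (a different key from the Name filter used above) and relies on the naming
# context's RDN matching the NetBIOS domain name.
# Three-argument constructor: no inheritance, so this appears to apply to the
# container object itself rather than to zone objects beneath it - confirm that
# this is the intended scope for "DNS related tasks".
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $userSID, $adRights, $accessControlType
$dnsContainer.ObjectSecurity.AddAccessRule($ace)
$dnsContainer.CommitChanges()
Write-Log -CodeID '100001' -msg "Created ACL successfully for MicrosoftDNS container" -Status '200'
End-Logging $MyInvocation.MyCommand.Name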