
Setting Security permissions on an AD group

We saw how to create an AD security group here:

http://msmvps.com/blogs/richardsiddaway/archive/2011/06/28/creating-ad-security-groups.aspx


This is how we can give a user full control (GenericAll) of that group:

function set-groupsecurity {
[CmdletBinding()]
param (
 [string]$name,
 [string]$user = "jtest"
)
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()

## find the group by name; FindOne returns $null when nothing matches
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=group)(Name=$name))"
$result = $search.FindOne()
if (-not $result) { throw "Group '$name' not found" }

$object = $result.GetDirectoryEntry()

## psbase reaches the DirectoryEntry .NET member on every PowerShell version,
## including 2.0, where the ADSI adapter hides ObjectSecurity
$sec = $object.psbase.ObjectSecurity

## set the rights and control type
$act = [System.Security.AccessControl.AccessControlType]::Allow
$adrights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

## who does this apply to (DOMAIN\account, user or group)
$domname = ([ADSI]"").Name
$who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", $user

# apply rule and write the DACL back to the directory
$newrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $adrights, $act
$sec.AddAccessRule($newrule)
$object.psbase.CommitChanges()
}


We get a directory object for the group and then its ObjectSecurity, create a new rule allowing full control (GenericAll), assign it to user jtest (it could just as easily be a group) and apply the rule with CommitChanges.

Two things to watch. On PowerShell 2.0 the ADSI adapter hides the .NET members of a DirectoryEntry, so ObjectSecurity has to be reached as $object.psbase.ObjectSecurity; a missing psbase is a common cause of AddAccessRule not being found on $sec. The domain name is taken from the name attribute of the domain root, which normally matches the NetBIOS domain name that NTAccount expects; if the two differ, use the NetBIOS name (for example $env:USERDOMAIN).

From a security point of view GenericAll is a lot more than "can manage members": it includes WriteDacl and WriteOwner, so the grantee can add any account to the group, rewrite the group's ACL and take ownership of it. On a privileged group (Domain Admins, Account Operators, or any group that confers GPO or server admin rights) that is a direct privilege-escalation path. Grant the narrowest right the task needs, typically WriteProperty on the member attribute, and review who already holds GenericAll, WriteDacl or WriteOwner on sensitive groups.
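The following is an added example and not code from the original post. It uses the same System.DirectoryServices approach to do the two things the text asks for: list the ACEs on a group that would let a trustee take it over or change its membership, and grant a least-privilege alternative to GenericAll (GenericRead plus WriteProperty scoped to the member attribute). It assumes a domain-joined machine and a caller that holds WriteDacl on the target group; the group and trustee names are placeholders, and the function names are this example's own.

```powershell
# Added example (not from the original post). Assumes a domain-joined host and
# a caller holding WriteDacl on the target group. Names below are placeholders.

# schemaIDGUID of the 'member' attribute. A WriteProperty ACE scoped to this GUID
# allows membership changes only, not changes to the group's ACL or owner.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$GenericRead   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$WriteDacl     = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$WriteOwner    = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-GroupEntry {
    # Find a group by sAMAccountName and return its DirectoryEntry.
    param([Parameter(Mandatory=$true)][string]$Name)
    $root = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $search = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    # Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the filter.
    $escaped = $Name -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $search.Filter = "(&(objectClass=group)(sAMAccountName=$escaped))"
    $result = $search.FindOne()
    if (-not $result) { throw "Group '$Name' not found" }
    $result.GetDirectoryEntry()
}

function Get-GroupTakeoverAces {
    # Report Allow ACEs (explicit and inherited) that grant full control, ACL or
    # owner changes, or writes to 'member' (or to all properties) on the group.
    param([Parameter(Mandatory=$true)][string]$Name)
    $acl = (Get-GroupEntry -Name $Name).psbase.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $r = $rule.ActiveDirectoryRights
        $fullControl   = (($r -band $GenericAll) -eq $GenericAll)
        $canWriteDacl  = (([int]($r -band $WriteDacl)) -ne 0)
        $canWriteOwner = (([int]($r -band $WriteOwner)) -ne 0)
        # ObjectType Guid.Empty means the ACE applies to every property, member included.
        $touchesMember = ($rule.ObjectType -eq $MemberAttributeGuid -or $rule.ObjectType -eq [guid]::Empty)
        $canWriteMember = (([int]($r -band $WriteProperty)) -ne 0) -and $touchesMember
        if (-not ($fullControl -or $canWriteDacl -or $canWriteOwner -or $canWriteMember)) { continue }
        # Translate the SID where possible; orphaned SIDs are reported as-is.
        try { $trustee = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $rule.IdentityReference.Value }
        New-Object -TypeName PSObject -Property @{
            Group = $Name; Trustee = $trustee; Rights = $r.ToString()
            FullControl = $fullControl; WriteDacl = $canWriteDacl; WriteOwner = $canWriteOwner
            WriteMember = $canWriteMember; Inherited = $rule.IsInherited
        }
    }
}

function Grant-GroupMembershipWrite {
    # Least-privilege alternative to GenericAll: read the object plus write 'member'.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Trustee   # 'DOMAIN\account', a user or a group
    )
    $entry = Get-GroupEntry -Name $Name
    $acl = $entry.psbase.ObjectSecurity
    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Trustee
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $readRule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $GenericRead, $allow
    $memberRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $WriteProperty, $allow, $MemberAttributeGuid
    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($memberRule)
    $entry.psbase.CommitChanges()
    # Read the DACL back: the trustee should now show WriteMember but not FullControl.
    Get-GroupTakeoverAces -Name $Name | Where-Object { $_.Trustee -eq $Trustee }
}

# Usage (placeholder names):
# Get-GroupTakeoverAces -Name 'Domain Admins' | Format-Table Trustee, Rights, FullControl, WriteDacl, WriteOwner, WriteMember, Inherited -AutoSize
# Grant-GroupMembershipWrite -Name 'App-Operators' -Trustee 'CONTOSO\HelpDesk'
```

Run Get-GroupTakeoverAces against your sensitive groups first; anything other than the expected administrative principals showing FullControl, WriteDacl or WriteOwner deserves a look, and inherited entries point at a permissive parent OU rather than the group itself.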

2 Responses to Setting Security permissions on an AD group

  • Matt says:

    When I try to get this to work I get an error message “[System.Management.Automation.PSMethod] does not contain a method called AddAccessRule” thrown when getting to $sec.AddAccessRule($newrule).

    The available methods I show for $sec are listed:
    Copy
    Equals
    GetHashCode
    get_IsInstance
    get_MemberType
    get_Name
    get_OverloadDefinitions
    get_TypeNameOfValue
    get_Value
    Invoke
    set_Value
    ToString

    Thank you for posting this, I can’t seem to find it anywhere else! Any help you could offer would be greatly appreciated.

  • RichardSiddaway says:

    What version of PowerShell are you using, and what version of Active Directory?
