We saw how to create an AD security group here
http://msmvps.com/blogs/richardsiddaway/archive/2011/06/28/creating-ad-security-groups.aspx
This is how we can give a user full control of that group:
function set-groupsecurity {
    [CmdletBinding()]
    param (
        [string]$name
    )
    ## find the group by name via a DirectorySearcher rooted at the current domain
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root = $dom.GetDirectoryEntry()
    $search = [System.DirectoryServices.DirectorySearcher]$root
    $search.Filter = "(&(objectclass=group)(Name=$name))"
    $search.SizeLimit = 3000
    $result = $search.FindOne()
    $object = $result.GetDirectoryEntry()

    ## the group's security descriptor (DACL)
    $sec = $object.ObjectSecurity

    ## set the rights and control type
    $act = [System.Security.AccessControl.AccessControlType]::Allow
    $adrights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    ## who does this apply to
    $domname = ([ADSI]"").Name
    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", "jtest"

    # apply rule
    $newrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $adrights, $act
    $sec.AddAccessRule($newrule)
    $object.CommitChanges()
}
We get a directory object for the group and then read its ObjectSecurity. We create a new rule allowing full control (GenericAll), assign it to the user jtest (it could just as easily be a group), add it to the security descriptor and commit the change.
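Full control is a broad grant, so it is worth being able to read the result back. The function below is an added example, not part of the original post: it uses the same DirectorySearcher lookup to open the group, then lists every Allow rule that carries rights able to change the group's membership or its ACL (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty). The group name 'testgroup' and the use of .psbase to reach the underlying DirectoryEntry member are assumptions.

```powershell
function Get-GroupAclRisk {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][string]$Name
    )
    # Same lookup as the original post: find the group via a DirectorySearcher
    $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root   = $dom.GetDirectoryEntry()
    $search = [System.DirectoryServices.DirectorySearcher]$root
    $search.Filter = "(&(objectclass=group)(Name=$Name))"
    $result = $search.FindOne()
    if (-not $result) { throw "Group '$Name' not found" }
    $object = $result.GetDirectoryEntry()

    # .psbase reaches the .NET DirectoryEntry member directly, bypassing the ADSI adapter
    $sec = $object.psbase.ObjectSecurity

    # Rights that let the holder alter membership or the security descriptor itself
    $risky = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'

    # $true,$true = include explicit and inherited rules; resolve SIDs to DOMAIN\name
    foreach ($rule in $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.ActiveDirectoryRights -band $risky) -eq 0) { continue }
        [pscustomobject]@{
            Group      = $Name
            Identity   = $rule.IdentityReference.Value
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType   # all-zero GUID = whole object, not a single attribute
            Inherited  = $rule.IsInherited
        }
    }
}

# Assumed group name: list who can change membership or the ACL of the group created earlier
Get-GroupAclRisk -Name 'testgroup' | Format-Table -AutoSize
```

A WriteProperty entry whose ObjectType is a specific attribute GUID is narrower than one with the all-zero GUID; the jtest rule from the post shows up as GenericAll on the whole object.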
By: Matt on April 18, 2012 at 9:10 pm
When I try to get this to work I get an error message “[System.Management.Automation.PSMethod] does not contain a method called AddAccessRule” thrown when getting to $sec.AddAccessRule($newrule).
The available methods I show for $sec are listed:
Copy
Equals
GetHashCode
get_IsInstance
get_MemberType
get_Name
get_OverloadDefinitions
get_TypeNameOfValue
get_Value
Invoke
set_Value
ToString
Thank you for posting this, I can’t seem to find it anywhere else! Any help you could offer would be greatly appreciated.
By: RichardSiddaway on April 29, 2012 at 8:03 am
What version of PowerShell are you using, and what version of Active Directory?