How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission



Running the add-QADPermission PowerShell command

Step 1. To run the add-QADPermissions PowerShell command click on the PowerShell shortcut (that blue one in the taskbar if you are running 2008/R2).

image

Step 2. Run the command the following command to load the Quest PowerShell commands.

Add-PSSnapin Quest.ActiveRoles.ADManagement

image

Step 3. To test that the new PSSnapin is loaded type “add-qadper” and then press the “Tab” key to complete the command.

image

This should auto-complete the command to “Add-QADPermission”

image

REMEMBER: Every time you launch a new PowerShell window you are going to need to run “Add-PSSnapin Quest.ActiveRoles.ADManagement” to load to load the Quest PowerShell Snapin’s otherwise you will see a message like the image below.

image

Now that we have verified that the new Quest AD PowerShell commands lets take a look at the command that will replicate some of the common tasks in the “Delegation of Control Wizard”. In our example environment that we have an AD with three top level OU’s called “People” “Groups” and “Workstations” (see below). These OU only contain the same type of objects that match the name of the OU (e.g. “People” contains User AD Objects) but it is possible to delegate all the permissions to the same single OU if it contains objects of multiple types (e.g. user,computers and groups).

image

Delegating Create, delete and manage user accounts permissions using add-QADPermission

To delegate the same permission as the “Create, delete, and mange user accounts” (effectively Full Control) option in the “Delegation of Control Wizard” (see below) you need to delegate two permissions to the OU.

image

  1. Allow access to all the properties of the user objects
  2. Create / Delete permission of the user object

The first command will delegate Allow access to all the properties to the group called “User Admins” to all User objects in the OU with the distinguished name of “OU=People,DC=Contoso,DC=Local”.

Add-QADPermission “OU=People,DC=Contoso,DC=Local” –Account “CONTOSO\User Admins” -Rights GenericAll -ApplyTo ChildObjects -ApplyToType User

image

The second command will delegate Create / Delete permission for the User objects to the same OU for the same group.

Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Admins” -Rights CreateChild,DeleteChild -ApplyTo All -ChildType User

image

Now we can check the security on the People OU in Active Directory Users and Computer to verify the permission has been added correctly.

imageimage

Note: See how we have used the “-ApplyTo ChildObjects” parameter and the “ApplyTo All” to ensure that these permission will inherit to all objects in this OU and sub-OU’s.

If the OU that you want to give the same Full Control permission to a Computers or Groups AD Object type all you need to do is change the -ApplyToType and -ChildType parameter to “computer” or “group” (See examples below)

Example delegation Create, delete and manage (a.k.a. Full Control) Groups permissions using add-QADPermission

Add-QADPermission “OU=Workstations,DC=Contoso,DC=Local” –Account “CONTOSO\Workstations Admins” -Rights GenericAll -ApplyTo ChildObjects -ApplyToType Computer

Add-QADPermission “OU=Workstations,DC=Contoso,DC=Local” -Account “CONTOSO\Workstations Admins” -Rights CreateChild,DeleteChild -ApplyTo All -ChildType Computer

Example delegation Create, delete and manage (a.k.a. Full Control)  Computers permissions using add-QADPermission

Add-QADPermission “OU=Groups,DC=Contoso,DC=Local” –Account “CONTOSO\Groups Admins” -Rights GenericAll -ApplyTo ChildObjects -ApplyToType Group

Add-QADPermission “OU=Groups,DC=Contoso,DC=Local” -Account “CONTOSO\Groups Admins” -Rights CreateChild,DeleteChild -ApplyTo All -ChildType Group



Author: Alan Burchill

Microsoft MVP (Group Policy)

13 thoughts on “How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission

  1. How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission

    Is your organization sensational? Is that why you spell it organisational?

  2. Allan;

    When I try to use the Add-QADPermission commandlet (following your example above) in a test environment I get the following error:

    Add-QADPermission : The search filter is invalid.
    At C:\WindowsPowerShell\test-it.ps1:33 char:18
    + Add-QADPermission <<<< -Identity "OU=New-OU,dc=XXX,dc=XXX=dc=XX,dc=XX" -Account "-XXXX Delegation of Authority\Security Role Groups\Role-Adm-Account-Management" -Rights GenericAll -ApplyTo ChildObjects -ApplyToType Group
    + CategoryInfo : NotSpecified: (:) [Add-QADPermission], LdapException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.LdapException,Quest.ActiveRoles.ArsPowerShellSnapIn.Cmdlets.AddPermi
    ssionCmdlet

    I have tried both with and without the '-identity' parameter specified and with the input string as above and also in a variable.

    I haven't run into any similar problems running other commandlets from the snapin but this one has me stumped. Any suggestions as to what I've got wrong.

  3. Not sure if it is just how you typed it but… -Account “-XXXX Delegation of Authority\Security Role Groups\Role-Adm-Account-Management” appears to be wrong… there should not be more than one “\” in the group name…

  4. Okay, now I get.

    WARNING: Can’t lookup account for identity: ‘XXX.XXX.XX.XX\Role-Adm-Account-Management’
    WARNING: No valid accounts specified. Searching permissions for all accounts.
    WARNING: Can’t lookup object for identity: OU=New-OU,dc=XXX,dc=XXX=dc=XX,dc=XX

    I’m running my testing at (this point) as Domain Admin in the test environment so why can’t I look up the identity?

  5. Your post helped me a lot, but had some issues with delegating Reset Password Permission

    Here is what I found out
    The command: Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -ExtendedRight User-Change-Password -ApplyTo ChildObjects -ApplyToType User
    need to be changed to
    Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -ExtendedRight User-Force-Change-Password -ApplyTo ChildObjects -ApplyToType User

    User-Change-Password
    Permits changing password on user account.

    User-Force-Change-Password
    Permits reseting password on user account.

    Reference: http://technet.microsoft.com/en-us/library/ff405676.aspx

    If you use the delegation Wizard to delegate the Reset Password permission, you’ll find out the a get-qadpermission, returns RIGHTS: Reset Password, not Change Password

Leave a Reply