How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission



Delegating Reset user passwords and force password change at next logon using add-QADPermission

To delegate the same permission as the “Reset user passwords and force password change at next logon” option in the “Delegation of Control Wizard” (see below) you again need to delegate two permissions to the OU.

image[48]

  1. Allow Read/Write to the Password Last Set Attribute
  2. Allow access to the “User-Change-Password” Extended Right

In this example we are going to delegate Allow Read and Write permission to the Pwd-Last-Set Attribute to all User objects to the OU with the distinguished name of “OU=People,DC=Contoso,DC=Local” to the group called “User Operators”.

Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -Rights ReadProperty,WriteProperty -Property (‘PwdLastSet’) -ApplyTo ChildObjects -ApplyToType User

image

Now we are going to delegate permissions to the Extended Right User-Change-Password for the User objects to the same OU for the same group.

Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -ExtendedRight User-Change-Password -ApplyTo ChildObjects -ApplyToType User

image

Again check the security on the People OU in Active Directory Users and Computer to verify the permission has been added correctly.

imageimage

Delegating Modify the membership of a group using add-QADPermission

To delegate the same permission as the “Modify the membership of a group” option in the “Delegation of Control Wizard” (see below) you only need to apply one command to delegate the appropriate permissions.

image

  1. Allow access to the Read/Write Members property on the Group

In this example we are going to delegate Change group membership permissions on all the Group objects to the OU with the distinguished name of “OU=Groups,DC=Contoso,DC=Local” to the group called “Group Operators”

Add-QADPermission “OU=Groups,DC=Contoso,DC=Local” -Account “CONTOSO\Group Operators” -Rights ReadProperty,WriteProperty -Property (‘member’) -ApplyTo ChildObjects -ApplyToType Group

image

As always check the security on the People OU in Active Directory Users and Computer to verify the permission has been added correctly.

image

Summary

When used with the other out of the box AD PowerShell commands you should now be able to fully automate the creation AND delegation of permissions to a new OU structure for your environment.

References Sites

Below are some useful links to pages that show you how to use PowerShell when working with Active Directory.

Other AD Security Related Pages

Author: Alan Burchill

Microsoft MVP (Group Policy)

13 thoughts on “How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission

  1. How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission

    Is your organization sensational? Is that why you spell it organisational?

  2. Allan;

    When I try to use the Add-QADPermission commandlet (following your example above) in a test environment I get the following error:

    Add-QADPermission : The search filter is invalid.
    At C:\WindowsPowerShell\test-it.ps1:33 char:18
    + Add-QADPermission <<<< -Identity "OU=New-OU,dc=XXX,dc=XXX=dc=XX,dc=XX" -Account "-XXXX Delegation of Authority\Security Role Groups\Role-Adm-Account-Management" -Rights GenericAll -ApplyTo ChildObjects -ApplyToType Group
    + CategoryInfo : NotSpecified: (:) [Add-QADPermission], LdapException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.LdapException,Quest.ActiveRoles.ArsPowerShellSnapIn.Cmdlets.AddPermi
    ssionCmdlet

    I have tried both with and without the '-identity' parameter specified and with the input string as above and also in a variable.

    I haven't run into any similar problems running other commandlets from the snapin but this one has me stumped. Any suggestions as to what I've got wrong.

  3. Not sure if it is just how you typed it but… -Account “-XXXX Delegation of Authority\Security Role Groups\Role-Adm-Account-Management” appears to be wrong… there should not be more than one “\” in the group name…

  4. Okay, now I get.

    WARNING: Can’t lookup account for identity: ‘XXX.XXX.XX.XX\Role-Adm-Account-Management’
    WARNING: No valid accounts specified. Searching permissions for all accounts.
    WARNING: Can’t lookup object for identity: OU=New-OU,dc=XXX,dc=XXX=dc=XX,dc=XX

    I’m running my testing at (this point) as Domain Admin in the test environment so why can’t I look up the identity?

  5. Your post helped me a lot, but had some issues with delegating Reset Password Permission

    Here is what I found out
    The command: Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -ExtendedRight User-Change-Password -ApplyTo ChildObjects -ApplyToType User
    need to be changed to
    Add-QADPermission “OU=People,DC=Contoso,DC=Local” -Account “CONTOSO\User Operators” -ExtendedRight User-Force-Change-Password -ApplyTo ChildObjects -ApplyToType User

    User-Change-Password
    Permits changing password on user account.

    User-Force-Change-Password
    Permits reseting password on user account.

    Reference: http://technet.microsoft.com/en-us/library/ff405676.aspx

    If you use the delegation Wizard to delegate the Reset Password permission, you’ll find out the a get-qadpermission, returns RIGHTS: Reset Password, not Change Password

Leave a Reply