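<#
.SYNOPSIS
    Delegates group management on a set of OUs to the AD groups listed in a CSV file.

.DESCRIPTION
    Reads C:\Tools\OU-Group-Permissions.csv (';'-delimited, columns OUPrefix and Group).
    For every row it resolves the OU "<OUPrefix>,<domain DN>" and the SID of <Group>,
    then adds three Allow ACEs to the OU's security descriptor:
      - CreateChild of objectClass 'group' on the OU and everything below it
      - ReadProperty on descendant 'group' objects (all attributes)
      - WriteProperty on descendant 'group' objects (all attributes)
    A row whose OU or group cannot be resolved is reported and skipped; the remaining
    rows are still processed. -WhatIf / -Confirm are forwarded to Set-Acl, so the
    script can be dry-run before it changes any ACL.

.NOTES
    WriteProperty without a property GUID covers every writable attribute of the
    group objects below the OU, which includes group membership. Review the CSV
    with least privilege in mind before running; every ACL write is echoed to the
    console so the run can be audited.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Set-StrictMode -Version Latest
# Make AD cmdlet failures terminating so the per-row try/catch below sees them.
$ErrorActionPreference = 'Stop'

Clear-Host

# Remember the caller's working directory; it is restored in the finally block
# whether the script succeeds or aborts.
$originalLocation = Get-Location
try {
    Set-Location -Path 'C:\Tools'
    Import-Module ActiveDirectory

    $Fichier = 'OU-Group-Permissions.csv'
    if (-not (Test-Path -LiteralPath $Fichier -PathType Leaf)) {
        throw "Input file '$Fichier' not found in '$(Get-Location)'."
    }
    # @() so a single-row CSV still has a .Count.
    $List = @(Import-Csv -Path $Fichier -Delimiter ';')
    if ($List.Count -eq 0) {
        Write-Warning "'$Fichier' contains no rows; nothing to do."
        return
    }

    $rootdse = Get-ADRootDSE
    $domain  = Get-ADDomain

    # Map lDAPDisplayName -> schemaIDGUID. Only the GUID of the 'group' class is
    # needed to scope the three ACEs; no extended rights are granted, so the
    # controlAccessRight map the original built is not required.
    $guidmap = @{ }
    Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

    $groupClassGuid = $guidmap['group']
    if (-not $groupClassGuid) {
        throw "schemaIDGUID for objectClass 'group' not found under '$($rootdse.SchemaNamingContext)'."
    }

    $rowNumber = 0
    $failedRows = 0
    foreach ($row in $List) {
        $rowNumber++
        try {
            $ouPrefix = $row.OUPrefix
            $Group    = $row.Group
            if ([string]::IsNullOrWhiteSpace($ouPrefix) -or [string]::IsNullOrWhiteSpace($Group)) {
                throw 'OUPrefix or Group column is empty.'
            }

            $ouPath  = "$ouPrefix,$($domain.DistinguishedName)"
            $ou      = Get-ADOrganizationalUnit -Identity $ouPath
            $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID

            # Same provider path for Get-Acl and Set-Acl (the original mixed "AD:" and "AD:\").
            $aclPath = "AD:\$($ou.DistinguishedName)"
            $acl = Get-Acl -Path $aclPath

            # (identity, rights, type, objectType, inheritance): create 'group' objects here and below.
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                $adGroup, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
                [System.Security.AccessControl.AccessControlType]::Allow, $groupClassGuid,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
            # (identity, rights, type, inheritance, inheritedObjectType): all attributes of descendant groups.
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                $adGroup, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $groupClassGuid))
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                $adGroup, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $groupClassGuid))

            Write-Host "Configuring Group Permissions on '$ouPath' for group '$Group'"
            # Honors -WhatIf/-Confirm passed to the script.
            Set-Acl -AclObject $acl -Path $aclPath
        }
        catch {
            $failedRows++
            Write-Error -ErrorAction Continue "Row $rowNumber of '$Fichier' skipped: $($_.Exception.Message)"
        }
    }

    if ($failedRows -gt 0) {
        Write-Warning "$failedRows of $($List.Count) row(s) were not applied; see errors above."
    }
}
finally {
    Set-Location -Path $originalLocation
}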