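<#
.SYNOPSIS
    Delegates user-account administration on a set of OUs to AD groups.

.DESCRIPTION
    Reads OU-User-Permissions.csv (semicolon-delimited, columns OUPrefix and Group)
    from C:\Tools and, for each row, adds Allow rules to the OU whose DN is
    "<OUPrefix>,<domain DN>" granting the named group:
      - CreateChild for user objects, inherited through the whole subtree;
      - ReadProperty / WriteProperty on all properties of descendant user objects;
      - the "Reset Password" extended right on descendant user objects;
      - ReadProperty / WriteProperty on lockoutTime and pwdLastSet of descendant users.
    Rules are only added (AddAccessRule); existing ACEs on the OU are left in place.

.NOTES
    Requires the ActiveDirectory module and an account allowed to modify the
    OUs' security descriptors. Schema and extended-right GUIDs are resolved from
    the directory at run time. A failed lookup aborts the run: a $null GUID
    handed to ActiveDirectoryAccessRule becomes Guid.Empty, which would widen a
    rule to every object type or every extended right instead of the one intended.
    The working directory is restored when the script ends, even on error.
#>

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

Clear-Host

#######################################
# Return a GUID from a lookup table, throwing when the key is absent or null.
# Arguments: -Map  hashtable (name -> GUID) built from the directory
#            -Key  entry to look up
#            -Kind human-readable label used in the error message
# Returns:   [System.Guid]
#######################################
function Get-RequiredGuid {
    param(
        [Parameter(Mandatory)] [hashtable] $Map,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Kind
    )
    if (-not $Map.ContainsKey($Key) -or $null -eq $Map[$Key]) {
        throw "Unable to resolve $Kind '$Key' from the directory; refusing to build an unscoped access rule."
    }
    return [System.Guid] $Map[$Key]
}

#######################################
# Append one Allow ACE to an OU's ACL (in memory; caller persists with Set-ACL).
# Arguments: -Acl                 ActiveDirectorySecurity returned by Get-ACL on an AD: path
#            -Identity            SID of the trustee
#            -Rights              ActiveDirectoryRights value(s)
#            -ObjectType          class/attribute/extended-right GUID the right applies to;
#                                 Guid.Empty (default) = not restricted
#            -Inheritance         ActiveDirectorySecurityInheritance, default Descendents
#            -InheritedObjectType class GUID of the descendants the ACE is inherited by;
#                                 Guid.Empty (default) = all descendants
#######################################
function Add-AllowRule {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Identity,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [System.Guid] $ObjectType = [System.Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'Descendents',
        [System.Guid] $InheritedObjectType = [System.Guid]::Empty
    )
    # The 6-argument constructor covers both forms the original rules used:
    # (objectType, inheritance) and (inheritance, inheritedObjectType).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        $Inheritance,
        $InheritedObjectType
    )
    $Acl.AddAccessRule($rule)
}

$location = Get-Location
try {
    Set-Location C:\Tools

    Import-Module ActiveDirectory

    $Fichier = "OU-User-Permissions.csv"
    # @() so an empty file yields a zero-row array rather than $null.
    $List = @(Import-Csv -Path $Fichier -Delimiter ";")

    $rootdse = Get-ADRootDSE
    $domain  = Get-ADDomain

    # lDAPDisplayName -> schemaIDGUID for every schema class and attribute.
    $guidmap = @{ }
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

    # displayName -> rightsGuid for every extended right (controlAccessRight).
    $extendedrightsmap = @{ }
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName, rightsGuid |
        ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

    # Resolve every GUID once, up front, so a missing entry aborts before any ACL is modified.
    $userClass   = Get-RequiredGuid -Map $guidmap -Key 'user' -Kind 'schema class'
    $lockoutTime = Get-RequiredGuid -Map $guidmap -Key 'lockoutTime' -Kind 'schema attribute'
    $pwdLastSet  = Get-RequiredGuid -Map $guidmap -Key 'pwdLastSet' -Kind 'schema attribute'
    $resetPwd    = Get-RequiredGuid -Map $extendedrightsmap -Key 'Reset Password' -Kind 'extended right'

    $failed = 0
    foreach ($row in $List) {
        $ouPrefix = $row.OUPrefix
        $Group    = $row.Group
        $ouPath   = "$ouPrefix,$($domain.DistinguishedName)"

        # One bad row (unknown OU or group) is reported and skipped; the others still run.
        try {
            $ou = Get-ADOrganizationalUnit -Identity $ouPath
            $adGroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Identity $Group).SID

            $acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"

            # Create user objects anywhere under the OU (inheritance: All).
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights CreateChild -ObjectType $userClass -Inheritance All
            # Read/write every property of descendant user objects (ObjectType left empty).
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights ReadProperty  -InheritedObjectType $userClass
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights WriteProperty -InheritedObjectType $userClass
            # "Reset Password" extended right on descendant user objects.
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights ExtendedRight -ObjectType $resetPwd -InheritedObjectType $userClass
            # lockoutTime / pwdLastSet on descendant users. These are already covered by the
            # all-property rules above; they are kept so the resulting ACEs match the original script.
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights ReadProperty  -ObjectType $lockoutTime -InheritedObjectType $userClass
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights WriteProperty -ObjectType $lockoutTime -InheritedObjectType $userClass
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights ReadProperty  -ObjectType $pwdLastSet -InheritedObjectType $userClass
            Add-AllowRule -Acl $acl -Identity $adGroup -Rights WriteProperty -ObjectType $pwdLastSet -InheritedObjectType $userClass

            Write-Host "Configuring User Permissions on '$ouPath' for group '$Group'"
            Set-ACL -ACLObject $acl -Path ("AD:\" + ($ou.DistinguishedName))
        }
        catch {
            $failed++
            Write-Warning "Skipping OU '$ouPath' / group '$Group': $($_.Exception.Message)"
        }
    }

    # Surface partial failure as a non-zero exit for whoever schedules this script.
    if ($failed -gt 0) {
        throw "$failed of $($List.Count) rows failed; see warnings above."
    }
}
finally {
    # $location was captured but never restored in the original script.
    Set-Location $location
}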