This script sets the security rights on an organizational unit to delegate the Reset Password permission to a specific group.
In this script I will use the following information:
– Authorize the group “Helpdesk_grp” to reset passwords
– The user accounts whose passwords may be reset are located in the OU “ou=users,dc=domain,dc=local”
Script
#Variables
$domain = "domain"
$forest = "local"
$dc = "dc01"
$grp = "Helpdesk_grp"
$ou_to_delegate_control = "ou=users,dc=domain,dc=local"
$domain_fqdn = $domain + "." + $forest
$domain_dn = (( $domain_fqdn.split(".") ) | % { "DC=" + $_ }) -join ","
$dc_fqdn = $dc + "." + $domain_fqdn

#Load the ActiveDirectory module (provides the AD cmdlets and the ActiveDirectory PSProvider)
Import-Module ActiveDirectory

#Mount a PSDrive named after the domain, rooted at the RootDSE of the chosen DC
New-PSDrive -Name $domain -PSProvider ActiveDirectory -Root "//RootDSE/" -Server $dc_fqdn

#Get the OU ACL (the provider path is "<drive>:\<OU distinguished name>")
$acl = Get-ACL -Path ($domain + ":\" + $ou_to_delegate_control)

#Get the group SID
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Server $dc_fqdn -Identity $grp).SID

#Add an ACE allowing the "Reset Password" extended right (GUID 00299570-...) on all descendant objects of the "user" class (GUID bf967aba-...)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $s, "ExtendedRight", "Allow", ([GUID]"00299570-246d-11d0-a768-00aa006e0529"), "Descendents", ([GUID]"bf967aba-0de6-11d0-a285-00aa003049e2")))

#Write the updated ACL back to the OU
Set-ACL -Path ($domain + ":\" + $ou_to_delegate_control) -AclObject $acl
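After running the script, it is worth confirming that exactly the intended ACE landed on the OU, and nothing broader. The following verification function is an added example, not code from the original post: it reads the OU ACL back and checks for one Allow ACE carrying the Reset Password extended right, inherited to descendant "user" objects, held by the group's SID. It assumes the same OU DN and group name as the script and uses the default "AD:" drive that the ActiveDirectory module creates.

```powershell
# Added verification example (not part of the original post). Assumed values:
# the OU DN and group name below are the ones used in the post; adjust for your domain.
Import-Module ActiveDirectory

$ou_dn  = "ou=users,dc=domain,dc=local"   # assumed OU, as in the post
$group  = "Helpdesk_grp"                   # assumed group, as in the post

# Well-known GUIDs used by the delegation script
$resetPasswordRight = [guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$userClass          = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # "user" schema class

function Test-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Compare on SID rather than on the "DOMAIN\name" string so a group rename does not break the check.
    $expectedSid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $resetPasswordRight -and
        $_.InheritanceType -eq 'Descendents' -and
        $_.InheritedObjectType -eq $userClass -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $expectedSid
    })

    # Also surface every other principal holding Reset Password here, so unexpected
    # delegations (or an ACE applied to all classes instead of "user") are visible.
    $others = @($acl.Access | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq [guid]::Empty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -ne $expectedSid
    })
    foreach ($ace in $others) {
        Write-Warning ("Reset Password also granted to {0} (inherited: {1}, applies to class GUID {2})" -f `
            $ace.IdentityReference.Value, $ace.IsInherited, $ace.InheritedObjectType)
    }

    # True only when exactly one ACE matches the intended delegation
    return ($hits.Count -eq 1)
}

if (Test-ResetPasswordDelegation -OuDistinguishedName $ou_dn -GroupName $group) {
    "Delegation for $group on $ou_dn is present as intended."
} else {
    "Delegation for $group on $ou_dn is missing or duplicated; review the OU ACL."
}
```

An ACE whose ObjectType is the empty GUID grants every extended right (this is what a Full Control entry looks like), which is why the warning branch treats it as a Reset Password grant too.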
References
Using Scripts to Manage Active Directory Security
Using Scripts to Delegate Control of Active Directory
How to create a hashtable to store the GUID value of each schema class and attribute
$rootdse = Get-ADRootDSE
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
$guidmap
How to create a hashtable to store the GUID value of each extended right in the forest
$rootdse = Get-ADRootDSE
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }
$extendedrightsmap
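The two hashtables above map names to GUIDs. Read the other way round they also make an OU's ACL readable: every ExtendedRight ACE carries a rights GUID and a class GUID, which mean little until they are resolved. The following audit script is an added example, not code from the original post or from the referenced Microsoft articles: it builds the reverse lookups (GUID to name) from the same two LDAP queries, then lists each explicit extended-right delegation on an OU with the right and object class spelled out. The OU DN is an assumed value; the default "AD:" drive from the ActiveDirectory module is used.

```powershell
# Added audit example (not part of the original post). Assumed value: the OU DN below.
Import-Module ActiveDirectory

$ou_dn = "ou=users,dc=domain,dc=local"   # assumed OU, as in the post

# Reverse lookups: GUID string -> name, built from the same queries as the references above.
$rootdse = Get-ADRootDSE
$schemaByGuid = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $schemaByGuid[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

$rightByGuid = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $rightByGuid[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-GuidName {
    param([hashtable]$Map, [guid]$Guid, [string]$EmptyMeaning)
    # The empty GUID in an ACE means "all" (all extended rights / all object classes).
    if ($Guid -eq [guid]::Empty) { return $EmptyMeaning }
    $key = $Guid.ToString()
    if ($Map.ContainsKey($key)) { return $Map[$key] }
    return $key   # unknown GUID: show it raw rather than hide it
}

function Get-ExtendedRightDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        # Only explicit (non-inherited) ACEs are delegations configured on this OU itself.
        if ($ace.IsInherited) { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Access      = $ace.AccessControlType
            Right       = Resolve-GuidName -Map $rightByGuid  -Guid $ace.ObjectType          -EmptyMeaning 'All extended rights'
            AppliesTo   = Resolve-GuidName -Map $schemaByGuid -Guid $ace.InheritedObjectType -EmptyMeaning 'all object classes'
            Inheritance = $ace.InheritanceType
        }
    }
}

# Example run: after the delegation script, one row should read
# Helpdesk_grp / Allow / Reset Password / user / Descendents.
Get-ExtendedRightDelegation -OuDistinguishedName $ou_dn | Format-Table -AutoSize
```

Using names from these maps instead of hard-coded GUIDs also works in the delegation script itself: `$extendedrightsmap["Reset Password"]` and `$guidmap["user"]` return the same two GUIDs the script passes to the ActiveDirectoryAccessRule constructor, as long as the maps are built against the forest the OU lives in.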
Delegate the Reset password permission on OU