This script sets the required security rights on an organizational unit to delegate the Unlock user account permission to a specific group.
In this script I will use the following information:
– Authorize the group “Helpdesk_grp” to unlock user accounts
– The user accounts to unlock are located in the OU “ou=users,dc=domain,dc=local”

Script

#Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

#Variables
$domain = "domain"
$forest = "local"
$dc = "dc01"
$grp = "Helpdesk_grp"
$ou_to_delegate_control = "ou=users,dc=domain,dc=local"
$domain_fqdn = $domain + "." + $forest
$domain_dn = (( $domain_fqdn.split(".") ) | ForEach-Object { "DC=" + $_ }) -join ","
$dc_fqdn = $dc + "." + $domain_fqdn

#Mount PSDrive on the domain
New-PSDrive -Name $domain -PSProvider ActiveDirectory -Root "//RootDSE/" -Server $dc_fqdn

#Get OU ACL (the path is built as a single quoted string: <drive>:\<OU DN>)
$acl = Get-ACL "${domain}:\$ou_to_delegate_control"

#Get Group SID
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup -Server $dc_fqdn $grp).SID

#Add ACL rule for the right "Unlock user account":
#read/write on the lockoutTime attribute (28630ebf-...), inherited by descendant user objects only (bf967aba-...)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $s,"ReadProperty, WriteProperty","Allow",([GUID]("28630ebf-41d5-11d1-a9c1-0000f80367c1")).guid,"Descendents",([GUID]("bf967aba-0de6-11d0-a285-00aa003049e2")).guid))

#Apply the ACL rule above
Set-ACL "${domain}:\$ou_to_delegate_control" $acl

References
Lockout-Time attribute (Windows) – MSDN

Using Scripts to Delegate Control of Active Directory

How to create a hashtable to store the GUID value of each schema class and attribute

$rootdse = Get-ADRootDSE
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
$guidmap

How to create a hashtable to store the GUID value of each extended right in the forest

$rootdse = Get-ADRootDSE
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
$extendedrightsmap
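
The following audit is an added example, not part of the original script or of the referenced articles: it lists every Allow ACE on the OU that permits writing lockoutTime, using inverted copies of the two GUID hashtables above to print readable names. It assumes the default AD: drive created by the ActiveDirectory module and the OU used in the script; ACEs that grant the write through a property set are not expanded.

```powershell
Import-Module ActiveDirectory

# Assumption: same OU as in the delegation script
$ou = "ou=users,dc=domain,dc=local"
# lockoutTime attribute GUID, as used in the delegation script
$lockoutTime = [System.Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"

# Build a GUID -> name lookup (the inverse of $guidmap and $extendedrightsmap)
$rootdse = Get-ADRootDSE
$names = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" `
    -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $names[([System.Guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" `
    -Properties displayName,rightsGuid |
    ForEach-Object {
        $g = ([System.Guid]$_.rightsGuid).ToString()
        # Some rights share a GUID with a schema attribute; keep the schema name
        if (-not $names.ContainsKey($g)) { $names[$g] = $_.displayName }
    }

# Turn an ACE GUID into a readable name; the empty GUID means "not restricted"
$resolve = {
    param($g)
    if ($g -eq [System.Guid]::Empty) { "(all)" }
    elseif ($names.ContainsKey("$g")) { $names["$g"] }
    else { "$g" }
}

$writeBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Keep Allow ACEs whose rights include WriteProperty (GenericWrite and GenericAll
# contain that bit) and whose target is lockoutTime or every attribute
(Get-Acl "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq "Allow" -and
        ($_.ActiveDirectoryRights -band $writeBit) -and
        ($_.ObjectType -eq $lockoutTime -or $_.ObjectType -eq [System.Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{Name = "Attribute"; Expression = { & $resolve $_.ObjectType }},
        @{Name = "AppliesTo"; Expression = { & $resolve $_.InheritedObjectType }},
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

After running the delegation script, the helpdesk group should appear with Attribute lockoutTime and AppliesTo user; any other unexpected identity in the output can also unlock accounts under this OU.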