Setting Security permissions on an AD group

We saw how to create an AD security group here

http://msmvps.com/blogs/richardsiddaway/archive/2011/06/28/creating-ad-security-groups.aspx

 

This is how we can give a user full control of that group

function set-groupsecurity {            
[CmdletBinding()]            
param (            
 [string]$name            
)            
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()            
$root = $dom.GetDirectoryEntry()            
            
$search = [System.DirectoryServices.DirectorySearcher]$root            
$search.Filter = "(&(objectclass=group)(Name=$name))"            
$search.SizeLimit = 3000            
$result = $search.FindOne()            
            
$object = $result.GetDirectoryEntry()            
            
$sec = $object.ObjectSecurity            
            
## set the rights and control type            
$act = [System.Security.AccessControl.AccessControlType]::Allow            
$adrights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll            
            
## who does this apply to            
$domname = ([ADSI]"").Name            
$who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", "jtest"            
            
# apply rule            
$newrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $adrights, $act            
$sec.AddAccessRule($newrule)            
$object.CommitChanges()            
}

We get a directory object for the group and then get the ObjectSecurity. Create a new rule to allow full control. Assign it to user jtest (could just as easily be a group) and apply the rule

Published Wed, Jun 29 2011 20:41 by RichardSiddaway
Filed under: ,

Comments

# re: Setting Security permissions on an AD group

When I try to get this to work I get an error message "[System.Management.Automation.PSMethod] does not contain a method called AddAccessRule" thrown when getting to $sec.AddAccessRule($newrule).

The available methods I show for $sec are listed:

Copy

Equals

GetHashCode

get_IsInstance

get_MemberType

get_Name

get_OverloadDefinitions

get_TypeNameOfValue

get_Value

Invoke

set_Value

ToString

Thank you for posting this, I can't seem to find it anywhere else! Any help you could offer would be greatly appreciated.

Wednesday, April 18, 2012 9:10 PM by Matt

# re: Setting Security permissions on an AD group

what version of Powershell are you using and what version of Active Directory

Sunday, April 29, 2012 8:03 AM by RichardSiddaway

Leave a Comment

(required) 
(required) 
(optional)
(required) 
If you can't read this number refresh your screen
Enter the numbers above: