Powershell: How do you set AD permissions for read and write permissions?

Question

Powershell: How do you set AD permissions for read and write permissions?

In Powershell, how do you set user permissions for a username to read / write a username?

Usually during my build process, I use ADSIedit to navigate to this object, and then look at all the security tabs to go to check the box next to:

Read Service Principal Name
Enter the name of the primary user of the service

But moving around ADSIedit can take a lot of time, so I'm trying to execute a script process. If I have a PowerShell LDAP binding with a new user, how can I use PowerShell to set both of these properties for this account?

Below is a hacked code snippet of possible ulocal parts of my script installation:

$strDomain = "dc=my,dc=com"
$objDomain = [ADSI] "LDAP://" + strDomain 
$strSCCMSQLPW = Read-Host -assecurestring "Please enter a password for the " + $strSCCMSQL + " account: "
New-ADUser -SamAccountName $strSCCMSQL + -Name $strSCCMSQL -AccountPassword $strSCCMSQLPW -Enabled $true -Path $strUsersOU + "," + $strDomain -PasswordNeverExpires $true

+3

powershell active-directory

thepip3r 11 . '10 16:35

3

Quest .

-, Quest:

Add-PSSnapin Quest.ActiveRoles.ADManagement;

( Add-QADPermission):

Get-QADUser UserName | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'servicePrincipalName' -ApplyTo 'ThisObjectOnly';

+1

Kevin Verhoeven 29 . '12 23:31

AD AD.. AD PowerShell.

, AD AD.

Add-QADPermission, .

0

Harvey Kwok 28 . '11 6:15

CosmosKey · Accepted Answer · 2011-06-09T10:04:26+0000

ActiveDirectoryAccessRule ACL . , , schemaIDGUID . schemaIDGUID --. --, ldapDisplay, , , . :

Function Set-SpnPermission {
    param(
        [adsi]$TargetObject,
        [Security.Principal.IdentityReference]$Identity,
        [switch]$Write,
        [switch]$Read
    )
    if(!$write -and !$read){
        throw "Missing either -read or -write"
    }
    $rootDSE = [adsi]"LDAP://RootDSE"
    $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
    $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
    $spnEntry = [adsi]$spnDN
    $guidArg=@("")
    $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
    $spnSecGuid = new-object GUID $guidArg

    if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
    if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
    if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
    $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
    $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
    $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
    $TargetObject.psbase.CommitChanges()    
    return $spnAce
}

...

$TargetObject = "LDAP://CN=User,OU=My User Org,DC=domain,DC=net"
$Identity = [security.principal.ntaccount]"domain\user"

Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read

Powershell: How do you set AD permissions for read and write permissions?

More articles: