PowerShell Script to set permissions in Active Directory for OSD

During the MVA Windows 8.1 Deployment Jump Start session, I demonstrated a PowerShell that Mikael Nystrom and I put together for an upcoming book. You find the script below. The Script sets correct permissions in AD for a Domain Join Account to work in OSD. The scripts sets the following permissions:

Scope: This object and all child objects is selected
– Create Computer objects
– Delete Computer objects

Scope: Computer objects
– Read All Properties
– Write All Properties
– Read Permissions
– Modify Permissions
– Change Password
– Reset Password
– Validated write to DNS host name
– Validated write to service principal name

The syntax to run it is: Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"

.\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"

Account is the account in Active Directory for which you want to assign permissions, TargetOU is for which Organizational Unit.

You don't need to specify the domain, the script automatically finds your domain.

Created:	 2013-01-08
Version:	 1.0
Author       Mikael Nystrom and Johan Arwidmark       
Homepage:    http://www.deploymentfundamentals.com

This script is provided "AS IS" with no warranties, confers no rights and 
is not supported by the authors or DeploymentArtist.

Author - Mikael Nystrom
    Twitter: @mikael_nystrom
    Blog   : http://deploymentbunny.com

Author - Johan Arwidmark
    Twitter: @jarwidmark
    Blog   : https://deploymentresearch.com

[parameter(mandatory=$true,HelpMessage="Please, provide the account name.")][ValidateNotNullOrEmpty()]$Account,
[parameter(mandatory=$true,HelpMessage="Please, provide the target OU.")][ValidateNotNullOrEmpty()]$TargetOU

# Start logging to screen
Write-host (get-date -Format u)" - Starting"

# This i what we typed in
Write-host "Account to search for is" $Account
Write-Host "OU to search for is" $TargetOU

if ($TargetOU -like '*dc=*')
    Write-Warning "Oupps, only specify the OU path. We get the domain for you..."

$CurrentDomain = Get-ADDomain

$OrganizationalUnitDN = $TargetOU+","+$CurrentDomain
$SearchAccount = Get-ADUser $Account

$SAM = $SearchAccount.SamAccountName
$UserAccount = $CurrentDomain.NetBIOSName+"\"+$SAM

Write-Host "Account is = $UserAccount"
Write-host "OU is =" $OrganizationalUnitDN

dsacls.exe $OrganizationalUnitDN /G $UserAccount":CCDC;Computer" /I:T | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":LC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WD;;Computer" /I:S  | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;;Computer" /I:S  | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Reset Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Change Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to service principal name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to DNS host name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN

/ Johan

About the author

Johan Arwidmark

5 1 vote
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
10 years ago

I don't get a domain name back for my user account, it just displays "CM_JD"?

And I don't understand how $UserDomain gets set in the line $UserAccount = $UserDomain+""+$SAM ?

10 years ago

Typo corrected, thanks

/ Johan

Jiff Lemon
Jiff Lemon
10 years ago

Hallelujah! This has been long overdue!
I'll be able to delete my favourites link to Mikes blogpost on this now!

10 years ago

Thanks for the script, sure comes in Handy.
Just a typo correction to prevent confusion:
"[parameter(mandatory=$true,HelpMessage="Please, provide the >>>>>Password<<<<< to be used.")][ValidateNotNullOrEmpty()]$TargetOU"
should be OU, i guess 🙂

10 years ago

Thanks Johan!
Setting those permissions always bored me. Now I have this! 🙂