During the MVA Windows 8.1 Deployment Jump Start session, I demonstrated a PowerShell script that Mikael Nystrom and I put together for an upcoming book. You can find the script below. It sets the permissions in Active Directory that a Domain Join Account needs to work in OSD. The script sets the following permissions:
Scope: This object and all child objects
– Create Computer objects
– Delete Computer objects
Scope: Computer objects
– Read All Properties
– Write All Properties
– Read Permissions
– Modify Permissions
– Change Password
– Reset Password
– Validated write to DNS host name
– Validated write to service principal name
The syntax to run it is:
.\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"
Account is the Active Directory account to which you want to assign the permissions, and TargetOU is the Organizational Unit on which to assign them.
You don't need to specify the domain; the script finds your domain automatically.
<#
Created: 2013-01-08
Version: 1.0
Author Mikael Nystrom and Johan Arwidmark
Homepage: http://www.deploymentfundamentals.com
Disclaimer:
This script is provided "AS IS" with no warranties, confers no rights and
is not supported by the authors or DeploymentArtist.
Author - Mikael Nystrom
Twitter: @mikael_nystrom
Blog : http://deploymentbunny.com
Author - Johan Arwidmark
Twitter: @jarwidmark
Blog : https://deploymentresearch.com
#>
Param
(
[parameter(mandatory=$true,HelpMessage="Please, provide the account name.")][ValidateNotNullOrEmpty()]$Account,
[parameter(mandatory=$true,HelpMessage="Please, provide the target OU.")][ValidateNotNullOrEmpty()]$TargetOU
)
# Get-ADDomain and Get-ADUser come from the RSAT ActiveDirectory module
Import-Module ActiveDirectory
# Start logging to screen
Write-Host "$(Get-Date -Format u) - Starting"
# This is what we typed in
Write-Host "Account to search for is" $Account
Write-Host "OU to search for is" $TargetOU
# The OU is given relative to the domain; the domain DN is appended below
if ($TargetOU -like '*dc=*')
{
Write-Warning "Oops, only specify the OU path. We get the domain for you..."
return
}
$CurrentDomain = Get-ADDomain
$OrganizationalUnitDN = $TargetOU + "," + $CurrentDomain.DistinguishedName
$SearchAccount = Get-ADUser $Account
$SAM = $SearchAccount.SamAccountName
# dsacls expects the trustee as DOMAIN\SamAccountName
$UserAccount = $CurrentDomain.NetBIOSName + "\" + $SAM
Write-Host "Account is = $UserAccount"
Write-Host "OU is =" $OrganizationalUnitDN
# Scope "This object and all child objects" (/I:T): create and delete Computer objects
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:CCDC;Computer" /I:T | Out-Null
# Scope "Computer objects" (/I:S, sub-objects only): list contents, read and modify
# permissions, read and write all properties
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:LC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:RC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:WD;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:WP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:RP;;Computer" /I:S | Out-Null
# Control access rights (CA): reset and change the computer account password
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:CA;Reset Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:CA;Change Password;Computer" /I:S | Out-Null
# Validated writes (WS): the computer's DNS host name and service principal name
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:WS;Validated write to service principal name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G "${UserAccount}:WS;Validated write to DNS host name;Computer" /I:S | Out-Null
# Display the resulting ACL so the delegation can be checked
dsacls.exe $OrganizationalUnitDN
/ Johan
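Once the script has run, it is worth checking that the account ended up with exactly the rights listed above and nothing broader. The following audit script is an added example, not part of the original post or the book's code. It reads the OU's ACL through the AD: drive, resolves the object-type GUIDs in each ACE to schema and extended-right names, lists every ACE that names the join account, and warns about any right outside the expected set or any right that applies to all object types instead of just Computer objects. It assumes the RSAT ActiveDirectory module; the parameter names match Set-OUPermissions.ps1, and Resolve-AceGuid is a helper defined here, not an AD cmdlet.

```powershell
<#
Added example (not from the original post): audit the delegation that
Set-OUPermissions.ps1 creates for a domain join account.
Usage: .\Test-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"
#>
Param
(
    [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string]$Account,
    [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string]$TargetOU
)

Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$RootDSE  = Get-ADRootDSE
$OuDN     = "$TargetOU,$($Domain.DistinguishedName)"
$Identity = "$($Domain.NetBIOSName)\$((Get-ADUser $Account).SamAccountName)"

# Build a GUID -> name map from the schema (classes and attributes) and from the
# Extended-Rights container (control access rights and validated writes), so the
# ObjectType / InheritedObjectType GUIDs in the ACL become readable.
$GuidMap = @{}
Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid ([guid]$Guid)
{
    # An empty GUID in an ACE means "all object types" / "all properties"
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($GuidMap.ContainsKey($Guid)) { return $GuidMap[$Guid] }
    return $Guid.ToString()
}

# The only rights the dsacls calls in the post grant; anything else is a finding
$ExpectedRights = @('CreateChild','DeleteChild','ListChildren','ReadControl',
                    'WriteDacl','ReadProperty','WriteProperty','ExtendedRight','Self')

$Acl  = Get-Acl -Path "AD:\$OuDN"
$Aces = @($Acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
if ($Aces.Count -eq 0) { Write-Warning "No ACEs for $Identity found on $OuDN"; return }

$Report   = @()
$Findings = @()
foreach ($Ace in $Aces)
{
    $Rights    = @($Ace.ActiveDirectoryRights.ToString().Split(',').Trim())
    $Target    = Resolve-AceGuid $Ace.ObjectType
    $AppliesTo = Resolve-AceGuid $Ace.InheritedObjectType
    $Report += [pscustomobject]@{
        Type        = $Ace.AccessControlType
        Rights      = ($Rights -join ', ')
        ObjectType  = $Target
        AppliesTo   = $AppliesTo
        Inheritance = $Ace.InheritanceType
        Inherited   = $Ace.IsInherited
    }
    foreach ($Right in $Rights) {
        if ($Right -notin $ExpectedRights) {
            $Findings += "Unexpected right '$Right' on '$Target' (applies to: $AppliesTo)"
        }
    }
    # Everything except create/delete of Computer objects should be limited to
    # Computer objects; an ACE applying to 'All' would also cover users and groups
    $IsCreateDelete = ($Rights -contains 'CreateChild') -or ($Rights -contains 'DeleteChild')
    if (-not $IsCreateDelete -and $AppliesTo -ne 'computer') {
        $Findings += "Right '$($Rights -join ', ')' applies to '$AppliesTo' objects, not only Computer objects"
    }
}

$Report | Format-Table -AutoSize
if ($Findings.Count -eq 0) { Write-Host "Delegation for $Identity matches the expected scope." }
else { $Findings | ForEach-Object { Write-Warning $_ } }
```

The GUID lookup is done by name rather than with hard-coded GUIDs so the same script works in any forest, and inherited ACEs are included in the table (see the Inherited column) because a join account that was also granted something on a parent OU would otherwise be easy to miss.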
I don't get a domain name back for my user account, it just displays "CM_JD"?
And I don't understand how $UserDomain gets set in the line $UserAccount = $UserDomain+""+$SAM ?
Typo corrected, thanks
/ Johan
Hallelujah! This has been long overdue!
I'll be able to delete my favourites link to Mikes blogpost on this now!
Thanks for the script, sure comes in handy.
Just a typo correction to prevent confusion:
"[parameter(mandatory=$true,HelpMessage="Please, provide the >>>>>Password<<<<< to be used.")][ValidateNotNullOrEmpty()]$TargetOU"
should be OU, I guess 🙂
Thanks Johan!
Setting those permissions always bored me. Now I have this! 🙂