PowerShell Script to set permissions in Active Directory for OSD

During the MVA Windows 8.1 Deployment Jump Start session, I demonstrated a PowerShell that me and Mikael Nystrom put together for an upcoming book. Here it is:

The syntax to run it is: Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"

.\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=ViaMonstra"

Account is the account in Active Directory for which you want to assign permissions, TargetOU is for which Organizational Unit.

You don't need to specify the domain, the script automatically finds your domain.

Created:	 2013-01-08
Version:	 1.0
Author       Mikael Nystrom and Johan Arwidmark       
Homepage:    http://www.deploymentfundamentals.com

This script is provided "AS IS" with no warranties, confers no rights and 
is not supported by the authors or DeploymentArtist.

Author - Mikael Nystrom
    Twitter: @mikael_nystrom
    Blog   : http://deploymentbunny.com

Author - Johan Arwidmark
    Twitter: @jarwidmark
    Blog   : https://deploymentresearch.com

[parameter(mandatory=$true,HelpMessage="Please, provide the account name.")][ValidateNotNullOrEmpty()]$Account,
[parameter(mandatory=$true,HelpMessage="Please, provide the target OU.")][ValidateNotNullOrEmpty()]$TargetOU

# Start logging to screen
Write-host (get-date -Format u)" - Starting"

# This i what we typed in
Write-host "Account to search for is" $Account
Write-Host "OU to search for is" $TargetOU

if ($TargetOU -like '*dc=*')
    Write-Warning "Oupps, only specify the OU path. We get the domain for you..."

$CurrentDomain = Get-ADDomain

$OrganizationalUnitDN = $TargetOU+","+$CurrentDomain
$SearchAccount = Get-ADUser $Account

$SAM = $SearchAccount.SamAccountName
$UserAccount = $CurrentDomain.NetBIOSName+"\"+$SAM

Write-Host "Account is = $UserAccount"
Write-host "OU is =" $OrganizationalUnitDN

dsacls.exe $OrganizationalUnitDN /G $UserAccount":CCDC;Computer" /I:T | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":LC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WD;;Computer" /I:S  | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;;Computer" /I:S  | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Reset Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Change Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to service principal name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to DNS host name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN

/ Johan

About the author

Johan Arwidmark

0 0 votes
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
7 years ago

I don't get a domain name back for my user account, it just displays "CM_JD"?

And I don't understand how $UserDomain gets set in the line $UserAccount = $UserDomain+""+$SAM ?

7 years ago

Typo corrected, thanks

/ Johan

Jiff Lemon
Jiff Lemon
7 years ago

Hallelujah! This has been long overdue!
I'll be able to delete my favourites link to Mikes blogpost on this now!

7 years ago

Thanks for the script, sure comes in Handy.
Just a typo correction to prevent confusion:
"[parameter(mandatory=$true,HelpMessage="Please, provide the >>>>>Password<<<<< to be used.")][ValidateNotNullOrEmpty()]$TargetOU"
should be OU, i guess 🙂

7 years ago

Thanks Johan!
Setting those permissions always bored me. Now I have this! 🙂