Can't Get-ACL Active Directory OU

I need to delegate rights (read, write, create child object, etc.) on AD OU for a service account.

I used the following code found here.

Import-Module ActiveDirectory

$rootdse = Get-ADRootDSE

# Map schema class/attribute lDAPDisplayNames to their schemaIDGUIDs
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

# Map extended (control access) right display names to their rightsGuids
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

$domain = Get-ADDomain

MyOU is like "OU=xxx - [xx],OU=XXXXX,OU=XXX,DC=AD,DC=GROUPE,DC=NET"

$OU = Get-ADOrganizationalUnit -Identity 'MyOU'

$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "testaccount").SID

# This is the call that fails: without the AD: drive prefix the DN is resolved
# against the current drive rather than Active Directory. AddAccessRule() below
# needs the ActiveDirectorySecurity object itself, not its expanded Access collection.
$acl = Get-ACL $ou.DistinguishedName

# 5-argument form: identity, rights, type, inheritance, inherited object type.
# Grants WriteProperty on all attributes of descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"WriteProperty","Allow","Descendents",$guidmap["user"]))

Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

I'm stuck with the Get-ACL command, which returns that the path in my AD does not exist, but it does.

Thanks for any help.

1 answer

  • answered 2019-02-06 11:16 TobyU

    You're setting the ACL using:

    Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
    

    Why not get it the same way?

    Get-ACL -Path ("AD:\"+($ou.DistinguishedName))
    

    Or like that:

    Get-ACL -Path "AD:\$($ou.DistinguishedName)"
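    The following is an added example, not code from the question or the answer. It carries the answer's fix through to a complete delegation script: it grants a service account the rights the question lists (create/delete users, read/write user attributes, reset passwords) on one OU through the AD: drive, then reads the DACL back to show exactly which ACEs the account received. The OU DN, the account name and the helper functions New-AllowAce and Get-DelegatedAces are hypothetical; it assumes Windows PowerShell 5.1+ with the ActiveDirectory module installed. It uses -LiteralPath deliberately: an OU name like the one in the question contains square brackets, which -Path treats as wildcard characters, so Get-Acl -Path can report "path does not exist" even with the AD: prefix in place.

```powershell
# Added example, not code from the question or the answer.
# Delegates user management on one OU to a service account via the AD: drive,
# then reads the DACL back to confirm exactly which ACEs were granted.
# Assumes Windows PowerShell 5.1+ with the ActiveDirectory module (RSAT); importing
# it is what creates the AD: drive. Both values below are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Service Desk,OU=Delegation,DC=example,DC=com'   # hypothetical OU
$principal = 'svc-helpdesk'                                       # hypothetical account

# Resolve schema classes/attributes and extended rights to the GUIDs the ACEs need.
$rootdse = Get-ADRootDSE
$guidmap = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.Guid]$_.schemaIDGUID }

$extendedRightsMap = @{}
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName, rightsGuid |
    ForEach-Object { $extendedRightsMap[$_.displayName] = [System.Guid]$_.rightsGuid }

$sid = (Get-ADUser -Identity $principal).SID

# The AD: prefix makes Get-Acl/Set-Acl resolve the DN through the AD provider; without
# it the DN is looked up on the current file-system drive and "does not exist".
# -LiteralPath because '[' and ']' in an OU name (as in the question) are wildcard
# characters to -Path, which then matches nothing.
$adPath = "AD:\$ouDn"
$acl = Get-Acl -LiteralPath $adPath

# Hypothetical helper: build an Allow ACE with the 6-argument constructor so object
# type and inherited object type are always explicit (Guid.Empty = any).
function New-AllowAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Guid]$ObjectType = [System.Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents',
        [System.Guid]$InheritedObjectType = [System.Guid]::Empty
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$rules = @(
    # Create/delete user objects in this OU and all sub-OUs.
    New-AllowAce -Sid $sid -Rights 'CreateChild, DeleteChild' -ObjectType $guidmap['user'] -Inheritance All
    # Read/write every attribute of descendant user objects (broad; see note below).
    New-AllowAce -Sid $sid -Rights 'ReadProperty, WriteProperty' -InheritedObjectType $guidmap['user']
    # "Reset Password" extended right on descendant user objects.
    New-AllowAce -Sid $sid -Rights ExtendedRight -ObjectType $extendedRightsMap['Reset Password'] `
        -InheritedObjectType $guidmap['user']
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

# Writing the DACL requires WriteDacl on the OU for the account running this script.
Set-Acl -LiteralPath $adPath -AclObject $acl

# Hypothetical helper: explicit (non-inherited) ACEs on the OU that name this SID.
function Get-DelegatedAces {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $security = Get-Acl -LiteralPath $Path
    $security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid -and -not $_.IsInherited }
}

# Reverse map so the GUIDs print as names.
$guidName = @{}
$guidName[[System.Guid]::Empty] = '(any)'
foreach ($k in $guidmap.Keys)           { $guidName[$guidmap[$k]] = $k }
foreach ($k in $extendedRightsMap.Keys) { $guidName[$extendedRightsMap[$k]] = $k }

Get-DelegatedAces -Path $adPath -Sid $sid |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
        @{ n = 'ObjectType';          e = { $guidName[$_.ObjectType] } },
        @{ n = 'InheritedObjectType'; e = { $guidName[$_.InheritedObjectType] } } |
    Format-Table -AutoSize
```

    Run it once with Set-Acl -WhatIf to see what would be written before touching the DACL. The ReadProperty/WriteProperty ACE with an empty object type covers every attribute of descendant users, including sensitive ones such as userAccountControl and servicePrincipalName; for least privilege, replace it with one ACE per attribute by passing -ObjectType $guidmap['<attribute lDAPDisplayName>'], and keep the verification step in place so the account's effective ACEs are reviewed after each change.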