Can't Get-ACL Active Directory OU

I need to delegate rights (read, write, create child object, etc.) on AD OU for a service account.

I used the following code found here.

Import-Module ActiveDirectory

$rootdse = Get-ADRootDSE

$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

$domain = Get-ADDomain


$OU = Get-ADOrganizationalUnit -Identity 'MyOU'

$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADuser "testaccount").SID
$acl = Get-ACL $ou.DistinguishedName   # keep the whole ActiveDirectorySecurity object; expanding .Access would drop the AddAccessRule method

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `

Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

I'm stuck with the get-ACL command which returns that the path in my AD does not exist, but it does.

Thanks for any help.

1 answer

  • answered 2019-02-06 11:16 TobyU

    You're setting the ACL using:

    Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

    Why not get it the same way?

    Get-ACL -Path ("AD:\"+($ou.DistinguishedName))

    Or like that:

    Get-ACL -Path "AD:\$($ou.DistinguishedName)"
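As an added example (not code from the question or the answer), here is the delegation carried through end to end with the AD: path from the answer: read the OU's ACL, add Read/Write and a create-child right scoped to the user class, write it back, and read it again to verify. The OU name 'MyOU' and account 'testaccount' are the question's placeholders.

```powershell
# Added example: delegate Read, Write and Create/Delete child (user objects only) on one OU
# to a service account, then read the ACL back through the AD: drive to verify.
Import-Module ActiveDirectory

$ouDn   = (Get-ADOrganizationalUnit -Filter "Name -eq 'MyOU'").DistinguishedName  # placeholder OU
$svcSid = [System.Security.Principal.SecurityIdentifier](Get-ADUser 'testaccount').SID  # placeholder account
$adPath = "AD:\$ouDn"   # Get-ACL / Set-ACL need the AD: drive prefix, not the bare DN

# Schema GUID of the 'user' class, so the create-child right is limited to user objects
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

$acl = Get-ACL -Path $adPath

# Read and Write on the OU itself and everything beneath it
$readWrite = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $svcSid,
    [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Create and delete child objects, restricted to the 'user' object class via its schema GUID
$createUser = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $svcSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($readWrite)
$acl.AddAccessRule($createUser)
Set-ACL -ACLObject $acl -Path $adPath

# Verify: list the ACEs on the OU that name this principal; IsInherited = False marks the ones just added
$svcAccount = $svcSid.Translate([System.Security.Principal.NTAccount])
(Get-ACL -Path $adPath).Access |
    Where-Object { $_.IdentityReference -eq $svcAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The same verification query, run periodically against sensitive OUs, is a cheap way to spot delegations that were not expected.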