我想将TestUsers组织单位的控制权委托给用户NickA并为其授予以下权限:
Create, delete, and manage user accountsReset user passwords and force password change at next logonRead all user informationCreate, delete and manage groupsModify the membership of a group
我找到的唯一方法如下,但我找不到要分配的正确权限:
$acc = Get-ADUser NickA
$sid = new-object System.Security.Principal.SecurityIdentifier $acc.SID
$guid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$ou = Get-ADOrganizationalUnit -Identity TestUsers
$acl = Get-ACL -Path "AD:$($ou.DistinguishedName)"
$acl.AddAccessRule($(new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"