This PowerShell script is a custom script designed for managing Active Directory groups. Let me break down the key components and functionality of this script:
- Synopsis and Description:
  - The script begins with a description of what it does and a summary of its functionality.
- Parameters:
  - It accepts two mandatory parameters:
    - GroupNamesFile: the path to a text file containing the list of group names the script will process.
    - ManagerUser: the username (SAMAccountName) of the user to be assigned as the manager of the groups.
- Reading Group Names:
  - The script reads the list of group names from the specified text file ($GroupNamesFile) using the Get-Content cmdlet.
- Looping Through Group Names:
  - It then loops over each group name.
  - For each group, it retrieves the manager user object with Get-ADUser and assigns that user as the group's manager (the managedBy attribute) with Set-ADGroup.
- Access Rights Assignment:
  - The script grants the manager user specific access rights on each group by creating an access control entry (ACE) with the System.DirectoryServices.ActiveDirectoryAccessRule class.
  - The rule specifies an access control type (Allow), a set of rights (WriteProperty and ExtendedRight), and the GUID of the attribute the rule applies to.
  - It retrieves the group's existing access control list (ACL) with Get-Acl, adds the rule to it, and writes the modified ACL back with Set-Acl.
- Author and Notes:
  - The script includes the author's information and notes about prerequisites and the file name.
This script is designed for Active Directory management and is intended for use in an environment where Active Directory is in use. It's important to ensure that you have the necessary permissions and the Active Directory PowerShell module installed to run this script.
Before using this script in a production environment, you should thoroughly test it in a controlled setting and review the security implications of granting specific access rights to users on Active Directory groups.
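One way to do that review is to read the group ACLs back after the script has run and list every principal that is allowed to change the membership list, not just the intended manager. The following PowerShell is an added example and is not part of the original post or of Assign-GroupManager.ps1; it assumes the ActiveDirectory module is available and uses the same groups file and the same "member" attribute GUID as the script. The function names Get-MemberWriters and Test-GroupManagerAce are hypothetical.

```powershell
# Added example (not the original script): audit who can write group membership.
# Assumes the ActiveDirectory module; function names are hypothetical.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute, the same GUID the script's ACE targets
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Convert an ACE identity (NTAccount or SID) to a SID string for comparison
function ConvertTo-SidString($identity) {
    try   { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $identity.Value }   # already a SID string, or an unresolvable account
}

# Return every Allow ACE on the group that permits writing the member attribute:
# either scoped to "member" explicitly, or unscoped (empty GUID = all attributes).
function Get-MemberWriters {
    param([Parameter(Mandatory=$true)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object {
        [pscustomobject]@{
            Group     = $group.Name
            Identity  = $_.IdentityReference.Value
            Sid       = ConvertTo-SidString $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Scope     = if ($_.ObjectType -eq $memberGuid) { 'member' } else { 'all attributes' }
            Inherited = $_.IsInherited
        }
    }
}

# For each group in the file, confirm the manager is set and holds a write ACE,
# and report every other principal that can also change membership.
function Test-GroupManagerAce {
    param(
        [Parameter(Mandatory=$true)][string]$GroupNamesFile,
        [Parameter(Mandatory=$true)][string]$ManagerUser
    )
    $user = Get-ADUser -Identity $ManagerUser
    foreach ($groupName in Get-Content -Path $GroupNamesFile) {
        $managedBy = (Get-ADGroup -Identity $groupName -Properties ManagedBy).ManagedBy
        $writers   = @(Get-MemberWriters -GroupName $groupName)
        $others    = $writers | Where-Object { $_.Sid -ne $user.SID.Value }
        [pscustomobject]@{
            Group           = $groupName
            ManagedByOk     = ($managedBy -eq $user.DistinguishedName)
            ManagerHasWrite = [bool]($writers | Where-Object { $_.Sid -eq $user.SID.Value })
            OtherWriters    = ($others | ForEach-Object { "$($_.Identity) [$($_.Scope)]" }) -join '; '
        }
    }
}

# Usage: same arguments as the script
# Test-GroupManagerAce -GroupNamesFile .\groups.txt -ManagerUser jdoe | Format-Table -AutoSize
```

The OtherWriters column will normally include built-in principals such as Domain Admins or SYSTEM through inherited entries; the point of the report is to make any additional, unexpected entries visible alongside the one the script adds. Note also that the script appends its ACE unconditionally, so running it twice leaves two identical entries, which this report shows as the manager appearing twice in Get-MemberWriters.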
<#
.SYNOPSIS
This script assigns a specified user as the manager of Active Directory groups listed in a text file and grants access rights to those groups.
.DESCRIPTION
This script reads a list of group names from a text file, assigns a user as the manager of each group, and grants specific access rights to the user on each group.
.PARAMETER GroupNamesFile
Specifies the path to the text file containing the list of group names to process.
.PARAMETER ManagerUser
Specifies the username (SAMAccountName) of the user to be assigned as the manager of the groups.
.AUTHOR
Navinya Ambre
Date: 10/10/2023
.NOTES
File Name : Assign-GroupManager.ps1
Prerequisite : Active Directory PowerShell module
#>
# Read input parameters
param (
    [Parameter(Mandatory=$true)]
    [string]$GroupNamesFile,
    [Parameter(Mandatory=$true)]
    [string]$ManagerUser
)

# The AD: drive used below only exists once the module is loaded
Import-Module ActiveDirectory

# Read group names from the file (one group name per line)
$groupNames = Get-Content -Path $GroupNamesFile

# Loop through each group name
foreach ($groupName in $groupNames) {
    # Resolve the manager and set it as the group's managedBy attribute
    $user = Get-ADUser -Identity $ManagerUser
    Set-ADGroup -Identity $groupName -Replace @{managedBy=$user.DistinguishedName}

    # Build an Allow ACE for the manager: WriteProperty and ExtendedRight
    # scoped to the schema GUID of the "member" attribute, so the manager can
    # change group membership but nothing else on the object
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $sid = [System.Security.Principal.SecurityIdentifier]$user.SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)

    # Append the ACE to the group's existing ACL and write the ACL back
    $group = Get-ADGroup -Identity $groupName
    $aclPath = "AD:\" + $group.DistinguishedName
    $acl = Get-Acl -Path $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -AclObject $acl -Path $aclPath
}
Please consider this an open forum for sharing your thoughts, modifications, and suggestions regarding the script. Your input and feedback are highly encouraged and valued.