Copy AD permissions to another group with PowerShell
Hello,
I am trying to migrate the rights of the group "Authenticated Users" to another group, because there are some wishes to limit the authenticated users. This is just the first step. I want to be able to undo everything I did, just in case some things are completely wrong or broken after that.
So my approach is to switch over the rights to another group. I could undo it the other way. Since I can't change a permission group, I try to copy everything. I have written this PowerShell code and now I am stuck:
# Define the object and the target group
$ADObject = Get-ADObject "CN=test123,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
$GroupToAddPermissions = "CN=DummyGruppe,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
# Get the explicit (non-inherited) rights of Authenticated Users
$objectSecurity = Get-ACL "AD:$(($ADObject).distinguishedname)"
$authUsersRules = $objectSecurity.Access | Where-Object {$_.IdentityReference -eq "NT-AUTORITÄT\Authentifizierte Benutzer"} | Where-Object {$_.IsInherited -eq $false }
# Assign the rights to the new group
$groupSID = (Get-ADGroup $GroupToAddPermissions).SID
foreach ($authUsersRule in $authUsersRules) {
    $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSID, $authUsersRule.ActiveDirectoryRights, $authUsersRule.AccessControlType)
    $objectSecurity.AddAccessRule($accessRule)
}
# Save changes
Set-Acl "AD:$(($ADObject).distinguishedname)" -AclObject $objectSecurity
First of all, the group test123 is a newly created test group, and Authenticated Users has 2 rights on it: "Senden an", which I believe should be "Send To", and "Special" (includes many things, all read rights).
When I execute the above script, first of all it only creates one access rule file, which seems to combine these two into a single one, but interestingly it does not only contain "Senden an" / "Send To" but also "Senden als" / "Send As", a right that does not exist on the original.
Also, with multiple runs, sometimes it seems that both send properties are not always shown (is there some sort of cache?).
Any tips or help would be appreciated.
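
The following is an added example, not part of the original post. The three-argument constructor used in the script leaves the new rule's ObjectType as the empty GUID, so an ExtendedRight entry that was scoped to one right ends up covering all extended rights; this sketch copies each rule with its ObjectType, InheritanceType and InheritedObjectType and saves the DACL as SDDL first so the change can be undone. The backup path and the function name Restore-ObjectDacl are hypothetical.

```powershell
Import-Module ActiveDirectory

# Distinguished names taken from the post
$objectDN   = "CN=test123,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
$groupDN    = "CN=DummyGruppe,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
$backupFile = ".\test123-dacl-backup.sddl.txt"   # hypothetical backup location

# S-1-5-11 is the well-known SID of Authenticated Users. Matching on the SID
# avoids depending on the localized name "NT-AUTORITÄT\Authentifizierte Benutzer".
$authUsersSid = "S-1-5-11"
$groupSid     = (Get-ADGroup $groupDN).SID

$acl = Get-Acl -Path "AD:$objectDN"

# Keep a copy of the current security descriptor before touching anything
$acl.Sddl | Set-Content -Path $backupFile

# Explicit (non-inherited) rules only, with identities returned as SIDs
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = $acl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $authUsersSid }

foreach ($rule in $rules) {
    # Six-argument constructor: carries over the GUID of the specific extended
    # right or property (ObjectType) and the inheritance scope of the original
    $copy = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $groupSid,
        $rule.ActiveDirectoryRights,
        $rule.AccessControlType,
        $rule.ObjectType,
        $rule.InheritanceType,
        $rule.InheritedObjectType)
    $acl.AddAccessRule($copy)
}

Set-Acl -Path "AD:$objectDN" -AclObject $acl

# Rollback helper (hypothetical name): restores only the DACL from the backup
function Restore-ObjectDacl {
    param([string]$DistinguishedName, [string]$SddlFile)
    $current = Get-Acl -Path "AD:$DistinguishedName"
    $sddl = (Get-Content -Path $SddlFile -Raw).Trim()
    $access = [System.Security.AccessControl.AccessControlSections]::Access
    $current.SetSecurityDescriptorSddlForm($sddl, $access)
    Set-Acl -Path "AD:$DistinguishedName" -AclObject $current
}
```

To compare the result with the original, list `$acl.Access` with the `ObjectType` column included, since two rules that both show ExtendedRight can still differ in that GUID.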