Forum Discussion

FragendeIT's avatar
FragendeIT
Copper Contributor
Mar 18, 2024

Copy AD Permissions o antoher group with powershell

Hello,

I am trying to migrate the rights of the group "authenticated user" to another group, there are some wishes to limit the authenticated user. This is just the first step, I want to be able to undo everythin I did just in case some things are completly wrong or broken after that.

 

So my aproch is to switch over the rights to another group. I could undo it the other way. Since I can't change a permission group, I try to copy everything I have written this code of powershell and now I am Stuck

 

 

 

 

 

# define Objekt Gruppe 
$ADObject = Get-ADObject "CN=test123,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
$GroupToAddPermissions = "CN=DummyGruppe,OU=groups,OU=USER_FIRMA,DC=Firma,DC=local"
# Get Rights of authenticated User

$objectSecurity = Get-ACL "AD:$(($ADObject).distinguishedname)"
$authUsersRules = $objectSecurity.Access | Where-Object {$_.IdentityReference -eq "NT-AUTORITÄT\Authentifizierte Benutzer"} | Where-Object {$_.IsInherited -eq $false }


# Assign Rights to new Group
$groupSID = (Get-ADGroup $GroupToAddPermissions).SID
foreach ($authUsersRule in $authUsersRules) {
   $accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSID, $authUsersRule.ActiveDirectoryRights, $authUsersRule.AccessControlType)
   $objectSecurity.AddAccessRule($accessRule)
}

#Save Changes
 Set-Acl "AD:$(($ADObject).distinguishedname)" -AclObject $objectSecurity

 

 

 

 

 

 

First of all the group test123 is a test group wich is newly created, and the authenticated user has 2 rights "Senden an" wich I belive should be "send to" and "Special" (Include many things, all read rights)

 

When I execute the above script, first of all it only creates one Access rule file, wich seems to combine these two in a single one, but intrestingly it does not only contain "send an" /"send to" but also "senden als" / "send as" a right that does not exist on the orgiinal

 

Also with multiple runs some times it seems the both send properties are not always shown (is there some sort of cache?)

 

any tips or help would be appreciated

 

No RepliesBe the first to reply

Resources