Using PowerShell to delete user's permissions?

Similar Messages

• How to Use PowerShell to Delete FIM Users That Have a Null attribute name

  FIM Community Information Center Article
  Wiki Page:
  How to Use PowerShell to Delete FIM Users That Have a Null <attribute name>
  Go to the FIM Community Information Center
  Mike Crowley | MVP
  My Blog --
  Planet Technologies

  Have you run side-by-side metrics on this?
  I've run the Delete Object method and your script against similar data sets and yours appears to take a fair bit longer. I'd have to re-run in identical circumstances, a few times, to really say for sure, but my initial impression is that it will take hours
  longer.
  I guess the point is somewhat moot anyway, as for me the bit that generally takes longest is the actual query, rather than the deletions.
  Boy how I wish I could just enter something into the FIM Portal directly that would blast out a bunch of users matching a query. One day...
  FIMSpecialist.com | MCTS: FIM 2010 | Now Offering
  ECMA1->ECMA2 Upgrade Services

• Using Powershell to delete all users from the Portal

  Summary
  This script will delete all users from the Portal except for Administrator and the Built-In Sync account.
  Based on Markus's "Delete a User" script.
  Useful when developing your system if you want to quickly clear out the data and start again.
  set-variable -name URI -value "http://localhost:5725/resourcemanagementservice' " -option constant
  function DeleteObject
  PARAM($objectType, $objectId)
  END
  $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
  $importObject.ObjectType = $objectType
  $importObject.TargetObjectIdentifier = $objectId
  $importObject.SourceObjectIdentifier = $objectId
  $importObject.State = 2
  $importObject | Import-FIMConfig -uri $URI
  if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
  $allobjects = export-fimconfig -uri $URI `
  –onlyBaseResources `
  -customconfig "/Person"
  $allobjects | Foreach-Object {
  $displayName = $_.ResourceManagementObject.ResourceManagementAttributes | `
  Where-Object {$_.AttributeName -eq "DisplayName"}
  if([string]::Compare($displayName.Value, "Administrator", $True) -eq 0)
  {write-host "Administrator NOT deleted"}
  elseif([string]::Compare($displayName.Value, "Built-in Synchronization Account", $True) -eq 0)
  {write-host "Built-in Synchronization Account NOT deleted"}
  else {
  $objectId = (($_.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
  DeleteObject -objectType "Person" `
  -objectId $objectId
  write-host "`nObject deleted`n" $displayName.Value }
  Go to the FIM ScriptBox
  http://www.wapshere.com/missmiis

  The DeleteObject function opens and closes a connection for each object.  This approach is faster:
  http://social.technet.microsoft.com/wiki/contents/articles/23570.how-to-use-powershell-to-delete-fim-users-that-have-a-null-attribute-name.aspx
  Mike Crowley | MVP
  My Blog --
  Planet Technologies

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• How to use Powershell to update user details in Active Directory?

  Hi,
  I received an updated contact list from HR of about 1500 names, and I want to update (make corrections and add missing data) ADUC quickly without having to do each user manually. How would I go about that using power-shell?
  The fields that need updating are:
  Under the General tab -> Description, Telephone number
  Everything under the Address tab
  Under the Telephone tab - > Mobile
  Under the Organization tab -> Job Title, Department, Company, Manager
  The server we're using is Windows Server 2008 R2.
  Many thanks,
  Nick

  There are 100 of such scripts are there online.
  here are few tips and codes. you will get more.  
  https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
  http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
  Please mark this as answer if it helps

• Using Powershell to Delete Excel Rows

  Hi everyone.  Again, I am having trouble working with Excel via Powershell.  I am slowly learning my way around but cannot correctly utilize any information I may find that helps me get the correct results.  So far I am working on a project
  at work that is automating the testing of our build process.  I am "borrowing" an excel sheet that I will save to my local machine to save as CSV.  However, before saving to CSV I need to remove the empty rows.  Unfortunately, the cells are
  not really blank but still contain links to the server I pulled the workbook from.
  I'm not sure what is easiest to do, but the "blanks" are within this range: A49:F320  and this is the range I'd like to delete.  The code I am currently working with is:
  $Excel = new-object -comobject excel.application
  $Excel.Visible = $False
  $Workbook = $Excel.Workbooks.Open($BuildXLS)
  $Worksheet = $Workbook.Worksheets.Item(1)
  $i = 1
      If ($Worksheet.Cells.Item($i, 1).Value() -eq "  ") {
          $Range = $Worksheet.Cells.Item($i, 1).EntireRow
          $a = $Range.Delete()
          $i -= 1
      $i += 1
   Incidentally, mjolinor helped with an earlier issue parsing through the CSV.  It was only after looking at the output that I discovered my real issue is working with the Excel.
  $data = import-csv $csv | Where-Object {$_.juris -ne " "}
  #format Juris-Version results
  foreach ($line in $data)
    if ($line.juris -eq 'US'){$line.Version = $FedVerNum}
     else {$line.Version = $ContentVer}
         write-output $line.juris$line.version | Out-File -Append "C:\1_JurisVersion.txt"
  The output from that help session looks like:
  US
  $FedVerNum
  State
  $ContentVer
  State
  $ContentVer
  Is there a away I can get this to read as
  US $FedVerNum
  state $ContentVer
  state $ContentVer
  state $ContentVer
  Many thanks for the help and expertise!

  The Excel constants are "magic" numbers that can be found in Excel via the Object Browser in the Visual Basic Editor.
  There are several that I use all the time, so I made a list of the ones I use most often:
  Const ForReading = 1
  Const xlAscending = 1
  Const xlGuess = 0
  Const xlTopToBottom = 1
  Const xlSortNormal = 0
  Const xlCount = -4112
  Const xlArea = 1
  Const xlBar = 2
  Const xlColumn = 3
  Const xlLine = 4
  Const xlPie = 5
  Const xlRadar = -4151
  Const xlXYScatter = -4169
  Const xlCombination = -4111
  Const xl3DArea = -4098
  Const xl3DBar = -4099
  Const xl3DColumn = -4100
  Const xl3DLine = -4101
  Const xl3DPie = -4102
  Const xl3DSurface = -4103
  Const xlDoughnut = -4120
  Const xlPasteValuesAndNumberFormats = 12
  Const xlpasteFormats = -4122
  Const xlpasteValues = -4163
  Const xlValues = &HFFFFEFBD ' -4163
  Const xlNone   = &HFFFFEFD2 ' -4142
  Const xlSelect = 3
  Const xlCellTypeLastCell = 11 
  Or you can "Include" them like this:
  [reflection.assembly]::loadWithPartialname("Microsoft.Office.Interop.Excel") |
  Out-Null
  $xlConstants = "microsoft.office.interop.excel.Constants" -as [type]
  $ws.columns.item("F").HorizontalAlignment = $xlConstants::xlCenter
  $ws.columns.item("K").HorizontalAlignment = $xlConstants::xlCenter
   If you know what constants you need.
  You can read about this here:
  http://technet.microsoft.com/en-us/magazine/2009.01.heyscriptingguy.aspx

• Using PowerShell to delete an ExpectedRuleEntry

  Summary
  The script code below deletes an ExpectedRuleEntry object from your environment.
  To run this script, you need to configure a Management Policy Rule that grants you permission to perform this operation:
  Management Policy Rule Configuration
  Name
  Administration: Administrators can delete Expected Rule Entries
  Type
  Request
  Grants Permissions
  True
  Disabled
  False
  Requestors and Operators
  Requestor
  Administrators
  Operation
  Delete
  Target Resources
  Before Request
  All expected rule resources
  After Request
  (Attribute)
  Resources Attributes
  All Attributes
  set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
  If(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
  if($args.count -ne 1) {throw "Missing GUID parameter"}
  $objectGUID = $args[0]
  $exportObject = export-fimconfig -uri $URI `
  –onlyBaseResources `
  -customconfig "/ExpectedRuleEntry[ObjectID='$objectGUID']" `
  -ErrorVariable Err `
  -ErrorAction SilentlyContinue
  If($Err){Throw $Err}
  If($exportObject -eq $null) {throw "ERE not found"}
  $ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
  $ImportObject.ObjectType = "ExpectedRuleEntry"
  $ImportObject.TargetObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
  $ImportObject.SourceObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
  $ImportObject.State = 2
  $ImportObject | Import-FIMConfig -uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
  If($Err){Throw $Err}
  Write-Host "`nCommand completed successfully`n"
  trap
  Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
  Exit 1
  Go to the FIM ScriptBox
  Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

  I am getting error:-
  Missing GUID parameterIs there any problem with script? Kindly help

• Using powershell to delete a View

  Something happened to a View on our test server. Under Review Activities, the Activities Assigned to Me is broken. Don't know what I did. Probably stared at it too long and it broke. Never worked with a product so fragile. Anyway, when I right click the
  View, the only option is Refresh. The View works, I just can't edit or delete it.
  I just want to get rid of it. I have already replaced it with another View. Outside of the console commands, how do you remove a View from existence?

  It's in a Management Pack called "Service Manager Activity Management Configuration Library". There are views that come OOTB that are are in unsealed MP's. I think if you look this MP up in the console you will find that it's unsealed in your SCSM
  installation as well? Is it possible that someone exported this MP, made changes to it and reimported it? You can actually change a lot of console behavoir via the Management Packs.
  A possible solution for you might be to reimport an original version of this management pack. Just export your current version first and keep as a backup, in case someone stored some important configuration in there (which they should not do btw).

• Reinstall deleted user

  Hello,
  I'm trying to reinstall a deleted user account. I followed the directions given through Macintosh Help, which work fine, up until the point where it says
  "click on create user", and then "click on Use Existing Folder".
  As soon as I click on Create User, there is no option anymore to click on Use Existing Folder, which means, I have created a new user that can't use the old Deleted User account.
  I tried to exchange the new folders within the new user with those from the old deleted user, but it only gets very complicated and I don't succeed.
  What to do? How can I reinstall a deleted user account, saved as a dmg in the Deleted User's folder.

  sorry, that didn't do the job.
  I managed to open the new account with the same username and password, but this new user couldn't open the Deleted User's account. It says this new user isn't authorized to open it. So I'm not any further with this.

• How to add multiple users permissions to a calendar using powershell?

  I have an organization that was recently setup in Exchange Online and they have unique circumstances in that every user in the organization needs "reviewer"
  access to every other users calendars.  I cannot change the default permission since new users added after this should not be able to see these calendars details.  There are a few I will go back to run a Set command on to change an individual permission
  here and there for specific needs, but the main need is below.
  I have basic experience with powershell commands and have found how to manually add a single users permissions to a calendar using the command below:
  Add-MailboxFolderPermission -Identity alias:\calendar -user alias -AccessRights reviewer
  Since it's not realistic to run this command thousands of times changing the user aliases each time, I was hoping someone could help me build a command to run on a single mailbox's calendar that would add every current user in the organization with certain
  permissions such as "reviewer" or "availabilityonly".
  Thanks for the help!

  Hi,
  A possible solution is to do this via Security Groups.
  Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Owner
  This way, you simply add users that require access to the CalendarOwnerAccessGroup
  You still have to run this on every mailbox that should have this feature, but that could be solved using powershell piping.
  http://technet.microsoft.com/en-us/library/ee176927.aspx
  /Anders Eide

• Set user inherit permissions check box using powershell

  Hi All,
  How can I set the the  "include inherit permissions from this objects parent" propertiy in Active Directory user object to a list of users using powershell.
  This option is not checked for some of my users and I'll like to set it using a powershell script.
  Thanks
  Simon
  MCSA, MCSE, MCITP:SA, MCITP:EA, MCITP:Enterprise Messaging Administrator 2010, CCNA

  download Quest Active Directory:
   Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
  or 
  Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
  or 
  $user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
  $acl = $ouser.objectSecurity
  $isProtected = $false # allows inheritance
  $preserveInheritance = $true # preserve inherited rules
  $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
  $user.commitchanges()
  I had this issue and using both of Kazun's methods worked. A mod should mark this as the answer.Paul Frankovich

• How can I capture delete user event in Active Directory 2008 using Powershell command

  Hi,
  In my Active Directory every user have own home drive in the file server. When I delete user I also need to delete folder from the server. 
  My target is make the process automated, so that when I delete user account form AD, the folder associate with user also delete.
  Can I write any power shell script to grep the delete event  and remove folder from file server.
  Thanks
  Tamim Khan

  You can setup event viewer to provide alerts (email alerts) for event id 630.
  Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
  Follow the wizard.
  ** Event ID Sample **
  Event ID: 630
  Type: Success Audit
  Description: User Account Deleted:
  Target Account Name: %1 Target Domain: %2
  Target Account ID: %3 Caller User Name: %4
  Caller Domain: %5 Caller Logon ID: %6
  Privileges: %7
  - Chris Ream -
  **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

• How to use Powershell to set delegate for user mailbox in Exchange 2010 and Office 365

  Hello,
  Can you please tell me if I can set delegate for user mailbox in Exchange 2010 or Office 365 using Powershell?
  If I can, then how can I do that? (which Powershell commands for setting the delegate?)
  Many thanks, and have a good day!

  Hi,
  If you wanted to add a delegate to possiblly a large number of users or you do this during mailbox provisioning. So the following script will use
  impersonation to access another users mailbox and add a delegate.
  $mbtoDelegate = "[email protected]"
  $delegatetoAdd = "[email protected]"
  $dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.0\Microsoft.Exchange.WebServices.dll"
  [void][Reflection.Assembly]::LoadFile($dllpath)
  $service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
  $windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
  $sidbind = "LDAP://<SID=" + $windowsIdentity.user.Value.ToString() + ">"
  $aceuser = [ADSI]$sidbind
  $service.AutodiscoverUrl($aceuser.mail.ToString())
  $service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress,
  $mbtoDelegate);
  $mbMailbox = new-object Microsoft.Exchange.WebServices.Data.Mailbox($mbtoDelegate)
  $dgUser = new-object Microsoft.Exchange.WebServices.Data.DelegateUser($delegatetoAdd)
  $dgUser.ViewPrivateItems = $false
  $dgUser.ReceiveCopiesOfMeetingMessages = $false
  $dgUser.Permissions.CalendarFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Editor
  $dgUser.Permissions.InboxFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Reviewer
  $dgArray = new-object Microsoft.Exchange.WebServices.Data.DelegateUser[] 1
  $dgArray[0] = $dgUser
  $service.AddDelegates($mbMailbox, [Microsoft.Exchange.WebServices.Data.MeetingRequestsDeliveryScope]::DelegatesAndMe, $dgArray);
  Hope this helps.

• [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

  As we all know, the
  ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
  To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
  System.DirectoryServices.ActiveDirectoryAccessRule class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectoryRights
  class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
  System.Security.AccessControl.AccessControlType class:
  http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
  System.DirectoryServices.ActiveDirectorySecurityInheritance class:
  http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
  In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
  we use Active Directory Service Interfaces (ADSI) or
  Active Directory module cmdlets
  with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
  more complex permission settings.
  Method 1: Using ADSI
    1. Get current permissions of an organization unit (OU)
  We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
  $Name = "OU=xxx,DC=com"
  $ADObject = [ADSI]"LDAP://$Name"
  $aclObject = $ADObject.psbase.ObjectSecurity
  $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
  $output=@()
  foreach($acl in $aclList)
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
       $info = @{
  'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
  'InheritanceType' = $acl.InheritanceType;
  'ObjectType' = $acl.ObjectType;
  'InheritedObjectType' = $acl.InheritedObjectType;
  'ObjectFlags' = $acl.ObjectFlags;
  'AccessControlType' = $acl.AccessControlType;
  'IdentityReference' = $acl.IdentityReference;
  'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
  'IsInherited' = $acl.IsInherited;
  'InheritanceFlags' = $acl.InheritanceFlags;
  'PropagationFlags' = $acl.PropagationFlags;
  $obj = New-Object -TypeName PSObject -Property $info
  $output+=$obj}
  $output
  In the figure below, you can see the results of running the script above:
  Figure 1．
  2. Assign a computer object with Full Control permission on an OU
  We can use the script below to delegate Full Control permission to the computer objects within an OU:
  $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
  $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
  $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
  $SysManObj.psbase.commitchanges()
  After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
  Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
  You can use the script below to get and assign Full Control permission to a computer object on an OU:
  $acl = get-acl "ad:OU=xxx,DC=com"
  $acl.access #to get access right of the OU
  $computer = get-adcomputer "COMPUTERNAME"
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  # Create a new access control entry to allow access to the OU
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
  $type = [System.Security.AccessControl.AccessControlType] "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
  $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
  # Add the ACE to the ACL, then set the ACL to save the changes
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  Method 3: Using GUID setting
  The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
  that.
  The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
  setting ObjectType field in an object specific ACE to the
  rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
  InheritedObjectType field to the schemaIDGuid of the class.
  We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
  You can use the script below to
  assign the group object with the permission to change user password on all user objects within an OU.
  $acl = get-acl "ad:OU=xxx,DC=com"
  $group = Get-ADgroup xxx
  $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
  # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
  $objectguid = new-object Guid 
  00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”) 
  class
  $inheritedobjectguid = new-object Guid 
  bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
  $identity = [System.Security.Principal.IdentityReference] $SID
  $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
  $type = [System.Security.AccessControl.AccessControlType]
  "Allow"
  $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
  The figure below shows the result of running the script above:
  Figure 2．
  In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
  $guidChangePassword     
  = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
  $guidLockoutTime        
  = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
  $guidPwdLastSet         
  = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
  $guidComputerObject     
  = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
  $guidUserObject         
  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
  $guidLinkGroupPolicy    
  = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
  $guidGroupPolicyOptions 
  = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
  $guidResetPassword      
  = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
  $guidGroupObject        
  = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2                                          
  $guidContactObject      
  = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
  $guidOUObject           
  = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
  $guidPrinterObject      
  = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
  $guidWriteMembers   
      = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
  $guidNull               
  = new-object Guid 00000000-0000-0000-0000-000000000000
  $guidPublicInformation  
  = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
  $guidGeneralInformation 
  = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
  $guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
  $guidGroupMembership    
  = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  More information:
  Add Object Specific ACEs using Active Directory Powershell
  http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
  Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
  Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
  If you've got time, check out
  this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
  Sample version 3.0:
  # This is going to be kind of slow, and it will take a few seconds the first time
  # you run it because it has to build the list of GUID <--> Property/Class/etc objects
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
  # Same as the previous command, except limit it to access granted to GroupX
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
  Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
  Get-ADGroup GroupY |
  Get-AccessControlEntry
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
  # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
  Get-ADGroup GroupY |
  Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
  where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
  That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
  New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
   

• How to create sharepoint Group with read only permissions using powershell for entire site ?

  How to create sharepoint Group with read only permissions using powershell for entire site (including subsites and top level site)

  Hi
  using (SPSite site = new SPSite(url))
  using (SPWeb web = site.OpenWeb())
  SPUserCollection users = Web.AllUsers;
  SPUser owner = users[string.Format("{0}{1}", "Domain", "Owner Username")];
  SPMember member = users[string.Format("{0}{1}", "Domain", "Default Member Username")];
  SPGroupCollection groups = Web.SiteGroups;
  string GroupName = “Super Exclusive”;//your group name
  string GroupDescription = “Super exclusive group description.”;
  groups.Add(GroupName, owner, member, GroupDescription);
  SPGroup NewSPGroup = groups[GroupName];
  SPRoleDefinition role = Web.RoleDefinitions["Read"];
  SPRoleAssignment roleAssignment = new SPRoleAssignment(NewSPGroup);
  roleAssignment.RoleDefinitionBindings.Add(role);
  Web.RoleAssignments.Add(roleAssignment);
  Web.Update();
  Please 'propose
  as answer' if it helped you, also 'vote
  helpful' if you like this reply.