Skip to content

Add permission to SCCM Domain Join Account

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Global Variables
$SCCMDomainJoin = 'svcConfigMgrDJ'

# Get local environment variables
$ComputerInfo = Get-WmiObject Win32_ComputerSystem
$hostname = $ComputerInfo.Name
Import-Module activedirectory
$rootDSE = Get-ADRootDSE
$domain = Get-ADDomain

##############################################
# Delegate the rights to the SCCM Domain Join account on the "Computers" container

cd ad:
# Create a hashtable to the the GUID value of each schema class attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootDSE.schemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

# Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootDSE.configurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

# Get the target objects on which we need to grand access, namely the default "Computers" container and the project related Organizational Unit.
# The example here is the "Computers" container, but the object can be any Organizational Unit as well
$container = Get-ADObject -Identity ("CN=Computers," + $domain.DistinguishedName)

# Get the SID values of the Domain Join account
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $SCCMDomainJoin).SID

# Get the current DACL on the target AD Objects
$acl1 = Get-ACL -Path ($container.DistinguishedName)

# Grant the rights on the "Computers" container
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"CreateChild","Allow",$guidmap["computer"],"All"))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"DeleteChild","Allow",$guidmap["computer"],"All"))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"ReadProperty","Allow","Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"WriteProperty","Allow","Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"ReadControl","Allow","Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"WriteDacl","Allow","Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ExtendedRightAccessRule $user,"Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ExtendedRightAccessRule $user,"Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"Self","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]))
$acl1.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $user,"Self","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]))

# Re-apply the modified DACL to the target objects
Set-ACL -AclObject $acl1 -Path ("AD:\"+($container.DistinguishedName))