• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Stephanos Constantinou Blog

PowerShell Scripting

  • Home
  • Blogs
    • PowerShell Tutorials
    • PowerShell Scripts
    • PowerShell Modules
      • Modules Cmdlets
    • Software Reviews
  • About
  • Contact
You are here: Home / PowerShell Scripts / Powershell Active Directory Delegation – Part-2

Powershell Active Directory Delegation – Part-2

20/03/2018 by Stephanos 3 Comments

PowerShell Active Directory Delegation – Part 2

Scenario:

PowerShell Active Directory Delegation – Part 2

In Part 1 of this series we have discussed about getting the information from Active Directory. We have created our arrays to keep the information that we will need. We created We have also seen sample of the lists, that we can create, to process them later and apply delegation on each Organizational Unit. In this part we will go though the Access Control List in Active Directory and how we will perform our changes to accomplish the delegation in Active Directory. Also, we will see a sample of the attributes that we will provide to local IT administrators.

Active Directory Access Control List

In order to be able to modify the access control list, we need first to retrieve the current list so we will be able to add our delegated access and not to disturb and lose the current setup that we already have. So we need to use the below command to get the current access control list of a specific organizational unit.

$acl = get-acl $currentuserou

The above command will get all access control entries in the current access control list of an organizational unit and will save them in a variable so we will be able to modify it.

Modify the Access Control List

Now we want to modify the access control list that we have saved in the variable. In order to modify it we will have to create and add access control entries in the access control list. Then after the list has been edited with our changes. To create the new access control entries we need to create the objects accordingly. In the access control entries that we will create, we have to define a few variables. These variables will include all the information that we need to provide delegated access to our local IT administrators. As you are able to see below, there are different permissions that we can apply. In general, we have to first provide the group of local IT administrators that we get those permissions. Then we define the right that we want to apply to the group. After that we apply the action and then the objects that will be applied to.

Create the Access Control Entries

Below are some examples of access control entries. Let’s explain them a bit to understand better how you will be able to create you own. On $ace1service, we first define the group that will get the permissions ($servicegroup). Then we define the access, which in this case Read all properties of the organizational unit that will be applied. After that we have to define the access permission which is “Allow” for this one. We apply this, not only to the specific organizational unit but also to any objects under that, which are user objects. As you can see, to define the correct object, we need to define the correct GUID. We have already created in part 1 of the series our GUID hash table and we use it at this point to provide the permissions accordingly. In this specific access control entry we use $guidmap[user] in order to provide these permissions for user objects.

There are different types of rights that you can provide to local IT administrators, depending on what you are trying to achieve. On $ace3service we have ExtendedRight and we user the other hash table that we have created in part 1 of the series ($extendedrightsmap). Hash tables allow us to use the display names instead of the GUID values for the permissions that we will provide.

In $ace1user we allow our local IT administrators to create child objects under the specific organizational unit. The objects that we allow them to create are users. In $ace2user we allow our local It administrators to write and modify “company” attribute for all user objects under the specific organizational unit.

$ace1service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ReadProperty","Allow","Descendents",$guidmap["user"]
$ace3service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]
$ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"CreateChild","Allow",$guidmap["user"]
$ace2user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"]
$ace3user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"]
$ace4user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"]
$ace5user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]

The above commands will create access control entries that we need to add in the access control list that we have retrieved before. In order to apply the new access control entries in the access control list, we have to use the below command. After the list is ready with all access control entries in it, we have to set the access control list back to our organizational unit by using the below command.

$acl.AddAccessRule($ace1user)
set-acl -aclobject $acl -Path $currentuserou
Permissions to our Local IT Administrators

Below are lists with permissions that we will provide to our local IT administrators for user objects, computer objects, group objects. Each group of local IT administrators will get the permissions accordingly based on the groups that we have discussed in Part 1 of this series.

User Objects
  • Read
  • Read All Properties
  • Reset Password
  • Write Company (Company under Organization Tab)
  • Write Department (Department under Organization Tab)
  • Write Description (Description under General Tab)
  • Write Display Name (Display Name under General Tab)
  • Write Fax Number (Fax under Telephones Tab)
  • Write Fax Number (Others) (Enable Additions of others for Fax)
  • Write First Name (First Name under General Tab)
  • Write Home Drive (Home Drive under Profile Tab)
  • Write Home Folder (Home Folder under Profile Tab)
  • Write Home Phone (Home under Telephones Tab)
  • Write Home Phone (Others) (Enable Additions of others for Home)
  • Write Initials (Initials under General Tab)
  • Write Job Title (Job Title under Organization Tab)
  • Write lockoutTime (Unlock Account under Account Tab)
  • Write Logon Name (User Logon Name under Account Tab)
  • Write Logon Name (pre-Windows 2000) (under Account Tab)
  • Write Manager (Manager under Organization Tab)
  • Write Mobile Number (Mobile under Telephones Tab)
  • Write Mobile Number (Others) (Enable Additions of other on Mobile)
  • Write Name
  • Write name
  • Write Notes (Notes under Telephones Tab)
  • Write Phone Number (Others) (Enable Additions of other on Telephone Number)
  • Write Post Office Box (P. O. Box under Address Tab)
  • Write pwdLastSet ((User must change password at next logon under Account Tab)
  • Write Street Address (Street under Address Tab)
  • Write Telephone Number (Telephone Number under General Tab)
  • Write thumbnailPhoto (change Users Photo)
  • Write userAccountControl (Enable/Disable Account and other Account options under Account Tab)
  • Write Web Page Address (Web Page under General Tab)
  • Write ZIP/Postal Code (ZIP/Postal Code under Address Tab)
  • sn – attribute (Last Name)
  • st – attribute (State)
  • c – attribute (Country/Region)
  • l – attribute (City)
  • physicalDeliveryOfficeName – attribute (Office)
Group Objects
  • Read
  • Read All Properties
  • Write Description
  • Write Group name (pre-Windows 2000)
  • Write group Type
  • Write Members
  • Write Name
  • Write name
  • Write Notes
Computer Objects
  • Read
  • Read All Properties
  • Write All Properties
  • Reset Password
  • Read and Write account restrictions
  • Validated write to DNs host name
  • Validated write to service principal name
Applying Our knowledge in the script

The below script is a sample and needs to be review and edited accordingly so you will be able to use it. You may give permissions, or remove permissions that you do not want and create issues with your systems. The main point of the above, is that we have to retrieve the access control lists from the organizational units. Then, we create our new access control entries and add them to the current access control list. After we have everything ready will need to apply the access control list to the organizational unit, so the delegated permissions will be applied.

Run the Script

As you are able to see below in the script a few loops are used in order to remove some input errors. Another main loop is used so that you will be able to run the script again either for different object or different country without the need to exit the script and run it from the beginning. When the application of the modified access control list is completed, then we receive a green output, that delegation for the specific organizational unit has been applied.

Set-ADDelegation - Object Option

When you run the script will will ask you first to select on which option you want to apply delegation. After you select the object type, the script will ask you to select on which country you want to apply the delegated permissions. At this stage the script will start processing based on your input and will give you the results accordingly. After the script has completed providing the delegated permissions to the specific organizational units it will ask you if you would like to run the script again for another object or country. It accepts only “y” or “n”. If your input is yes then the script will start from the beginning and will ask you again to give the options. If your input is no, the script will exit. In order to run the script, you will need to run PowerShell as an administrator with domain admin permissions. 

Set-ADDelegation - Country Option

You can download the script here or copy it from below.

Hope you like it.

If you have any questions or anything else please let me know in the comments below.

Set-ADDelegation - Options

Related Links:

  • PowerShell Active Directory Delegation – Part 1
  • PowerShell Active Directory Delegation – Part 3
  • Access-Control Lists (ACLs) – MSDN – Microsoft
  • Access Control Entries – TechNet – Microsoft
  • Import-Module – Microsoft Docs
  • Get-ADRootDSE – Microsoft Docs
  • Get-ADDomain – Microsoft Docs
  • Get-ADObject – Microsoft Docs
  • Get-ADOrganizationalUnit – Microsoft Docs
  • Write-Host – Microsoft Docs
  • Read-Host – Microsoft Docs
  • New-Object – Microsoft Docs
  • Get-Acl – Microsoft Docs
  • Set-Acl – Microsoft Docs

Solution Script:

<#
.SYNOPSIS
  Name: Set-ADDelegation.ps1
  The purpose of this script is to provide delegated access to administrator
  in Active Directory.
.DESCRIPTION
  The script will provide the predefined permissions to IT administrators by
  modifying the ACLs of Organizational Units so they will be able to perform
  their jobs with the least possible permissions.
.RELATED LINKS
  Home
.NOTES
  Version: 1.0
  Release Date: 16-03-2018
  Author: Stephanos Constantinou
.EXAMPLE
  Set-ADDelegation.ps1
#>
Import-module ActiveDirectory
cd ad:
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
foreach {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&;(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
foreach {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
$objectinfo = @"
List of the objects that you can delegate control:
1. User
2. Computer
3. Group
4. Service Accounts
5. Servers
"@
$countryinfo = @"
List of the countries that you want to apply the delegation for:
1. Cyprus
2. Greece
3. Germany
4. India
5. United Kingdom
"@
$AllOUs = Get-ADOrganizationalUnit -Properties DistinguishedName -SearchBase ("OU=Offices,"+$domain.DistinguishedName) -Filter *
$ServersOUs = Get-ADOrganizationalUnit -Properties DistinguishedName -SearchBase ("OU=Servers,"+$domain.DistinguishedName) -Filter *
$again = "y"
$userinput = "wrong"
while ($again -eq "y"){
   do {
      Write-Host $objectinfo
      $objectoption = Read-Host -Prompt 'Please select the number of the object'
      } until (($objectoption -eq "1") -or
              ($objectoption -eq "2") -or
              ($objectoption -eq "3") -or
              ($objectoption -eq "4") -or
              ($objectoption -eq "5"))
   do {
      Write-Host $countryinfo
      $countryoption = Read-Host -Prompt 'Please select the number of the country'
      } until (($countryoption -eq "1") -or
              ($countryoption -eq "2") -or
              ($countryoption -eq "3") -or
              ($countryoption -eq "4") -or
              ($countryoption -eq "5"))
   switch ($countryoption){
      1 {$CyprusEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and
                                                 ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
         $CyprusComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and
                                                 ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
         $CyprusGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and
                                              ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
         $CyprusServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and
                                               ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
         $CyprusServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and
                                                   ($_.DistinguishedName -like "*2012*") -and
                                                   ($_.DistinguishedName -like "*2016*") -and
                                                   ($_.DistinguishedName -like "*Linux*") -and
                                                   ($_.DistinguishedName -like "*Cyprus*")}).DistinguishedName
         $servicedesk = "cy-ServiceDesk"
         $computeradmin = "cy-DesktopAdmin"
         $useradmin = "cy-UserAdmin"
         $adadmin = "cy-ADAdmin"
         $activeuserou = $CyprusEmployeesOUs
         $activedesktopou = $CyprusComputersOUs
         $activegroupou = $CyprusGroupsOUs
         $activeserviceou = $CyprusServiceOUs
         $activeserverou = $CyprusServersOUs
         $country = "Cyprus"}
      2 {$GreeceEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and
                                                 ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
         $GreeceComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and
                                                 ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
         $GreeceGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and
                                              ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
         $GreeceServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and
                                               ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
         $GreeceServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and
                                                   ($_.DistinguishedName -like "*2012*") -and
                                                   ($_.DistinguishedName -like "*2016*") -and
                                                   ($_.DistinguishedName -like "*Linux*") -and
                                                   ($_.DistinguishedName -like "*Greece*")}).DistinguishedName
         $servicedesk = "gr-ServiceDesk"
         $computeradmin = "gr-DesktopAdmin"
         $useradmin = "gr-UserAdmin"
         $adadmin = "gr-ADAdmin"
         $activeuserou = $GreeceEmployeesOUs
         $activedesktopou = $GreeceComputersOUs
         $activegroupou = $GreeceGroupsOUs
         $activeserviceou = $GreeceServiceOUs
         $activeserverou = $GreeceServersOUs
         $country = "Greece"}
      3 {$GermanyEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and
                                                  ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
         $GermanyComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and
                                                  ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
         $GermanyGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and
                                               ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
         $GermanyServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and
                                                ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
         $GermanyServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and
                                                    ($_.DistinguishedName -like "*2012*") -and
                                                    ($_.DistinguishedName -like "*2016*") -and
                                                    ($_.DistinguishedName -like "*Linux*") -and
                                                    ($_.DistinguishedName -like "*Germany*")}).DistinguishedName
         $servicedesk = "de-ServiceDesk"
         $computeradmin = "de-DesktopAdmin"
         $useradmin = "de-UserAdmin"
         $adadmin = "de-ADAdmin"
         $activeuserou = $GermanyEmployeesOUs
         $activedesktopou = $GermanyComputersOUs
         $activegroupou = $GermanyGroupsOUs
         $activeserviceou = $GermanyServiceOUs
         $activeserverou = $GermanyServersOUs
         $country = "Germany"}
      4 {$IndiaEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and
                                                ($_.DistinguishedName -like "*India*")}).DistinguishedName
         $IndiaComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and
                                                ($_.DistinguishedName -like "*India*")}).DistinguishedName
         $IndiaGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and
                                             ($_.DistinguishedName -like "*India*")}).DistinguishedName
         $IndiaServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and
                                              ($_.DistinguishedName -like "*India*")}).DistinguishedName
         $IndiaServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and
                                                  ($_.DistinguishedName -like "*2012*") -and
                                                  ($_.DistinguishedName -like "*2016*") -and
                                                  ($_.DistinguishedName -like "*Linux*") -and
                                                  ($_.DistinguishedName -like "*India*")}).DistinguishedName
         $servicedesk = "in-ServiceDesk"
         $computeradmin = "in-DesktopAdmin"
         $useradmin = "in-UserAdmin"
         $adadmin = "in-ADAdmin"
         $activeuserou = $IndiaEmployeesOUs
         $activedesktopou = $IndiaComputersOUs
         $activegroupou = $IndiaGroupsOUs
         $activeserviceou = $IndiaServiceOUs
         $activeserverou = $IndiaServersOUs
         $country = "India"}
      5 {$UnitedKingdomEmployeesOUs = ($AllOUs | where {($_.DistinguishedName -like "*Employees*") -and
                                                        ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName
         $UnitedKingdomComputersOUs = ($AllOUs | where {($_.DistinguishedName -like "*Computers*") -and
                                                        ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName
         $UnitedKingdomGroupsOUs = ($AllOUs | where {($_.DistinguishedName -like "*Groups*") -and
                                                     ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName
         $UnitedKingdomServiceOUs = ($AllOUs | where {($_.DistinguishedName -like "*ServiceAccounts*") -and
                                                      ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName
         $UnitedKingdomServersOUs = ($ServersOUs | where {($_.DistinguishedName -like "*2008*") -and
                                                          ($_.DistinguishedName -like "*2012*") -and
                                                          ($_.DistinguishedName -like "*2016*") -and
                                                          ($_.DistinguishedName -like "*Linux*") -and
                                                          ($_.DistinguishedName -like "*UnitedKingdom*")}).DistinguishedName
         $servicedesk = "uk-ServiceDesk"
         $computeradmin = "uk-DesktopAdmin"
         $useradmin = "uk-UserAdmin"
         $adadmin = "uk-ADAdmin"
         $activeuserou = $UnitedKingdomEmployeesOUs
         $activedesktopou = $UnitedKingdomComputersOUs
         $activegroupou = $UnitedKingdomGroupsOUs
         $activeserviceou = $UnitedKingdomServiceOUs
         $activeserverou = $UnitedKingdomServersOUs
         $country = "United Kingdom"}
      default {"You have entered a wrong number. Run the script again"; Exit}}
   $servicegroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$servicedesk").SID
   $computergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$computeradmin").SID
   $usergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$useradmin").SID
   $adgroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "$adadmin").SID
   $engineergroup = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "group-ADEngineer").SID
   $ownerrights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
   switch ($objectoption){
      1 {foreach ($currentuserou in $activeuserou){
         $acl = get-acl $currentuserou
        $ace1service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ReadProperty","Allow","Descendents",$guidmap["user"]
        $ace2service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]
        $ace3service = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $servicegroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]
        $ace1user = new-object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"CreateChild","Allow",$guidmap["user"]
        $ace2user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"]
        $ace3user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"]
        $ace4user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"]
        $ace5user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]
        $ace6user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace7user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace8user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"]
        $ace9user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"]
        $ace10user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"]
        $ace11user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"]
        $ace12user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"]
        $ace13user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"]
        $ace14user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"]
        $ace15user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"]
        $ace16user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"]
        $ace17user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"]
        $ace18user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"]
        $ace19user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"]
        $ace20user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"]
        $ace21user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"]
        $ace22user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"]
        $ace23user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"]
        $ace24user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"]
        $ace25user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]
        $ace26user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"]
        $ace27user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"]
        $ace28user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"]
        $ace29user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"]
        $ace30user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"]
        $ace31user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"]
        $ace32user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"]
        $ace33user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"]
        $ace34user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"]
        $ace35user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"]
        $ace36user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"]
        $ace37user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["extensionAttribute2"],"Descendents",$guidmap["user"]
        $ace38user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["userWorkstations"],"Descendents",$guidmap["user"]
        $ace39user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $usergroup,"WriteProperty","Allow",$guidmap["logonHours"],"Descendents",$guidmap["user"]
        $ace1engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["user"]
        $ace2engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]
        $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]
        $ace4engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["user"]
        $ace5engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["user"]
        $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"]
        $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"]
        $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"]
        $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]
        $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace11engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace12engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"]
        $ace13engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"]
        $ace14engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"]
        $ace15engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"]
        $ace16engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"]
        $ace17engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"]
        $ace18engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"]
        $ace19engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"]
        $ace20engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"]
        $ace21engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"]
        $ace22engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"]
        $ace23engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"]
        $ace24engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"]
        $ace25engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"]
        $ace26engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"]
        $ace27engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"]
        $ace28engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"]
        $ace29engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]
        $ace30engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"]
        $ace31engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"]
        $ace32engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"]
        $ace33engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"]
        $ace34engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"]
        $ace35engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"]
        $ace36engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"]
        $ace37engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"]
        $ace38engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"]
        $ace39engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"]
        $ace40engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"]
        $ace41engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["extensionAttribute2"],"Descendents",$guidmap["user"]
        $ace42engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userWorkstations"],"Descendents",$guidmap["user"]
        $ace43engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["logonHours"],"Descendents",$guidmap["user"]
        $ace1owner = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ownerrights,"ReadProperty","Allow","Descendents",$guidmap["user"]
        
        $acl.AddAccessRule($ace1service)
        $acl.AddAccessRule($ace2service)
        $acl.AddAccessRule($ace3service)
        $acl.AddAccessRule($ace1user)
        $acl.AddAccessRule($ace2user)
        $acl.AddAccessRule($ace3user)
        $acl.AddAccessRule($ace4user)
        $acl.AddAccessRule($ace5user)
        $acl.AddAccessRule($ace6user)
        $acl.AddAccessRule($ace7user)
        $acl.AddAccessRule($ace8user)
        $acl.AddAccessRule($ace9user)
        $acl.AddAccessRule($ace10user)
        $acl.AddAccessRule($ace11user)
        $acl.AddAccessRule($ace12user)
        $acl.AddAccessRule($ace13user)
        $acl.AddAccessRule($ace14user)
        $acl.AddAccessRule($ace15user)
        $acl.AddAccessRule($ace16user)
        $acl.AddAccessRule($ace17user)
        $acl.AddAccessRule($ace18user)
        $acl.AddAccessRule($ace19user)
        $acl.AddAccessRule($ace20user)
        $acl.AddAccessRule($ace21user)
        $acl.AddAccessRule($ace22user)
        $acl.AddAccessRule($ace23user)
        $acl.AddAccessRule($ace24user)
        $acl.AddAccessRule($ace25user)
        $acl.AddAccessRule($ace26user)
        $acl.AddAccessRule($ace27user)
        $acl.AddAccessRule($ace28user)
        $acl.AddAccessRule($ace29user)
        $acl.AddAccessRule($ace30user)
        $acl.AddAccessRule($ace31user)
        $acl.AddAccessRule($ace32user)
        $acl.AddAccessRule($ace33user)
        $acl.AddAccessRule($ace34user)
        $acl.AddAccessRule($ace35user)
        $acl.AddAccessRule($ace36user)
        $acl.AddAccessRule($ace37user)
        $acl.AddAccessRule($ace38user)
        $acl.AddAccessRule($ace39user)
        $acl.AddAccessRule($ace1engineer)
        $acl.AddAccessRule($ace2engineer)
        $acl.AddAccessRule($ace3engineer)
        $acl.AddAccessRule($ace4engineer)
        $acl.AddAccessRule($ace5engineer)
        $acl.AddAccessRule($ace6engineer)
        $acl.AddAccessRule($ace7engineer)
        $acl.AddAccessRule($ace8engineer)
        $acl.AddAccessRule($ace9engineer)
        $acl.AddAccessRule($ace10engineer)
        $acl.AddAccessRule($ace11engineer)
        $acl.AddAccessRule($ace12engineer)
        $acl.AddAccessRule($ace13engineer)
        $acl.AddAccessRule($ace14engineer)
        $acl.AddAccessRule($ace15engineer)
        $acl.AddAccessRule($ace16engineer)
        $acl.AddAccessRule($ace17engineer)
        $acl.AddAccessRule($ace18engineer)
        $acl.AddAccessRule($ace19engineer)
        $acl.AddAccessRule($ace20engineer)
        $acl.AddAccessRule($ace21engineer)
        $acl.AddAccessRule($ace22engineer)
        $acl.AddAccessRule($ace23engineer)
        $acl.AddAccessRule($ace24engineer)
        $acl.AddAccessRule($ace25engineer)
        $acl.AddAccessRule($ace26engineer)
        $acl.AddAccessRule($ace27engineer)
        $acl.AddAccessRule($ace28engineer)
        $acl.AddAccessRule($ace29engineer)
        $acl.AddAccessRule($ace30engineer)
        $acl.AddAccessRule($ace31engineer)
        $acl.AddAccessRule($ace32engineer)
        $acl.AddAccessRule($ace33engineer)
        $acl.AddAccessRule($ace34engineer)
        $acl.AddAccessRule($ace35engineer)
        $acl.AddAccessRule($ace36engineer)
        $acl.AddAccessRule($ace37engineer)
        $acl.AddAccessRule($ace38engineer)
        $acl.AddAccessRule($ace39engineer)
        $acl.AddAccessRule($ace40engineer)
        $acl.AddAccessRule($ace41engineer)
        $acl.AddAccessRule($ace42engineer)
        $acl.AddAccessRule($ace43engineer)
        $acl.AddAccessRule($ace1owner)
        set-acl -aclobject $acl -Path $currentuserou
        $Confirmation = "User objects delegation on $currentuserou for $country was successful."
        Write-Host $Confirmation -ForegroundColor Green}}
    2 {foreach ($currentdesktopou in $activedesktopou){
        $acl = get-acl $currentdesktopou
        $ace1desktop = new-object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"CreateChild","Allow",$guidmap["computer"]
        $ace2desktop = new-object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"DeleteChild","Allow",$guidmap["computer"]
        $ace3desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"]
        $ace4desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"WriteProperty","Allow","Descendents",$guidmap["computer"]
        $ace5desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"]
        $ace6desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"]
        $ace7desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]
        $ace8desktop = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $computergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]
        $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["computer"]
        $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["computer"]
        $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"]
        $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow","Descendents",$guidmap["computer"]
        $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"]
        $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"]
        $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]
        $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]
        $acl.AddAccessRule($ace1desktop)
        $acl.AddAccessRule($ace2desktop)
        $acl.AddAccessRule($ace3desktop)
        $acl.AddAccessRule($ace4desktop)
        $acl.AddAccessRule($ace5desktop)
        $acl.AddAccessRule($ace6desktop)
        $acl.AddAccessRule($ace7desktop)
        $acl.AddAccessRule($ace8desktop)
        $acl.AddAccessRule($ace1engineer)
        $acl.AddAccessRule($ace2engineer)
        $acl.AddAccessRule($ace3engineer)
        $acl.AddAccessRule($ace4engineer)
        $acl.AddAccessRule($ace5engineer)
        $acl.AddAccessRule($ace6engineer)
        $acl.AddAccessRule($ace7engineer)
        $acl.AddAccessRule($ace8engineer)
        set-acl -aclobject $acl -Path $currentdesktopou
        $Confirmation = "Computer objects delegation on $currentdesktopou for $country was successful."
        Write-Host $Confirmation -ForegroundColor Green}}
    3 {foreach ($currentgroupou in $activegroupou){
        $acl = get-acl $currentgroupou
        $ace1ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["group"]
        $ace2ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"DeleteChild","Allow",$guidmap["group"]
        $ace3ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["group"]
        $ace4ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["group"]
        $ace5ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["group"]
        $ace6ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["groupType"],"Descendents",$guidmap["group"]
        $ace7ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["member"],"Descendents",$guidmap["group"]
        $ace8ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["group"]
        $ace9ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["group"]
        $ace10ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["group"]
        $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["group"]
        $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["group"]
        $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["group"]
        $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["group"]
        $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["group"]
        $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["groupType"],"Descendents",$guidmap["group"]
        $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["member"],"Descendents",$guidmap["group"]
        $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["group"]
        $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["group"]
        $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["group"]
        $acl.AddAccessRule($ace1ad)
        $acl.AddAccessRule($ace2ad)
        $acl.AddAccessRule($ace3ad)
        $acl.AddAccessRule($ace4ad)
        $acl.AddAccessRule($ace5ad)
        $acl.AddAccessRule($ace6ad)
        $acl.AddAccessRule($ace7ad)
        $acl.AddAccessRule($ace8ad)
        $acl.AddAccessRule($ace9ad)
        $acl.AddAccessRule($ace10ad)
        $acl.AddAccessRule($ace1engineer)
        $acl.AddAccessRule($ace2engineer)
        $acl.AddAccessRule($ace3engineer)
        $acl.AddAccessRule($ace4engineer)
        $acl.AddAccessRule($ace5engineer)
        $acl.AddAccessRule($ace6engineer)
        $acl.AddAccessRule($ace7engineer)
        $acl.AddAccessRule($ace8engineer)
        $acl.AddAccessRule($ace9engineer)
        $acl.AddAccessRule($ace10engineer)
        set-acl -aclobject $acl -Path $currentgroupou
        $Confirmation = "Group objects delegation on $currentgroupou for $country was successful."
        Write-Host $Confirmation -ForegroundColor Green}}
    4 {foreach ($currentserviceou in $activeserviceou){
        $acl = get-acl $currentserviceou
        $ace1ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["user"]
        $ace2ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]
        $ace3ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]
        $ace4ad = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["user"]
        $ace5ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"]
        $ace6ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"]
        $ace7ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"]
        $ace8ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]
        $ace9ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace10ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace11ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"]
        $ace12ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"]
        $ace13ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"]
        $ace14ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"]
        $ace15ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"]
        $ace16ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"]
        $ace17ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"]
        $ace18ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"]
        $ace19ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"]
        $ace20ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"]
        $ace21ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"]
        $ace22ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"]
        $ace23ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"]
        $ace24ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"]
        $ace25ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"]
        $ace26ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"]
        $ace27ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"]
        $ace28ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]
        $ace29ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"]
        $ace30ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"]
        $ace31ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"]
        $ace32ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"]
        $ace33ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"]
        $ace34ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"]
        $ace35ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"]
        $ace36ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"]
        $ace37ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"]
        $ace38ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"]
        $ace39ad = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"]
        $ace1engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["user"]
        $ace2engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"]
        $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"]
        $ace4engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["user"]
        $ace5engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["user"]
        $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["company"],"Descendents",$guidmap["user"]
        $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["department"],"Descendents",$guidmap["user"]
        $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["description"],"Descendents",$guidmap["user"]
        $ace9engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["displayName"],"Descendents",$guidmap["user"]
        $ace10engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["facsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace11engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherFacsimileTelephoneNumber"],"Descendents",$guidmap["user"]
        $ace12engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["givenName"],"Descendents",$guidmap["user"]
        $ace13engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDrive"],"Descendents",$guidmap["user"]
        $ace14engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homeDirectory"],"Descendents",$guidmap["user"]
        $ace15engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["homePhone"],"Descendents",$guidmap["user"]
        $ace16engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherHomePhone"],"Descendents",$guidmap["user"]
        $ace17engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["initials"],"Descendents",$guidmap["user"]
        $ace18engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["title"],"Descendents",$guidmap["user"]
        $ace19engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userPrincipalName"],"Descendents",$guidmap["user"]
        $ace20engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sAMAccountName"],"Descendents",$guidmap["user"]
        $ace21engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["manager"],"Descendents",$guidmap["user"]
        $ace22engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["mobile"],"Descendents",$guidmap["user"]
        $ace23engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherMobile"],"Descendents",$guidmap["user"]
        $ace24engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["cn"],"Descendents",$guidmap["user"]
        $ace25engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["name"],"Descendents",$guidmap["user"]
        $ace26engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["info"],"Descendents",$guidmap["user"]
        $ace27engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["otherTelephone"],"Descendents",$guidmap["user"]
        $ace28engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postOfficeBox"],"Descendents",$guidmap["user"]
        $ace29engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"]
        $ace30engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["streetAddress"],"Descendents",$guidmap["user"]
        $ace31engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["telephoneNumber"],"Descendents",$guidmap["user"]
        $ace32engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["thumbnailPhoto"],"Descendents",$guidmap["user"]
        $ace33engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["wWWHomePage"],"Descendents",$guidmap["user"]
        $ace34engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["postalCode"],"Descendents",$guidmap["user"]
        $ace35engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["sn"],"Descendents",$guidmap["user"]
        $ace36engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["st"],"Descendents",$guidmap["user"]
        $ace37engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["c"],"Descendents",$guidmap["user"]
        $ace38engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["l"],"Descendents",$guidmap["user"]
        $ace39engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["physicalDeliveryOfficeName"],"Descendents",$guidmap["user"]
        $ace40engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"WriteProperty","Allow",$guidmap["userAccountControl"],"Descendents",$guidmap["user"]
        $acl.AddAccessRule($ace1ad)
        $acl.AddAccessRule($ace2ad)
        $acl.AddAccessRule($ace3ad)
        $acl.AddAccessRule($ace4ad)
        $acl.AddAccessRule($ace5ad)
        $acl.AddAccessRule($ace6ad)
        $acl.AddAccessRule($ace7ad)
        $acl.AddAccessRule($ace8ad)
        $acl.AddAccessRule($ace9ad)
        $acl.AddAccessRule($ace10ad)
        $acl.AddAccessRule($ace11ad)
        $acl.AddAccessRule($ace12ad)
        $acl.AddAccessRule($ace13ad)
        $acl.AddAccessRule($ace14ad)
        $acl.AddAccessRule($ace15ad)
        $acl.AddAccessRule($ace16ad)
        $acl.AddAccessRule($ace17ad)
        $acl.AddAccessRule($ace18ad)
        $acl.AddAccessRule($ace19ad)
        $acl.AddAccessRule($ace20ad)
        $acl.AddAccessRule($ace21ad)
        $acl.AddAccessRule($ace22ad)
        $acl.AddAccessRule($ace23ad)
        $acl.AddAccessRule($ace24ad)
        $acl.AddAccessRule($ace25ad)
        $acl.AddAccessRule($ace26ad)
        $acl.AddAccessRule($ace27ad)
        $acl.AddAccessRule($ace28ad)
        $acl.AddAccessRule($ace29ad)
        $acl.AddAccessRule($ace30ad)
        $acl.AddAccessRule($ace31ad)
        $acl.AddAccessRule($ace32ad)
        $acl.AddAccessRule($ace33ad)
        $acl.AddAccessRule($ace34ad)
        $acl.AddAccessRule($ace35ad)
        $acl.AddAccessRule($ace36ad)
        $acl.AddAccessRule($ace37ad)
        $acl.AddAccessRule($ace38ad)
        $acl.AddAccessRule($ace39ad)
        $acl.AddAccessRule($ace1engineer)
        $acl.AddAccessRule($ace2engineer)
        $acl.AddAccessRule($ace3engineer)
        $acl.AddAccessRule($ace4engineer)
        $acl.AddAccessRule($ace5engineer)
        $acl.AddAccessRule($ace6engineer)
        $acl.AddAccessRule($ace7engineer)
        $acl.AddAccessRule($ace8engineer)
        $acl.AddAccessRule($ace9engineer)
        $acl.AddAccessRule($ace10engineer)
        $acl.AddAccessRule($ace11engineer)
        $acl.AddAccessRule($ace12engineer)
        $acl.AddAccessRule($ace13engineer)
        $acl.AddAccessRule($ace14engineer)
        $acl.AddAccessRule($ace15engineer)
        $acl.AddAccessRule($ace16engineer)
        $acl.AddAccessRule($ace17engineer)
        $acl.AddAccessRule($ace18engineer)
        $acl.AddAccessRule($ace19engineer)
        $acl.AddAccessRule($ace20engineer)
        $acl.AddAccessRule($ace21engineer)
        $acl.AddAccessRule($ace22engineer)
        $acl.AddAccessRule($ace23engineer)
        $acl.AddAccessRule($ace24engineer)
        $acl.AddAccessRule($ace25engineer)
        $acl.AddAccessRule($ace26engineer)
        $acl.AddAccessRule($ace27engineer)
        $acl.AddAccessRule($ace28engineer)
        $acl.AddAccessRule($ace29engineer)
        $acl.AddAccessRule($ace30engineer)
        $acl.AddAccessRule($ace31engineer)
        $acl.AddAccessRule($ace32engineer)
        $acl.AddAccessRule($ace33engineer)
        $acl.AddAccessRule($ace34engineer)
        $acl.AddAccessRule($ace35engineer)
        $acl.AddAccessRule($ace36engineer)
        $acl.AddAccessRule($ace37engineer)
        $acl.AddAccessRule($ace38engineer)
        $acl.AddAccessRule($ace39engineer)
        $acl.AddAccessRule($ace40engineer)
        set-acl -aclobject $acl -Path $currentserviceou
        $Confirmation = "User objects (Services Accounts) delegation on $currentserviceou for $country was successful."
        Write-Host $Confirmation -ForegroundColor Green}}
    5 {foreach ($currentserversou in $activeserverou){
        $acl = get-acl $currentserversou
        $ace1server = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"CreateChild","Allow",$guidmap["computer"]
        $ace2server = new-object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"DeleteChild","Allow",$guidmap["computer"]
        $ace3server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ReadProperty","Allow","Descendents",$guidmap["computer"]
        $ace4server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"WriteProperty","Allow","Descendents",$guidmap["computer"]
        $ace5server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"]
        $ace6server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"]
        $ace7server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]
        $ace8server = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adgroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]
        $ace1engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"CreateChild","Allow",$guidmap["computer"]
        $ace2engineer = new-object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"DeleteChild","Allow",$guidmap["computer"]
        $ace3engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"]
        $ace4engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ReadProperty","Allow","Descendents",$guidmap["computer"]
        $ace5engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["computer"]
        $ace6engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Account Restrictions"],"Descendents",$guidmap["computer"]
        $ace7engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]
        $ace8engineer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $engineergroup,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]
        $acl.AddAccessRule($ace1server)
        $acl.AddAccessRule($ace2server)
        $acl.AddAccessRule($ace3server)
        $acl.AddAccessRule($ace4server)
        $acl.AddAccessRule($ace5server)
        $acl.AddAccessRule($ace6server)
        $acl.AddAccessRule($ace7server)
        $acl.AddAccessRule($ace8server)
        $acl.AddAccessRule($ace1engineer)
        $acl.AddAccessRule($ace2engineer)
        $acl.AddAccessRule($ace3engineer)
        $acl.AddAccessRule($ace4engineer)
        $acl.AddAccessRule($ace5engineer)
        $acl.AddAccessRule($ace6engineer)
        $acl.AddAccessRule($ace7engineer)
        $acl.AddAccessRule($ace8engineer)
    set-acl -aclobject $acl -Path $currentserversou
    $Confirmation = "Computer objects (Servers) delegation on $currentserversou for $country was successful."
    Write-Host $Confirmation -ForegroundColor Green}}
    default {"You have entered a wrong number. Run the script again"; Exit}}
    do{$answer = Read-Host -Prompt 'Do you want to run delegation script again for another object or country? (y or n)'
        If (($answer -eq "n") -or ($answer -eq "y")){
            $userinput = "correct"}
        else{
            $userinput = "wrong"
            Write-Host @"
You have entered a wrong answer.
Please enter y [YES] or n [NO]
"@
            }
    } while ($userinput -eq "wrong")
$again = $answer}
Summary
PowerShell Active Directory Delegation � Part 2
Article Name
PowerShell Active Directory Delegation � Part 2
Description
PowerShell Active Directory Delegation - Part 2. This series of posts will help you out perform custom Active Directory delegation. Stephanos Constantinou Blog - PowerShell Scripting
Author
Stephanos
Publisher Name
Stephanos Constantinou Blog
Publisher Logo
Stephanos Constantinou Blog

Filed Under: PowerShell Scripts Tagged With: Get-Acl, Get-ADDomain, Get-ADObject, Get-ADOrganizationalUnit, Get-ADRootDSE, Import-Module, New-Object, Read-Host, Set-Acl, Write-Host

Reader Interactions

Trackbacks

  1. PowerShell Active Directory Delegation - Part 2 - How to Code .NET says:
    21/03/2018 at 03:02

    […] on March 19, 2018by admin submitted by /u/SConstantinou [link] [comments] No comments […]

    Reply
  2. PowerShell Active Directory Delegation - Part 1 - Stephanos Constantinou says:
    03/04/2018 at 10:01

    […] PowerShell Active Directory Delegation – Part 2 – Stephanos Constantinou says: 20/03/2018 at 16:36 […]

    Reply
  3. PowerShell Active Directory Delegation - Part 3 - Stephanos Constantinou says:
    12/04/2018 at 17:06

    […] PowerShell Active Directory Delegation – Part 2 […]

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Footer

Recent Posts

  • ICS Cube Product Review 26/04/2019
  • PowerShell Module SysInfo v1.2.0 15/03/2019
  • PowerShell Module SysInfo v1.1.2 13/11/2018
  • PowerShell Module SysInfo 24/10/2018
  • Get-VoltageProbe 24/10/2018
  • Get-VideoController 24/10/2018
  • Get-USBController 24/10/2018
  • Get-TrackPoint 24/10/2018
  • Get-TrackBall 24/10/2018
  • Get-TouchScreen 24/10/2018
Planet PowerShell

Categories

  • Modules Cmdlets (57)
  • PowerShell Modules (5)
  • PowerShell Scripts (38)
  • PowerShell Tutorials (35)
  • Software Reviews (2)

Archives

  • April 2019 (1)
  • March 2019 (1)
  • November 2018 (1)
  • October 2018 (56)
  • September 2018 (13)
  • August 2018 (9)
  • July 2018 (6)
  • June 2018 (8)
  • May 2018 (7)
  • April 2018 (9)
  • March 2018 (4)
  • February 2018 (6)
  • January 2018 (12)
  • December 2017 (4)
Top 10 PowerShell 2018

Blogroll

  • Planet PowerShell
  • Reddit – PowerShell
  • PowerShell Magazine
  • PowerShell.org
  • PowerShell Team Blog
  • Hey, Scripting Guy! Blog
  • Mike F Robbins
  • PowerShell Explained with Kevin Marquette
  • Mike Kanakos – Network Admin
  • The Lonely Administrator
  • AskME4Tech
PowerShell Blogs Sysadmin Blogs Banners for Top 20 Programming Blogs

© 2022 · Stephanos Constantinou Blog

  • Home
  • Blogs
  • About
  • Contact