1. Service account creation:
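# Creates the service account that automation (terraform etc.) uses to join new
# machines to the domain. The credential is never written into the script: it is
# taken from $svcPassword when the caller pre-populated it (e.g. from a vault),
# otherwise it is prompted for as a SecureString so it never lands in the file,
# the shell history or the process argument list.
$svcAccountName = 'svc-YLEU-domain'
$svcAccountOu   = 'OU=Service Accounts,OU=Users,DC=contoso,DC=local'

if (-not $svcPassword) {
    $svcPassword = Read-Host -Prompt "Password for $svcAccountName" -AsSecureString
}

$newUserParams = @{
    Name                 = $svcAccountName
    AccountPassword      = $svcPassword
    Enabled              = $true
    # Non-interactive account: a scheduled expiry would silently break every
    # automated join. Rotate the secret deliberately through the rotation process.
    PasswordNeverExpires = $true
    # Only an administrator (or the rotation process) may change this credential.
    CannotChangePassword = $true
    Path                 = $svcAccountOu
    Description          = 'Service Account for automatic join of new machines to domain using terraform or other automation languages'
    UserPrincipalName    = "$svcAccountName@contoso.local"
    Manager              = 'vagrant'
}
New-ADUser @newUserParams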
2. Assign the required permissions on the Computers container:
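# Delegates to the service account the minimum rights needed to join (and re-join)
# computers under CN=Computers. Nothing here grants rights on users, groups or GPOs;
# every ACE is scoped to computer objects via the Computer class GUID.
#
# Well-known AD GUIDs used below:
#   bf967a86-0de6-11d0-a285-00aa003049e2  Computer object class (schemaIDGUID)
#   4c164200-20c0-11d0-a768-00aa006e0529  "Account Restrictions" property set
#   f3a64788-5306-11d1-a9c5-0000f80367c1  Validated write to service principal name
#   72e39547-7b18-11d1-adef-00c04fd8d5cd  Validated write to DNS host name
#   00299570-246d-11d0-a768-00aa006e0529  "Reset Password" extended right
$svcAccount      = 'contoso\svc-YLEU-domain'
$targetContainer = 'LDAP://CN=Computers,DC=contoso,DC=local'

$computerClassGuid       = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$accountRestrictionsGuid = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
$validatedSpnGuid        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$validatedDnsHostGuid    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
$resetPasswordGuid       = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$Path = [ADSI]$targetContainer
$ntaccount = New-Object System.Security.Principal.NTAccount($svcAccount)
# Resolve to a SID once; ACEs are stored by SID, not by name.
$IdentityReference = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])

# Adds one Allow ACE for $IdentityReference to the in-memory ACL of $Path.
# Nothing is written to the directory until CommitChanges() runs below.
#   $Rights              - ActiveDirectoryRights to grant (CreateChild, Self, ...)
#   $ObjectType          - class / property-set / right GUID the ACE is limited to
#   $Inheritance         - All (this container and descendants) or Descendents (children only)
#   $InheritedObjectType - object class the ACE applies to; Empty means any class
function Add-SvcAccessRule {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [guid] $ObjectType,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance,
        [guid] $InheritedObjectType = [guid]::Empty
    )
    # The constructor takes [guid] directly; passing .ToByteArray() relied on implicit coercion.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $IdentityReference,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        $Inheritance,
        $InheritedObjectType
    )
    $Path.psbase.ObjectSecurity.AddAccessRule($rule)
}

# Create computer objects in the container (and any sub-container).
Add-SvcAccessRule -Rights CreateChild -ObjectType $computerClassGuid -Inheritance All
# DeleteChild lets automation remove a stale computer object before a re-join.
# Remove this line if the automation never needs to delete accounts.
Add-SvcAccessRule -Rights DeleteChild -ObjectType $computerClassGuid -Inheritance All

# The remaining ACEs apply only to existing computer objects beneath the container.
Add-SvcAccessRule -Rights ReadProperty  -ObjectType $accountRestrictionsGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAccessRule -Rights WriteProperty -ObjectType $accountRestrictionsGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAccessRule -Rights Self          -ObjectType $validatedSpnGuid        -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAccessRule -Rights Self          -ObjectType $validatedDnsHostGuid    -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAccessRule -Rights ExtendedRight -ObjectType $resetPasswordGuid       -Inheritance Descendents -InheritedObjectType $computerClassGuid

# Single write of the accumulated ACL to the directory.
$Path.psbase.CommitChanges()

#/* Check the results: list every ACE on the container held by the service account.
#   The AD: drive is provided by the ActiveDirectory module, so it must be loaded. */
(Get-Acl "ad:\CN=Computers,DC=contoso,DC=local").Access | Where-Object { $_.IdentityReference -eq $svcAccount }
#/* Optional: confirm the ObjectType GUID above really resolves to the Computer class. */
#$RawGuid = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
##Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID | Select-Object Name,@{Name='schemaIDGUID';Expression={[guid]$_.schemaIDGUID}}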