Friday, May 27, 2022

Assigning proper permissions to a service account so it can join machines to the domain with PowerShell

1. Service account creation:

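# 1. Create the domain-join service account.
#    The password is read as a SecureString at run time instead of being written
#    into the script, so it does not end up in source control, shell history or
#    transcript logs.
$svcPassword = Read-Host -Prompt 'Password for svc-YLEU-domain' -AsSecureString

$newUserParams = @{
    Name                 = 'svc-YLEU-domain'
    AccountPassword      = $svcPassword
    Enabled              = $true
    # An automation account cannot answer an expiry prompt; this flag only makes
    # sense together with password rotation handled outside this script.
    PasswordNeverExpires = $true
    CannotChangePassword = $true
    Path                 = 'OU=Service Accounts,OU=Users,DC=contoso,DC=local'
    Description          = 'Service Account for automatic join of new machines to domain using terraform or other automation languages'
    UserPrincipalName    = 'svc-YLEU-domain@contoso.local'
    Manager              = 'vagrant'
}
New-ADUser @newUserParams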


2.  Assign proper permissions to OU:



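# 2. Grant the service account the rights needed to create and re-join computer
#    objects under $Path.
#    NOTE: $Path is the default Computers *container* (CN=Computers), not an OU.
#    Every ACE below is inherited by all computer objects beneath it, including
#    ones this account did not create (DeleteChild and Reset Password in
#    particular apply to all of them). Point $Path at a dedicated OU to keep the
#    scope as small as possible.

# Well-known schema and rights GUIDs. The Computer class GUID is verified by the
# schemaIDGUID lookup at the end of this post; re-check the others the same way
# if the forest schema has been customised.
$computerClassGuid           = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer object class
$userAccountRestrictionsGuid = [guid]'4c164200-20c0-11d0-a768-00aa006e0529' # User-Account-Restrictions property set (userAccountControl and related attributes)
$validatedSpnGuid            = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write: servicePrincipalName
$validatedDnsHostNameGuid    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write: dNSHostName
$resetPasswordGuid           = [guid]'00299570-246d-11d0-a768-00aa006e0529' # Extended right: Reset Password

# byte[] form of the Computer class GUID, kept under its original name for the
# schema check further down.
$RawGuid = $computerClassGuid.ToByteArray()

$Path = [ADSI]"LDAP://CN=Computers,DC=contoso,DC=local"
$ntaccount = New-Object System.Security.Principal.NTAccount("contoso\svc-YLEU-domain")
$IdentityReference = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])

# Builds one Allow ACE for the service account and queues it on $Path's
# security descriptor. Nothing is written until CommitChanges() below.
# Inheritance "Descendents" already implies InheritOnly propagation, so no
# separate PropagationFlags value is needed.
#   -Rights              ActiveDirectoryRights value, e.g. CreateChild
#   -ObjectType          class, property set or right the ACE applies to
#   -Inheritance         ActiveDirectorySecurityInheritance value (All / Descendents)
#   -InheritedObjectType object class that inherits the ACE; Guid::Empty = any
function Add-SvcAce {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][guid]$ObjectType,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $IdentityReference, $Rights, 'Allow', $ObjectType, $Inheritance, $InheritedObjectType
    $Path.psbase.ObjectSecurity.AddAccessRule($ace)
}

# Create and delete computer objects in the container and everything beneath it.
Add-SvcAce -Rights CreateChild -ObjectType $computerClassGuid -Inheritance All
Add-SvcAce -Rights DeleteChild -ObjectType $computerClassGuid -Inheritance All

# Read/write the account-restriction attributes of inherited computer objects,
# needed to enable or re-join an account that already exists.
Add-SvcAce -Rights ReadProperty  -ObjectType $userAccountRestrictionsGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAce -Rights WriteProperty -ObjectType $userAccountRestrictionsGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid

# Validated writes to the joining machine's own SPNs and DNS host name.
Add-SvcAce -Rights Self -ObjectType $validatedSpnGuid         -Inheritance Descendents -InheritedObjectType $computerClassGuid
Add-SvcAce -Rights Self -ObjectType $validatedDnsHostNameGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid

# Reset the machine account password when an existing object is re-joined.
Add-SvcAce -Rights ExtendedRight -ObjectType $resetPasswordGuid -Inheritance Descendents -InheritedObjectType $computerClassGuid

# Write all queued ACEs to the directory in one operation.
$Path.psbase.CommitChanges()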

# Verify the result: list every access rule on the container that names the
# service account.
$containerAcl = Get-Acl -Path 'ad:\CN=Computers,DC=contoso,DC=local'
$containerAcl.Access | Where-Object IdentityReference -eq 'contoso\svc-YLEU-domain'

# Optional: confirm that the ObjectType GUID used above is the Computer class in
# this forest's schema (uncomment to run).
#$RawGuid = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').ToByteArray()
#Get-ADObject -Filter { schemaIDGUID -eq $RawGuid } -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties schemaIDGUID |
#    Select-Object Name, @{ Name = 'schemaIDGUID'; Expression = { [guid]$_.schemaIDGUID } }
