A PowerShell script to automate delegation of permissions in Active Directory β based on predefined templates.
This script helps administrators assign permissions in Active Directory in a consistent, transparent, and repeatable way.
Delegation is applied based on predefined templates for various object types such as users, groups, computers, organizational units, Group Policy Objects (GPOs), and more.
- PowerShell version 3.0 or higher
- ActiveDirectory PowerShell module (e.g., via RSAT or AD DS role)
Run this command to display a list of available delegation templates:
Invoke-ADDelegationTemplate -ShowTemplatesInvoke-ADDelegationTemplate -ShowUserTemplates -ShowGroupTemplatesUse this command to assign a delegation template to a specific organizational unit:
Invoke-ADDelegationTemplate `
-AdIdentity "Helpdesk-Team" `
-DelegationOuDN "OU=UsersBerlin,DC=contoso,DC=local" `
-TemplateID 102The script currently includes built-in templates for the following scenarios:
-
User objects
e.g., password reset, edit properties -
Group objects
e.g., manage membership, create/delete groups -
Computer objects
e.g., join domain, reset password -
Organizational Units (OUs)
e.g., manage, create, rename -
inetOrgPerson
Useful for LDAP or schema-based environments -
Group Policy Objects (GPOs)
e.g., link/unlink GPOs, read RSoP -
WMI Filters
Create, delete, assign filters
A helpdesk team should be able to reset user passwords in a specific OU:
Invoke-ADDelegationTemplate `
-AdIdentity "Contoso\Helpdesk-Berlin" `
-DelegationOuDN "OU=UsersBerlin,DC=contoso,DC=local" `
-TemplateID 102Set permission(s) to an Organizational Unit (OU)
Invoke-ADDelegationTemplate -AdIdentity "ThisIsMyAdGroup" -DelegationOuDN "OU=Users,OU=MyStartOU,DC=MyDomain,DC=de" `
-TemplateID 111Set permission(s) to an Organizational Unit (OU) AND Log changes
Invoke-ADDelegationTemplate -AdIdentity "ThisIsMyAdGroup" -DelegationOuDN "OU=Users,OU=MyStartOU,DC=MyDomain,DC=de" `
-TemplateID 111 -LogChanges -LogPath "$env:USERPROFILE\AdOuPermissionChanges.log"Show logged changes
Show-ADDelegationTemplateChanges -LogFilePath "$env:USERPROFILE\AdOuPermissionChanges.log"Show logged changes with format
Show-ADDelegationTemplateChanges -LogFilePath "$env:USERPROFILE\AdOuPermissionChanges.log" -FormatOutputRevert all changes
Show-ADDelegationTemplateChanges -LogFilePath "$env:USERPROFILE\AdOuPermissionChanges.log" | Revert-ADDelegationTemplateRevert specific template changes
$templateChanges = Show-ADDelegationTemplateChanges -LogFilePath "$env:USERPROFILE\AdOuPermissionChanges.log" | Where-Object {$_.TemplateID -eq "111"}
Revert-ADDelegationTemplate -InputObject $templateChangesSuggestions, bug reports, and contributions are welcome! Please open an issue or submit a pull request with a clear explanation of your changes or ideas.
Template source @Microsoft: Appendix O: Active Directory Delegation Wizard File