How to Clone Active Directory OU Permissions for a Specific Group Using PowerShell

Ilya Fedotov

1/16/2024, 1 min read

This PowerShell script copies the permissions that a specified group holds on a source Organizational Unit (OU) in Active Directory to one or more target OUs. Here is an overview of what it does:

  1. Define Source and Target OUs: It sets the source OU from which permissions will be copied, specifies the group name whose permissions are to be copied, and lists the target OUs where these permissions will be applied.

  2. Logging Setup: The script creates a log file named with the current date to record the actions performed. A function Write-Log is defined for logging purposes.

  3. Get ACL from Source OU: The Access Control List (ACL) of the source OU is retrieved and filtered down to the Access Control Entries (ACEs) whose identity is the specified group. Only explicit (non-inherited) ACEs should be kept: inherited entries come from a parent container and would otherwise be re-created as explicit entries on every target.

  4. Process Each Target OU: For each target OU, the script performs the following steps:

    • Backup Current ACL: Backs up the current ACL of the target OU to an XML file.

    • Get and Modify ACL: Retrieves the current ACL of the target OU, adds each ACE from the source OU's group, and applies the modified ACL back to the target OU.

    • Logging: Each step (backup creation, ACE addition, ACL update) is logged.

    • Optional Verification: Optionally, the script can verify if the ACL has been applied correctly by checking the updated ACL of the target OU.

  5. Final Log Entry: Marks the completion of the script execution.
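The procedure above, written out as a complete script. This is an added example, not the post's own script: the OU distinguished names, the group name and the working directory are placeholder assumptions, and it adds three things a practitioner would want that the overview does not mention: ACEs are matched by the group's SID rather than its display name, ACEs already present on a target are skipped, and the backup includes the ACL's SDDL string, which (unlike a Clixml export) can actually be fed back into Set-Acl for a rollback. It supports -WhatIf and -Verbose through SupportsShouldProcess.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original post's script. Copies the explicit ACEs granted
# to one group on a source OU to several target OUs with backup, logging and an
# optional verification pass. OU DNs and the group name are assumed placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $SourceOU  = 'OU=Template,DC=corp,DC=example',        # assumed
    [string]   $GroupName = 'OU-Delegated-Admins',                    # assumed
    [string[]] $TargetOUs = @('OU=Sales,DC=corp,DC=example',          # assumed
                              'OU=Finance,DC=corp,DC=example'),
    [string]   $WorkDir   = (Join-Path $env:TEMP 'OuAclClone'),
    [switch]   $Verify
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$LogFile = Join-Path $WorkDir ('CloneOuAcl_{0}.log' -f (Get-Date -Format 'yyyyMMdd'))

function Write-Log {
    param([string]$Message, [string]$Level = 'INFO')
    $line = '{0} [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
    Add-Content -Path $LogFile -Value $line
    Write-Verbose $line
}

# Match ACEs by the group's SID rather than its display name, so the comparison
# does not depend on whether the identity renders as DOMAIN\name or as a raw SID.
$groupSid = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SID.Value

function Test-AceBelongsToGroup {
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $groupSid }
    catch { $false }   # an identity that cannot be translated is never our group
}

# Two ACEs are "the same" when rights, allow/deny, object GUIDs and inheritance match.
function Test-AceAlreadyPresent {
    param($Acl, $Ace)
    foreach ($e in $Acl.Access) {
        if ((Test-AceBelongsToGroup $e) -and
            $e.ActiveDirectoryRights -eq $Ace.ActiveDirectoryRights -and
            $e.AccessControlType     -eq $Ace.AccessControlType -and
            $e.ObjectType            -eq $Ace.ObjectType -and
            $e.InheritedObjectType   -eq $Ace.InheritedObjectType -and
            $e.InheritanceType       -eq $Ace.InheritanceType) { return $true }
    }
    $false
}

Write-Log "Start: source='$SourceOU' group='$GroupName' sid=$groupSid targets=$($TargetOUs.Count)"

# Step 3: only explicit ACEs. Inherited ones come from a parent container and would
# be re-created as explicit entries on the target, which is not what "clone" means.
$sourceAces = @((Get-Acl -Path "AD:\$SourceOU").Access |
    Where-Object { -not $_.IsInherited -and (Test-AceBelongsToGroup $_) })
if ($sourceAces.Count -eq 0) {
    Write-Log "No explicit ACEs for '$GroupName' on $SourceOU; nothing to do" 'WARN'
    return
}
Write-Log "Found $($sourceAces.Count) ACE(s) to clone"

foreach ($ou in $TargetOUs) {
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $safe  = $ou -replace '[^A-Za-z0-9]', '_'
    $acl   = Get-Acl -Path "AD:\$ou"

    # Step 4a: backup. The SDDL string is what a rollback needs (SetSecurityDescriptorSddlForm
    # + Set-Acl); the Clixml copy is for inspection only and does not round-trip into Set-Acl.
    $sddlFile = Join-Path $WorkDir "${safe}_$stamp.sddl"
    $acl.Sddl | Set-Content -Path $sddlFile -Encoding UTF8
    $acl | Export-Clixml -Path (Join-Path $WorkDir "${safe}_$stamp.xml")
    Write-Log "[$ou] backup written: $sddlFile"

    # Step 4b: merge the source ACEs into the target ACL, skipping ones already there.
    $added = 0
    foreach ($ace in $sourceAces) {
        if (Test-AceAlreadyPresent $acl $ace) { Write-Log "[$ou] already present: $($ace.ActiveDirectoryRights)"; continue }
        $acl.AddAccessRule($ace)
        $added++
        Write-Log "[$ou] added: $($ace.AccessControlType) $($ace.ActiveDirectoryRights) obj=$($ace.ObjectType) inh=$($ace.InheritanceType)"
    }
    if ($added -eq 0) { Write-Log "[$ou] no changes needed"; continue }

    # Step 4c: write back; -WhatIf on the script reports the change without applying it.
    if ($PSCmdlet.ShouldProcess($ou, "Apply $added ACE(s) for $GroupName")) {
        Set-Acl -Path "AD:\$ou" -AclObject $acl
        Write-Log "[$ou] ACL updated ($added ACE(s) added)"

        # Step 4d: optional verification by re-reading the target and checking each source ACE.
        if ($Verify) {
            $after   = Get-Acl -Path "AD:\$ou"
            $missing = @($sourceAces | Where-Object { -not (Test-AceAlreadyPresent $after $_) })
            if ($missing.Count -eq 0) { Write-Log "[$ou] verified: all $($sourceAces.Count) ACE(s) present" }
            else { Write-Log "[$ou] VERIFY FAILED: $($missing.Count) ACE(s) missing" 'ERROR' }
        }
    }
}
Write-Log 'Done'
```

Run it first with -WhatIf -Verbose from a session that has write access to the target OUs' security descriptors; the log then shows every ACE that would be added without touching the directory. To roll a target back, read its current ACL with Get-Acl on the same AD: path, call SetSecurityDescriptorSddlForm on it with the contents of the saved .sddl file, and write it back with Set-Acl. Note that this restores the whole DACL as it was at backup time, so any unrelated change made in between is undone too.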

This script is useful for administrators who need to replicate a group's delegation across multiple OUs in Active Directory, keeping the OUs consistent and saving the time of setting each ACL by hand. The log records exactly which ACE was added where, and the backup gives a way back if an ACE turns out to be wrong. Because an ACE on an OU delegates control over every object beneath it, review the filtered source ACEs before applying them and do a dry run first.