Export OU DACLs, Modify and Import Question...
Last Post 22 Mar 2011 09:26 PM by todd. 5 Replies.

todd
05 May 2009 05:37 PM
    I want to export and identify the ACLs of a particular OU. (Currently can do this many ways.) What I want to do is then take that exported file, identify the group/user which has the permissions which I want, then grant them to another group and leave everything else intact (the other groups and their permissions).

    Basically this is to identify groups and permissions and then copy them (assign those ACLs to another group) while leaving the original group intact.

    Thanks,
    Todd

    Rob
    06 May 2009 06:01 AM
    I'd start with Quest's AD cmdlets, and extract the ACL as SDDL.  Once you've got that, you can split out the individual ACEs.  This should simplify the process of searching for a particular permission set, and adding permissions becomes a matter of string concatenation.

    todd
    06 May 2009 08:12 AM

    I tried that but it still did not seem like an easy automated way (although I am new to PowerShell). There is a nice way to dump the ACLs and then import, but making changes is more complicated. I'll continue working that path and see if I overlooked something.

    Thanks for your response

    sailingguy
    15 Jun 2009 01:04 PM
    I'm looking for a quick easy way to do exactly what you described above, "export the ACLs of an OU", then re-import them in another environment. Do you have the code to complete this procedure? I'm a newb when it comes to PS. Thx.

    Jai Maharaj
    20 Mar 2011 06:38 PM
    Was anyone able to do this? I am trying to do exactly the same thing and am not able to figure this out. The Quest get-qadpermission and add-qadpermission do this, but for the same user. I would like to do it for a different user but apply the same permissions. Any help will be much appreciated.

    todd
    22 Mar 2011 09:26 PM
    I was able to do this by doing the following:
    1: Do an export via Ldifde
    ldifde -f C:\exportOUsec.ldf -d "OU=ouname,DC=domain,DC=local" -l nTSecurityDescriptor
    2: Modify the exported Ldifde file
    ChangeType from Add to Modify
    Insert Blank Line ABOVE NTSecurity Descriptor AND ADD Replace:NTSecurityDescriptor
    Paste the NTSecurityDescriptor:: to next line

    Sample export Only showing modified lines
    dn: OU=Admins,DC=test,DC=local
    changetype: modify
    Replace:nTSecurityDescriptor
    nTSecurityDescriptor::
    AQAUjKwNAADIDQAAFAAAAIwAAAAEAHgAAgAAAAdSOAAgAAAAAwAAAL47DvPwn9ERtgMAAPgDZ8Glepa/5g3QEaKFAKoAMEniAQEAAAAAAAEAAAAAB1I4ACAAAAADAAAAvzsO8/Cf0RG2AwAA+ANnwaV6lr/m ETC….
    - Hyphen (enter key)
    Space (enter Key)
    Save the file

    3: Import the Ldifde File
    ldifde -i -f pathtofile\filename.ldf

    4: Use SidToObj Tool to dump sids from prior environment
    5: Look at the output of SidToObj and take the sid and match it to the new environment

    *** This seems complicated, especially in a few lines that I outline, but it works great. If you provide a way for me to contact you I would be glad to walk you through it.
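
The SDDL approach suggested earlier in the thread (split the ACL into ACEs and treat them as strings), applied to the question of giving a second trustee the same permissions as an existing one. This is an added example, not code from any poster in the thread; it assumes the OU's SDDL string has already been read, and the function name Copy-SddlAce, the SIDs, the GUID and the SDDL value are constructed for illustration.

```powershell
# Added example. The SDDL string, SIDs and GUID below are constructed sample values.
function Copy-SddlAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$SourceSid,   # trustee whose ACEs are copied
        [Parameter(Mandatory)][string]$TargetSid    # trustee that receives the copies
    )
    # Isolate the DACL: "D:", optional flags (P, AR, AI), then one or more "(...)" ACEs.
    # Conditional ACEs (nested parentheses) are not handled by this pattern.
    $m = [regex]::Match($Sddl, '^(?<pre>.*?D:[A-Z]*)(?<aces>(\([^()]*\))+)(?<post>.*)$')
    if (-not $m.Success) { throw 'No DACL with plain ACEs found in the SDDL string.' }

    $aces = @([regex]::Matches($m.Groups['aces'].Value, '\(([^()]*)\)') |
        ForEach-Object { $_.Groups[1].Value })

    $result = New-Object 'System.Collections.Generic.List[string]'
    foreach ($ace in $aces) {
        $result.Add($ace)
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $ace -split ';'
        if ($f.Count -lt 6 -or $f[5] -cne $SourceSid) { continue }
        # Skip inherited ACEs (flag ID): they belong to the parent, not to this OU.
        if ([regex]::IsMatch($f[1], '^(..)*ID')) { continue }
        $f[5] = $TargetSid
        $copy = $f -join ';'
        # Insert the copy right after its source so deny/allow ordering is preserved,
        # and do not add an ACE the target already has.
        if (($aces -cnotcontains $copy) -and (-not $result.Contains($copy))) { $result.Add($copy) }
    }
    $m.Groups['pre'].Value + (($result | ForEach-Object { "($_)" }) -join '') + $m.Groups['post'].Value
}

$src  = 'S-1-5-21-1111111111-2222222222-3333333333-1104'   # constructed
$dst  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed
$sddl = 'O:DAG:DAD:AI' +
        "(A;CI;RPWPCCDCLCSWRCWDWO;;;$src)" +
        "(OA;CI;RPWP;11111111-2222-3333-4444-555555555555;;$src)" +
        '(A;;RPLCLORC;;;AU)' +
        "(A;CIID;GA;;;$src)" +
        'S:AI(AU;SA;WDWO;;;WD)'

$new = Copy-SddlAce -Sddl $sddl -SourceSid $src -TargetSid $dst

# Review before writing anything back: show only the ACEs that were added.
[regex]::Matches($new, '\([^()]*\)') | ForEach-Object { $_.Value } |
    Where-Object { -not $sddl.Contains($_) }
```

With the sample input, two ACEs are added for the target SID; the inherited (ID) ACE and the SACL are left unchanged.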