I'm trying to copy a list of non-inherited permissions applied to an OU to a different OU, located in the same domain as the first one.
>$perms=Get-ADPermission "ou=test,ou=global,dc=fabrikam,dc=com" | ? { -not $_.IsInherited }
>$perms | % { Add-ADPermission "ou=test2,ou=global,dc=fabrikam,dc=com" -user $_.User -accessrights $_.AccessRights -properties $_.Properties -extendedRights $_.ExtendedRights }
The following error is thrown for each permission entry:
Active Directory operation failed on DC.fabrikam.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 8B2031D5,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Now, this has been tackled before (http://social.technet.microsoft.com/Forums/en/exchange2010/thread/ff0f78c8-4518-4c3d-b67d-e1da10923bc9), but it's rather complicated to do for each object whose permission might need to be copied - maybe querying USNs, but I'm not seeing this going too far.
Is there a way to copy the permissions in an automated fashion, using PowerShell?
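
An added example, not part of the original post: a variant of the loop above that passes Add-ADPermission only the fields each entry actually has, carries over the Deny flag and inheritance settings, and records the outcome per entry so the rejected ones can be identified. It assumes the Exchange Management Shell and the OU names from the post; the $DryRun variable and the result columns are names chosen for this example. It does not change which rights the running account holds.

```powershell
# Added example; OU names are the ones used in the post.
$source = "ou=test,ou=global,dc=fabrikam,dc=com"
$target = "ou=test2,ou=global,dc=fabrikam,dc=com"
$DryRun = $true   # assumption: start with -WhatIf, set to $false to write

# Explicit (non-inherited) entries only, as in the post.
$perms = Get-ADPermission -Identity $source | Where-Object { -not $_.IsInherited }

$results = foreach ($p in $perms) {
    # Build the arguments per entry so empty fields are not passed as $null.
    $params = @{ Identity = $target; User = $p.User }
    if ($p.AccessRights)        { $params.AccessRights        = $p.AccessRights }
    if ($p.ExtendedRights)      { $params.ExtendedRights      = $p.ExtendedRights }
    if ($p.Properties)          { $params.Properties          = $p.Properties }
    if ($p.ChildObjectTypes)    { $params.ChildObjectTypes    = $p.ChildObjectTypes }
    if ($p.InheritedObjectType) { $params.InheritedObjectType = $p.InheritedObjectType }
    # Compare against $null: an inheritance type of None is a valid value.
    if ($null -ne $p.InheritanceType) { $params.InheritanceType = $p.InheritanceType }
    if ($p.Deny)                { $params.Deny = $true }

    $status = "OK"
    try {
        # With -WhatIf nothing is written, so directory errors only
        # show up once $DryRun is $false.
        Add-ADPermission @params -WhatIf:$DryRun -ErrorAction Stop | Out-Null
    }
    catch {
        $status = $_.Exception.Message
    }

    # One row per source entry: who, what, and whether the copy succeeded.
    New-Object PSObject -Property @{
        User           = $p.User
        Deny           = $p.Deny
        AccessRights   = ($p.AccessRights -join ",")
        ExtendedRights = ($p.ExtendedRights -join ",")
        Status         = $status
    }
}

# Entries the directory rejected, with the error text for each.
$results | Where-Object { $_.Status -ne "OK" } |
    Format-Table User, Deny, AccessRights, ExtendedRights, Status -AutoSize -Wrap
```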