I would like to create a user on Windows Server 2022, without admin rights, who can modify the membership of the administrator groups. I have given this user full control over these groups with a PowerShell script, but after a while Windows automatically removes my user from there. Is there a way to stay there permanently?
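# Creates a "creator" account and grants it GenericAll (full control) over
# BUILTIN\Administrators, the protected domain groups (RIDs 512/518/519/520)
# and a new "MyDomain" OU.
#
# NOTE(review): the ACEs written on the protected groups will not persist, and
# that is by design. Those groups (and their members) are covered by
# AdminSDHolder; the SDProp task on the PDC emulator periodically (every
# 60 minutes by default) re-stamps their security descriptors from
# AdminSDHolder, which is the "automatic removal" seen here. A principal that
# holds GenericAll over Domain Admins can add itself to that group at will, so
# for risk purposes "creator" IS a domain administrator regardless of which
# groups it sits in. Treat it as a Tier-0 account (unique strong password,
# monitored, minimal exposure) or reconsider the requirement.

# Placeholder password; prefer Read-Host -AsSecureString so the value never
# sits in the script file or shell history.
$PWord = ConvertTo-SecureString -String "# ... #" -AsPlainText -Force

$userName = "creator"
# PasswordNeverExpires on an account with this much reach is a risk in itself;
# the setting is kept from the original so behaviour is unchanged.
New-ADUser -Name $userName -SamAccountName $userName -UserPrincipalName $userName `
    -DisplayName $userName -Enabled $true -AccountPassword $PWord `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# S-1-5-32-548 is BUILTIN\Account Operators, itself an AdminSDHolder-protected
# group; S-1-5-32-580 is Remote Management Users, which pairs with the
# Enable-PSRemoting call below.
Add-ADGroupMember -Identity "S-1-5-32-548" -Members $userName
Add-ADGroupMember -Identity "S-1-5-32-580" -Members $userName

New-ADOrganizationalUnit -Name "MyDomain"
Enable-PSRemoting -Force

# DomainSID is already a SecurityIdentifier; read its string form directly
# instead of round-tripping through Format-Table/Out-String, which formats the
# value for display and can wrap or truncate it.
$domainSid = (Get-ADDomain -Server 127.0.0.1).DomainSID.Value
$groups = @(
    "S-1-5-32-544",      # BUILTIN\Administrators
    "$domainSid-512",    # Domain Admins
    "$domainSid-518",    # Schema Admins
    "$domainSid-519",    # Enterprise Admins
    "$domainSid-520"     # Group Policy Creator Owners
)

# One ACE, reused for every target: Allow GenericAll to "creator".
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$account = New-Object System.Security.Principal.NTAccount($userName)
$ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $rights, $allow)

foreach ($group in $groups) {
    # Resolve the DN once per group (the original queried Get-ADGroup twice
    # per iteration, for Get-Acl and again for Set-Acl).
    $dn  = (Get-ADGroup -Identity $group).DistinguishedName
    $acl = Get-Acl -Path "AD:$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:$dn" -AclObject $acl
}

# The OU is an ordinary container, not covered by AdminSDHolder.
$ouDn  = (Get-ADOrganizationalUnit -Filter { Name -eq 'MyDomain' }).DistinguishedName
$ouAcl = Get-Acl -Path "AD:$ouDn"
$ouAcl.AddAccessRule($ace)
Set-Acl -Path "AD:$ouDn" -AclObject $ouAcl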
