Granting Access to Specops Authentication Enrollment Data In Active Directory
Enrollment data in AD is locked down with a default permission set that should be sufficient for all Specops Authentication products to function. Use the instructions provided here only on guidance from Specops Support staff.
The following PowerShell command grants a group full access (GA) to all SpecopsAuthentication leaf objects in Active Directory. It requires the ActiveDirectory PowerShell module provided by Microsoft. Replace <DOMAIN>\<GROUP_NAME> with the group that should receive access:
Get-ADObject -Filter { name -eq "SpecopsAuthentication" -and objectClass -eq "ClassStore" } | ForEach-Object { Write-Host $_.DistinguishedName; dsacls $_.DistinguishedName /G "<DOMAIN>\<GROUP_NAME>:GA" }
For example, to grant the Specops Authentication Gatekeepers group access to all leaf objects in the domain:
Get-ADObject -Filter { name -eq "SpecopsAuthentication" -and objectClass -eq "ClassStore" } | ForEach-Object { Write-Host $_.DistinguishedName; dsacls $_.DistinguishedName /G "DEMO\Specops Authentication Gatekeepers:GA" }
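To confirm what the grant changed, the ACLs on the same objects can be read back. The following is an added example, not a Specops-provided script: it reuses the filter above and lists every Allow entry carrying full control, and the function name Get-SpecopsAuthFullControl and its -Trustee parameter are hypothetical names chosen for illustration.

```powershell
# Added example (not from Specops): report which trustees hold full control
# on SpecopsAuthentication objects. Read-only; it changes no permissions.
Import-Module ActiveDirectory

function Get-SpecopsAuthFullControl {
    [CmdletBinding()]
    param(
        # Optional (hypothetical parameter): limit output to one trustee,
        # e.g. 'DEMO\Specops Authentication Gatekeepers'
        [string]$Trustee
    )

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Same object selection as the grant command on this page
    $objects = Get-ADObject -Filter { name -eq "SpecopsAuthentication" -and objectClass -eq "ClassStore" }

    foreach ($obj in $objects) {
        # The AD: drive is provided by the ActiveDirectory module
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            # Keep only Allow entries whose rights include every GenericAll bit
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $fullControl) -ne $fullControl) { continue }
            if ($Trustee -and $ace.IdentityReference.Value -ne $Trustee) { continue }

            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                Trustee           = $ace.IdentityReference.Value
                Rights            = $ace.ActiveDirectoryRights
                Inherited         = $ace.IsInherited
                AppliesTo         = $ace.InheritanceType
            }
        }
    }
}

# List every full-control entry, grouped by trustee for review
Get-SpecopsAuthFullControl | Sort-Object Trustee, DistinguishedName | Format-Table -AutoSize

# Check a single group after running the grant (group name taken from the example above)
Get-SpecopsAuthFullControl -Trustee 'DEMO\Specops Authentication Gatekeepers'
```

Running it before and after the grant shows exactly which objects gained an entry for the group, and any trustee in the output that is not expected stands out for follow-up.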