Knowledge Base

Our dedicated Product Specialist team is always ready to help you when you need it the most. Contact Support

Granting Access to Specops Authentication Enrollment Data In Active Directory

Enrollment data in AD is locked down with a default permission set that should be sufficient for all Specops Authentication products to function. Use the instructions provided here only on guidance from Specops Support staff.

The following PowerShell commands can be used to grant a group full access to all SpecopsAuthentication leaf objects in Active Directory. Please note the ActiveDirectory PowerShell module provided by Microsoft is required:

get-adobject -filter { name -eq "SpecopsAuthentication" -and objectClass -eq "ClassStore" }  | 
  % { write-host $_.distinguishedname; dsacls $_.distinguishedname /G "<DOMAIN>\<GROUP_NAME>:GA" }

For example, to grant the Specops Authentication Gatekeepers group access to all leaf objects in the domain:

get-adobject -filter { name -eq "SpecopsAuthentication" -and objectClass -eq "ClassStore" } |
   % { write-host $_.distinguishedname; dsacls $_.distinguishedname /G "DEMO\Specops Authentication Gatekeepers:GA" }

March 28, 2022

Was this article helpful?

Related Articles