Bulk change specific permissions for users

He was pretty sure that the server was available, so we decided to re-check the security permissions on the user objects, and we found the problem.

To allow users to upload their certificates to the GAL successfully, you need to add SELF permissions to the user objects. To be more precise, these SELF permissions are needed for a successful upload:

  • Read Personal Information
  • Write Personal Information
  • Read Phone and Mail Options
  • Write Phone and Mail Options
  • Read Web Information
  • Write Web Information

So we decided to change the permissions on all the users (approximately 500) and re-check the problem. The script below will add the required permissions in order to have a successful upload of certificates to GAL.

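Import-Module ActiveDirectory
# Grant SELF generic read (GR) and generic execute (GE) on every user object under the OU.
# dsacls is called directly: a command string built for Invoke-Expression breaks on quotes in a DN.
Get-ADUser -Filter * -SearchBase "ou=Users,dc=Contoso,dc=Com" | ForEach-Object { dsacls $_.DistinguishedName /G "SELF:GRGE" }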

After running the commands above in PowerShell with the Active Directory module installed, the problem was gone.
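
The six permissions listed above correspond to three property sets on the user object. As an added example (not part of the original post), this read-only audit lists the users under the same OU whose SELF entry lacks read or write on any of them, so the ACLs can be checked before and after a bulk change. The helper name is hypothetical and the property-set GUIDs should be confirmed against your own forest.

```powershell
# Added example: read-only audit, modifies nothing. Needs the ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Property sets behind the six listed permissions. The GUIDs are the rightsGuid
# values of the matching objects under CN=Extended-Rights; confirm them in your forest.
$propertySets = [ordered]@{
    'Personal Information'   = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
    'Phone and Mail Options' = [guid]'e45795b2-9455-11d1-aebd-0000f80367c1'
    'Web Information'        = [guid]'e45795b3-9455-11d1-aebd-0000f80367c1'
}
$selfSid     = 'S-1-5-10'   # well-known SID of SELF, independent of OS language
$needed      = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: does SELF hold read and write on one property set?
# Only Allow ACEs are summed; Deny ACEs are not evaluated here.
function Test-SelfPropertySetAccess {
    param($SecurityDescriptor, [guid]$PropertySet)
    $granted = 0
    $rules = $SecurityDescriptor.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $selfSid) { continue }
        # Inherit-only ACEs apply to child objects, not to the user itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # An all-zero ObjectType means the ACE covers every property.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $PropertySet) { continue }
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
    ($granted -band $needed) -eq $needed
}

Get-ADUser -Filter * -SearchBase 'ou=Users,dc=Contoso,dc=Com' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        $missing = @($propertySets.Keys | Where-Object {
            -not (Test-SelfPropertySetAccess $sd $propertySets[$_])
        })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ User = $_.SamAccountName; Missing = $missing -join '; ' }
        }
    } | Sort-Object User | Format-Table -AutoSize
```

An empty result means every user in the OU already has SELF read and write on all three property sets.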