Bulk change specific permissions for users

A friend of mine recently had problems uploading certificates to the Global Address List (GAL). Users were unable to upload their certificates when they chose "Publish To GAL". In this case the error you most often get is "Microsoft office Outlook was unable to publish your certificates. The server may be offline or your certificates may be invalid".

He was fairly sure that the server was available, so we decided to re-check the security permissions on the user objects, and there we found the problem.

To allow users to upload their certificates to the GAL successfully, you need to add SELF permissions to the user objects. To be more precise, these SELF permissions are needed for a successful upload:

  • Read Personal Information
  • Write Personal Information
  • Read Phone and Mail Options
  • Write Phone and Mail Options
  • Read Web Information
  • Write Web Information

So we decided to change the permissions on all the users (approximately 500) and re-check the problem. The script below will add the required permissions in order to have a successful upload of certificates to GAL.


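# For each user in the OU, call dsacls directly (Invoke-Expression is not needed) to grant SELF the GR (generic read) and GE (generic execute) rights
Get-ADUser -Filter * -SearchBase "ou=Users,dc=Contoso,dc=Com" | ForEach-Object { dsacls $_.DistinguishedName /G "SELF:GRGE" }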

After running the command above in PowerShell with the Active Directory module installed, the problem was gone.
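
To see which accounts actually lack the six SELF permissions listed above, before or after changing ACLs in bulk, a read-only audit like the following can be run; it is an added example, not part of the original post. It assumes the well-known rightsGuid values of the three property sets and the same example OU as the post's command, evaluates only Allow ACEs (Deny ACEs are not considered), and the function name Get-MissingSelfRight is hypothetical.

```powershell
# Added example: read-only audit; nothing in the directory is modified.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three property sets named in the post.
$propertySets = [ordered]@{
    'Personal Information'   = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
    'Phone and Mail Options' = [guid]'e45795b2-9455-11d1-aebd-0000f80367c1'
    'Web Information'        = [guid]'e45795b3-9455-11d1-aebd-0000f80367c1'
}
$selfSid     = 'S-1-5-10'   # NT AUTHORITY\SELF
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$readProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$writeProp   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Hypothetical helper: returns the names of the SELF permissions that are absent.
function Get-MissingSelfRight {
    param([System.DirectoryServices.ActiveDirectorySecurity]$SecurityDescriptor)

    # Explicit and inherited Allow ACEs for SELF that apply to this object itself.
    $allow = $SecurityDescriptor.GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.IdentityReference.Value -eq $selfSid -and
            $_.AccessControlType -eq 'Allow' -and
            -not ([int]$_.PropagationFlags -band $inheritOnly)
        }
    foreach ($name in $propertySets.Keys) {
        $granted = 0
        foreach ($ace in $allow) {
            # An empty ObjectType means the ACE covers every property.
            if ($ace.ObjectType -eq $propertySets[$name] -or $ace.ObjectType -eq [guid]::Empty) {
                $granted = $granted -bor [int]$ace.ActiveDirectoryRights
            }
        }
        if (-not ($granted -band $readProp))  { "Read $name" }
        if (-not ($granted -band $writeProp)) { "Write $name" }
    }
}

# Same example OU as the post's command; list only users with something missing.
Get-ADUser -Filter * -SearchBase 'ou=Users,dc=Contoso,dc=Com' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $missing = @(Get-MissingSelfRight -SecurityDescriptor $_.nTSecurityDescriptor)
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ User = $_.DistinguishedName; Missing = $missing -join '; ' }
        }
    }
```

An empty result means every user under the OU already has all six permissions for SELF; ACEs that grant a single attribute inside a property set are not counted as covering the set.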
