Bulk change specific permissions for users
A friend of mine recently had problems regarding uploading certificates to GAL. As a matter of fact the users were unable to upload certificates when they choose "Publish To GAL". In this case the most errors you get is "Microsoft office Outlook was unable to publish your certificates. The server may be offline or your certificates may be invalid".
He was pretty much sure that the server is available, so we decided to re-check the security permissions for user objects and we found the problem.
In order to allow the users to successfully upload the certificates to GAL, you need to add SELF permission to the user objects. To be more precise these SELF permissions are needed for a successful upload:
- Read Personal Information
- Write Personal Information
- Read Phone and Mail Options
- Write Phone and Mail Options
- Read Web Information
- Write Web Information
So we decided to change the permissions on all the users (approximately 500) and re-check the problem. The script below will add the required permissions in order to have a successful upload of certificates to GAL.
Get-ADUser -Filter * -SearchBase "ou=Users,dc=Contoso,dc=Com" | % {Invoke-Expression -Command:('dsacls "{0}" /G SELF:GRGE' -f $_.Distinguishedname)}
Running the commands above in PowerShell with Active Directory module installed, the problem was gone.