Use Quest to set permissions on object attributes in AD

Normally, to set permissions on attributes, I have to use ADSIedit to navigate to that object, go through all the security tabs, scroll down a long list, and put a checkmark next to read/write. This can take a few minutes and is cumbersome.

Here is how to set these permissions using PowerShell.

Load Quest’s snap-in:

Add-PSSnapin Quest.ActiveRoles.ADManagement;

Use Add-QADPermission (there is no Set-QADPermission).

An example for one user:

Get-QADUser domain\username | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'extensionAttributeExample' -ApplyTo 'ThisObjectOnly'

If you want that to run against all users, just remove the username (domain\username) from the Get-QADUser call.

Or if you want to set this permission on child objects (recursive) of type user in an OU:

Get-QADObject Employees -Type organizationalUnit | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'extensionAttributeExample' -ApplyToType 'user' -ApplyTo 'ChildObjects'
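To confirm the delegation actually landed, and to avoid stacking duplicate entries on repeat runs, the OU command can be wrapped in a check-then-verify script. This is an added example, not part of the original post; it reuses the post's 'Employees' OU and 'extensionAttributeExample' attribute and assumes the Get-QADPermission and Remove-QADPermission cmdlets from the same Quest snap-in (confirm the parameters with Get-Help in your installed version).

```powershell
# Added example (not from the original post): apply the OU-level permission
# once, then verify that a user under the OU really inherits it.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$ouName    = 'Employees'                  # OU name used in the post
$attribute = 'extensionAttributeExample'  # attribute name used in the post
$rights    = 'ReadProperty,WriteProperty'

$ou = Get-QADObject $ouName -Type organizationalUnit
if (-not $ou) { throw "OU '$ouName' not found" }
if (@($ou).Count -gt 1) { throw "More than one OU matches '$ouName'; use the DN instead" }

# Explicit entries for SELF on this attribute that are already set on the OU.
# Without -Inherited, only entries set directly on the object are returned.
$existing = $ou | Get-QADPermission -Account 'SELF' -Property $attribute

if ($existing) {
    Write-Host "SELF already has an entry for $attribute on $($ou.DN); not adding another."
} else {
    $ou | Add-QADPermission -Account 'SELF' -Rights $rights -Property $attribute `
        -ApplyToType 'user' -ApplyTo 'ChildObjects'
}

# Pick one user below the OU and list what it inherits for SELF on the attribute.
$sample = Get-QADUser -SearchRoot $ou.DN -SizeLimit 1
if ($sample) {
    $inherited = $sample | Get-QADPermission -Account 'SELF' -Property $attribute -Inherited
    if ($inherited) {
        $inherited | Format-List *
    } else {
        Write-Warning "No SELF entry for $attribute visible on $($sample.DN); check whether inheritance is blocked."
    }
} else {
    Write-Warning "No user objects found under $($ou.DN) to verify against."
}

# Rollback: remove the explicit entries from the OU again.
# $ou | Get-QADPermission -Account 'SELF' -Property $attribute | Remove-QADPermission
```

Objects with inheritance disabled will not pick up the OU-level entry, so the verification step is worth running against any accounts you know are protected that way.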
