I am designing a Powershell GUI to set AD delegations on various OUs. For the most part it works, but I found that when trying to remove an ACL entry for modifying user objects the permission would not be removed (see the else statement):
function set-Users-ModifyFullAccess ($s, $acl, $oupath, $act) {
    # userAccountControl attribute - bf967a68-0de6-11d0-a285-00aa003049e2 (noted for reference, not used below)
    # ObjectType:          00000000-0000-0000-0000-000000000000 (no specific property, i.e. the whole object)
    # InheritedObjectType: bf967aba-0de6-11d0-a285-00aa003049e2 (schemaIDGUID of the "user" class)
    # Both branches build the identical rule: $s gets GenericAll on descendant user objects only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $s, "GenericAll", "Allow", `
        ([GUID]("00000000-0000-0000-0000-000000000000")).guid, `
        "Descendents", `
        ([GUID]("bf967aba-0de6-11d0-a285-00aa003049e2")).guid

    if ($act -eq "add") {
        $acl.AddAccessRule($rule)
    } else {
        $acl.RemoveAccessRule($rule)
    }
}
The permission looks like so:
ActiveDirectoryRights : GenericAll
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : domain\Helpdesk
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
I think the issue might be related to ObjectFlags being set to InheritedObjectAceTypePresent as this is the only thing different from other permissions that do get removed successfully.
Note: wasn't sure if I should post in 'Domain Services' or 'Powershell' forum so apologies if I posted in the wrong place.
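Added example, not code from the original post: a pair of helpers that locate the ACE shown above by its full signature (identity, rights, ObjectType, InheritedObjectType, explicit not inherited), attempt the removal, commit with Set-Acl, and re-read the OU so you can see whether the removal actually took effect. It assumes the ActiveDirectory module's AD: drive; the $OuDn and $Identity values are placeholders.

```powershell
# Requires the ActiveDirectory module (provides the AD: PSDrive used by Get-Acl/Set-Acl).
Import-Module ActiveDirectory

function Find-UserGenericAllAce {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'domain\Helpdesk' (placeholder)
    )
    $userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
    # Explicit ACEs only ($false for inherited), resolved to NTAccount names for comparison.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [Guid]::Empty -and            # no property restriction
        $_.InheritedObjectType -eq $userClassGuid -and  # applies to user objects
        -not $_.IsInherited
    }
}

function Remove-UserGenericAllAce {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # e.g. 'OU=Staff,DC=domain,DC=local' (placeholder)
        [Parameter(Mandatory)][string]$Identity
    )
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $before = @(Find-UserGenericAllAce -Acl $acl -Identity $Identity)
    if ($before.Count -eq 0) {
        Write-Warning "No matching explicit ACE for $Identity on $OuDn; nothing to remove."
        return
    }
    # Remove the rule objects actually present in the ACL; RemoveAccessRule returns $false
    # when nothing in the ACL matched the rule passed in.
    foreach ($ace in $before) {
        $removed = $acl.RemoveAccessRule($ace)
        Write-Verbose "RemoveAccessRule returned $removed for $($ace.IdentityReference)"
    }
    # Nothing reaches the directory until the modified security descriptor is written back.
    Set-Acl -Path $path -AclObject $acl
    $after = @(Find-UserGenericAllAce -Acl (Get-Acl -Path $path) -Identity $Identity)
    [pscustomobject]@{ OU = $OuDn; Identity = $Identity; Before = $before.Count; After = $after.Count }
}

# Usage (placeholders): Remove-UserGenericAllAce -OuDn 'OU=Staff,DC=domain,DC=local' -Identity 'domain\Helpdesk' -Verbose
```

A non-zero After count means the ACE is still on the OU, which separates a removal that never matched from one that matched but was never committed.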