The ActiveDirectoryAccessRule class represents an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set permissions on Active Directory objects, the relevant class and enumerations are listed below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
System.DirectoryServices.ActiveDirectoryRights enumeration:
System.Security.AccessControl.AccessControlType enumeration:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance enumeration:
In this article, we introduce three ways to get and set the ACEs on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or the Active Directory module cmdlets together with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. For more complex permission settings, we can use extended rights and GUID settings.
Method 1: Using ADSI
1. Get the current permissions of an organizational unit (OU)
We can use the PowerShell script below to get the current permissions of an organizational unit; you only need to define the distinguished name of the OU.
$Name = "OU=xxx,DC=com"                                   # distinguished name of the OU to inspect
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
# Explicit and inherited rules, with identities returned as SIDs
$aclList = $aclObject.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$output = @()
foreach ($acl in $aclList)
{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
    $info = @{
        'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
        'InheritanceType'       = $acl.InheritanceType;
        'ObjectType'            = $acl.ObjectType;             # GUID of the attribute, property set or extended right (empty = all)
        'InheritedObjectType'   = $acl.InheritedObjectType;    # GUID of the child object class the ACE is scoped to (empty = all)
        'ObjectFlags'           = $acl.ObjectFlags;
        'AccessControlType'     = $acl.AccessControlType;
        'IdentityReference'     = $acl.IdentityReference;
        'NTAccount'             = $objSID.Translate([System.Security.Principal.NTAccount]);   # SID resolved to DOMAIN\name
        'IsInherited'           = $acl.IsInherited;
        'InheritanceFlags'      = $acl.InheritanceFlags;
        'PropagationFlags'      = $acl.PropagationFlags;
    }
    $obj = New-Object -TypeName PSObject -Property $info
    $output += $obj
}
$output
The figure below shows the result of running the script above:
Figure 1.
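Listing every ACE is only the first step; what an administrator usually wants to know is which principals hold rights that give them effective control of the OU or its descendants. The following audit script is an added example and is not part of the original article; $OUPath and $TrustedPrincipals are placeholders to adjust for your domain, and it reports only Allow ACEs (Deny ACEs are not evaluated).

```powershell
# Added audit example (not from the original article): report Allow ACEs on one OU
# that grant effective control. $OUPath / $TrustedPrincipals are placeholders.
Import-Module ActiveDirectory
$OUPath = "OU=xxx,DC=xxx,DC=com"
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
# A combined flag such as GenericAll is only present when every bit of it is set,
# so mask with -band and compare against the flag instead of testing for non-zero.
function Test-AdRight {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (($Rights -band $Flag) -eq $Flag)
}
function Get-RiskyOuAce {
    param([string]$Path)
    $acl = Get-Acl -Path "AD:$Path"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who -or
            $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
        $reasons = @()
        $r = $ace.ActiveDirectoryRights
        if (Test-AdRight $r 'GenericAll') { $reasons += 'GenericAll' }
        if (Test-AdRight $r 'WriteDacl')  { $reasons += 'WriteDacl' }
        if (Test-AdRight $r 'WriteOwner') { $reasons += 'WriteOwner' }
        # An empty ObjectType means the right covers every attribute / every extended right
        if ((Test-AdRight $r 'WriteProperty') -and $ace.ObjectType -eq [Guid]::Empty) {
            $reasons += 'WriteProperty(all attributes)'
        }
        if (Test-AdRight $r 'ExtendedRight') {
            if ($ace.ObjectType -eq [Guid]::Empty)          { $reasons += 'ExtendedRight(all)' }
            elseif ($ace.ObjectType -eq $ResetPasswordGuid) { $reasons += 'ExtendedRight(Reset Password)' }
        }
        if ($reasons.Count -eq 0) { continue }
        [PSCustomObject]@{
            Identity            = $who
            Reasons             = ($reasons -join ', ')
            Rights              = $r
            InheritanceType     = $ace.InheritanceType
            InheritedObjectType = $ace.InheritedObjectType   # class the ACE is scoped to, empty = all
            IsInherited         = $ace.IsInherited
        }
    }
}
Get-RiskyOuAce -Path $OUPath | Format-Table -AutoSize
```

Entries flagged here are the ones to review against your delegation model; an inherited entry usually has to be corrected on the parent object where it was defined.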
2. Grant a computer object Full Control on an OU
We can use the script below to grant a computer object Full Control over an OU and all objects beneath it:
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com")     # the OU whose DACL is modified
$computer = Get-ADComputer "COMPUTERNAME"           # the computer object that receives Full Control (requires the ActiveDirectory module)
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"                 # Full Control
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"    # the OU itself and all descendants
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.CommitChanges()                   # write the modified DACL back to the directory
After running the script above, you can verify the result in Active Directory Users and Computers (ADUC): the computer object is listed on the Security tab of the OU's Properties dialog.
Method 2: Using the Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to read the permissions of an OU and grant a computer object Full Control on it:
$acl = Get-Acl "AD:OU=xxx,DC=com"                   # the AD: drive is provided by the ActiveDirectory module
$acl.Access                                          # list the current access rules of the OU
$computer = Get-ADComputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry that allows Full Control on the OU and its descendants
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
# Add the ACE to the ACL, then write the ACL back to save the change
$acl.AddAccessRule($ACE)
Set-Acl -AclObject $acl -Path "AD:OU=xxx,DC=com"
Method 3: Using GUID settings
The scripts above only cover simple tasks; for more complex permission settings we can use GUID settings.
Object-specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field of the ACE to the rightsGuid of the extended right or property set. The delegation can also be scoped to child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of that class.
We use this constructor overload: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to grant a group the permission to reset the password of all user objects within an OU.
$acl = Get-Acl "AD:OU=xxx,DC=com"
$group = Get-ADGroup xxx
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
# The following object-specific ACE grants the group the right to reset the password of every user object under the OU
$objectGuid = New-Object Guid "00299570-246d-11d0-a768-00aa006e0529"            # rightsGuid of the extended right User-Force-Change-Password ("Reset Password")
$inheritedObjectGuid = New-Object Guid "bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGuid of the user class
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"   # child objects only, not the OU itself
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectGuid, $inheritanceType, $inheritedObjectGuid
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path "AD:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2.
In addition, if you want to assign other permissions, you can change the GUID values in the script above. Common GUID values are listed below (extended rights and property sets go into ObjectType; attribute GUIDs go into ObjectType with ReadProperty/WriteProperty; class GUIDs go into InheritedObjectType):
$guidChangePassword = New-Object Guid "ab721a53-1e2f-11d0-9819-00aa0040529b"        # extended right User-Change-Password
$guidLockoutTime = New-Object Guid "28630ebf-41d5-11d1-a9c1-0000f80367c1"           # attribute lockoutTime
$guidPwdLastSet = New-Object Guid "bf967a0a-0de6-11d0-a285-00aa003049e2"            # attribute pwdLastSet
$guidComputerObject = New-Object Guid "bf967a86-0de6-11d0-a285-00aa003049e2"        # class computer
$guidUserObject = New-Object Guid "bf967aba-0de6-11d0-a285-00aa003049e2"            # class user
$guidLinkGroupPolicy = New-Object Guid "f30e3bbe-9ff0-11d1-b603-0000f80367c1"       # attribute gPLink
$guidGroupPolicyOptions = New-Object Guid "f30e3bbf-9ff0-11d1-b603-0000f80367c1"    # attribute gPOptions
$guidResetPassword = New-Object Guid "00299570-246d-11d0-a768-00aa006e0529"         # extended right User-Force-Change-Password
$guidGroupObject = New-Object Guid "BF967A9C-0DE6-11D0-A285-00AA003049E2"           # class group
$guidContactObject = New-Object Guid "5CB41ED0-0E4C-11D0-A286-00AA003049E2"         # class contact
$guidOUObject = New-Object Guid "BF967AA5-0DE6-11D0-A285-00AA003049E2"              # class organizationalUnit
$guidPrinterObject = New-Object Guid "BF967AA8-0DE6-11D0-A285-00AA003049E2"         # class printQueue
$guidWriteMembers = New-Object Guid "bf9679c0-0de6-11d0-a285-00aa003049e2"          # attribute member
$guidNull = New-Object Guid "00000000-0000-0000-0000-000000000000"                  # null GUID: applies to all attributes, rights or classes
$guidPublicInformation = New-Object Guid "e48d0154-bcf8-11d1-8702-00c04fb96050"     # property set Public-Information
$guidGeneralInformation = New-Object Guid "59ba2f42-79a2-11d0-9020-00c04fc2d3cf"    # property set General-Information
$guidPersonalInformation = New-Object Guid "77B5B886-944A-11d1-AEBD-0000F80367C1"   # property set Personal-Information
$guidGroupMembership = New-Object Guid "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"       # property set Membership
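Hard-coding GUIDs works for the well-known values above, but the authoritative source is the directory itself: extended rights and property sets are controlAccessRight objects under CN=Extended-Rights in the configuration partition (attribute rightsGuid), and classes and attributes carry schemaIDGuid in the schema partition. The script below is an added example, not part of the original article; it builds a GUID-to-name map from your own forest, checks two of the table values against it, and prints an OU's explicit ACEs with ObjectType and InheritedObjectType resolved to names. $OUPath is a placeholder.

```powershell
# Added example (not from the original article): resolve ACE GUIDs to names using
# the schema and Extended-Rights containers of the current forest. $OUPath is a placeholder.
Import-Module ActiveDirectory
$OUPath  = "OU=xxx,DC=xxx,DC=com"
$rootDse = Get-ADRootDSE

function Get-AdGuidMap {
    $map = @{}
    # Classes and attributes: schemaIDGuid is stored as a byte array in the schema partition
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGuid=*)' `
                 -Properties lDAPDisplayName, schemaIDGuid |
        ForEach-Object { $map[([Guid]$_.schemaIDGuid).ToString()] = $_.lDAPDisplayName }
    # Extended rights and property sets: rightsGuid is a string under CN=Extended-Rights
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[([Guid]$_.rightsGuid).ToString()] = $_.name }
    return $map
}

function Resolve-AdGuid {
    param([hashtable]$Map, [Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return '(all)' }        # null GUID = every attribute, right or class
    $key = $Guid.ToString()
    if ($Map.ContainsKey($key)) { return $Map[$key] }
    return $key                                             # unknown GUID: keep the raw value visible
}

$guidMap = Get-AdGuidMap
# Check two hard-coded values from the table above against the live directory
'00299570-246d-11d0-a768-00aa006e0529', 'bf967aba-0de6-11d0-a285-00aa003049e2' |
    ForEach-Object { '{0} -> {1}' -f $_, (Resolve-AdGuid $guidMap ([Guid]$_)) }

# Explicit (non-inherited) ACEs on the OU, with GUIDs translated to names
(Get-Acl -Path "AD:$OUPath").Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'ObjectType';          e = { Resolve-AdGuid $guidMap $_.ObjectType } },
        @{ n = 'InheritedObjectType'; e = { Resolve-AdGuid $guidMap $_.InheritedObjectType } } |
    Format-Table -AutoSize
```

Running this after Method 3 should show the new entry for the group as ExtendedRight with ObjectType User-Force-Change-Password and InheritedObjectType user; any GUID that stays unresolved is one that does not exist in your schema and should be treated with suspicion.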
More information:
Add Object Specific ACEs using Active Directory Powershell