Tuesday, June 05, 2012 5:55 AM
I have to run a script as an account NOT being member of the Domain Admins group. (runs on member server W2k8 R2 being local admin - powershell runs as administrator). Everthing is working perfect accept setting ACL on OUs stopping with “Access Denied”.
If I do run the script as Domain Admin it does work perfectly => so an account’s permission problem, but:
The user account I use is able to create the OU Structure (having Full Control permission on the parent) and does show up as Owner of the newly created OUs with Full Control permissions (the OU where I have to change the ACL).
If I use the AD U&C, started as the mentioned account, it is possible to set the required permissions on that OU.
Now – what could be the reason why powershell script returns Access Denied while ADU&C doesn’t?
A similar behaviour is blogged at
http://www.bilalaslam.com/2010/12/14/powershell-workaround-for-the-security-identifier-is-not-allowed-to-be-the-owner-of-this-object-with-set-acl/ dealing with folder permissions but I can't use "(Get-Item AD:$path).GetAccessControl("Access")" as it does not work against AD.
(using Add-QADPermission is not an option)
Below the used steps out of my function and it errors at Set-ACL line
$GUID = New-Object GUID bf967a86-0de6-11d0-a285-00aa003049e2 $ID = "AD-company-team" $Path = "OU=Computers,OU=TEST,DC=company,DC=net" $Right = "GenericAll" $Inherit = "Descendents" $Type = "Allow" $acl = (Get-Acl -Path AD:$Path -WarningAction:Stop -ErrorAction:Stop) $sID = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "", $ID $acr = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sID, $Right, $Type, $GUID, $Inherit $acl.AddAccessRule($acr) Set-Acl -AclObject $acl -Path AD:$Path -WarningAction:Stop -ErrorAction:Stop
Set-Acl : Access is denied
At line:1 char:8
+ Set-Acl <<<< -AclObject $acl -Path AD:$Path
+ CategoryInfo : PermissionDenied: (OU=Computers,OU...DC=company,DC=net:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclCommand
Tuesday, June 05, 2012 10:07 AM
Try do it in other way:
$ID = "AD-company-team" $Path = "OU=Computers,OU=test,DC=contoso,DC=com" $ADSI = [ADSI]"LDAP://$Path" $NTAccount = New-Object System.Security.Principal.NTAccount($ID) $IdentityReference = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier]) $ActiveDirectoryRights = "GenericAll" $AccessControlType = "Allow" $Inherit = "Descendents" $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,$ActiveDirectoryRights,$AccessControlType,$Inherit) $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE) $ADSI.psbase.commitchanges()
- Marked As Answer by tiZ.A Tuesday, June 05, 2012 12:20 PM
Tuesday, June 05, 2012 12:29 PM
That did work - thank you but how could I combine now rights for the same account, f.i. group should get permissions "Delete Computer Accounts","Create Computer Accounts" for "This object and all descendat objects" AND "Full Control" on "Descendant Computer Objects" ?
Or for example group should get permissions "Write manager" AND "Write job Title" for "Descendant user objects" ?
Running commands twice, f.i. 1st to set write manager and 2nd to set write job title, will always set just the last one :(
Tuesday, June 05, 2012 12:41 PMFound it instead of SetAccessRule I should use AddAccessRule
Thursday, June 21, 2012 12:37 PM
I' ve a similar problem:
My script looks like this:
import-module activedirectory set-location AD: $objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1") $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $acl=Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com" $objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2 $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid $acl.AddAccessRule($ace1) set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
Set-Acl : This security ID may not be assigned as the owner of this object
At line:1 char:8
+ set-acl <<<< -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC
+ CategoryInfo : NotSpecified: (CN=TESTGROUP...network,DC=com:String) [Set-Acl], ADException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
It is not a permission problem, because this command works:
dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;
It looks like this problem http://support.microsoft.com/default.aspx?scid=kb;en-us;323749
I modified the VB script http://codeidol.com/active-directory/active-directory/Groups/Delegating-Control-for-Managing-Membership-of-a-Group/ with the information from MS and added the following lines to the script
const ADS_OPTION_SECURITY_MASK = 3
const ADS_SECURITY_INFO_DACL = 4
objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
So this way it works with VBS, but how to do it with powershell?