Active Directory permissions fail with Set-Acl

    Question

  • I have to run a script as an account that is NOT a member of the Domain Admins group (it runs on a W2k8 R2 member server as a local admin; PowerShell runs as administrator). Everything is working perfectly except setting the ACL on OUs, which stops with “Access Denied”.

    If I do run the script as Domain Admin it does work perfectly => so an account’s permission problem, but:

    The user account I use is able to create the OU Structure (having Full Control permission on the parent) and does show up as Owner of the newly created OUs with Full Control permissions (the OU where I have to change the ACL).

    If I use the AD U&C, started as the mentioned account, it is possible to set the required permissions on that OU.

    Now – what could be the reason why powershell script returns Access Denied while ADU&C doesn’t?

    A similar behaviour is blogged at

    http://www.bilalaslam.com/2010/12/14/powershell-workaround-for-the-security-identifier-is-not-allowed-to-be-the-owner-of-this-object-with-set-acl/ dealing with folder permissions but I can't use "(Get-Item AD:$path).GetAccessControl("Access")" as it does not work against AD.

    (using Add-QADPermission is not an option)

    Below are the steps used from my function; it errors at the Set-Acl line:

    # schemaIDGUID of the object class the rule applies to
    $GUID = New-Object GUID bf967a86-0de6-11d0-a285-00aa003049e2
    $ID = "AD-company-team"
    
    $Path = "OU=Computers,OU=TEST,DC=company,DC=net"
    $Right = "GenericAll"
    $Inherit = "Descendents"
    $Type = "Allow"
    
    # read the current security descriptor of the OU through the AD: drive
    $acl = (Get-Acl -Path AD:$Path -WarningAction:Stop -ErrorAction:Stop)
    $sID = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "", $ID
    $acr = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sID, $Right, $Type, $GUID, $Inherit
    $acl.AddAccessRule($acr)
    
    # write the modified descriptor back - this is the line that fails
    Set-Acl -AclObject $acl -Path AD:$Path -WarningAction:Stop -ErrorAction:Stop

    Set-Acl : Access is denied
    At line:1 char:8
    + Set-Acl <<<<  -AclObject $acl -Path AD:$Path
        + CategoryInfo          : PermissionDenied: (OU=Computers,OU...DC=company,DC=net:String) [Set-Acl], UnauthorizedAccessException
        + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclCommand

    Tuesday, June 05, 2012 5:55 AM

Answers

  • Hi,

    Try doing it another way:

    $ID = "AD-company-team"
    $Path = "OU=Computers,OU=test,DC=contoso,DC=com"
    # bind to the OU with ADSI instead of the AD: provider
    $ADSI = [ADSI]"LDAP://$Path"
    $NTAccount = New-Object System.Security.Principal.NTAccount($ID)
    # the DACL stores SIDs, so translate the account name first
    $IdentityReference = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier])
    
    $ActiveDirectoryRights = "GenericAll"
    $AccessControlType = "Allow"
    $Inherit = "Descendents"
    
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,$ActiveDirectoryRights,$AccessControlType,$Inherit)
    $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
    # write the changed security descriptor back to the directory
    $ADSI.psbase.commitchanges()

    • Marked as answer by tiZ.A Tuesday, June 05, 2012 12:20 PM
    Tuesday, June 05, 2012 10:07 AM

All replies

  • That did work, thank you! But how could I now combine rights for the same account? F.i. the group should get the permissions "Delete Computer Accounts" and "Create Computer Accounts" for "This object and all descendant objects" AND "Full Control" on "Descendant Computer Objects"?

    Or for example group should get permissions "Write manager" AND "Write job Title" for "Descendant user objects" ?

    Running the commands twice, f.i. first to set write manager and second to set write job title, will always set just the last one :(

    Tuesday, June 05, 2012 12:29 PM
  • Found it: instead of SetAccessRule I should use AddAccessRule.
    Tuesday, June 05, 2012 12:41 PM
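    The follow-up above asks how to grant several distinct rights to one group on one OU (create/delete computer accounts on the OU and all descendants, Full Control on descendant computer objects, and write access to single attributes on descendant user objects). The script below is an added example, not code from the thread or from Microsoft: it builds one ActiveDirectoryAccessRule per right, accumulates them with AddAccessRule (SetAccessRule would replace the previous one, as noted above) and commits once. The group name and OU path are placeholders; the schemaIDGUIDs are looked up from the schema naming context rather than hard-coded, so the only GUID taken from the question is the computer class (bf967a86-…) that the lookup returns in a default schema.

```powershell
# Added example (not from the thread): grant several rights to one group on one OU
# with AddAccessRule, then commit once. Group name and OU DN are placeholders.
$ID   = "AD-company-team"                         # group receiving the rights (placeholder)
$Path = "OU=Computers,OU=TEST,DC=company,DC=net"  # target OU (placeholder)

# The DACL stores SIDs, so resolve the group name first
$sid = (New-Object System.Security.Principal.NTAccount($ID)).Translate([System.Security.Principal.SecurityIdentifier])

# Resolve schemaIDGUIDs from the schema instead of hard-coding them
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value
function Get-SchemaGuid([string]$ldapDisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(lDAPDisplayName=$ldapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$ldapDisplayName' not found" }
    # schemaIDGUID is stored as a 16-byte octet string
    return New-Object -TypeName Guid -ArgumentList (,$result.Properties["schemaidguid"][0])
}
$computerClass = Get-SchemaGuid "computer"   # bf967a86-0de6-11d0-a285-00aa003049e2 in a default schema
$userClass     = Get-SchemaGuid "user"
$managerAttr   = Get-SchemaGuid "manager"
$titleAttr     = Get-SchemaGuid "title"

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # "Create/Delete Computer Accounts" on this object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild", $allow, $computerClass, $inheritAll)
    # "Full Control" on descendant computer objects only
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $inheritDesc, $computerClass)
    # "Write manager" and "Write title" on descendant user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $managerAttr, $inheritDesc, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $titleAttr, $inheritDesc, $userClass)
)

$ou = [ADSI]"LDAP://$Path"
foreach ($ace in $aces) {
    # AddAccessRule accumulates; SetAccessRule would keep only the last rule for this SID
    [void]$ou.psbase.ObjectSecurity.AddAccessRule($ace)
}
$ou.psbase.CommitChanges()

# Read back what the directory now holds for this group (explicit rules only)
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

    The read-back at the end is the check worth keeping in any delegation script: it lists the explicit ACEs for the SID you just granted, so a rule that was silently replaced or applied with the wrong inheritance scope shows up immediately rather than when the delegated team reports that something "does not work".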
  • I've a similar problem:

    My script looks like this:

    import-module activedirectory
    set-location AD:
    $objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1")
    $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
    $acl=Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
    # schemaIDGUID of the attribute the user is allowed to write
    $objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid
    $acl.AddAccessRule($ace1)
    # fails: Set-Acl writes the whole security descriptor, owner included
    set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"

    Error:

    Set-Acl : This security ID may not be assigned as the owner of this object
    At line:1 char:8
    + set-acl <<<<  -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC
    =network,DC=com"
        + CategoryInfo          : NotSpecified: (CN=TESTGROUP...network,DC=com:String) [Set-Acl], ADException
        + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand

    It is not a permission problem, because this command works:
    dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;

    It looks like this problem http://support.microsoft.com/default.aspx?scid=kb;en-us;323749

    I modified the VB script http://codeidol.com/active-directory/active-directory/Groups/Delegating-Control-for-Managing-Membership-of-a-Group/ with the information from MS and added the following lines to the script

        const ADS_OPTION_SECURITY_MASK = 3
        const ADS_SECURITY_INFO_DACL = 4
        objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL

    So this way it works with VBS, but how to do it with powershell?

    Thursday, June 21, 2012 12:37 PM
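    The post above gets the VBScript working by setting ADS_OPTION_SECURITY_MASK to ADS_SECURITY_INFO_DACL, so that only the DACL is written and the owner is left alone, and asks for the PowerShell equivalent. The script below is an added example, not code from the thread: it binds with ADSI, restricts the security mask to the DACL through the DirectoryEntry's Options.SecurityMasks property (the .NET counterpart of that ADSI option), adds the same WriteProperty rule on the member attribute and commits. The account name and group DN are placeholders; the attribute GUID is the one used in the post.

```powershell
# Added example (not from the thread): PowerShell equivalent of the VBScript
# ADS_OPTION_SECURITY_MASK / ADS_SECURITY_INFO_DACL calls. Account and DN are placeholders.
$account = "sampledomain\user1"
$groupDn = "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
$memberAttr = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'member' attribute

# The DACL stores SIDs, so translate the account name first
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier])

$group = [ADSI]"LDAP://$groupDn"

# Read and write only the DACL section of the security descriptor. This must be set
# before ObjectSecurity is first touched, because it controls what is read as well as
# what CommitChanges() writes; the owner and SACL are then never sent back, which is
# why an account without "modify owner" rights no longer hits
# "This security ID may not be assigned as the owner of this object".
$group.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr)

# AddAccessRule keeps existing rules for this SID; SetAccessRule would replace them
[void]$group.psbase.ObjectSecurity.AddAccessRule($ace)
$group.psbase.CommitChanges()

# Confirm the rule landed: list explicit ACEs for this SID on the group object
$group.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

    Limiting the written sections to the DACL is also the least-privilege way to run such a job: the delegated account needs only "Modify permissions" on the object, not ownership rights, and the owner recorded on the object stays whatever it was.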
  • Awesome, this works! Thank you!

    I tried updating some DNS records of an AD integrated zone with the powershell command set-acl

    This got me "Access Denied" errors, despite the user clearly having the rights to write to the records. Your method of commitChanges() worked for me, so I won't have to use the domain admin for the script batch job. Thanks!

    Tuesday, August 13, 2013 11:24 AM