[help] Converting DSACLS command...

  • Question

  • I have some scripts that use various DS... commands (DSADD, DSMOD and DSACLS) to auto build an Active Directory server to company standards.
    I have converted them all to PowerShell except for the DSACLS ones. Can you help? I have the following...

    cmd /c dsacls "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" /G acme\Group-MgtADTransport:CC;siteLink /I:t
    cmd /c dsacls "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" /G acme\Group-MgtADSiteLnkBridge:CC;siteLinkBridge /I:t
    cmd /c dsacls "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" /G acme\Group-MgtADSiteLnkBridge:RPWP;options;interSiteTransport /I:s...


    That needs converting. This is what I have so far...

    Import-Module ActiveDirectory   # needed for Get-ADGroup and the AD: drive

    Function Set-ACLS
    {
        Param (
            [string]$OU,
            [string]$Account,
            [System.DirectoryServices.ActiveDirectoryRights]$Rights,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
        )
    
        # resolve the group to its SID (PowerShell variable names are case-insensitive,
        # so a separate name avoids overwriting the $Account parameter)
        $sid     = (Get-ADGroup -Identity "$Account").SID
        $addAR   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $Inheritance)
        # read the current DACL of the target object, add the ACE, write it back to the same path
        $currACL = Get-Acl -Path "AD:$OU"
        $currACL.AddAccessRule($addAR)
        Set-ACL -Path "AD:$OU" -AclObject $currACL
    }
    
    Set-ACLS -OU "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" -Account 'acme\Group-MgtADTransport'     -Rights CreateChild -Inheritance SelfAndChildren
    Set-ACLS -OU "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" -Account 'acme\Group-MgtADSiteLnkBridge' -Rights CreateChild -Inheritance SelfAndChildren
    Set-ACLS -OU "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc" -Account 'acme\Group-MgtADSiteLnkBridge' -Rights ReadProperty,WriteProperty -Inheritance Children
    

    Which mostly works, but I can't see a way of setting "siteLink", "siteLinkBridge", "options" or "interSiteTransport".


    Friday, February 19, 2016 11:08 AM

Answers

All replies

  • Why does it need to be converted? If it works, use it.

    -- Bill Stewart [Bill_Stewart]

    Friday, February 19, 2016 3:05 PM
    Moderator
  • I have about 100 commands like this (all in one script) and I would like to automate it and reduce down the number of lines and complexity if possible.

    It's also a good learning experience, and a way to move away from old commands that may or may not be supported in future versions of Windows.

    Saturday, February 20, 2016 9:46 AM
  • You don't need to worry about DSACLS going away any time soon.  It will be around far into the future.

    If it is just for learning, start by learning AD structures; here is how to get a good understanding.

    # the following demonstrates the hierarchy of the configuration/sites node of AD.
    cd ad:
    dir
    dir 'CN=Configuration,DC=TESTNET,DC=local'
    dir 'CN=Sites,CN=Configuration,DC=TESTNET,DC=local'
    dir 'CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=TESTNET,DC=local'
    dir 'CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=TESTNET,DC=local'
    # get the site link ACL
    Get-Acl 'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=TESTNET,DC=local'
    # without navigation we preface the path with "AD:\"
    Get-Acl 'AD:\CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=TESTNET,DC=local'
    
    #Once you have the objects ACL you can update it with no issues.

    The same is true for all containers and objects in AD.

    Your confusion comes from thinking the siteLink and SiteLinkBridge are objects.  They are not objects; they are objectClasses.  They are schema attributes of AD objects.  You need to know the path to the object only.  Use ADSS (Active Directory Sites & Services) to look at these objects to understand them.  A Site contains transports, which contain site links.  These things are all specific objectClasses that have a parent-child relationship.  They also all have a name "CN=<some name>".  They are referred to by name.

    As with all of AD we can search if we specify the configuration container as the root.

    Get-AdObject -Filter "Name -eq 'IP'"  -SearchBase 'CN=Configuration,DC=TESTNET,DC=local'
    Get-AdObject -Filter "objectClass -eq 'siteLink'"  -SearchBase 'CN=Configuration,DC=TESTNET,DC=local'
    Get-AdObject -Filter "objectClass -eq 'interSiteTransport'"  -SearchBase 'CN=Configuration,DC=TESTNET,DC=local'

    So the key is to learn AD.  You can easily use the AD provider to browse AD and inspect the objects.

    Remember that "siteLink", "siteLinkBridge", "options" or "interSiteTransport" are "types" of objects.  You have to get the object to change it.


    \_(ツ)_/


    • Edited by jrv Saturday, February 20, 2016 2:11 PM
    Saturday, February 20, 2016 2:10 PM
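Added example, not code from the thread: the class and attribute names that DSACLS takes after the semicolon (`CC;siteLink`, `RPWP;options;interSiteTransport`) are schema objects, so the equivalent PowerShell looks up their schemaIDGUID in the schema naming context and passes it as the objectType / inheritedObjectType of the ActiveDirectoryAccessRule. The group names and container DN are the ones from the question; the mapping of `/I:T` to `All` and `/I:S` to `Descendents` is an assumption, as is the function name.

```powershell
Import-Module ActiveDirectory

# Resolve a class or attribute (by lDAPDisplayName) to its schemaIDGUID.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID      # stored as a byte array; cast to Guid
}

# Hypothetical helper: add one object-type-specific Allow ACE to a container's DACL.
function Add-AdObjectTypeAce {
    param(
        [Parameter(Mandatory)][string]$Path,     # DN of the container
        [Parameter(Mandatory)][string]$Group,    # sAMAccountName of the group
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [string]$ObjectType,            # class (for CreateChild) or attribute (for Read/WriteProperty)
        [string]$InheritedObjectType    # class the ACE is restricted to, e.g. interSiteTransport
    )
    $sid     = (Get-ADGroup -Identity $Group).SID
    $objGuid = if ($ObjectType)          { Get-SchemaGuid $ObjectType }          else { [guid]::Empty }
    $inhGuid = if ($InheritedObjectType) { Get-SchemaGuid $InheritedObjectType } else { [guid]::Empty }
    # constructor overload: identity, rights, type, objectType, inheritance, inheritedObjectType
    $args = @($sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $objGuid, $Inheritance, $inhGuid)
    $ace  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args
    $acl  = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$ip = 'CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=acme,DC=abc'

# dsacls ... /G acme\Group-MgtADTransport:CC;siteLink /I:T
Add-AdObjectTypeAce -Path $ip -Group 'Group-MgtADTransport' -Rights CreateChild -Inheritance All -ObjectType siteLink
# dsacls ... /G acme\Group-MgtADSiteLnkBridge:CC;siteLinkBridge /I:T
Add-AdObjectTypeAce -Path $ip -Group 'Group-MgtADSiteLnkBridge' -Rights CreateChild -Inheritance All -ObjectType siteLinkBridge
# dsacls ... /G acme\Group-MgtADSiteLnkBridge:RPWP;options;interSiteTransport /I:S
Add-AdObjectTypeAce -Path $ip -Group 'Group-MgtADSiteLnkBridge' -Rights ReadProperty,WriteProperty -Inheritance Descendents -ObjectType options -InheritedObjectType interSiteTransport

# Read back the delegated ACEs to confirm the ObjectType GUIDs landed as intended.
(Get-Acl -Path "AD:\$ip").Access |
    Where-Object { $_.IdentityReference -like '*MgtAD*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

Compare the read-back output with `dsacls` run against the same container to confirm the two tools produce the same ACEs before replacing the old script.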