Apply inheritance to "This object and all descendant objects" from PowerShell

  • Question

  • Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain
    
    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
    
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
    
    $ou = "AD:\OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local"
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local").SID
    $acl = Get-ACL $ou
    
    # Four-argument constructor: no inheritance argument is given, so the ACE
    # defaults to ActiveDirectorySecurityInheritance.None ("This object only")
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,("CreateChild","DeleteChild"), "Deny",$guidmap["user"]))
    
    Set-ACL -ACLObject $acl -Path (($ou))

    Dear Team,

    I am trying to apply a Deny permission on an organizational unit for a security group through PowerShell.

    I was able to identify a script which does this; however, after the execution of the script the results only apply to "This object only".

    1) I want to explicit deny these 4 permissions for a group from this OU

    OU name: Denytest

    Security group name: My Admins

    Type: deny

    Applies to: This object and all descendant objects

    a. Create Group Objects

    b. Delete group Objects

    c. Create user Objects

    d. Delete user Objects

    2) Set read-only access to the OU for a particular security group.

    Any help on this would be appreciated.

    Regards,

    Farookh21

    

    Thursday, June 7, 2018 11:04 PM

Answers

  • Probably should be this:

    $sid = (Get-ADGroup 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local').SID
    # Fifth argument is the ActiveDirectorySecurityInheritance scope:
    # SelfAndChildren = this object and its immediate children,
    # All = this object and all descendants
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                'CreateChild,DeleteChild',
                'Deny',
                $guidmap['user'],
                'SelfAndChildren'
            )
    $acl.AddAccessRule($ace)

    You can also use 'All'


    \_(ツ)_/


    • Edited by jrv Friday, June 8, 2018 7:33 PM
    • Marked as answer by Farookh21 Friday, June 8, 2018 7:56 PM
    Friday, June 8, 2018 7:32 PM
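As an added example (not the thread's own code), here is a scripted version of the accepted answer that applies the Deny ACEs for both user and group child objects with the 'All' scope and then reads the ACL back to verify the inheritance type; the OU and group DNs are the ones from the question, the function names are assumed.

```powershell
# Added example (not from the thread): deny "MY Admins" Create/Delete of user
# and group child objects on the DenyTest OU with the scope ADUC calls
# "This object and all descendant objects", then read the ACL back to verify.
Import-Module ActiveDirectory
# ActiveDirectorySecurityInheritance vs. the "Applies to" drop-down in ADUC:
#   None            -> This object only
#   All             -> This object and all descendant objects
#   Descendents     -> All descendant objects (note the .NET spelling)
#   SelfAndChildren -> This object and its immediate children only
#   Children        -> Immediate children only
function Get-SchemaClassGuid {
    # Resolve a class (e.g. 'user') to its schemaIDGUID for the ObjectType field
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNc = (Get-ADRootDSE).SchemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ClassName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$ClassName' not found" }
    [guid]$obj.schemaIDGUID
}

function Add-OuDenyCreateDelete {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupDn,
        [string[]]$ClassNames = @('user', 'group'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope = 'All'
    )
    $path = "AD:\$OuDn"
    $sid  = (Get-ADGroup -Identity $GroupDn).SID   # a SID already is an IdentityReference
    $acl  = Get-Acl -Path $path
    foreach ($class in $ClassNames) {
        # One ACE per child class: Deny CreateChild+DeleteChild, scoped by $Scope
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'CreateChild,DeleteChild', 'Deny', (Get-SchemaClassGuid $class), $Scope)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-OuAceForGroup {
    # Read the ACL back and list the ACEs that name this group, with their scope
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupDn)
    $sid = (Get-ADGroup -Identity $GroupDn).SID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value } |
        Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType
}

$ou    = 'OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local'
$group = 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local'
Add-OuDenyCreateDelete -OuDn $ou -GroupDn $group
Get-OuAceForGroup -OuDn $ou -GroupDn $group   # each ACE should show InheritanceType All
```

Run it in an elevated session as an account that can modify the OU's security descriptor; the read-back at the end is what confirms the scope actually landed as intended rather than as "This object only".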

All replies

  • You have to add the propagation flags to the ACE.

    $sid = (Get-ADGroup 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local').SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                'CreateChild,DeleteChild',
                'Deny',
                $guidmap['user'],
                'Descendents'   # .NET spells this enum member "Descendents"; 'Descendants' is not accepted
            )
    $acl.AddAccessRule($ace)

    Note that a SID is an "IdentityReference". No need for conversion.



    \_(ツ)_/


    • Edited by jrv Thursday, June 7, 2018 11:57 PM
    Thursday, June 7, 2018 11:53 PM
  • Still does not work.

    It creates the ace for "Descendant objects" not "This Object and all descendant objects"

    This is what I am running. I am new to scripting, so please send me the entire script if I am running something incorrectly.

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain

    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
    % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

    $ou = "AD:\OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local"
    $sid = (Get-ADGroup "CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local").SID
    $acl = Get-ACL $ou
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                'CreateChild,DeleteChild',
                'Deny',
                $guidmap['user'],
                'Descendents'
            )
    $acl.AddAccessRule($ace)
    Set-ACL -ACLObject $acl -Path (($ou))


    Farookh21

    Friday, June 8, 2018 6:33 PM
  • Worked like a charm.

    Thank you very much "jrv", much appreciated your help.


    Farookh21

    Friday, June 8, 2018 7:57 PM