Answered by:
Apply inheritance to "This object and all descendant objects" from powershell

Question
Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
$ou = "AD:\OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local"
# Get-ADGroup already returns a SecurityIdentifier; re-wrapping it is unnecessary
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local").SID
$acl = Get-ACL $ou
# No ActiveDirectorySecurityInheritance argument is passed, so the ACE defaults
# to None, which ADUC shows as "This object only"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,("CreateChild","DeleteChild"), "Deny",$guidmap["user"]))
Set-ACL -ACLObject $acl -Path (($ou))
Dear Team,
I am trying to apply a Deny permission on an organizational unit for a security group through PowerShell.
I was able to identify a script which does this; however, after executing the script the results only apply to "This object only".
1) I want to explicitly deny these 4 permissions for a group on this OU
OU name: Denytest
Security group name: My Admins
Type: deny
Applies to: This object and all descendant objects
a. Create Group Objects
b. Delete group Objects
c. Create user Objects
d. Delete user Objects
2) Set read-only access on the OU for a particular security group.
Any help on this would be appreciated.
Regards,
Farookh21
Thursday, June 7, 2018 11:04 PM
Answers
Probably should be this:
$sid = (Get-ADGroup 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local').SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    'CreateChild,DeleteChild',
    'Deny',
    $guidmap['user'],
    'SelfAndChildren'
)
$acl.AddAccessRule($ace)
You can also use 'All'
\_(ツ)_/
Friday, June 8, 2018 7:32 PM
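A complete script covering both requests in the question (Deny create/delete of user and group objects, plus a read-only grant), added here as an example; it is not the original poster's or jrv's code. It assumes the OU and "MY Admins" DNs from the thread and a hypothetical read-only group "OU Readers". The comment table lists the documented ActiveDirectorySecurityInheritance values against the "Applies to" wording in ADUC: All is the exact match for "This object and all descendant objects", while SelfAndChildren carries NoPropagateInherit and therefore stops at the OU's immediate children.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the script from the thread.
# Assumed: the OU and "MY Admins" DNs from the question; "OU Readers" is a
# hypothetical group that should end up read-only on the OU.
Import-Module ActiveDirectory

$ouDn        = 'OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local'
$denyGroupDn = 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local'
$readGroupDn = 'CN=OU Readers,OU=Groups,OU=Hmatics,DC=BC2,DC=local'   # hypothetical

# 5th constructor argument (ActiveDirectorySecurityInheritance) vs. ADUC "Applies to":
#   None            -> This object only (the default when the argument is omitted)
#   All             -> This object and all descendant objects
#   Descendents     -> All descendant objects (sic: this is the .NET spelling)
#   SelfAndChildren -> This object and its immediate children only (NoPropagateInherit)
#   Children        -> Immediate children only
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# Resolve schemaIDGUID only for the two classes we need, not the whole schema.
$rootdse = Get-ADRootDSE
$guidmap = @{}
foreach ($class in 'user', 'group') {
    $schemaObj = Get-ADObject -SearchBase $rootdse.SchemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))" `
        -Properties schemaIDGUID
    if (-not $schemaObj) { throw "schema class '$class' not found" }
    $guidmap[$class] = [guid]$schemaObj.schemaIDGUID
}

# Get-ADGroup returns a SecurityIdentifier, which is already an IdentityReference.
$denySid = (Get-ADGroup $denyGroupDn).SID
$readSid = (Get-ADGroup $readGroupDn).SID

$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Deny "Create/Delete <class> objects" for user and group, on the OU and everything below.
foreach ($class in 'user', 'group') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $denySid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Deny,
        $guidmap[$class],   # objectType: limits CreateChild/DeleteChild to this class
        $inherit)
    $acl.AddAccessRule($ace)
}

# 2) Read-only: GenericRead = ReadProperty | ListChildren | ListObject | ReadControl.
$readAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $readSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $inherit)
$acl.AddAccessRule($readAce)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl   # add -WhatIf to preview first

# Verify: read the DACL back and show only the ACEs that belong to the two groups.
$wantedSids = @($denySid.Value, $readSid.Value)
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -in $wantedSids
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'ObjectClass'; e = {
            $g = $_.ObjectType
            ($guidmap.GetEnumerator() | Where-Object { $_.Value -eq $g }).Key } } |
    Format-Table -AutoSize
```

Two caveats when reading the verification output. An explicit Deny wins over any Allow the group picks up through other memberships, but it does not bind the object's owner, who implicitly keeps READ_CONTROL and WRITE_DAC. And an Allow of GenericRead only makes a group "read-only" if that group holds no broader Allow elsewhere in the DACL; it adds rights, it never removes them.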
All replies
You have to add the propagation flags to the ACE.
$sid = (Get-ADGroup 'CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local').SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    'CreateChild,DeleteChild',
    'Deny',
    $guidmap['user'],
    'Descendents'   # the .NET enum value is spelled this way; 'Descendants' does not convert
)
$acl.AddAccessRule($ace)
Note that a SID is an "IdentityReference". No need for conversion.
\_(ツ)_/
- Edited by jrv Thursday, June 7, 2018 11:57 PM
Thursday, June 7, 2018 11:53 PM
Still does not work,
It creates the ace for "Descendant objects" not "This Object and all descendant objects"
This is what I am running. I am new to scripting, so please send me the entire script if I am running something incorrectly.
Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
$ou = "AD:\OU=DenyTest,OU=Groups,OU=Hmatics,DC=BC2,DC=local"
$sid = (Get-ADGroup "CN=MY Admins,OU=Admins,OU=Hmatics,DC=BC2,DC=local").SID
$acl = Get-ACL $ou
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$sid,
'CreateChild,DeleteChild',
'Deny',
$guidmap['user'],
'Descendents'
)
$acl.AddAccessRule($ace)
Set-ACL -ACLObject $acl -Path (($ou))
Farookh21
Friday, June 8, 2018 6:33 PM
Worked like a charm.
Thank you very much, jrv, your help is much appreciated.
Farookh21
Friday, June 8, 2018 7:57 PM
If you look up the class on MSDN you would find info about the parameters.
\_(ツ)_/
Friday, June 8, 2018 8:00 PM