Set specific security permissions using Set Acl

  • Question

  • Hello All,

    I am trying to apply permissions using ACL on an organizational unit. I can read the ACLs using the Get-ACL command but I am unsure how to use Set-Acl to apply new permissions. For example, from the image below, I see the AD group 'Group_Reset_Password' has a few permissions on the organizational unit.

    In the GUI, I can see the permissions, like Reset Password, and if I scroll further down I also have Read pwdLastSet and Write pwdLastSet.

    My question is, how can I write this in PowerShell to apply the said settings to a security group or users? Not copy, but using Set-Acl, I want to grant these specific permissions without messing up the permissions already there. How can this be achieved?
    • Edited by strike3test Sunday, September 30, 2018 9:14 PM
    Saturday, September 29, 2018 7:17 AM

Answers

  • Here is a simple example:

    Import-Module ActiveDirectory   # needed for Get-ADRootDSE, Get-ADObject and the AD: drive
    $rootdse = Get-ADRootDSE
    
    #Create a hashtable to store the GUID value of each extended right in the forest
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName,rightsGuid | 
        ForEach-Object{
            $extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid
        }
    
    #Create a hashtable to store the GUID value of each schema class and attribute
    $guidmap = @{}
    Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName,schemaIDGUID | 
        ForEach-Object{
            $guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID
        }
    
    # get account SID (a SecurityIdentifier object) and target OU
    $SID = (Get-ADGroup -Identity 'Group_Reset_Password').SID   # the group from the question; substitute your principal
    $OUDN = 'distinguished name of ou'                           # e.g. the DN shown for the OU in ADSI Edit
    
    # get ACL and assign new rule; the AD: drive prefix is what lets Get-ACL/Set-ACL address a directory object
    $acl = Get-ACL -Path "AD:\$OUDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($SID,'ExtendedRight','Allow',$extendedrightsmap['Reset Password'],'Descendents',$guidmap['user'])
    $acl.AddAccessRule($ace)
    Set-ACL -ACLObject $acl -Path "AD:\$OUDN"

    If you read the article carefully it will explain how this works.


    \_(ツ)_/

    • Marked as answer by strike3test Sunday, September 30, 2018 6:35 AM
    Saturday, September 29, 2018 8:27 AM
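The accepted answer shows the shape of one ACE (Reset Password on descendant user objects). The asker actually wanted all three rights visible in the GUI, and wanted them added without disturbing what is already on the OU. The following is an added example, not code from the thread or from Microsoft: it resolves the GUIDs by name instead of loading the whole schema into hashtables, builds the Reset Password ACE plus a Read/Write ACE on the pwdLastSet attribute, skips any ACE that is already present, and supports -WhatIf. It assumes the RSAT ActiveDirectory module is installed, that the session runs as an account allowed to modify the OU's security descriptor, and that the group name and OU distinguished name passed in are real values (the function and helper names are this example's own).

```powershell
# Added example (not from the original thread): delegate Reset Password and
# Read/Write pwdLastSet on user objects under an OU, adding only missing ACEs.
Import-Module ActiveDirectory

function Get-AdSchemaGuid {
    # Resolve a schema class or attribute lDAPDisplayName to its schemaIDGUID.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).SchemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID   # schemaIDGUID is returned as a byte[]; the cast uses Guid(byte[])
}

function Get-AdExtendedRightGuid {
    # Resolve an extended right's displayName (the text the GUI shows) to its rightsGuid.
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNc = (Get-ADRootDSE).ConfigurationNamingContext
    $obj = Get-ADObject -SearchBase $configNc -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

function Grant-PasswordResetDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'Group_Reset_Password'
        [Parameter(Mandatory)][string]$OuDn         # distinguished name of the target OU
    )
    $sid         = (Get-ADGroup -Identity $GroupName).SID          # SecurityIdentifier
    $userClass   = Get-AdSchemaGuid 'user'
    $pwdLastSet  = Get-AdSchemaGuid 'pwdLastSet'
    $resetPwd    = Get-AdExtendedRightGuid 'Reset Password'
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $wanted = @(
        # ExtendedRight whose object type is the right itself, applied to descendant user objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            $allow, $resetPwd, $descendents, $userClass)
        # Read + Write on one attribute: object type is the attribute's schemaIDGUID
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            $allow, $pwdLastSet, $descendents, $userClass)
    )

    $acl = Get-Acl -Path "AD:\$OuDn"
    # Explicit (non-inherited) rules with identities returned as SIDs, so they compare cleanly
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $added = 0
    foreach ($ace in $wanted) {
        $dup = $existing | Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
            $_.AccessControlType -eq $ace.AccessControlType -and
            $_.ObjectType -eq $ace.ObjectType -and
            $_.InheritanceType -eq $ace.InheritanceType -and
            $_.InheritedObjectType -eq $ace.InheritedObjectType
        }
        if ($dup) { continue }
        $acl.AddAccessRule($ace)   # appends to the DACL; nothing already there is removed
        $added++
    }
    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($OuDn, "add $added ACE(s) for $GroupName")) {
        Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    }
    return $added
}

function Get-DelegatedAces {
    # Review step: list every ACE (explicit or inherited) the group holds on the OU.
    param([Parameter(Mandatory)][string]$GroupName, [Parameter(Mandatory)][string]$OuDn)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Usage (placeholders as in the thread; run first with -WhatIf):
# Grant-PasswordResetDelegation -GroupName 'Group_Reset_Password' -OuDn 'distinguished name of ou' -WhatIf
# Get-DelegatedAces -GroupName 'Group_Reset_Password' -OuDn 'distinguished name of ou'
```

Two points worth keeping in mind. First, the duplicate check compares on SID rather than on the NTAccount name that Get-Acl normally displays, so it still works for principals whose name cannot be translated. Second, Reset Password on user objects is a high-value right (attack tooling reports it as the ability to force-change a password), and Write on pwdLastSet lets the holder set the attribute to 0 to force a change at next logon; scope the OU tightly, keep the group's membership reviewed, and use Get-DelegatedAces output as the record of what was granted.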

All replies

  • You have to read the whole article carefully to understand how to do this.  The exact answer you seek is given in the example.

    Without some understanding of the technical aspects of AD, this will be a big problem, as it is not a task that is accessible to non-techs.


    \_(ツ)_/

    Saturday, September 29, 2018 8:20 AM