Error while removing access

  • Question

  • I am trying to remove access for a group from an OU; however, I am getting this error:

    Cannot convert argument "rule" with value:"System.Object[]", for RemoveAccessRule to type "System.DirectoryServices.ActiveDirectoryAccessRule

    There is an error on line 4.

    I am running the below:

    $ou='OU=testou,DC=lab,dc=local'
    $a= Get-ACL ("AD:\"+($ou))
    $r=$a.Access | Where { $_.IdentityReference -eq 'lab\group1'}
    $a.RemoveAccessRule($r)
    $a | Set-ACL

    I also tried to loop through each ACE found for group1; however, it returns False for some ACEs. Like below:

    foreach($i in $r)
    {
        $a.RemoveAccessRule($i)
    }



    • Edited by Admin66 Tuesday, November 19, 2019 1:23 PM
    Tuesday, November 19, 2019 12:29 PM

Answers

  • You can also do it like this:

    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::New(
    	$acct.SID,
    	'CreateChild,DeleteChild',
    	[System.Security.AccessControl.AccessControlType]::Allow,
    	[DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )

    Using explicit types forces the selection of the correct constructor.


    \_(ツ)_/


    • Edited by jrvModerator Wednesday, November 20, 2019 11:20 AM
    • Marked as answer by Admin66 Wednesday, November 20, 2019 1:43 PM
    Wednesday, November 20, 2019 11:19 AM
    Moderator
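    As an added illustration (not code from the thread or its authors), the script below ties the question and the accepted answer together: it loops over the matching ACEs one at a time (RemoveAccessRule takes a single rule, not an array), reports the return value of each call, skips inherited ACEs, and builds a single ACE carrying several rights with explicit types. It goes beyond the thread by adding a dry-run default. The function names, the OU DN and the group name are constructed for the example; it assumes the ActiveDirectory module (AD: drive) and an account permitted to edit the OU's DACL.

```powershell
# Added example, not the thread's code. Assumes the ActiveDirectory module
# (AD: drive) is loaded. Function names and the OU/group values are constructed.
Import-Module ActiveDirectory

function Remove-ExplicitAceForIdentity {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'lab\group1'
        [switch]$Commit                             # without -Commit: report only
    )
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # Snapshot the matching ACEs first. RemoveAccessRule accepts ONE
    # ActiveDirectoryAccessRule; handing it the whole array is what produced the
    # "System.Object[]" conversion error in the question.
    $matching = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })

    $results = foreach ($ace in $matching) {
        $row = [ordered]@{ Rights = $ace.ActiveDirectoryRights; Type = $ace.AccessControlType
                           Inheritance = $ace.InheritanceType; Removed = $null; Note = 'dry-run' }
        if ($ace.IsInherited) {
            # Inherited ACEs cannot be removed on this object; they must be
            # removed (or propagation broken) where they originate.
            $row.Removed = $false; $row.Note = 'inherited - skipped'
        } elseif ($Commit) {
            $row.Removed = $acl.RemoveAccessRule($ace)   # True/False per ACE
            $row.Note    = 'explicit'
        }
        [pscustomobject]$row
    }
    if ($Commit) { Set-Acl -Path $path -AclObject $acl }
    $results
}

# One ACE with several rights: the string is parsed as an [ActiveDirectoryRights]
# flag set, and explicit types pick the intended constructor overload.
function New-CombinedRightsAce {
    param([Parameter(Mandatory)][string]$GroupName)
    $grp = Get-ADGroup -Identity $GroupName
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]$grp.SID,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
}

# Usage with constructed values: review the dry run, then re-run with -Commit.
Remove-ExplicitAceForIdentity -OuDistinguishedName 'OU=testou,DC=lab,DC=local' -Identity 'lab\group1' | Format-Table
```

    Run it without -Commit first and check that every row you expect to remove is listed as explicit; an ACE reported as inherited has to be dealt with on the object it is inherited from.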

All replies

  • You cannot use an array of rules with the "remove" method.  You cannot remove inherited rules.


    \_(ツ)_/

    Tuesday, November 19, 2019 3:56 PM
    Moderator
  • When I loop through the ACEs to remove them one by one, then few of them are removed and return True and few are not removed and return False. The ACEs are not inherited; however, they are inherited by the sub-OUs under the testou. How can I remove all the ACEs for this group?

    • Edited by Admin66 Tuesday, November 19, 2019 10:52 PM
    Tuesday, November 19, 2019 10:51 PM
  • When I loop through the ACEs to remove them one by one, then few of them are removed and return True and few are not removed and return False. The ACEs are not inherited; however, they are inherited by the sub-OUs under the testou. How can I remove all the ACEs for this group?

    Then you have to break the propagation and understand that no lower objects will have those ACEs.


    \_(ツ)_/

    Tuesday, November 19, 2019 11:15 PM
    Moderator
  • Any example of how to do that?
    Tuesday, November 19, 2019 11:25 PM
  • When I loop through the ACEs to remove them one by one, then few of them are removed and return True and few are not removed and return False. The ACEs are not inherited; however, they are inherited by the sub-OUs under the testou. How can I remove all the ACEs for this group?

    Then you have to break the propagation and understand that no lower objects will have those ACEs.


    \_(ツ)_/

    Just wanted to make it clear that I am removing the permissions on the parent OU. So some permissions were removed and some were not removed. The permissions which were removed were also propagated to the child OUs. However, I did not have to break propagation to remove those permissions?
    Wednesday, November 20, 2019 12:11 AM
  • Then you have other issues such as a corrupted DACL. Without more diagnostic info there is no way to know what your issue is or what is causing it.


    \_(ツ)_/

    Wednesday, November 20, 2019 1:15 AM
    Moderator
  • When I manually create the ACE like below, I am able to remove the ACE. However, it does not let me combine the rights, e.g. CreateChild,DeleteChild, in one ACE object. How can I combine multiple AD rights in one ACE?

    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    	$grp,
    	[System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    	[System.Security.AccessControl.AccessControlType]::Allow,
    	[DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )


    • Edited by Admin66 Wednesday, November 20, 2019 11:09 AM
    Wednesday, November 20, 2019 11:00 AM
  • This is how to add multiple rights to a new ACE.

    $acct = Get-AdGroup testgrp2
    [System.DirectoryServices.ActiveDirectoryAccessRule]::New($acct.SID,'CreateChild,DeleteChild','Allow')

    Note that the rights are added as a string with comma-delimited elements.

    You can also do this:

    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild'


    \_(ツ)_/


    • Edited by jrvModerator Wednesday, November 20, 2019 11:15 AM
    Wednesday, November 20, 2019 11:13 AM
    Moderator
  • Thanks jrv. I will try it out.
    Wednesday, November 20, 2019 1:43 PM