Powershell - Modify OU ACL

  • Question

  • Goal:
    Delegate a specific group the ability to create/delete specific child object and have Full Control (minus modify permission) rights over all descendent child objects. I have successfully written the code to add the create/delete and grant Full Control portions. What I'm stuck on is modifying the ACE entry of Full Control to remove the "Modify Permission" portion. I'd rather just create it that way from scratch, but figured it might be easier to remove that from the ACE explicitly rather than trying to assign it directly.

    $Group = "DOMAIN\Group"
    $base = "OU=BlahBlahBlah,DC=blah,DC=blah"
    $objectType = "user"
    
    Import-Module ActiveDirectory
    #Bring up an Active Directory command prompt so we can use this later on in the script
    cd ad:
    #Get a reference to the RootDSE of the current domain
    $rootdse = Get-ADRootDSE
    
    #Create a hashtable to store the GUID value of each schema class and attribute
    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
    
    #Create a hashtable to store the GUID value of each extended right in the forest
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
    
    #Get a reference to the OU we want to delegate
    $ou = Get-ADOrganizationalUnit -Identity $base
    
    #Get the SID values of each group we wish to delegate access to
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $group).SID
    
    #Get a copy of the current DACL on the OU
    $acl = Get-ACL -Path ($ou.DistinguishedName)
    
    #Allow the group to create and delete the selected objects in the OU and all sub-OUs that may get created
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"CreateChild,DeleteChild","Allow",$guidmap[$objectType],"All")
    $acl.AddAccessRule($ace)
    
    #Grant the group Full Control of the selected objects in the OU and all sub-OUs that may get created
    $ace = New-object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"GenericAll","Allow","Descendents",$guidmap[$objectType])
    $acl.AddAccessRule($ace)
    
    #Re-apply the modified DACL to the OU
    $ACLOU = "AD:\$($ou.DistinguishedName)"
    Set-ACL -ACLObject $acl -Path ($ACLOU)
    
    #Get updated ACL in preparation to modify
    $acl = Get-ACL -Path ($ou.DistinguishedName)
    
    #Get ACE to modify
    $ACEMod=$acl.Access | Where {($_.IdentityReference -eq $Group) -and ($_.ActiveDirectoryRights -eq "GenericAll")}
    
    $Mod = New-Object System.DirectoryServices.ActiveDirectoryAccessRule
    $acl.ModifyAccessRule(????????????)

    But I can't figure out the syntax of the $acl.ModifyAccessRule portion (last few lines)...

    Any help would be appreciated and also, if it's easier to do in the original ACE creation instead of doing the Full Control, I'm open to any options.


    Thursday, January 5, 2017 5:54 PM
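The "Full Control minus Modify Permissions" ACE the question asks for can be built directly instead of patched afterwards: the "Modify permissions" entry in the ADUC GUI is the WriteDacl bit of the rights mask, so clearing it from GenericAll gives the narrowed mask, and the earlier GenericAll ACE is removed with ModifyAccessRule using the RemoveSpecific modification and a [ref] bool for the out parameter. This is an added example, not the poster's code; it assumes the $Group, $base, $objectType and $guidmap variables from the question's script are already defined and that the AD: drive is available (Import-Module ActiveDirectory).

```powershell
# Added example (not the asker's code). Assumes $Group, $base, $objectType and
# $guidmap from the question's script exist and the AD: PSDrive is loaded.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# GenericAll (0xF01FF) is Full Control. "Modify permissions" in the GUI is WriteDacl
# (0x40000); "Modify owner" is WriteOwner (0x80000). Only WriteDacl is cleared here,
# matching the question; -bor $Rights::WriteOwner into $withheld to withhold both.
$withheld = [int]$Rights::WriteDacl
$limited  = [System.DirectoryServices.ActiveDirectoryRights]([int]$Rights::GenericAll -band (-bnot $withheld))

$ou   = Get-ADOrganizationalUnit -Identity $base
$sid  = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $Group).SID
$path = "AD:\$($ou.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Remove the GenericAll ACE written by the earlier run, if present. ModifyAccessRule
# wants a rule that matches the stored ACE exactly, plus a [ref] for the out bool.
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
    $sid, $Rights::GenericAll, "Allow", "Descendents", $guidmap[$objectType])
$removed = $false
$acl.ModifyAccessRule([System.Security.AccessControl.AccessControlModification]::RemoveSpecific,
                      $fullControl, [ref]$removed) | Out-Null

# Add the narrowed ACE with the same scope (descendant objects of $objectType).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
    $sid, $limited, "Allow", "Descendents", $guidmap[$objectType])
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path $path

# Verify: the group's ACE on descendant objects must no longer list WriteDacl.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and
                   $_.InheritedObjectType -eq $guidmap[$objectType] } |
    ForEach-Object { "{0}: {1}" -f $_.IdentityReference, $_.ActiveDirectoryRights }
```

The verification line should print a rights list without WriteDacl; if $removed is still $false after the ModifyAccessRule call, no ACE matched and the old GenericAll entry is still in place.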