Powershell - OU permission delegation using powershell

    Question

  • Hi Experts,

    I want to apply a Deny permission for a group on an OU, as in the screenshot below, using PowerShell.


    Now, I found the blog below helpful, but I'm not getting the correct ActiveDirectoryAccessRule to apply.
    http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

    ----

    Using the code below I can deny the group "write all properties" on descendant user objects.
    But I want to deny the group "Write all properties" & "Modify permissions" on This object only.

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain

    # Map schema class/attribute names to their schemaIDGUID (used as the ObjectType / InheritedObjectType of an ACE)
    $guidmap = @{ }
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName, schemaIDGUID |
    	ForEach-Object{
    		$guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID
    	}

    # Map extended-right display names (e.g. "Reset Password") to their rightsGuid
    $extendedrightsmap = @{ }
    Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName, rightsGuid |
    ForEach-Object{
    	$extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid
    }

    $ou = Get-ADOrganizationalUnit -Identity 'OU=Users,DC=AMERICAS,DC=TEST'
    $sid=(Get-ADGroup "Nidhin-Test-Group").SID
    $p = New-Object System.Security.Principal.SecurityIdentifier($sid)
    # Get-ACL/Set-ACL address directory objects through the AD: PSDrive of the ActiveDirectory module; a bare DN or an LDAP:// path is not a valid PSPath
    $acl = Get-ACL -Path "AD:\$($ou.DistinguishedName)"

    # Deny WriteProperty, inherited by descendant objects of class 'user' (ADUC: "Descendant User objects")
    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'WriteProperty', 'Deny', 'Descendents', $guidmap['user'])
    $acl.AddAccessRule($ace)
    $acl | Set-ACL -Path "AD:\$($ou.DistinguishedName)"

    Regards, Nidhin.CK


    Thursday, October 15, 2015 10:36 PM

Answers

  • Sorry - I forgot to put in the WriteDACL.

    This works.

    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'WriteProperty,WriteDacl', 'Deny', 'Descendents', $guidmap['user'])

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain

    # Map schema class names to their schemaIDGUID; $guidmap['user'] is used below as the inherited object type
    $guidmap = @{ }
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName, schemaIDGUID |
    	ForEach-Object{
    		$guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID
    	}

    $ou = Get-ADOrganizationalUnit -Identity 'OU=Users,DC=AMERICAS,DC=TEST' -Server t_amsac001.americas.ad.flextronics.test
    $oupath="AD:\$($ou.DistinguishedName)"
    $sid=(Get-ADGroup "Nidhin-Test-Group").SID
    $p = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl = Get-ACL $oupath
    # Deny both "Write all properties" (WriteProperty) and "Modify permissions" (WriteDacl) on descendant user objects
    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'WriteProperty,WriteDacl', 'Deny', 'Descendents', $guidmap['user'])
    $acl.AddAccessRule($ace)
    $acl|Set-ACL $oupath
    


    \_(ツ)_/


    • Proposed as answer by jrvModerator Friday, October 16, 2015 2:42 AM
    • Marked as answer by Nidhin CK Friday, October 16, 2015 2:44 AM
    • Edited by jrvModerator Friday, October 16, 2015 2:57 AM
    Friday, October 16, 2015 2:42 AM
    Moderator

All replies

  • Why do you think you have to do this with PowerShell? It's a one-time thing. Use ADUC as it is easier.


    \_(ツ)_/

    Friday, October 16, 2015 1:34 AM
    Moderator
  • In production I have 500+ OUs.

    BTW, on another forum one of the PowerShell experts helped me with this line, and now I'm able to deny "WriteProperty" on an OU.

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","None",$guidmap["user"]))

    https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110)

    I need to deny "Modify Permission" also. Do you know what property name I need to mention for this?


    Regards, Nidhin.CK


    • Edited by Nidhin CK Friday, October 16, 2015 2:14 AM Proper Code format
    Friday, October 16, 2015 1:41 AM
  • You failed to say what error or issue you are seeing.

    Start by formatting your code correctly so it is readable.

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain

    # Map schema class names to their schemaIDGUID
    $guidmap = @{ }
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName, schemaIDGUID |
    	ForEach-Object{
    		$guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID
    	}

    # Map extended-right display names to their rightsGuid
    $extendedrightsmap = @{ }
    Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName, rightsGuid |
    	ForEach-Object{
    		$extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid
    	}

    $ou = Get-ADOrganizationalUnit -Identity 'OU=Users,DC=AMERICAS,DC=TEST' -Server t_amsac001.americas.ad.flextronics.test
    $sid=(Get-ADGroup "Nidhin-Test-Group").SID
    $p = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl = Get-ACL "AD:\$($ou.DistinguishedName)"
    # Deny WriteProperty on descendant user objects
    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'WriteProperty', 'Deny', 'Descendents', $guidmap['user'])
    $acl.AddAccessRule($ace)
    $acl | Set-ACL "AD:\$($ou.DistinguishedName)"


    \_(ツ)_/





    Friday, October 16, 2015 2:01 AM
    Moderator
  • Given the above, what is your question, or what error are you getting?

    \_(ツ)_/

    Friday, October 16, 2015 2:03 AM
    Moderator
  • Sorry for the confusion.

    I'm not getting any error. The code below just works fine for applying the Deny permission for "Write all properties" on an OU.

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"WriteProperty","Deny","None",$guidmap["user"]))

    In the same way I need to deny permission for "Modify Permissions" on an OU. In the code above I used "WriteProperty" in the ActiveDirectoryAccessRule to deny that setting. What do I need to type, in the same way, to deny Modify Permissions?


    Regards, Nidhin.CK

    Friday, October 16, 2015 2:19 AM
  • Here is a cleaner and tested version:

    Import-Module ActiveDirectory
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain

    # Map schema class names to their schemaIDGUID; $guidmap['user'] is used below as the inherited object type
    $guidmap = @{ }
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName, schemaIDGUID |
    	ForEach-Object{
    		$guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID
    	}

    $ou = Get-ADOrganizationalUnit -Identity 'OU=Users,DC=AMERICAS,DC=TEST'
    $oupath="AD:\$($ou.DistinguishedName)"
    $sid=(Get-ADGroup "Nidhin-Test-Group").SID
    $p = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl = Get-ACL $oupath
    # Deny WriteProperty and WriteDacl on descendant user objects
    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'WriteProperty,WriteDacl', 'Deny', 'Descendents', $guidmap['user'])
    $acl.AddAccessRule($ace)
    $acl|Set-ACL $oupath
    


    \_(ツ)_/


    Friday, October 16, 2015 2:23 AM
    Moderator
  • Thank you jrv. In your code you have denied only one permission, i.e. "Write all properties". If you look at my first screenshot, I need to deny one more permission, i.e. "Modify Permission".

    So what will the code be to achieve this?

    $ace=New-Object System.DirectoryServices.ActiveDirectoryAccessRule($p, 'xxxxxxxxxxxx', 'Deny', 'None', $guidmap['user'])
    


    Regards, Nidhin.CK

    Friday, October 16, 2015 2:28 AM
  • The PowerShell.org code is almost identical to your code, with some of the same errors. It is the same sort of odd code that has been floating around for a long time.

    Permissions are additive: "WriteProperty,WriteDacl". "Modify Permissions" is actually "WriteDacl" in code.


    \_(ツ)_/

    Friday, October 16, 2015 2:45 AM
    Moderator
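The accepted answer combines WriteProperty and WriteDacl but keeps the 'Descendents' scope filtered to user objects, while the original question asked for the two rights to be denied on "This object only" (ADUC's wording for ActiveDirectorySecurityInheritance.None, which the asker already used in the "None" rule above). The block below is an added example written for this page, not code from the thread or from the linked blog: it builds the this-object-only Deny ACE with the four-argument constructor (no inherited-object-type GUID is needed when nothing inherits), applies it idempotently to a list of OUs with -WhatIf support, and reads the DACL back to confirm the ACE landed. The OU DN and group name are the thread's placeholders; the function names are hypothetical.

```powershell
# Added example for this page (not the thread's own code). Assumes the
# ActiveDirectory module, its AD: drive, and rights to write the target OUs'
# DACLs. Group and OU names are the thread's placeholders; function names
# are hypothetical.
Import-Module ActiveDirectory

function New-OuDenyAce {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)

    # ADUC "Write all properties" = WriteProperty; "Modify permissions" = WriteDacl.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    # ActiveDirectorySecurityInheritance.None = ADUC "This object only".
    # With no inheritance there is nothing for a class GUID to filter, so the
    # four-argument constructor is used and no InheritedObjectType is passed.
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
}

function Get-OuDenyAce {
    # Explicit (non-inherited) this-object-only Deny ACEs for $Sid on the OU.
    # GetAccessRules is asked for SID identities so the comparison does not
    # depend on SID-to-name translation.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference -eq $Sid -and
            $_.InheritanceType -eq 'None'
        }
}

function Set-OuDenyAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    begin {
        $sid = (Get-ADGroup -Identity $GroupName).SID
        $ace = New-OuDenyAce -Sid $sid
    }
    process {
        $path = "AD:\$DistinguishedName"

        # Idempotency: skip OUs that already carry a Deny covering both rights,
        # so re-running over 500+ OUs does not stack duplicate ACEs.
        $present = Get-OuDenyAce -DistinguishedName $DistinguishedName -Sid $sid |
            Where-Object { ($_.ActiveDirectoryRights -band $ace.ActiveDirectoryRights) -eq $ace.ActiveDirectoryRights }
        if ($present) {
            Write-Verbose "Deny ACE already present on $DistinguishedName"
            return
        }

        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Deny WriteProperty,WriteDacl to $GroupName (this object only)")) {
            $acl = Get-Acl -Path $path
            $acl.AddAccessRule($ace)
            Set-Acl -Path $path -AclObject $acl

            # Read back: the ACE must be present as an explicit entry, or the write did not land.
            if (-not (Get-OuDenyAce -DistinguishedName $DistinguishedName -Sid $sid)) {
                Write-Error "Deny ACE not found on $DistinguishedName after Set-Acl"
            }
        }
    }
}

# Usage: dry run against one OU, then plan the roll-out over every OU under a
# search base. Drop -WhatIf once the reported changes are what you expect.
Set-OuDenyAce -DistinguishedName 'OU=Users,DC=AMERICAS,DC=TEST' -GroupName 'Nidhin-Test-Group' -WhatIf

Get-ADOrganizationalUnit -Filter * -SearchBase 'DC=AMERICAS,DC=TEST' |
    Select-Object -ExpandProperty DistinguishedName |
    Set-OuDenyAce -GroupName 'Nidhin-Test-Group' -Verbose -WhatIf
```

Two caveats before running this against production. A Deny ACE wins over any Allow for every member of the group, including administrators who happen to be in it, so check the group's membership first. Denying WriteDacl also does not make the DACL immutable: the object's owner can always rewrite it, and anyone holding WriteOwner can take ownership first, so the Deny only constrains principals who reach the OU through this group. If the group should also lose write access to the user objects inside the OU, that is a separate ACE, the 'Descendents' plus $guidmap['user'] form from the accepted answer; the two do not replace each other.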
  • I added the missing part to the original post.

    Have fun.


    \_(ツ)_/

    Friday, October 16, 2015 2:46 AM
    Moderator
  • Hi jrv - please remove the -Server parameter details from your code blocks.

    $rootdse = Get-ADRootDSE -Server xxxx
    $domain = Get-ADDomain -Server xxxx


    Regards, Nidhin.CK

    Friday, October 16, 2015 2:48 AM

    Done - you shouldn't use that anyway. The code you copied just used it as a demo.

    \_(ツ)_/

    Friday, October 16, 2015 2:58 AM
    Moderator