Delegate permissions to Active Directory objects

    • #173890
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      I have some OUs and some groups. I want to delegate permissions to some groups on those OUs to manage computer objects. I also want to deny permissions to some other groups on those OUs, and I want to remove some groups which are already added to those OUs. How can I accomplish this using PowerShell?

    • #173962
      Participant
      Topics: 1
      Replies: 1635
      Points: 3,089
      Helping Hand
      Rank: Community Hero

      We're used to being better when we get something to tweak. What do you have so far? Please show your code. Powershell.org is not a free code writing service – you know that, right? We expect you to do your own research before and at least try to solve your problem by yourself.

    • #173980
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      I tried with the below code:

      Import-Module ActiveDirectory
      $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
      $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
      $per.RemoveAccessRule($r)
      $per | Set-Acl
      $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID
      $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))

      Till line 5, it seems to be working fine to remove the access for a group. However, when I try to set deny permissions for a group, it gives an error. Also, I want to know how to set custom permissions using PowerShell.

    • #174016
      Participant
      Topics: 1
      Replies: 1635
      Points: 3,089
      Helping Hand
      Rank: Community Hero

      ... However when I try to set deny permissions for a group it gives an error. ...

      Don't you think it would have been helpful to know the error message? A lot of times the error message tells you the solution.

    • #174022
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Error is as follows:

      New-Object : Multiple ambiguous overloads found for
      "ActiveDirectoryAccessRule" and the argument count: "4".
      At line:2 char:21
      + ... AccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccess ...
      +                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
      + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    • #174076
      Participant
      Topics: 1
      Replies: 1635
      Points: 3,089
      Helping Hand
      Rank: Community Hero

      deleted

    • #174094
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Any suggestions on this?

    • #174286
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Can anyone suggest anything on this?

    • #174383
      Participant
      Topics: 6
      Replies: 108
      Points: 302
      Helping Hand
      Rank: Contributor

      The constructor can't figure out what one of the parameters you're passing to it is, so it doesn't know which signature to use. I see 3 or 4 different options... Could it be that your SID is $null, or that you need to specify something other than strings for the other parameters?

    • #174398
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      Hello Tech Savy,

      Try the following and let me know if it works. I added .Value to the end: (Get-ADGroup "MyGroup2").Sid.Value

      Import-Module ActiveDirectory
      $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
      $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
      $per.RemoveAccessRule($r)
      $per | Set-Acl
      $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
      $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))
    • #174763
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Does not work. Same error.

    • #174838
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      TechSavy,

      I reviewed the error again, and it looks like we have a syntax error as well, where we didn't add encapsulation around the 4 values.

      Import-Module ActiveDirectory
      $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
      $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
      $per.RemoveAccessRule($r)
      $per | Set-Acl
      $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
      $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))
    • #175186
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Tried, does not work either.

    • #175297
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Jason, any other way to achieve this?

    • #175603
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      TechSavy,

      Sorry for the delay; for some reason I glossed over this one. Okay, what is the error code you are getting now? I don't have an on-premises AD I can spin up at the moment to test this. That's what I get for hosting everything in the cloud.

    • #175609
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      Well typed all this out and had the post disappear yay!!!

      If you run the following, this is the output. This is not what we want, as we only want the SID value; creating the SecurityIdentifier object causes us to redo the work we just did by finding the AD group and calling the SID value.

      New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Group1").SID.Value | FL
      
      BinaryLength : 28
      AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
      Value : S-1-5-21-3817738000-0660151139-8432712656-8745

      Now if we check the following, it shows what we want.

      (Get-ADGroup "Group1").SID.Value | FL
      
      BinaryLength : 28
      AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
      Value : S-1-5-21-3817738000-0660151139-8432712656-8745

      Try this updated code:

      Import-Module ActiveDirectory
      $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
      $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
      $per.RemoveAccessRule($r)
      $per | Set-Acl
      $p = (Get-ADGroup "mygroup2").SID.Value
      $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

    • #175612
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      Well, this is the third time I'm trying to post this, so I'm not making it all nice and neat. Essentially the New-Object is what is shooting us in the foot. Remove it and only use the Get-ADGroup.

      Import-Module ActiveDirectory
      $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
      $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
      $per.RemoveAccessRule($r)
      $per | Set-Acl
      $p = (Get-ADGroup "mygroup2").SID.Value
      $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))
    • #175627
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Thanks for the reply Jason; however, I still get the same error message as stated before in this forum.

    • #175729
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      Techsavy,

      Okay, I did some more research; we were close, but not there. We have to assign the type for IdentityReference, ActiveDirectoryRights, AccessControlType and ActiveDirectorySecurityInheritance. For further reference and understanding, below is a link to the article I used for the research.

      https://social.technet.microsoft.com/Forums/Lync/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell

      $Identity = [System.Security.Principal.IdentityReference] (Get-ADGroup Group1).SID
      $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
      $AccessControl = [System.Security.AccessControl.AccessControlType] "Deny"
      $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
      $AccessRule = New-object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $AccessControl, $Inheritance
      $per.AddAccessRule($AccessRule)
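
      The following is an added example, not Jason's code or the original poster's. It wraps the typed constructor from the post above in small functions and closes two gaps the earlier snippets leave open: the group is matched by SID instead of a -like wildcard on the name, and matching rules are removed one at a time, because RemoveAccessRule takes a single rule and fails when $r holds several. It assumes the AD: drive that Import-Module ActiveDirectory creates; the OU and group names are the thread's placeholders.

```powershell
Import-Module ActiveDirectory

# Added example, not code from the thread. Assumes the AD: PowerShell drive exists.
# 'OU=Test,DC=lab,DC=local', 'mygroup1' and 'mygroup2' are the thread's placeholder names.

function Remove-OuAceForGroup {
    # Remove every explicit (non-inherited) ACE that a group holds on an OU.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    # Resolve the group to its SID so the comparison is exact; a wildcard such as
    # "*mygroup1" would also match a group named 'notmygroup1'.
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $matching = @($acl.Access | Where-Object {
        # Inherited ACEs live on the parent and cannot be removed here, so skip them.
        if ($_.IsInherited) { return $false }
        try   { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
        catch { $false }   # unresolvable identity: never equal to our group
    })
    # RemoveAccessRuleSpecific removes exactly one rule per call, so loop over the matches.
    foreach ($rule in $matching) { [void] $acl.RemoveAccessRuleSpecific($rule) }
    if ($matching.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
    return $matching.Count   # number of ACEs removed
}

function Add-OuDenyAce {
    # Add a Deny ACE for a group on an OU. Every argument carries its exact .NET type, so
    # New-Object resolves the 4-argument constructor instead of reporting ambiguous overloads.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'GenericAll'
    )
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $identity    = [System.Security.Principal.IdentityReference] (Get-ADGroup -Identity $GroupName).SID
    $type        = [System.Security.AccessControl.AccessControlType]::Deny
    $inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                      -ArgumentList $identity, $Rights, $type, $inheritance
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-OuExplicitAce {
    # List the explicit ACEs on an OU so a change can be reviewed (or logged) before and after.
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType, InheritedObjectType
}

# Usage with the thread's placeholder names.
$ou = 'OU=Test,DC=lab,DC=local'
Get-OuExplicitAce    -OuDistinguishedName $ou | Format-Table -AutoSize   # before
Remove-OuAceForGroup -OuDistinguishedName $ou -GroupName 'mygroup1'
Add-OuDenyAce        -OuDistinguishedName $ou -GroupName 'mygroup2'
Get-OuExplicitAce    -OuDistinguishedName $ou | Format-Table -AutoSize   # after
```

      A Deny ACE is evaluated before the Allow ACEs at the same level, so a Deny of GenericAll also blocks members of mygroup2 who are granted access through some other group; the listing before and after the change is there to make that visible during review.
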
    • #176092
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Thanks Jason. It works. How about allowing specific permissions, like Create User Objects/Delete User Objects etc., to a group?

    • #178293
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Any suggestion on providing specific permissions?

    • #178839
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Hi Jason,

      Any suggestions on allowing specific permissions, like Create User Objects/Delete User Objects etc., to a group?

    • #178872
      Participant
      Topics: 4
      Replies: 97
      Points: 201
      Helping Hand
      Rank: Participant

      Play around with this. Look at what you can find in $guidmap.

      cd ad:

      $guidmap = @{}
      $extendedrightsmap = @{}
      $rootdse = Get-ADRootDSE
      Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
      Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

      $servicegroup = 'AG-AD-Admin-SD'

      $identity = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup $servicegroup).SID
      $ace1user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,"CreateChild,DeleteChild","Allow",$guidmap["user"],"All"
      $ace2user = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,"WriteProperty","Allow","Descendents",$guidmap["user"]
      $AccountOUs = Get-ADOrganizationalUnit -SearchBase "OU=Accounts,DC=DaCrap,DC=com" -Filter * -SearchScope OneLevel | Select-Object -ExpandProperty DistinguishedName

      foreach ($AccountOU in $AccountOUs) {
          $acl = Get-Acl $AccountOU
          $acl.AddAccessRule($ace1user)
          $acl.AddAccessRule($ace2user)
          Set-Acl -AclObject $acl -Path $AccountOU -Verbose
      }
      
      
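      An added example, not Aapeli's code or anything from the thread, that generalizes the $guidmap idea to the original poster's case of managing computer objects: instead of loading the whole schema into a hashtable, it looks up the two GUIDs it needs (the computer class and the Reset Password extended right) and builds one ACE per overload shape, so the difference between objectType (which class may be created) and inheritedObjectType (which descendants inherit the ACE) is explicit. It assumes the AD: drive from Import-Module ActiveDirectory; the OU and group names are the thread's placeholders.

```powershell
Import-Module ActiveDirectory

# Added example, not code from the thread. Assumes the AD: PowerShell drive exists.
# 'OU=Test,DC=lab,DC=local' and 'mygroup1' are the thread's placeholder names.

function Get-AdSchemaClassGuid {
    # schemaIDGUID of a schema class such as 'computer' or 'user' (stored as a byte array).
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).SchemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    return [guid] $class.schemaIDGUID
}

function Get-AdExtendedRightGuid {
    # rightsGuid of a control access right such as 'Reset Password' (stored as a string).
    param([Parameter(Mandatory)] [string] $DisplayName)
    $configNc = (Get-ADRootDSE).ConfigurationNamingContext
    $right = Get-ADObject -SearchBase $configNc -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    return [guid] $right.rightsGuid
}

function New-ComputerManagementAce {
    # Build the ACEs needed to manage computer objects under an OU, each scoped by GUID
    # rather than granting GenericAll.
    param([Parameter(Mandatory)] [System.Security.Principal.IdentityReference] $Identity)
    $computerGuid = Get-AdSchemaClassGuid   -LdapDisplayName 'computer'
    $resetPwGuid  = Get-AdExtendedRightGuid -DisplayName 'Reset Password'
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # (1) Create/delete children of class computer only. The Guid here is the objectType:
    #     it restricts WHICH class may be created, not where the ACE applies.
    $create = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Identity, ([System.DirectoryServices.ActiveDirectoryRights] 'CreateChild,DeleteChild'), $allow, $computerGuid, $all
    # (2) Write any property, but only on descendant computer objects. The Guid here is the
    #     inheritedObjectType: it restricts WHERE the ACE is inherited (same overload as $ace2user above).
    $write = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Identity, ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow, $desc, $computerGuid
    # (3) The 'Reset Password' extended right on descendant computers: objectType = the right's GUID,
    #     inheritedObjectType = the computer class GUID (6-argument overload).
    $reset = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Identity, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow, $resetPwGuid, $desc, $computerGuid
    return @($create, $write, $reset)
}

function Grant-ComputerManagement {
    # Apply the ACEs to one OU; SupportsShouldProcess lets -WhatIf preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $identity = [System.Security.Principal.IdentityReference] (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($ace in (New-ComputerManagementAce -Identity $identity)) { $acl.AddAccessRule($ace) }
    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "grant computer management to $GroupName")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Preview first, then apply, using the thread's placeholder names.
Grant-ComputerManagement -OuDistinguishedName 'OU=Test,DC=lab,DC=local' -GroupName 'mygroup1' -WhatIf
Grant-ComputerManagement -OuDistinguishedName 'OU=Test,DC=lab,DC=local' -GroupName 'mygroup1'
```

      The same two lookups cover the user case from the question (pass 'user' to Get-AdSchemaClassGuid); any other extended right can be found by its displayName in the configuration partition the same way, which is what the $extendedrightsmap table above collects in bulk.
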
    • #179391
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      TechSavy,

      Sorry for the delay on my end; completely swamped at work. Aapeli is correct in exploring what you are trying to do. I would also recommend researching Active Directory control access rights and extended rights to understand the scope of what is available. From what you are asking, it almost sounds like you are attempting to set up a custom RBAC group for administrative purposes.

    • #179733
      Participant
      Topics: 13
      Replies: 58
      Points: 268
      Rank: Contributor

      Thanks Jason and Aapeli, I will explore more on the above.
