Delegate permissions to Active Directory objects


This topic contains 20 replies, has 4 voices, and was last updated by Participant 2 days, 2 hours ago.

  • #173890

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    I have some OU's and some groups. I want to delegate permissions to some groups on those OU's to manage computer objects, I also want to deny permissions on some other groups on those OU's and I want to remove some groups which are already added from those OU's. How can I accomplish this using powershell?

  • #173962

    Participant
    Topics: 1
    Replies: 1530
    Points: 2,591
    Helping Hand
    Rank: Community Hero

    We tend to do better when we get something to tweak. What do you have so far? Please show your code. Powershell.org is not a free code writing service – you know that, right? We expect you to do your own research first and at least try to solve your problem by yourself.

  • #173980

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    I tried with the below code:

    Import-Module ActiveDirectory
    $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
    $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
    $per.RemoveAccessRule($r)
    $per | Set-Acl
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID
    $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))

    Till line 5, it seems to be working fine to remove the access for a group. However, when I try to set deny permissions for a group, it gives an error. Also, I want to know how to set custom permissions using PowerShell.

  • #174016

    Participant
    Topics: 1
    Replies: 1530
    Points: 2,591
    Helping Hand
    Rank: Community Hero

    ... However when I try to set deny permissions for a group it gives an error. ...

    Don't you think it would have been helpful to know the error message? A lot of times the error message tells you the solution.

  • #174022

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Error is as follows:

    New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "4".
    At line:2 char:21
    + ... AccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccess ...
    +                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

  • #174076

    Participant
    Topics: 1
    Replies: 1530
    Points: 2,591
    Helping Hand
    Rank: Community Hero

    deleted

  • #174094

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Any suggestions on this?

  • #174286

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Anyone can suggest on this?

  • #174383

    Participant
    Topics: 6
    Replies: 78
    Points: 143
    Helping Hand
    Rank: Participant

    The constructor can't figure out what one of the parameters you're passing to it is, so it doesn't know which signature to use. I see 3 or 4 different options... Could it be that your SID is $null, or that you need to specify something other than strings for the other parameters?

  • #174398

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    Hello Tech Savy,

    Try the following and let me know if it works. I added the value to the end of (Get-ADGroup "MyGroup2").Sid.Value

    Import-Module ActiveDirectory
    $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
    $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
    $per.RemoveAccessRule($r)
    $per | Set-Acl
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
    $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))

  • #174763

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Does not work. Same error.

  • #174838

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    TechSavy,

    Reviewed the error again, and it looks like we have a syntax error as well, where we didn't add encapsulation around the 4 values.

    Import-Module ActiveDirectory
    $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
    $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
    $per.RemoveAccessRule($r)
    $per | Set-Acl
    $p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
    $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

  • #175186

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Tried, does not work either.

  • #175297

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Jason, any other way to achieve this?

  • #175603

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    TechSavy,

    Sorry for the delay; for some reason I glossed over this one. Okay, what is the error code you are getting now? I don't have an on-premises AD I can spin up at the moment to test this. That's what I get for hosting everything in the cloud.

  • #175609

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    Well typed all this out and had the post disappear yay!!!

    If you run the following, this is the output. This is not what we want, as we only want the SID value; creating the SecurityIdentifier object causes us to redo the work we just did by finding the AD group and calling the SID value.

    New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Group1").SID.Value | FL
    
    BinaryLength : 28
    AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
    Value : S-1-5-21-3817738000-0660151139-8432712656-8745

    Now if we check the following, it shows what we want.

    (Get-ADGroup "Group1").SID.Value | FL
    
    BinaryLength : 28
    AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
    Value : S-1-5-21-3817738000-0660151139-8432712656-8745

    Try this updated code:

    Import-Module ActiveDirectory
    $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
    $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
    $per.RemoveAccessRule($r)
    $per | Set-Acl
    $p = (Get-ADGroup "mygroup2").SID.Value
    $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

  • #175612

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    Well, this is the third time I'm trying to post this, and I'm not making it all nice and neat. Essentially the New-Object is what is shooting us in the foot. Remove it and only use the Get-ADGroup.

    Import-Module ActiveDirectory
    $per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
    $r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
    $per.RemoveAccessRule($r)
    $per | Set-Acl
    $p = (Get-ADGroup "mygroup2").SID.Value
    $per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

  • #175627

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Thanks for the reply Jason, however still get the same error message as stated before in this forum.

  • #175729

    Participant
    Topics: 0
    Replies: 100
    Points: 363
    Helping Hand
    Rank: Contributor

    Techsavy,

    Okay, did some more research; we were close, but not there. We have to assign the type for IdentityReference, ActiveDirectoryRights, AccessControlType and ActiveDirectorySecurityInheritance. For further reference and understanding, below is a link to the article I used for the research.

    https://social.technet.microsoft.com/Forums/Lync/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell

    $Identity = [System.Security.Principal.IdentityReference] (Get-ADGroup Group1).SID
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $AccessControl = [System.Security.AccessControl.AccessControlType] "Deny"
    $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $AccessRule = New-object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $AccessControl, $Inheritance
    $per.AddAccessRule($AccessRule)

  • #176092

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Thanks Jason. It works. How about allowing specific permissions, like Create User Objects/Delete User Objects, etc., to a group?

  • #178293

    Participant
    Topics: 10
    Replies: 48
    Points: 200
    Rank: Participant

    Any suggestion on providing specific permissions?
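The typed casts in #175729 are what resolve the "ambiguous overloads" error; the follow-up about rights limited to user objects (#176092, #178293) was never answered in the thread. The script below is an added example, not code posted by anyone here: it reuses the same typed constructor, adds the five-argument overload that takes an object-type GUID (looked up from the schema rather than hard-coded), and ends with the Set-Acl call the earlier snippets leave out after AddAccessRule. Assumed names: the thread's OU and mygroup1/mygroup2, plus a made-up "mygroup3" and the helper New-TypedAce.

```powershell
# Added example (not from the thread): delegate create/delete of user objects to one
# group, deny a second group, and strip a third group's ACEs on a single OU.
# Assumes the ActiveDirectory module; "mygroup3" and New-TypedAce are made up here.
Import-Module ActiveDirectory
$ouPath = "AD:OU=Test,DC=lab,DC=local"

# The schemaIDGUID of the 'user' class scopes an ACE to that object type; this is
# what "Create/Delete User objects" means in the delegation wizard.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

function New-TypedAce {
    param(
        [string]$GroupName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [guid]$ObjectType = [guid]::Empty
    )
    # Cast every argument to its exact type (as the working answer did) so New-Object
    # resolves one constructor instead of failing with "ambiguous overloads".
    $sid = [System.Security.Principal.IdentityReference](Get-ADGroup $GroupName).SID
    $inh = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    if ($ObjectType -eq [guid]::Empty) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Type, $inh)
    } else {
        # Five-argument overload: the GUID limits CreateChild/DeleteChild to one class.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Type, $ObjectType, $inh)
    }
}

$acl = Get-Acl $ouPath

# 1. Remove every ACE naming mygroup1. The remove methods take one rule at a time,
#    so iterate rather than passing the whole Where-Object result.
$acl.Access | Where-Object { $_.IdentityReference -like "*\mygroup1" } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

# 2. Allow mygroup3 to create and delete user objects only, in this OU and below.
$acl.AddAccessRule((New-TypedAce -GroupName "mygroup3" -Rights "CreateChild, DeleteChild" -Type Allow -ObjectType $userGuid))

# 3. Deny mygroup2 everything on the subtree. Deny ACEs override Allow ACEs, so check
#    that no Allow that the group's members still need is being cancelled.
$acl.AddAccessRule((New-TypedAce -GroupName "mygroup2" -Rights GenericAll -Type Deny))

# Nothing changes in the directory until the modified ACL is written back.
Set-Acl -Path $ouPath -AclObject $acl

# Verify the resulting ACEs for the three groups.
(Get-Acl $ouPath).Access | Where-Object { $_.IdentityReference -match 'mygroup[123]$' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Run it from an account that holds Modify Permissions on the OU; ObjectType in the verification output is the user-class GUID for the mygroup3 entry and all zeros for the unscoped deny.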
