Author Posts

October 15, 2015 at 2:54 pm

We have few AD admin accounts added in to a group named "Nidhin-test-group" and I want to Deny the group write all properties & Modify permissions on an OU, this settings should apply to "This object only"

Now i found below blog helpfull. but i'm not getting correct ActiveDirectoryAccessRule to apply.
http://blogs.technet.com/b/joec/archive/2013/04/25/active-directory-delegation-via-powershell.aspx#pi142453=2

—-

Using below code i can apply Deny the group to write all properties of descendent user objects.
But i want to Deny the group "write all properties" & "Modify permission" on an OU and this settings should apply to "This object only"

Import-Module ActiveDirectory
$rootdse = Get-ADRootDSE
$domain = Get-ADDomain

$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))"  -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

$ou = Get-ADOrganizationalUnit -Identity ("OU=Users,DC=TEST") 
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Nidhin-Test-Group").SID
$acl = Get-ACL -Path ($ou.DistinguishedName)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"WriteProperty","Deny","Descendents",$guidmap["user"]))

Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))

October 15, 2015 at 4:48 pm

You would need to modify your access rule. Instead of Descendants use None

https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"WriteProperty","Deny","Descendents",$guidmap["user"]))

October 15, 2015 at 5:48 pm

Thank you Curtis Smith..! Now im able to deny the "Write all properties" on an OU. In order to deny "Modify Permissions" what is the exact property name i need to mention in below code? (need to replace xxxx)

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$p,"XXXXXXXX","Deny","None",$guidmap["user"]))

October 15, 2015 at 6:27 pm

The ActiveDirectoryAccessRule Class
https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx

The ActiveDirectoryRights Enumeration
https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx

WriteDacl
The right to modify the DACL in the object security descriptor.

October 15, 2015 at 6:43 pm

Thanks a lot Curtis..!

Is there anyway i can mark this thread as closed ?

October 15, 2015 at 6:49 pm

Yes, you should have a thread status box right above the reply box. You can set it to resolved.