replacing dsacls (and forloop) with PS; 2008 DJ article

Tagged: 

This topic contains 7 replies, has 5 voices, and was last updated by Profile photo of Dan Potter Dan Potter 2 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #47865
    Profile photo of Jeff Taylor
    Jeff Taylor
    Participant

    I am trying to set permissions for a service principle (User object) on about 100 newly introduced Exhange 2013 schema class objects with this command:

    dsacls "DC=company,DC=dev" /I:S /G "company.dev\s-account:RPWP;ms-Exch-Archive-GUID;user"

    but want to run this against about 100 more classes...

    I was reading a 2008 article by Don Jones here: Don Jones article on PS and setting permissions

    So I don't have files or folder to set, but schema classes. Is it worth it to try PS to do this or if not, how could I use a forloop to set them with DSACLs (which does work just fine).

    thanks

    #47868
    Profile photo of thom schumacher
    thom schumacher
    Participant

    There is a provider that is available for active directory that you could use:

    https://technet.microsoft.com/en-us/library/hh852274(v=wps.630).aspx

    To use a for loop if you get all the items into an object you can iterate thorugh the object using foreach

    here is a small demo of the foreach

    $object = get-process
    foreach($o in $object){write-output $o}
    #48210
    Profile photo of Vince Skahan
    Vince Skahan
    Participant

    Not seeing an answer there.

    I'm trying to do the same kind of thing, and find it fascinating that all the examples I can find eventually wind up calling a .exe like dsacls rather than going pure powershell so to speak.

    Consider the following code which works fine:

    $ComputerName = "HOST1234"
    
    $computerDN = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    dsacls $computerDN /g “MYDOMAIN\user123:ca;allowed to authenticate"

    Questions:

    • should we even bother replacing 'dsacls' with a powershell equivalent ?
    • does anybody have a 'complete' working example of this that's better than just pointing us to set-acl and expecting us to try (again) to decipher the non-examples there ?

    Coming at this with 30 years of unix experience, it's pretty tough finding the right terminology to ask the question, so apologies in advance there...

    #48218
    Profile photo of Jeff Taylor
    Jeff Taylor
    Participant

    I just copied all my dsacls statements in a .bat file and ran against the schema objects I was trying to ACL on behalf of the service account.

    was quick 'n easy.

    #48220
    Profile photo of Dan Potter
    Dan Potter
    Participant

    you'll find that some tools are hard to beat in PS for one off situations. Dsacls and robocopy are two. No issues using them as they'll execute fine within the shell. The only issue is the output if you needed it isn't ideal.

    #48222
    Profile photo of Jeff Taylor
    Jeff Taylor
    Participant

    duly noted, and thanks.

    #48364
    Profile photo of Missy Januszko
    Missy Januszko
    Participant

    Here's a simple, working example of set-ACL:

    $WebServersGroup = get-adgroup -Identity "Web Servers" | Select-Object SID
    $ACL = get-acl "AD:OU=Servers,DC=domain,DC=com"
    $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $WebServersGroup.SID,'GenericRead','Allow'))
    set-ACL "AD:OU=Servers,DC=domain,DC=com" -AclObject $ACL
    

    For what it's worth I prefer DSACLS 🙂

    #48389
    Profile photo of Dan Potter
    Dan Potter
    Participant

    Here is a way to copy acls from one object to another. I did this just for the heck of it..and yes I use write-host in my oneoff scripts:D

    $forestdns = @(#bunchofforestonlyzones)
    
    $zones = Get-DnsServerZone 
    
    $sourceacl = get-acl 'ad:\dc=my.zone.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=com' | select -ExpandProperty access | ? { $_.identityreference -eq 'mycompany\dnsadmins' }
    
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sourceacl.IdentityReference,
    $sourceacl.ActiveDirectoryRights,
    $sourceacl.AccessControlType,
    $sourceacl.ObjectType,
    "All",
    $sourceacl.InheritedObjectType
    )
    
    foreach ($zone in $zones) {
    	
    	$i = $zone.zonename
    	
    	if ($i -in $forestdns) {
    		
    		$path = 'ad:\dc=' + $i + ',cn=MicrosoftDNS,DC=ForestDnsZones,DC=myforest,DC=LOCAL'
    		$newacl = [ADSI]"LDAP://dc=$i,cn=MicrosoftDNS,DC=ForestDnsZones,DC=myforest,DC=LOCAL"
    		
    	} else {
    		
    		$path = 'ad:\dc=' + $i + ',cn=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=com'
    		$newacl = [ADSI]"LDAP://dc=$i,cn=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=com"
    		
    	}
    	
    	
    	$acl = get-acl $path -erroraction 'silentlycontinue' | select -ExpandProperty access | ? { $_.identityreference -eq 'mycompany\dnsadmins' }
    	
    	if ($acl) {
    		
    		
    		$return = $false
    		
    		write-host "reset perms for $i"
    		
    		$newacl.objectsecurity.ModifyAccessRule("Reset", $rule, [ref]$return)
    		if ($return) {
    			$newacl.CommitChanges()
    		}
    		
    	} else {
    		
    		
    		$return = $false
    		
    		write-host "add perms for $i"
    		
    		$newacl.objectsecurity.ModifyAccessRule("Add", $rule, [ref]$return)
    		if ($return) {
    			$newacl.CommitChanges()
    		}
    		
    		
    	}
    	
    }
    
    
    
Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.