Security group to computer object?

This topic contains 4 replies, has 2 voices, and was last updated by  Jason McMahan 3 years, 6 months ago.

  • #13762

    Jason McMahan
    Participant

    Good day,
    I was attempting to take a domain local group, add them to the security of a computer object and provide them read access. This will be for every computer object in an OU.

    For instance
    Object class = Organizational unit
    Canonical name of object corporate.yyy.com/special/device

    Inside this OU there are approximately 700 plus computer objects.
    The group corp.yyy.com needs read access security on every object.

    First draft I was thinking:

    Set-Location AD:
    # Find the OU by name and move into it on the AD: drive (the object's DistinguishedName is the path)
    $ou = Get-ADOrganizationalUnit -Filter { Name -like "device" }
    Set-Location $ou.DistinguishedName
    # Get-Acl needs each child's path; a bare Get-Acl would only read the current location's ACL
    $acl = Get-ChildItem | ForEach-Object { Get-Acl -Path $_.PSPath }

    Then I got stuck about there and my brain fried.

    Any help suggestions would be greatly appreciated.

    Thank you

  • #13773

    Dave Wyatt
    Moderator

    Is there a particular reason you want to set the permissions directly on each computer object, instead of setting it at the OU level and letting the permissions inherit to the computers? It's a better practice to set permissions on containers, in general (and in this case, it might even be faster to just do it with the AD Users and Computers GUI rather than writing a script.)

  • #13779

    Jason McMahan
    Participant

    We had thought of that also; however, two things that were against that are: this group may or may not be added to future objects placed into this container, and we will most likely do some restructuring.
    Also there are other groups that may be applied to specific groups of objects within this OU, that I could modify the script to work with.

    Thank you

  • #13790

    Dave Wyatt
    Moderator

    It's still a bad idea, but if that's the design you want to run with, it can be done. (Personally, I would add a new child OU to hold just the subset of computers that require this delegation, and set the permissions there.)

    Here are a couple of examples of using PowerShell to get at the security descriptors of AD objects:

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx
    http://blogs.msdn.com/b/muaddib/archive/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects.aspx

    They're not exactly what you asked for, but it's a start. The code to modify the ACLs themselves is fairly generic, but you'll be working with ActiveDirectorySecurity, ActiveDirectoryAccessRule and ActiveDirectoryRights types, instead of the FileSystem versions of those classes that you'd see in most example code.
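    Worked example of what the reply above describes, added here as an editor's illustration and not code from either poster: one ActiveDirectoryAccessRule granting GenericRead, set on the OU and inherited only by descendant computer objects (the recommended design), with the per-computer loop from the original question shown as the alternative. The group name ILO-Readers is a placeholder; the OU name device comes from the thread.

```powershell
Import-Module ActiveDirectory

# Placeholder group name; 'device' is the OU name from the thread
$group  = Get-ADGroup -Identity 'ILO-Readers'
$ou     = Get-ADOrganizationalUnit -Filter { Name -eq 'device' }
$ouPath = "AD:\$($ou.DistinguishedName)"

# schemaIDGUID of the 'computer' class, used to scope the inherited ACE to computer objects only
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'computer' } `
                        -Properties schemaIDGUID).schemaIDGUID

# Option A (container-level, least surface): one ACE on the OU, inherited by descendant computers only.
# Inheritance type Descendents (the enum's spelling) plus the inheritedObjectType GUID means
# "applies to descendant Computer objects", so users/groups under the OU are not affected.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl      # add -WhatIf on a first run to preview the change

# Option B (the original question): an explicit, non-inherited ACE on every computer in the OU.
# Run this instead of Option A if explicit ACEs are really required; it is where the first draft was heading.
$explicit = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

Get-ADComputer -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter * | ForEach-Object {
    $path   = "AD:\$($_.DistinguishedName)"
    $objAcl = Get-Acl -Path $path
    $objAcl.AddAccessRule($explicit)
    # Set-Acl -Path $path -AclObject $objAcl   # uncomment to apply per object
}

# Verify: list the ACEs that now reference the group on a sample computer object
$sample = Get-ADComputer -SearchBase $ou.DistinguishedName -Filter * | Select-Object -First 1
(Get-Acl -Path "AD:\$($sample.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like "*$($group.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
```

With Option A the verification step shows the ACE on the computer with IsInherited set to True; with Option B it shows an explicit entry with IsInherited False, which is the difference the thread is debating.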

  • #13853

    Jason McMahan
    Participant

    After further discussion we decided to simply place the group on the OU and allow permissions to filter down.
    This wasn't ideal as in this scenario it is applying read permissions for this to the computer objects for integrated lights out utilities on servers.
    Ultimately the HP tool should have applied the permissions correctly, but I was hoping to use PowerShell to correct easily, although from everything I read it seems ACL is not quick and/or easy.

    Thank you for your help.
