Change Active Directory advanced security with PowerShell

It has been a while since my last post. So this is my first for 2016 J.

I will show you how you can change the advanced security settings in Active Directory with PowerShell. Off course you can do everything the default GUI. But if you have to do it more than once, this is one way to do it! So let’s start.

There is one requirement, you need to install the active role management from Dell.
The download includes also a detailed pdf about all the commands. You can find them here: http://software.dell.com/products/active-roles/powershell.aspx

So what we want to change is this:

And in PowerShell it looks like this:

Get-QADPermission -Inherited 'OU=TestOU,DC=sub,DC=root,DC=lab'
Permissions for: sub.root.lab/TestOU

Ctrl    Account                     Rights                    Source        AppliesTo
----    -------                         ------                    ------        ---------
Deny    Everyone                     Special                    Not inherited    This object only

BUILTIN\Pre-Windows 2000 Compatible A...     Read Account Restrictions        Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...      Read Account Restrictions        Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A...      Read Logon Information        Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...      Read Logon Information        Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A...      Read Group Membership        Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...      Read Group Membership        Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A...      Read General Information        Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...      Read General Information        Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A...      Read Remote Access Information    Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...      Read Remote Access Information    Inherited Child user objects

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups             Inherited Child computer ...

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups            Inherited Child group obj...

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups            Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A...     Special                    Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A...     Special                    Inherited Child group obj...

BUILTIN\Pre-Windows 2000 Compatible A...     Special                    Inherited Child user objects

NT AUTHORITY\SELF                 Special                    Inherited This object and...

ROOT\Enterprise Admins              Full control                Inherited This object and...

BUILTIN\Pre-Windows 2000 Compatible A...     List Contents                Inherited This object and...

BUILTIN\Administrators                 Special                    Inherited This object and...

Get-QADPermission -Inherited 'OU=TestOU,DC=sub,DC=root,DC=lab'

Permissions for: sub.root.lab/TestOU

Ctrl Account Rights Source AppliesTo

---- ------- ------ ------ ---------

Deny Everyone Special Not inherited This object only

BUILTIN\Pre-Windows 2000 Compatible A... Read Account Restrictions Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Read Account Restrictions Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A... Read Logon Information Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Read Logon Information Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A... Read Group Membership Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Read Group Membership Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A... Read General Information Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Read General Information Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A... Read Remote Access Information Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Read Remote Access Information Inherited Child user objects

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups Inherited Child computer ...

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups Inherited Child group obj...

NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups Inherited Child user objects

BUILTIN\Pre-Windows 2000 Compatible A... Special Inherited Child inetOrgPe...

BUILTIN\Pre-Windows 2000 Compatible A... Special Inherited Child group obj...

BUILTIN\Pre-Windows 2000 Compatible A... Special Inherited Child user objects

NT AUTHORITY\SELF Special Inherited This object and...

ROOT\Enterprise Admins Full control Inherited This object and...

BUILTIN\Pre-Windows 2000 Compatible A... List Contents Inherited This object and...

BUILTIN\Administrators Special Inherited This object and...

Here is our first obstacle, lots of the sources are inherited. And yes we want to change one of the inherited rights…

So to disabled inheritance but keep the rights, you need to do the following:
SetAccessRuleProtection: https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection(v=vs.110).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1

#define the OU
$ou = [adsi]'LDAP://OU=TestOU,Dc=sub,DC=root,DC=lab'

#Disabled inheritance
$ou.ObjectSecurity.SetAccessRuleProtection($true, $true)
$ou.CommitChanges()

#define the OU

$ou = [adsi]'LDAP://OU=TestOU,Dc=sub,DC=root,DC=lab'

#Disabled inheritance

$ou.ObjectSecurity.SetAccessRuleProtection($true, $true)

$ou.CommitChanges()

Use the Get-QADPermission again to see the result, you will see that the Source Inherited is changed to Not Inherited.

Once the inheritance is disabled we can delete everything we want. We use the Get-QADpermission en Remove-QADPermission

#remove rights
# xxxx stands for the Account you want to remove.
Get-QADPermission 'OU=TestOU,DC=sub,DC=root,DC=lab' | ? {$_.account -match 'xxxx'} | Remove-QADPermission

#remove rights

# xxxx stands for the Account you want to remove.

Get-QADPermission 'OU=TestOU,DC=sub,DC=root,DC=lab' | ? {$_.account -match 'xxxx'} | Remove-QADPermission

So now you have the settings you want. If you made a mistake and want to restore the inherited permissions, you can run the next command:

#inherit from parent
$ou.ObjectSecurity.SetAccessRuleProtection($false, $true)
$ou.CommitChanges()

#inherit from parent

$ou.ObjectSecurity.SetAccessRuleProtection($false, $true)

$ou.CommitChanges()

It is also possible to add instead of delete permissions, here is an example how you can do that.

Add-QADPermission -Account 'Authenticated Users' -Rights 'ReadControl' -ApplyTo 'All' -Identity 'OU=TestOU,DC=sub,DC=root,DC=lab'

1	Add-QADPermission -Account 'Authenticated Users' -Rights 'ReadControl' -ApplyTo 'All' -Identity 'OU=TestOU,DC=sub,DC=root,DC=lab'

I hope this post will help you to manage you Active Directory even better.
See you next time.

About the Author

Sander

No Comments

Comments are closed.