It has been a while since my last post. So this is my first for 2016 :)
I will show you how you can change the advanced security settings in Active Directory with PowerShell. Of course you can do everything in the default GUI. But if you have to do it more than once, this is one way to do it! So let's start.
There is one requirement: you need to install the ActiveRoles Management Shell from Dell.
The download also includes a detailed PDF about all the commands. You can find it here: http://software.dell.com/products/active-roles/powershell.aspx
So what we want to change is this:
And in PowerShell it looks like this:
Get-QADPermission -Inherited 'OU=TestOU,DC=sub,DC=root,DC=lab'

Permissions for: sub.root.lab/TestOU

Ctrl Account                                  Rights                         Source        AppliesTo
---- -------                                  ------                         ------        ---------
Deny Everyone                                 Special                        Not inherited This object only
     BUILTIN\Pre-Windows 2000 Compatible A... Read Account Restrictions      Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Read Account Restrictions      Inherited     Child user objects
     BUILTIN\Pre-Windows 2000 Compatible A... Read Logon Information         Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Read Logon Information         Inherited     Child user objects
     BUILTIN\Pre-Windows 2000 Compatible A... Read Group Membership          Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Read Group Membership          Inherited     Child user objects
     BUILTIN\Pre-Windows 2000 Compatible A... Read General Information       Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Read General Information       Inherited     Child user objects
     BUILTIN\Pre-Windows 2000 Compatible A... Read Remote Access Information Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Read Remote Access Information Inherited     Child user objects
     NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups               Inherited     Child computer ...
     NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups               Inherited     Child group obj...
     NT AUTHORITY\ENTERPRISE DOMAIN CONTRO... Read tokenGroups               Inherited     Child user objects
     BUILTIN\Pre-Windows 2000 Compatible A... Special                        Inherited     Child inetOrgPe...
     BUILTIN\Pre-Windows 2000 Compatible A... Special                        Inherited     Child group obj...
     BUILTIN\Pre-Windows 2000 Compatible A... Special                        Inherited     Child user objects
     NT AUTHORITY\SELF                        Special                        Inherited     This object and...
     ROOT\Enterprise Admins                   Full control                   Inherited     This object and...
     BUILTIN\Pre-Windows 2000 Compatible A... List Contents                  Inherited     This object and...
     BUILTIN\Administrators                   Special                        Inherited     This object and...
Here is our first obstacle: lots of the entries are inherited. And yes, we want to change one of the inherited rights…
So to disable inheritance but keep the rights, you need to do the following:
SetAccessRuleProtection: https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection(v=vs.110).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
# define the OU
$ou = [adsi]'LDAP://OU=TestOU,DC=sub,DC=root,DC=lab'
# disable inheritance: SetAccessRuleProtection(isProtected, preserveInheritance)
# $true, $true protects the object from inheritance but keeps the inherited
# rules as explicit copies instead of dropping them
$ou.ObjectSecurity.SetAccessRuleProtection($true, $true)
$ou.CommitChanges()
Use Get-QADPermission again to see the result; you will see that the Source has changed from Inherited to Not inherited.
Once inheritance is disabled we can delete everything we want. We use Get-QADPermission and Remove-QADPermission:
# remove rights
# xxxx stands for the account you want to remove
Get-QADPermission 'OU=TestOU,DC=sub,DC=root,DC=lab' |
    Where-Object { $_.Account -match 'xxxx' } |
    Remove-QADPermission
So now you have the settings you want. If you made a mistake and want to restore the inherited permissions, you can run the next command:
# inherit from parent again (keeps the explicit rules that are already there)
$ou.ObjectSecurity.SetAccessRuleProtection($false, $true)
$ou.CommitChanges()
It is also possible to add permissions instead of deleting them. Here is an example of how you can do that:
Add-QADPermission -Account 'Authenticated Users' -Rights 'ReadControl' -ApplyTo 'All' -Identity 'OU=TestOU,DC=sub,DC=root,DC=lab'
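The steps above wrapped in one function, as an added example that is not part of the original post: it saves the OU's security descriptor as SDDL before anything changes, breaks inheritance while keeping the rules, checks that no entry is still marked inherited, and only then removes the chosen account's entries. It assumes the ActiveRoles snap-in is loaded; the function and parameter names are mine.

```powershell
# Added example (not from the original post). Wraps the post's steps in one function:
# back up the OU's security descriptor, break inheritance while keeping the rules,
# verify inheritance is really off, then remove only the chosen account's ACEs.
# Assumes the ActiveRoles (Quest/Dell) snap-in is loaded; names below are mine.
function Set-OUExplicitPermissions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $OuDN,            # e.g. 'OU=TestOU,DC=sub,DC=root,DC=lab'
        [Parameter(Mandatory = $true)] [string] $AccountToRemove, # substring of the ACE's Account to drop
        [string] $BackupPath = (Join-Path $env:TEMP 'ou-acl-backup.sddl')
    )

    $ou = [adsi]"LDAP://$OuDN"

    # 1. Save the full security descriptor as SDDL so the exact pre-change state can be restored.
    $sddl = $ou.ObjectSecurity.GetSecurityDescriptorSddlForm(
        [System.Security.AccessControl.AccessControlSections]::All)
    Set-Content -Path $BackupPath -Value $sddl
    Write-Verbose "SDDL backup written to $BackupPath"

    if (-not $PSCmdlet.ShouldProcess($OuDN, "Disable inheritance and remove ACEs for '$AccountToRemove'")) {
        return
    }

    # 2. SetAccessRuleProtection(isProtected, preserveInheritance): $true, $true turns the
    #    inherited ACEs into explicit copies instead of dropping them.
    $ou.ObjectSecurity.SetAccessRuleProtection($true, $true)
    $ou.CommitChanges()

    # 3. Re-read the object and refuse to continue if any ACE is still marked inherited.
    $check = [adsi]"LDAP://$OuDN"
    $stillInherited = @($check.ObjectSecurity.Access | Where-Object { $_.IsInherited })
    if ($stillInherited.Count -gt 0) {
        throw "Inheritance still active on $OuDN; no rules were removed."
    }

    # 4. Remove only the explicit ACEs whose account matches (literal match, not a regex).
    Get-QADPermission $OuDN |
        Where-Object { $_.Account -match [regex]::Escape($AccountToRemove) } |
        Remove-QADPermission

    # 5. Return what is left so the result can be reviewed against the backup.
    Get-QADPermission $OuDN
}

# Usage (constructed values): preview first with -WhatIf, then run for real.
# Set-OUExplicitPermissions -OuDN 'OU=TestOU,DC=sub,DC=root,DC=lab' -AccountToRemove 'Pre-Windows 2000' -WhatIf
```

If the result is not what you wanted, the saved SDDL can be put back with `$ou.ObjectSecurity.SetSecurityDescriptorSddlForm((Get-Content $BackupPath -Raw))` followed by `$ou.CommitChanges()`, which restores the exact original descriptor rather than only re-enabling inheritance.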
I hope this post will help you to manage your Active Directory even better.
See you next time.