Setting "Write member attribute" in ACL on Active Directory object with powershell

I would like to programmatically allow a given security principal (user or group) in AD to have write permission to the member attribute on an AD group.

I'm assuming it would be of the form:

$GroupObject = Get-ADGroup $group
$ACL = Get-ACL AD:$GroupObject
$ACE = New-Object System.Security.AccessControl.ActiveDirectoryAccessRule (
    $manager,
    ...
)
$ACL.AddAccessRule($ACE)
Set-ACL -Path AD:$GroupObject -AclObject $ACL

What I'm unable to find is documentation on what else needs to go in the ... to make this work. Even diving in, doing it manually and inspecting the resultant ACL objects, is proving difficult!

Michele asked 24/5, 2018 at 12:43

You'd use this constructor for ActiveDirectoryAccessRule: https://msdn.microsoft.com/en-us/library/cawwkf0x(v=vs.110).aspx

It should look something like this:

# $manager is the AD principal (user or group) being granted the right; pass its SID, not the object
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,                                                      # trustee
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,   # right being granted
    [System.Security.AccessControl.AccessControlType]::Allow,          # Allow (not Deny) ACE
    "bf9679c0-0de6-11d0-a285-00aa003049e2",                            # schemaIDGUID of the 'member' attribute
    [DirectoryServices.ActiveDirectorySecurityInheritance]::All        # scope: this object and descendants
)

Note that you need to pass the SID of the user ($manager.SID).

The mysterious GUID is the GUID of the member attribute. You can find that by looking at the Microsoft documentation for the attributes. This is the page for member, where you can find the "System-Id-Guid": https://msdn.microsoft.com/en-us/library/ms677097(v=vs.85).aspx

Homoiousian answered 24/5, 2018 at 13:20
Michele: As a bit of an aside, while I have the ActiveDirectory module loaded in PowerShell, it's now complaining: New-Object : Cannot find type [System.Security.AccessControl.ActiveDirectoryAccessRule]: verify that the assembly containing this type is loaded. I have tried add-type -AssemblyName System.DirectoryServices to no avail.
Homoiousian: Oh, I didn't even notice the differences in the types, but I see now that I used System.DirectoryServices.ActiveDirectoryAccessRule, which is different than what you used. Try that. I tested my code with a group in our domain and it worked.
Michele: Thanks - that's got it
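The complete procedure the answer describes, as an added example that is not code from the question or the answer: resolve the trustee to a SID, look up the schemaIDGUID of the member attribute from the schema rather than hard-coding it (it should come back as bf9679c0-0de6-11d0-a285-00aa003049e2), build the ActiveDirectoryAccessRule, write it back idempotently, and read the DACL back to confirm. It needs the RSAT ActiveDirectory module and a live domain; the group and principal names in the usage lines are hypothetical, and the -SelfOnly switch and function name are this example's own additions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original question or answer.
# Grants a user or group the right to write the 'member' attribute of one AD
# group, without stacking duplicate ACEs, and returns the resulting entries.
# Assumptions: RSAT ActiveDirectory module, a reachable domain, and the
# hypothetical group/principal names used in the usage lines at the bottom.
Import-Module ActiveDirectory

function Grant-GroupMemberWrite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$GroupName,      # target group (sAMAccountName)
        [Parameter(Mandatory)] [string]$PrincipalName,  # trustee: user or group (sAMAccountName)
        [switch]$SelfOnly   # grant only the validated "add/remove self" write instead of full write
    )

    # Resolve the trustee to a SID. Get-ADObject covers both users and groups.
    $principal = Get-ADObject -Filter { sAMAccountName -eq $PrincipalName } -Properties objectSid
    if (-not $principal) { throw "Principal '$PrincipalName' not found" }
    $sid = $principal.objectSid
    if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
        # Older module versions may hand back the raw binary SID
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
    }

    # Look the attribute GUID up in the schema instead of trusting a pasted constant.
    # Expected value: bf9679c0-0de6-11d0-a285-00aa003049e2
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $memberAttr = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'member' } -Properties schemaIDGUID
    $memberGuid = [guid]$memberAttr.schemaIDGUID

    # WriteProperty on 'member' lets the trustee add or remove ANY principal.
    # The validated write (ActiveDirectoryRights::Self on the same GUID) only lets
    # the trustee add or remove its own account.
    $right = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    if ($SelfOnly) { $right = [System.DirectoryServices.ActiveDirectoryRights]::Self }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # this object only
    )

    $group = Get-ADGroup -Identity $GroupName
    $path  = "AD:\$($group.DistinguishedName)"
    $acl   = Get-Acl -Path $path

    # Idempotence: compare explicit ACEs by SID so repeated runs don't pile up duplicates.
    $already = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $memberGuid -and
            (($_.ActiveDirectoryRights -band $right) -eq $right) -and
            $_.IdentityReference.Value -eq $sid.Value
        }
    if ($already) {
        Write-Verbose "Equivalent rule already present on $($group.DistinguishedName)"
    } else {
        $acl.AddAccessRule($ace)
        # Set-Acl requires the caller to hold WriteDacl on the group object.
        Set-Acl -Path $path -AclObject $acl
    }

    # Verify: read the DACL back and return the entries that target this trustee and attribute.
    (Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $memberGuid -and $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited
}

# Usage (hypothetical names):
# Grant-GroupMemberWrite -GroupName 'App-Admins'   -PrincipalName 'GroupManagers' -Verbose
# Grant-GroupMemberWrite -GroupName 'Project-Team' -PrincipalName 'jdoe' -SelfOnly
```

Two things worth checking before running this against a real group. First, WriteProperty on member is exactly the permission that lets the trustee add itself (or anyone) to the group, so on a privileged group it is a straight escalation path; AD attack-path tooling such as BloodHound reports it as the AddMember edge, and the validated-write variant (-SelfOnly above) is the narrower grant when self-service membership is all that is needed. Second, the inheritance flag only matters if the target has child objects; None keeps the ACE on the group itself, which is what the question asks for.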
