Extended Rights in Active Directory
By Adam Bell | March 28, 2007
Extended Rights are one of the mechanisms behind Active Directory permissions that allow for such granular control over the delegation of tasks in your environment. There's a TechNet article that explains delegation and touches on Extended Rights (near the bottom).
Extended Rights exist in AD as controlAccessRight objects stored within the Extended-Rights container, which is located in the Configuration partition.
If you’re not sure about the different partitions within AD there is an excellent primer on TechNet about AD Architecture.
So how do we set an Extended Right permission? It's actually very similar to applying a Standard Rights ACE. The difference comes in the parameters we pass, and hence the ActiveDirectoryAccessRule constructor overload we use:
Void .ctor(
System.Security.Principal.IdentityReference,
System.DirectoryServices.ActiveDirectoryRights,
System.Security.AccessControl.AccessControlType,
System.Guid,
System.DirectoryServices.ActiveDirectorySecurityInheritance)
In this case the ActiveDirectoryRights value is the keyword "ExtendedRight", and the System.Guid refers to an attribute of the Extended Rights object called rightsGuid. That GUID is what ties the ACE to one specific right; if you pass an empty GUID ([Guid]::Empty) together with ExtendedRight, the ACE grants every extended right on the object, which is almost never what a delegation is meant to do.
I've got a function that takes the CN of the right as input (e.g. "Change-PDC", not the display name "Change PDC") and returns the GUID.
Lookup Extended-Right GUID:
get-erGUID.ps1
$dse = [adsi]("LDAP://RootDSE")
#----------------------------------------------------------------------------------------------------------
function Get-RightsGUID
{
Param (
$ExtendedRight
)
# The Extended-Rights container lives in the Configuration partition, not the domain partition.
$ER = [adsi]("LDAP://cn=Extended-Rights,"+$dse.configurationNamingContext)
# Bind to the controlAccessRight object by its CN and read its rightsGuid attribute.
$DSobject = [adsi]("LDAP://cn="+$ExtendedRight+","+$ER.distinguishedName)
$ERguid = $DSobject.rightsGuid
return $ERguid
}
#----------------------------------------------------------------------------------------------------------
Get-RightsGUID "Change-PDC"
If you don't know the right you're looking for you have a couple of options. TechNet has a reference that lists them, but we can also look them up.
RightsTbl.ps1
$dse = [adsi]("LDAP://RootDSE")
# Build a hashtable to translate the displayName (the form DSACLS uses) to the object's CN.
$ERtbl = @{}
$ext = [adsi]("LDAP://cn=Extended-Rights,"+$dse.configurationNamingContext)
$ext.psbase.children |% { $ERtbl.Add($_.displayName.toString(), $_.cn.toString()) }
The script above enumerates the children of the Extended-Rights container and loads the values for displayName and cn into an associative array (hash table). Now we can look them up by either typing
$ERtbl
Which will list our complete hash table, or we can lookup specific translations
$ERtbl["Change PDC"]
So far so good. Putting it all together, then, here is a code block that adds the Change PDC right on the domain head for the account bella. Bear in mind what you are handing out: Change PDC lets the holder transfer the PDC emulator FSMO role, so it belongs with a small, audited set of accounts.
ChangeFSMORight.ps1
# Bind to the domain head (the default naming context).
$root = [adsi]""
$account = New-Object System.Security.Principal.NTAccount("bella")
# Change PDC only applies to the domain object itself, so "None" would do; "All" is harmless here.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"
$rights = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
# rightsGuid of the Change-PDC extended right (see Get-RightsGUID above).
$changepdc = [Guid]"bae50096-4752-11d1-9052-00c04fc2d4cf"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $rights, "Allow", $changepdc, $inherit)
# Modify the security descriptor in place, then write it back with CommitChanges.
$root.psbase.ObjectSecurity.AddAccessRule($ace)
$root.psbase.CommitChanges()
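Once an ACE like that has been committed you will want to confirm it landed, and more generally to know who else holds extended rights on the domain head, since the same mechanism is what grants far more sensitive rights such as the replication rights used for DCSync. The following is an added example, not code from the original post: it builds the reverse of the RightsTbl lookup (rightsGuid to displayName) and uses it to list every ExtendedRight ACE on the domain object. It assumes a domain-joined machine and an account that can read the Configuration partition and the domain head's security descriptor; the function name Get-DomainExtendedRightAce is my own.

```powershell
# Added example (not the original post's code): audit ExtendedRight ACEs on the
# domain head and translate each ACE's ObjectType GUID back to the right's name.
# Assumes: domain-joined host, caller can read Configuration and the domain ACL.
function Get-DomainExtendedRightAce
{
    $dse = [adsi]"LDAP://RootDSE"

    # Reverse table: rightsGuid (as a normalised string) -> displayName.
    # rightsGuid is stored as a string in AD, unlike schemaIDGUID which is binary.
    $guidToName = @{}
    $erContainer = [adsi]("LDAP://cn=Extended-Rights," + $dse.configurationNamingContext)
    foreach ($right in $erContainer.psbase.Children) {
        $key = ([Guid]$right.rightsGuid.ToString()).ToString()
        if (-not $guidToName.ContainsKey($key)) {
            $guidToName[$key] = $right.displayName.ToString()
        }
    }

    $domain = [adsi]("LDAP://" + $dse.defaultNamingContext)
    $acl = $domain.psbase.ObjectSecurity

    # Explicit ACEs only (inherited ones cannot exist on the domain head anyway),
    # with identities resolved to DOMAIN\name.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        # -band rather than -eq: GenericAll (0xF01FF) also contains the ExtendedRight bit,
        # so a GenericAll ACE confers every extended right and must not be skipped.
        $hasExtended = ($ace.ActiveDirectoryRights -band
                        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $hasExtended) { continue }

        $objectType = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [Guid]::Empty) {
            # Empty ObjectType with ExtendedRight means ALL extended rights, not "none".
            $name = "ALL extended rights"
        } elseif ($guidToName.ContainsKey($objectType)) {
            $name = $guidToName[$objectType]
        } else {
            # Not a controlAccessRight: the GUID names an attribute or property set instead.
            $name = "not an extended right: " + $objectType
        }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Right       = $name
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceType
        }
    }
}

# List the domain head's extended-right ACEs; filter on Right to check a single delegation.
Get-DomainExtendedRightAce | Sort-Object Identity, Right | Format-Table -AutoSize
```

Run it after the ChangeFSMORight script and you should see a row for bella with Right "Change PDC". The rows to look at hardest are the ones reading "ALL extended rights" and any unexpected principal next to "Replicating Directory Changes All": both are exactly what an attacker adds to the domain head for persistence, and neither stands out in the GUI.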
Next time we'll wrap up this series on Active Directory permissions with a look at Control Access Rights.
- Control Access Rights in Active Directory
- Active Directory Permissions – Standard Rights
- Inheritance and Propagation in Active Directory permissions
- Windows 2003 DNS Server rights issue
- Removing ACE’s from Active Directory with PowerShell
Topics: Active Directory, PowerShell