
Inheritance and Propagation in Active Directory permissions

By Adam Bell | March 22, 2007

Disclaimer:
As mentioned before, I’m not a programmer, so the information in the next few posts may not be 100%. What I will pass on is what I have found in my experience, and any external links to valid sources that may help provide more detail. With this in mind, if you find any inaccuracies, or just have more information to add, please feel free to let me know … :)

There are three types of permissions in regards to Active Directory security: Standard Rights, Extended Rights, and Control Access Rights. We’ve covered Standard Rights in a recent post, and in building up to the remaining two we’ll take a look at Inheritance and Propagation.

Now, if we’re dealing with NTFS permissions, we use the System.Security.AccessControl namespace and two separate enumerations: InheritanceFlags (which child objects an ACE applies to) and PropagationFlags (whether it applies to the object itself and whether it propagates further down).

In AD we use a different method, but the concept is the same. There is only one enumeration, ActiveDirectorySecurityInheritance, and each of its values combines an inheritance setting and a propagation setting.

For example, in NTFS you may have used:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"InheritOnly"

In Active Directory the same result would be achieved by:

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"descendents"

An article that explains this subject well can be found on MSDN here; see in particular the paragraph on inheritance and Figure 5.

If we want to stop permissions being inherited from the parent Organizational Unit or container, we can use the SetAccessRuleProtection method. The syntax for it is available here.
And a simple example, BlockInheritance.ps1:

# Bind to the domain root and then to the OU whose inheritance we want to block
$root = [adsi]""
$test = [adsi]("LDAP://ou=Test ou,"+$root.distinguishedName)

# SetAccessRuleProtection([bool]IsProtected, [bool]PreserveInheritance)
# The first argument blocks inheritance from the parent.
# The second decides whether the inherited ACEs are copied as explicit ACEs ($true) or dropped ($false).
$test.psbase.get_objectsecurity().SetAccessRuleProtection($true, $false)

# Nothing is written to the directory until the change is committed
$test.psbase.CommitChanges()
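As an added example (not from the original post), the script below does two things: the first part needs no domain and shows how each ActiveDirectorySecurityInheritance value maps onto the NTFS-style InheritanceFlags and PropagationFlags compared above; the second part is an audit function that reports whether inheritance is blocked on an OU and lists its explicit versus inherited ACEs, which is how you would verify a SetAccessRuleProtection change after CommitChanges(). The function name Get-OuAclReport and the OU "ou=Test ou" directly under the domain root are assumptions.

```powershell
# Part 1: mapping table, runs without a domain.
# Authenticated Users (well-known SID); any principal would do for the mapping.
$who    = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($name in [Enum]::GetNames([System.DirectoryServices.ActiveDirectorySecurityInheritance])) {
    $scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$name
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                 -ArgumentList $who, $rights, $allow, $scope
    # The rule exposes the NTFS-style flags that the single AD value stands for
    "{0,-16} -> InheritanceFlags={1,-16} PropagationFlags={2}" -f `
        $name, $rule.InheritanceFlags, $rule.PropagationFlags
}

# Part 2: audit an OU (assumed name; requires read access to its security descriptor).
function Get-OuAclReport {
    param([string]$RelativeDn)   # e.g. "ou=Test ou"
    $root = [adsi]""
    $ou   = [adsi]("LDAP://" + $RelativeDn + "," + $root.distinguishedName)
    $sd   = $ou.psbase.ObjectSecurity

    # AreAccessRulesProtected is what SetAccessRuleProtection($true, ...) turns on
    "Inheritance blocked on {0}: {1}" -f $ou.distinguishedName, $sd.AreAccessRulesProtected

    # GetAccessRules(includeExplicit, includeInherited, targetType)
    # Inherited ACEs appear with IsInherited = True; InheritanceType is the AD scope value.
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      IsInherited, InheritanceType |
        Sort-Object IsInherited, IdentityReference |
        Format-Table -AutoSize
}

Get-OuAclReport "ou=Test ou"
```

Run the report before and after BlockInheritance.ps1: after a commit with PreserveInheritance set to $false, the rows that previously showed IsInherited = True should be gone, and with $true they should reappear as explicit ACEs.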

In the next post we’ll build a couple of useful functions for retrieving data needed for Extended and Access Control Rights.

Topics: Active Directory, PowerShell