Removing ACE’s from Active Directory with PowerShell
By Adam Bell | March 20, 2007
Soon we'll be looking into some pretty low level permission schemes that can be applied to Active Directory. For now however, following on from yesterday's post, we'll take a look at how to remove Access Control Entries (ACEs) from the Security Descriptor of an object in AD.
Below is our function:
remove-DSace.ps1
$root = [adsi]""
#----------------------------------------------------------------------------------------------------------
function remove-DSace
#----------------------------------------------------------------------------------------------------------
{
    Param (
        $DSobject,      # DirectoryEntry whose ACL we are editing
        $DSidentity     # account or group name, e.g. "DOMAIN\GroupName"
    )
    # Explicit ACEs only ($true, $false): inherited ACEs cannot be removed on this object
    $sd = $DSobject.psbase.get_objectSecurity().getAccessRules($true, $false, [System.Security.Principal.NTAccount])
    # Keep only the ACEs whose trustee matches the identity we were given
    $rar = $sd |? {$_.IdentityReference -eq $DSidentity}
    if ($rar -eq $null)
    {
        # Nothing to do; RemoveAccessRule would throw if handed $null
        Write-Warning ("No explicit ACE for " + $DSidentity + " found on " + $DSobject.distinguishedName)
        return
    }
    if ($rar -is [array])
    {
        # Several ACEs for this identity: remove each and write the descriptor back
        foreach ($ace in $rar)
        {
            $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($ace)
            $DSobject.psbase.commitchanges()
        }
    }
    else
    {
        # A single ACE
        $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($rar)
        $DSobject.psbase.commitchanges()
    }
}
#----------------------------------------------------------------------------------------------------------
# Usage: .\remove-DSace.ps1 <OU name> <DOMAIN\identity>
$ou = [adsi]("LDAP://ou="+$ARGS[0]+","+$root.distinguishedName)
remove-DSace $ou $ARGS[1]
Points of interest then:
Details on the parameters for GetAccessRules are here. We then filter our rules to those that match our group or account, as identified by the IdentityReference attribute on each rule, and store these in the $rar variable. By testing whether this variable is an array or not we can determine if we have one ACE or several that need removing.
Using an If..Else code block we remove the ACE or ACEs as applicable and commit our changes back to the directory. If the ACE was configured to propagate down the directory, removing it here has the effect of completely removing that permission from everywhere beneath this object.
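The same procedure as an added example (not code from the original post): this variant backs up the security descriptor as SDDL before touching it, removes only explicit ACEs for the given identity, warns about inherited ACEs that cannot be removed on this object, and honours -WhatIf so the removal can be rehearsed first. The function name, parameter names, and the OU and account values in the usage line are assumptions constructed for the example.

```powershell
# Added example, not part of the original post. Assumes the caller has rights
# to modify the target object and that ActiveDirectoryAccessRule objects are in use.
function Remove-DSAceForIdentity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,   # e.g. "OU=Sales,DC=example,DC=com" (constructed)
        [Parameter(Mandatory = $true)] [string] $Identity,            # e.g. "EXAMPLE\HelpDesk" (constructed)
        [string] $BackupPath = (Join-Path $env:TEMP 'sd-backup.sddl')
    )

    $entry = [adsi]("LDAP://$DistinguishedName")
    $sd    = $entry.psbase.ObjectSecurity

    # Keep a copy of the whole descriptor (SDDL form) so the change can be reverted.
    $sd.GetSecurityDescriptorSddlForm('All') | Set-Content -Path $BackupPath
    Write-Verbose "Security descriptor written to $BackupPath"

    # Resolve the identity string to an NTAccount so the comparison is exact.
    $account = New-Object System.Security.Principal.NTAccount($Identity)

    # Explicit ACEs only ($true, $false). Inherited ACEs cannot be removed here;
    # they must be removed at the object they were set on, or inheritance blocked.
    $rules = @($sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
               Where-Object { $_.IdentityReference -eq $account })

    $inherited = @($sd.GetAccessRules($false, $true, [System.Security.Principal.NTAccount]) |
                   Where-Object { $_.IdentityReference -eq $account })
    if ($inherited.Count -gt 0) {
        Write-Warning ("{0} inherited ACE(s) for {1} are not removable on this object." -f $inherited.Count, $Identity)
    }

    if ($rules.Count -eq 0) {
        Write-Verbose "No explicit ACEs for $Identity on $DistinguishedName"
        return
    }

    foreach ($ace in $rules) {
        $desc = "{0} {1} {2}" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.InheritanceType
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove ACE for $Identity ($desc)")) {
            [void] $sd.RemoveAccessRule($ace)
        }
    }

    # Write all removals back to the directory in a single commit.
    if (-not $WhatIfPreference) { $entry.psbase.CommitChanges() }
}

# Usage (constructed values); drop -WhatIf to apply the change:
# Remove-DSAceForIdentity -DistinguishedName 'OU=Sales,DC=example,DC=com' -Identity 'EXAMPLE\HelpDesk' -WhatIf -Verbose
```

Committing once after the loop, rather than after each RemoveAccessRule, means the directory sees a single write; the SDDL backup file is what you would feed back with SetSecurityDescriptorSddlForm if the removal turns out to be wrong.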
Tomorrow we really will look into Propagation and Inheritance ;)
Topics: Active Directory, PowerShell | 2 Comments »
March 22nd, 2007 at 6:09 am
[...] Or .NET like for example in this script by Adam. [...]
February 27th, 2008 at 2:49 pm
[...] close look at manipulating permissions in AD with PowerShell before, covering: Standard Rights Removing Rights in AD Inheritance and Propagation Extended Rights and Controlling Access Rights in [...]