Asked by:
PowerShell Active Directory OU Delegation Access Rules

Question
-
Hi Guys,
I'm searching for a way to create a kind of access rule template via PowerShell.
Does anyone know if it's possible with PowerShell to export the ACL of a certain security group on an OU,
so I can apply it to any OU I want?
Thanks!
- Moved by Bill_Stewart Wednesday, September 4, 2019 6:33 PM This is not "scripts on demand"
Tuesday, March 12, 2019 4:47 PM
All replies
-
Just extract the SDDL of any object. It can be applied by using the SDDL to create an ACL, which is then applied to a target object.
\_(ツ)_/
Tuesday, March 12, 2019 6:26 PM -
With the script below I get the complete security of TestOU_01; I want to export only the security that has been set for the security group it-admin.
Can this be filtered out with PowerShell, so I can export it and add this group to any other OU?

```powershell
Import-Module ActiveDirectory
$rootDSE = Get-ADRootDSE
$domain = Get-ADDomain
$container = Get-ADObject -Identity ("OU=TestOU_01,OU=Testing," + $domain.DistinguishedName)
# Get-Acl needs the AD: drive prefix unless the current location is already AD:\
$acl1 = Get-Acl -Path ("AD:\" + $container.DistinguishedName)
$acl1.Sddl
```
Output--------------------------------
PSPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=Testing,DC=cochlear,DC=com
PSChildName : OU=TestOU_01
PSDrive : AD
PSProvider : Microsoft.ActiveDirectory.Management\ActiveDirectory
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/OU=TestOU_01,OU=Testing,DC=cochlear,DC=com
Owner : COCHLEAR\Domain Admins
Group : COCHLEAR\Domain Users
Access : {System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule, System.DirectoryServices.ActiveDirectoryAccessRule...}
Sddl : O:DAG:DUD:PAI(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;C....83-79217)
AccessToString : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
NT AUTHORITY\Authenticated Users Allow
NT AUTHORITY\SYSTEM Allow
COCHLEAR\Domain Admins Allow
COCHLEAR\it-admin Allow
AuditToString :
AccessRightType : System.DirectoryServices.ActiveDirectoryRights
AccessRuleType : System.DirectoryServices.ActiveDirectoryAccessRule
AuditRuleType : System.DirectoryServices.ActiveDirectoryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
- Edited by DavidRdx Wednesday, March 13, 2019 8:15 AM using code block
Wednesday, March 13, 2019 7:00 AM -
Please do not post colorized code. Use the code posting tool provided on the edit bar. Edit your post and fix it please.
\_(ツ)_/
Wednesday, March 13, 2019 7:51 AM -
Use the SDDL string to copy the security.
\_(ツ)_/
Wednesday, March 13, 2019 7:52 AM -
How do I get the SDDL string for only 1 security group instead of the complete collection?
Example group: it-admin
Wednesday, March 13, 2019 8:16 AM -
You just returned the security for one object. I am not sure what you are looking for. Get-Acl returns one ACL object. You can see the SDDL.
\_(ツ)_/
Wednesday, March 13, 2019 8:19 AM -
```powershell
$dn = (Get-ADGroup testgrp2).DistinguishedName
Get-Acl "AD:\$dn" | Select-Object Sddl
```

```powershell
$dn = (Get-ADGroup testgrp2).DistinguishedName
(Get-Acl "AD:\$dn").GetSecurityDescriptorSddlForm('Access')
```
Warning: Copying SDDL can have unintended consequences.
\_(ツ)_/
- Edited by jrv Wednesday, March 13, 2019 8:25 AM
Wednesday, March 13, 2019 8:24 AM -
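As an added example (not code from the thread), here is one way to get the SDDL for a single group, which is what the question above asks for. Instead of cutting the SDDL string by hand, the .NET RawSecurityDescriptor parser loads it, keeps only the explicit ACEs whose trustee is the group's SID, and emits a DACL-only SDDL for review or comparison. The function name is mine, and the sample SDDL and SIDs are constructed placeholders shaped like the output earlier in the thread (the GUID is the real schema class ID for computer objects).

```powershell
function Get-TrusteeSddl {
    # Return a DACL-only SDDL containing just the explicit ACEs granted to $Sid.
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    # Revision 4 (ACL_REVISION_DS) is required because AD delegations are object ACEs (OA/OD).
    $dacl = [System.Security.AccessControl.RawAcl]::new(4, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # KnownAce covers both plain (A/D) and object (OA/OD) ACEs.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        # Inherited ACEs come from the parent container, not from this object's delegation.
        if ($ace.AceFlags.HasFlag([System.Security.AccessControl.AceFlags]::Inherited)) { continue }
        if ($ace.SecurityIdentifier -ne $Sid) { continue }
        $dacl.InsertAce($dacl.Count, $ace)
    }

    # Only the DACL is carried over: owner, primary group, SACL and the P (protected)
    # flag of the source descriptor are deliberately dropped.
    $flags = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent
    $out = [System.Security.AccessControl.RawSecurityDescriptor]::new($flags, $null, $null, $null, $dacl)
    return $out.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
}

# Constructed sample: placeholder domain SIDs (S-1-5-21-111-222-333-*) and a group that has
# been delegated "delete child computer objects" on the OU and "delete" on the computers in it.
$sampleSddl = 'O:S-1-5-21-111-222-333-512G:S-1-5-21-111-222-333-513D:PAI' +
              '(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
              '(OA;CI;DC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-111-222-333-1105)' +
              '(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-111-222-333-1105)'
$groupSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-111-222-333-1105'
Get-TrusteeSddl -Sddl $sampleSddl -Sid $groupSid

# Against a live directory the inputs would come from the AD module, e.g.:
#   Get-TrusteeSddl -Sddl (Get-Acl "AD:\$dn").Sddl -Sid (Get-ADGroup it-admin).SID
```

The filtered string is for inspecting or diffing a delegation, not for pushing onto another OU as-is: SetSecurityDescriptorSddlForm replaces the whole DACL section of the target, which is part of what the warning above refers to. To add the entries to a second OU, turn each ACE into an ActiveDirectoryAccessRule and call AddAccessRule on that OU's ACL.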
I understand what you are trying to tell me, but this will only set the default security, I guess?
Not the delegation access properties, like for computer objects --> delete computer object.
Wednesday, March 13, 2019 8:58 AM -
To add a specific delegation you need to create the security ACE and add it to the target.
You can also just get the Access Aces and copy the one you want.
```powershell
Get-Acl "AD:\$dn" | Select-Object -ExpandProperty Access
```
\_(ツ)_/
- Edited by jrv Wednesday, March 13, 2019 9:18 AM
Wednesday, March 13, 2019 9:17 AM -
If you are trying to save a particular ACE then this is how:
```powershell
# get ACEs for ACL
$aces = Get-Acl "AD:\$dn" | Select-Object -ExpandProperty Access
# select specific ACE to save
$aces[0] | Export-Clixml ace.xml
# import saved ACE
# note: Import-Clixml returns a deserialized copy, not a live ActiveDirectoryAccessRule,
# so rebuild the rule from its properties before passing it to AddAccessRule
$ace = Import-Clixml ace.xml
```
\_(ツ)_/
Wednesday, March 13, 2019 9:25 AM -
That's not what I'm looking for.
You are pointing to the ACL on a security group.
I need an export of the security that is set on a certain OU for a certain security group.
As example I gave:
OU= TestOU_01
Security group = it-admin
Wednesday, March 13, 2019 10:00 AM -
It works the same for an OU.
Before pursuing this you should take some time to learn how AD works at an API level, as well as how to use PowerShell.
To access an OU just use this command
$dn = 'OU=YourOuName, … path to OU ...'
\_(ツ)_/
Wednesday, March 13, 2019 2:45 PM -
```powershell
Import-Module ActiveDirectory
$rootDSE = Get-ADRootDSE
$domain  = Get-ADDomain
Set-Location AD:\

# Vars
$SecurityGroupToApply = "it-admin"
$Destination_OU = "OU=TestOU_03,OU=Testing,$($domain.DistinguishedName)"
$Source_OU      = "OU=TestOU_01,OU=Testing,$($domain.DistinguishedName)"

$Current_ACL = Get-Acl -Path $Destination_OU
$Source_ACL  = Get-Acl -Path $Source_OU

# get ACEs for ACL: IdentityReference reads "DOMAIN\group", so compare the NetBIOS-qualified name
$ACEs = $Source_ACL.Access | Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$SecurityGroupToApply" }

# Add Access Rules (all of the group's ACEs, not only the first two)
foreach ($ace in $ACEs) { $Current_ACL.AddAccessRule($ace) }

Set-Acl -Path $Destination_OU -AclObject $Current_ACL -WhatIf -Verbose
```
I think that will somehow do it. I could export it to clixml.
Wednesday, March 13, 2019 7:47 PM
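As an added example (my code, not the thread's), this turns the two ideas above, saving an ACE to a file and copying a group's ACEs from one OU to another, into a reusable template. The export writes only the properties needed to rebuild each rule, which avoids the problem that a CliXml-deserialized ACE is no longer a real ActiveDirectoryAccessRule, and the import constructs fresh rules against the target group's SID. Function and parameter names are mine; the OU and group names in the usage lines are the ones from the thread.

```powershell
Import-Module ActiveDirectory

function Export-OuDelegationTemplate {
    # Write the explicit ACEs that $GroupName holds on $SourceOu to a JSON template.
    param(
        [Parameter(Mandatory)] [string] $SourceOu,   # distinguished name of the OU to read
        [Parameter(Mandatory)] [string] $GroupName,  # sAMAccountName of the security group
        [Parameter(Mandatory)] [string] $Path        # template file to write
    )
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path "AD:\$SourceOu"

    $template = foreach ($ace in $acl.Access) {
        # Inherited ACEs belong to the parent's delegation, so they are not part of the template.
        if ($ace.IsInherited) { continue }
        # Match on SID rather than display name, so a renamed group still matches.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $group.SID) { continue }
        [pscustomobject]@{
            Rights              = [string]$ace.ActiveDirectoryRights
            Type                = [string]$ace.AccessControlType
            ObjectType          = [string]$ace.ObjectType          # attribute/class/extended-right GUID
            InheritanceType     = [string]$ace.InheritanceType
            InheritedObjectType = [string]$ace.InheritedObjectType # class the ACE applies to
        }
    }
    # -InputObject @(...) keeps a JSON array even for zero or one entry.
    ConvertTo-Json -InputObject @($template) -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return @($template).Count
}

function Import-OuDelegationTemplate {
    # Rebuild each templated ACE for $GroupName and add it to $TargetOu (honours -WhatIf).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetOu,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Path
    )
    $group   = Get-ADGroup -Identity $GroupName
    $acl     = Get-Acl -Path "AD:\$TargetOu"
    $entries = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)

    foreach ($e in $entries) {
        # ActiveDirectoryAccessRule(identity, rights, type, objectType, inheritanceType, inheritedObjectType)
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $group.SID,
            [System.DirectoryServices.ActiveDirectoryRights]$e.Rights,
            [System.Security.AccessControl.AccessControlType]$e.Type,
            [guid]$e.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]$e.InheritanceType,
            [guid]$e.InheritedObjectType)
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($TargetOu, "Add $($entries.Count) ACE(s) for $GroupName")) {
        Set-Acl -Path "AD:\$TargetOu" -AclObject $acl
    }
}

# Usage with the thread's names; review with -WhatIf before dropping it.
$domainDn = (Get-ADDomain).DistinguishedName
Export-OuDelegationTemplate -SourceOu "OU=TestOU_01,OU=Testing,$domainDn" -GroupName 'it-admin' -Path .\it-admin-delegation.json
Import-OuDelegationTemplate -TargetOu "OU=TestOU_03,OU=Testing,$domainDn" -GroupName 'it-admin' -Path .\it-admin-delegation.json -WhatIf
```

Because the template stores rights, GUIDs and inheritance settings rather than a trustee, the same file can be applied for a different group by changing -GroupName, and AddAccessRule only adds entries, so the target OU keeps its existing ACEs and inheritance flags.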