Delegate permissions to Active Directory objects

I have some OUs and some groups. I want to delegate permissions to some groups on those OUs to manage computer objects. I also want to deny permissions to some other groups on those OUs, and I want to remove some groups which are already added to those OUs. How can I accomplish this using PowerShell?

We're usually better when we have something to tweak. What do you have so far? Please show your code. Powershell.org is not a free code writing service – you know that, right? We expect you to do your own research first and at least try to solve your problem by yourself.

I tried with the below code:

Import-Module ActiveDirectory
# Read the DACL of the OU through the AD: drive
$per = Get-Acl "AD:OU=Test,DC=lab,DC=local"
# Find the existing entry for mygroup1 and remove it
$r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
$per.RemoveAccessRule($r)
$per | Set-Acl
# Build a Deny rule for mygroup2 (this line is what raises the error below)
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID
$per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))

Up to line 5, it seems to work fine for removing the access of a group. However, when I try to set deny permissions for a group it gives an error. Also, I want to know how to set custom permissions using PowerShell.

Don’t you think it would have been helpful to know the error message? A lot of times the error message tells you the solution.

Error is as follows:

New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "4".
At line:2 char:21
+ ... AccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccess ...
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Any suggestions on this?

Can anyone suggest something on this?

The constructor can’t figure out what one of the parameters you’re passing to it are, so it doesn’t know which signature to use. I see 3 or 4 different options… Could it be that your SID is $null or that you need to specify something other than strings for the other parameters?

Hello Tech Savy,

Try the following and let me know if it works. I added .Value to the end of (Get-ADGroup "MyGroup2").SID.


Import-Module ActiveDirectory
$per = Get-Acl "AD:OU=Test,DC=lab,DC=local"
$r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
$per.RemoveAccessRule($r)
$per | Set-Acl
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
$per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $p,"FULL","Deny","ALL"))

Does not work. Same error.

TechSavy,

Reviewed the error again and looks like we have a syntax error as well where we didn’t add encapsulation around the 4 values.

 

Import-Module ActiveDirectory
$per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
$r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
$per.RemoveAccessRule($r)
$per | Set-Acl
$p = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "mygroup2").SID.Value
$per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

Tried, does not work either.

Jason, any other way to achieve this?

TechSavy,

Sorry for delay, for some reason I glossed over this one. Okay what is the error code you are getting now? I don’t have an on-premise AD I can spin up at the moment to test this. What I get for hosting everything in the cloud.

Well typed all this out and had the post disappear yay!!!

If you run the following, this is the output. This is not what we want, as we only want the SID value; by creating the SecurityIdentifier object we redo the work we just did by finding the AD group and calling its SID value.

New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Group1").SID.Value | FL

BinaryLength : 28
AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
Value : S-1-5-21-3817738000-0660151139-8432712656-8745

Now if we check the following, it shows what we want.

(Get-ADGroup "Group1").SID.Value | FL

BinaryLength : 28
AccountDomainSid : S-1-5-21-3817738000-0660151139-8432712656
Value : S-1-5-21-3817738000-0660151139-8432712656-8745

Try this updated code:

Import-Module ActiveDirectory
$per = Get-Acl "AD:OU=Test,DC=lab,DC=local"
$r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
$per.RemoveAccessRule($r)
$per | Set-Acl
$p = (Get-ADGroup "mygroup2").SID.Value
$per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

Well, this is the third time I'm trying to post this, so I'm not making it all nice and neat. Essentially the New-Object is what is shooting us in the foot. Remove it and only use the Get-ADGroup.

Import-Module ActiveDirectory
$per=Get-ACL "AD:OU=Test,DC=lab,DC=local"
$r = $per.Access | Where-Object { $_.IdentityReference -like "*mygroup1" }
$per.RemoveAccessRule($r)
$per | Set-Acl
$p = (Get-ADGroup "mygroup2").SID.Value
$per.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($p,"FULL","Deny","ALL")))

Thanks for the reply Jason, however still get the same error message as stated before in this forum.

Techsavy,

Okay did some more research, we were close, but not there. We have to assign the type for IdentityReference, ActiveDirectoryRights, AccessControlType and ActiveDirectorySecurityInheritance. For further reference and understanding below is a link to the article I used for the research.

https://social.technet.microsoft.com/Forums/Lync/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell

# Read the OU's DACL first so $per exists
$per = Get-Acl "AD:OU=Test,DC=lab,DC=local"
# Cast every argument to the type the constructor expects
$Identity = [System.Security.Principal.IdentityReference] (Get-ADGroup Group1).SID
$ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$AccessControl = [System.Security.AccessControl.AccessControlType] "Deny"
$Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $AccessControl, $Inheritance
$per.AddAccessRule($AccessRule)
# Write the modified DACL back to the OU
Set-Acl -Path "AD:OU=Test,DC=lab,DC=local" -AclObject $per

Thanks Jason. It works. How about allowing specific permissions like : Create User Objects/Delete User Objects etc… to a group?
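The following is an added example (it is not a reply from any participant in this thread) that puts the typed-constructor approach from the last working reply into reusable functions and extends it to the object-specific rights asked about in the final question. It generalizes beyond the thread in two ways: it looks up the schemaIDGUID of an object class (for example "user") so CreateChild/DeleteChild can be scoped to that class through the constructor overload that takes an objectType GUID, and it removes a group's existing entries with PurgeAccessRules rather than passing a Where-Object result to RemoveAccessRule, which only accepts one rule. The OU path and group names are placeholders; the code assumes the ActiveDirectory module and an account permitted to modify the OU's security descriptor. It ends by reading the explicit ACEs back so the change can be reviewed.

```powershell
# Added example, not code from the thread. Placeholders: OU=Test,DC=lab,DC=local and
# the group names; adjust for your domain. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SchemaClassGuid {
    # Return the schemaIDGUID of an object class (e.g. "user", "computer") so an ACE
    # can be limited to that class instead of every child object type.
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ClassName)" -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$ClassName' not found" }
    [guid][byte[]]$class.schemaIDGUID
}

function New-DelegationRule {
    # Build an ActiveDirectoryAccessRule with every argument cast to the type the
    # constructor expects; untyped strings are what produce "ambiguous overloads".
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        [guid]$ObjectType = [guid]::Empty,   # class the rights apply to; Empty = all classes
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All'
    )
    $sid = [System.Security.Principal.IdentityReference](Get-ADGroup $GroupName).SID
    if ($ObjectType -eq [guid]::Empty) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Type, $Inheritance)
    } else {
        # Overload with an objectType GUID: rights apply only to children of that class
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Type, $ObjectType, $Inheritance)
    }
}

function Set-OuDelegation {
    # Apply the three changes asked about in the thread to one OU, then return the
    # resulting explicit (non-inherited) ACEs for review.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [string[]]$AllowUserAdmin = @(),   # groups allowed to create and delete user objects
        [string[]]$DenyAll = @(),          # groups explicitly denied all rights on the OU
        [string[]]$Remove = @()            # groups whose explicit ACEs are removed
    )
    $path = "AD:$OuDn"
    $acl = Get-Acl -Path $path

    # Remove every explicit ACE for these groups (RemoveAccessRule takes one rule; a
    # group usually has several, so PurgeAccessRules is the safer call).
    foreach ($g in $Remove) {
        $acl.PurgeAccessRules([System.Security.Principal.IdentityReference](Get-ADGroup $g).SID)
    }

    # Delegate only creation/deletion of user objects, not rights on other classes.
    $userClass = Get-SchemaClassGuid -ClassName 'user'
    foreach ($g in $AllowUserAdmin) {
        $rule = New-DelegationRule -GroupName $g -Rights 'CreateChild, DeleteChild' -ObjectType $userClass
        [void]$acl.AddAccessRule($rule)
    }

    # Explicit Deny of GenericAll overrides any Allow the group gets elsewhere in the
    # DACL; removing the group's ACEs is usually cleaner than adding a Deny.
    foreach ($g in $DenyAll) {
        $rule = New-DelegationRule -GroupName $g -Rights 'GenericAll' -Type 'Deny'
        [void]$acl.AddAccessRule($rule)
    }

    Set-Acl -Path $path -AclObject $acl

    # Read back what was written so the delegation can be verified.
    (Get-Acl -Path $path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

# Usage with the thread's placeholder names:
Set-OuDelegation -OuDn 'OU=Test,DC=lab,DC=local' `
    -AllowUserAdmin 'UserAdmins' -DenyAll 'mygroup2' -Remove 'mygroup1' | Format-Table -AutoSize
```

In the read-back output, an ACE scoped to user objects shows the user class GUID in ObjectType, while an unscoped ACE shows an all-zero GUID; comparing that column against the intended delegation is the quickest way to catch a rule that was granted more broadly than planned.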