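Function Grant-ADPermission{
<#
.SYNOPSIS
    Add an Access Control Entry (ACE) to one or more Active Directory Organizational Units.
.DESCRIPTION
    Builds a System.DirectoryServices.ActiveDirectoryAccessRule for the given group and writes it
    into the DACL of every OU passed through -OrgUnitDN, either as a parameter array or via the
    pipeline.

    This function changes the security descriptor of directory objects. Delegating GenericAll,
    WriteDacl, WriteOwner, or WriteProperty with an ObjectType of 'null' (all properties) hands
    control of every object below the OU to the group, so review the rights with -WhatIf first
    and grant the narrowest combination that does the job.
.EXAMPLE
    Grant-ADPermission -GroupDistinguishedName 'CN=Applications2,OU=Groups,DC=D2K12R2,DC=local' -AdRights WriteProperty -AccessControlType Allow -Inheritance Children -ObjectType user -InheritedObjectType user -OrgUnitDN 'OU=Test,DC=D2K12R2,DC=local'
.EXAMPLE
    Grant-ADPermission -GroupDistinguishedName 'CN=StarWars-Computers_CreateDelete,OU=Groups,OU=Admins,DC=D2K8R2,DC=itfordummies,DC=net' -AdRights CreateChild,DeleteChild -AccessControlType Allow -Inheritance Children -OrgUnitDN 'OU=Computers,OU=Star Wars,OU=Production,DC=D2K8R2,DC=itfordummies,DC=net' -ObjectType computer -InheritedObjectType null -Verbose
.EXAMPLE
    'OU=lvl2,OU=Test,DC=D2K12R2,DC=local','OU=Trash,OU=Test,DC=D2K12R2,DC=local' | Grant-ADPermission -GroupDistinguishedName 'CN=Applications2,OU=Groups,DC=D2K12R2,DC=local' -AdRights WriteProperty -AccessControlType Allow -Inheritance Children -ObjectType user -InheritedObjectType user
.EXAMPLE
    Grant-ADPermission -GroupDistinguishedName 'CN=Applications2,OU=Groups,DC=D2K12R2,DC=local' -AdRights WriteProperty -AccessControlType Allow -Inheritance Children -ObjectType user -InheritedObjectType user -OrgUnitDN 'OU=Test,DC=D2K12R2,DC=local' -WhatIf

    Shows which OUs would receive the ACE without committing anything.
.PARAMETER GroupDistinguishedName
    DistinguishedName of the group (or any security principal with an objectSid) to give permission to.
.PARAMETER AdRights
    One or more System.DirectoryServices.ActiveDirectoryRights values; they are OR-ed into a single
    rights mask. Autocompletion should work from PS3+.
.PARAMETER AccessControlType
    System.Security.AccessControl.AccessControlType (Allow / Deny), autocompletion should work from PS3+.
.PARAMETER Inheritance
    System.DirectoryServices.ActiveDirectorySecurityInheritance, autocompletion should work from PS3+.
.PARAMETER OrgUnitDN
    String[] containing the list of OU to delegate. You can specify more than one, and use pipeline input.
.PARAMETER ObjectType
    Dynamic param: lDAPDisplayName of a schema class/attribute, or displayName of an extended right /
    property set, or 'null' (all-zero GUID = applies to every object type / property). The function
    uses the associated GUID.
.PARAMETER InheritedObjectType
    Dynamic param: same value set as -ObjectType. Restricts which child object class the ACE is
    inherited by; 'null' means inherited by all.
.PARAMETER PassThru
    Emit the resulting DACL (ObjectSecurity.Access) of each OU after the change.
.INPUTS
    System.String[] (OU distinguished names) via the pipeline.
.OUTPUTS
    None, or System.DirectoryServices.ActiveDirectoryAccessRule[] when -PassThru is used.
.NOTES
    Uses Dynamic Parameters. The value sets are read from the schema of the current domain at
    parameter-resolution time, so the caller needs read access to the Configuration partition.
    Supports -WhatIf / -Confirm.
.LINK
    http://ItForDummies.net
#>
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [Parameter(Mandatory = $true)]
    [String]$GroupDistinguishedName,
    [Parameter(Mandatory = $true)]
    [System.DirectoryServices.ActiveDirectoryRights[]]$AdRights,
    [Parameter(Mandatory = $true)]
    [System.Security.AccessControl.AccessControlType]$AccessControlType,
    [Parameter(Mandatory = $true)]
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
    [Parameter(Mandatory = $true,
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true)]
    [String[]]$OrgUnitDN,
    [Switch]$PassThru
)
DynamicParam{
    # Both dynamic parameters share one name -> GUID map built from the schema partition:
    # classes/attributes keyed by lDAPDisplayName and extended rights keyed by displayName.
    # The map is left in function scope so Begin{} can resolve the chosen names to GUIDs.
    $DomainName = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $RootDse    = [ADSI]"LDAP://$DomainName/RootDSE"
    $SchemaRoot = [ADSI]"LDAP://CN=Schema,$($RootDse.configurationNamingContext)"
    $MasterGuidMap = @{}

    # Runs one paged search under the schema root and adds <keyProperty> -> Guid(<guidProperty>) entries.
    $AddGuidEntries = {
        param([string]$Filter, [string]$KeyProperty, [string]$GuidProperty)
        $Searcher = [ADSISearcher]$Filter
        $Searcher.SearchRoot = $SchemaRoot
        $null = $Searcher.PropertiesToLoad.AddRange([string[]]@($KeyProperty, $GuidProperty))
        $Searcher.PageSize = 10000
        $Results = $Searcher.FindAll()
        try {
            foreach ($Entry in $Results) {
                # schemaIDGUID is a byte[] and rightsGuid a string; the Guid constructor accepts either.
                $MasterGuidMap["$($Entry.Properties[$KeyProperty])"] = New-Object -TypeName Guid -ArgumentList (,$Entry.Properties[$GuidProperty][0])
            }
        }
        finally {
            # SearchResultCollection holds unmanaged handles; release them explicitly.
            $Results.Dispose()
        }
    }
    & $AddGuidEntries '(schemaidguid=*)' 'ldapdisplayname' 'schemaidguid'
    & $AddGuidEntries '(&(objectclass=controlAccessRight)(rightsguid=*))' 'displayname' 'rightsguid'
    # 'null' = all-zero GUID: ACE applies to all object types / is inherited by all classes.
    $MasterGuidMap['null'] = [Guid]::Empty

    $RuntimeParameterDictionary = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary
    $ValidValues = [string[]]$MasterGuidMap.Keys
    # Distinct positions: the original gave both parameters Position 1, which is ambiguous for positional use.
    $Position = 1
    foreach ($ParameterName in 'ObjectType', 'InheritedObjectType') {
        $AttributeCollection = New-Object System.Collections.ObjectModel.Collection[System.Attribute]
        $ParameterAttribute = New-Object System.Management.Automation.ParameterAttribute
        $ParameterAttribute.Mandatory = $true
        $ParameterAttribute.Position = $Position++
        $AttributeCollection.Add($ParameterAttribute)
        $AttributeCollection.Add((New-Object System.Management.Automation.ValidateSetAttribute -ArgumentList (,$ValidValues)))
        $RuntimeParameter = New-Object System.Management.Automation.RuntimeDefinedParameter($ParameterName, [string], $AttributeCollection)
        $RuntimeParameterDictionary.Add($ParameterName, $RuntimeParameter)
    }
    # Output
    $RuntimeParameterDictionary
}
Begin{
    # Dynamic parameters are not bound to variables automatically; read them from $PSBoundParameters.
    $ObjectType          = $PSBoundParameters['ObjectType']
    $InheritedObjectType = $PSBoundParameters['InheritedObjectType']

    Write-Verbose -Message 'Preparing Access Control Entry attributes...'
    # Resolve the trustee SID up front so a bad DN fails before any OU is touched.
    try {
        $Group    = [ADSI]"LDAP://$GroupDistinguishedName"
        $SidBytes = [byte[]]$Group.ObjectSid.Value
    }
    catch {
        throw "Unable to bind to '$GroupDistinguishedName': $_"
    }
    if (-not $SidBytes) {
        throw "'$GroupDistinguishedName' has no objectSid; check the DN and that you can read the object."
    }
    $Identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $SidBytes, 0

    # Fold the rights array into a single flags value (what the ACE constructor expects).
    [System.DirectoryServices.ActiveDirectoryRights]$Rights = 0
    foreach ($Right in $AdRights) {
        $Rights = $Rights -bor $Right
    }

    [Guid]$InheritedObjectTypeValue = $MasterGuidMap[$InheritedObjectType]
    [Guid]$ObjectTypeValue          = $MasterGuidMap[$ObjectType]

    Write-Verbose -Message 'Creating Access Control Entry...'
    $NewAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $Rights, $AccessControlType, $ObjectTypeValue, $Inheritance, $InheritedObjectTypeValue
}
Process{
    # -OrgUnitDN is String[]: iterate so 'OU=a,...','OU=b,...' given as a parameter does not get
    # concatenated into one bogus "LDAP://OU=a,... OU=b,..." path (pipeline input yields one item per call).
    foreach ($Ou in $OrgUnitDN) {
        try {
            Write-Verbose -Message "Connecting to $Ou"
            # NOTE: a '/' inside a DN component must be escaped as '\/' in an ADsPath; callers are
            # expected to pass an already-valid DN.
            $ADObject = [ADSI]("LDAP://" + $Ou)
            if ($PSCmdlet.ShouldProcess($Ou, "Grant '$Rights' ($AccessControlType) to $GroupDistinguishedName")) {
                $ADObject.ObjectSecurity.AddAccessRule($NewAce)
                Write-Verbose -Message 'Applying Access Control Entry'
                $ADObject.CommitChanges()
                if ($PassThru) {
                    $ADObject.ObjectSecurity.Access
                }
            }
        }
        catch {
            throw "$Ou $_"
        }
    }
}
End{}
}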