├── .gitignore ├── .vscode ├── launch.json ├── settings.json └── tasks.json ├── DSACL.build.ps1 ├── Readme.md ├── Source ├── Classes │ └── DefaultContainerConfig.ps1 ├── DSACL.format.ps1xml ├── DSACL.psd1 ├── DSACL.psm1 ├── Private │ ├── ConvertTo-LDAPGuidFilter.ps1 │ ├── Find-LDAPObject.ps1 │ ├── Get-LDAPObject.ps1 │ ├── Get-SID.ps1 │ ├── Set-DSACLAccessRule.ps1 │ ├── Set-DSACLObject.ps1 │ └── Set-Owner.ps1 ├── Public │ ├── Add-DSACLCreateChild.ps1 │ ├── Add-DSACLCustom.ps1 │ ├── Add-DSACLDeleteChild.ps1 │ ├── Add-DSACLFullControl.ps1 │ ├── Add-DSACLJoinDomain.ps1 │ ├── Add-DSACLLinkGPO.ps1 │ ├── Add-DSACLManageGroupMember.ps1 │ ├── Add-DSACLManagerCanUpdateGroupMember.ps1 │ ├── Add-DSACLMoveObjectFrom.ps1 │ ├── Add-DSACLRenameObject.ps1 │ ├── Add-DSACLReplicatingDirectoryChanges.ps1 │ ├── Add-DSACLResetPassword.ps1 │ ├── Add-DSACLWriteAccountRestrictions.ps1 │ ├── Add-DSACLWriteDNSHostName.ps1 │ ├── Add-DSACLWriteServicePrincipalName.ps1 │ ├── ConvertFrom-DSACLInheritedObjectTypeGuid.ps1 │ ├── ConvertFrom-DSACLObjectTypeGuid.ps1 │ ├── Get-DSACLDefaultContainer.ps1 │ ├── Get-DSACLMachineAccountQuota.ps1 │ ├── New-DSACLAccessRule.ps1 │ ├── New-DSACLAuditRule.ps1 │ ├── Register-DSACLRightsMapVariable.ps1 │ ├── Resolve-DSACLGuid.ps1 │ ├── Resolve-DSACLObjectName.ps1 │ ├── Set-DSACLDefaultContainer.ps1 │ ├── Set-DSACLMachineAccountQuota.ps1 │ └── Set-DSACLOwner.ps1 ├── _ModuleVariables.ps1 ├── build.psd1 └── en-US │ └── DSACL-help.xml ├── appveyor.yml ├── docs ├── Add-DSACLCreateChild.md ├── Add-DSACLCustom.md ├── Add-DSACLDeleteChild.md ├── Add-DSACLFullControl.md ├── Add-DSACLJoinDomain.md ├── Add-DSACLLinkGPO.md ├── Add-DSACLManageGroupMember.md ├── Add-DSACLManagerCanUpdateGroupMember.md ├── Add-DSACLMoveObjectFrom.md ├── Add-DSACLRenameObject.md ├── Add-DSACLReplicatingDirectoryChanges.md ├── Add-DSACLResetPassword.md ├── Add-DSACLWriteAccountRestrictions.md ├── Add-DSACLWriteDNSHostName.md ├── Add-DSACLWriteServicePrincipalName.md ├── 
ConvertFrom-DSACLInheritedObjectTypeGuid.md ├── ConvertFrom-DSACLObjectTypeGuid.md ├── Get-DSACLDefaultContainer.md ├── Get-DSACLMachineAccountQuota.md ├── New-DSACLAccessRule.md ├── New-DSACLAuditRule.md ├── README.md ├── Register-DSACLRightsMapVariable.md ├── Resolve-DSACLGuid.md ├── Resolve-DSACLObjectName.md ├── Set-DSACLDefaultContainer.md ├── Set-DSACLMachineAccountQuota.md └── Set-DSACLOwner.md ├── license.txt └── test ├── Integration └── IntegrationTests.ps1 └── Unit └── DSAcl.Tests.ps1 /.gitignore: -------------------------------------------------------------------------------- 1 | /bin 2 | /TMP 3 | -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "type": "PowerShell", 9 | "request": "launch", 10 | "name": "PowerShell Launch Debug.ps1", 11 | "script": "${workspaceFolder}/TMP/Debug.ps1", 12 | "args": [], 13 | "cwd": "${workspaceFolder}", 14 | "createTemporaryIntegratedConsole": true 15 | }, 16 | { 17 | "type": "PowerShell", 18 | "request": "launch", 19 | "name": "PowerShell Launch Current File", 20 | "script": "${file}", 21 | "args": [], 22 | "cwd": "${file}" 23 | }, 24 | { 25 | "type": "PowerShell", 26 | "request": "launch", 27 | "name": "PowerShell Launch Current File in Temporary Console", 28 | "script": "${file}", 29 | "args": [], 30 | "cwd": "${file}", 31 | "createTemporaryIntegratedConsole": true 32 | }, 33 | { 34 | "type": "PowerShell", 35 | "request": "launch", 36 | "name": "PowerShell Launch Current File w/Args Prompt", 37 | "script": "${file}", 38 | "args": [ 39 | "${command:SpecifyScriptArgs}" 40 | ], 41 | "cwd": "${file}" 42 | }, 43 | { 44 | "type": 
"PowerShell", 45 | "request": "attach", 46 | "name": "PowerShell Attach to Host Process", 47 | "processId": "${command:PickPSHostProcess}", 48 | "runspaceId": 1 49 | }, 50 | { 51 | "type": "PowerShell", 52 | "request": "launch", 53 | "name": "PowerShell Interactive Session", 54 | "cwd": "" 55 | } 56 | ] 57 | } 58 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | // When enabled, will trim trailing whitespace when you save a file. 3 | "files.trimTrailingWhitespace": true 4 | } 5 | -------------------------------------------------------------------------------- /.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | // See https://go.microsoft.com/fwlink/?LinkId=733558 3 | // for the documentation about the tasks.json format 4 | "version": "2.0.0", 5 | "tasks": [ 6 | { 7 | "label": "startvm", 8 | "type": "shell", 9 | "command": "echo Hello" 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /DSACL.build.ps1: -------------------------------------------------------------------------------- 1 | #Requires -Modules @{ModuleName='InvokeBuild';ModuleVersion='3.2.1'} 2 | #Requires -Modules @{ModuleName='PowerShellGet';ModuleVersion='1.6.0'} 3 | #Requires -Modules @{ModuleName='Pester';ModuleVersion='4.1.1'} 4 | #Requires -Modules @{ModuleName='ModuleBuilder';ModuleVersion='1.0.0'} 5 | 6 | $Script:IsAppveyor = $null -ne $env:APPVEYOR 7 | $Script:ModuleName = Get-Item -Path $BuildRoot | Select-Object -ExpandProperty Name 8 | Get-Module -Name $ModuleName | Remove-Module -Force 9 | 10 | task Clean { 11 | Remove-Item -Path ".\Bin" -Recurse -Force -ErrorAction SilentlyContinue 12 | } 13 | 14 | task TestCode { 15 | Write-Build Yellow "`n`n`nTesting dev code before build" 16 | $TestResult = Invoke-Pester -Script 
"$PSScriptRoot\Test\Unit" -Tag Unit -Show 'Header','Summary' -PassThru 17 | if($TestResult.FailedCount -gt 0) {throw 'Tests failed'} 18 | } 19 | 20 | task CompilePSM { 21 | Write-Build Yellow "`n`n`nCompiling all code into single psm1" 22 | try { 23 | $BuildParams = @{} 24 | if((Get-Command -ErrorAction stop -Name gitversion)) { 25 | $GitVersion = gitversion | ConvertFrom-Json | Select-Object -Expand FullSemVer 26 | $GitVersion = gitversion | ConvertFrom-Json | Select-Object -Expand InformationalVersion 27 | $BuildParams['SemVer'] = $GitVersion 28 | } 29 | } 30 | catch{ 31 | Write-Warning -Message 'gitversion not found, keeping current version' 32 | } 33 | Push-Location -Path "$BuildRoot\Source" -StackName 'InvokeBuildTask' 34 | $Script:CompileResult = Build-Module @BuildParams -Passthru 35 | Get-ChildItem -Path "$BuildRoot\license*" | Copy-Item -Destination $Script:CompileResult.ModuleBase 36 | Pop-Location -StackName 'InvokeBuildTask' 37 | } 38 | 39 | task MakeHelp -if (Test-Path -Path "$PSScriptRoot\Docs") { 40 | 41 | } 42 | 43 | task TestBuild { 44 | Write-Build Yellow "`n`n`nTesting compiled module" 45 | $Script = @{Path="$PSScriptRoot\test\Unit"; Parameters=@{ModulePath=$Script:CompileResult.ModuleBase}} 46 | $CodeCoverage = (Get-ChildItem -Path $Script:CompileResult.ModuleBase -Filter *.psm1).FullName 47 | $TestResult = Invoke-Pester -Script $Script -CodeCoverage $CodeCoverage -Show None -PassThru 48 | 49 | if($TestResult.FailedCount -gt 0) { 50 | Write-Warning -Message "Failing Tests:" 51 | $TestResult.TestResult.Where{$_.Result -eq 'Failed'} | ForEach-Object -Process { 52 | Write-Warning -Message $_.Name 53 | Write-Verbose -Message $_.FailureMessage -Verbose 54 | } 55 | throw 'Tests failed' 56 | } 57 | 58 | $CodeCoverageResult = $TestResult | Convert-CodeCoverage -SourceRoot "$PSScriptRoot\Source" -Relative 59 | $CodeCoveragePercent = $TestResult.CodeCoverage.NumberOfCommandsExecuted/$TestResult.CodeCoverage.NumberOfCommandsAnalyzed*100 -as [int] 60 | 
Write-Verbose -Message "CodeCoverage is $CodeCoveragePercent%" -Verbose 61 | $CodeCoverageResult | Group-Object -Property SourceFile | Sort-Object -Property Count | Select-Object -Property Count, Name -Last 10 62 | } 63 | 64 | task . Clean, TestCode, Build 65 | 66 | task Build CompilePSM, MakeHelp, TestBuild 67 | 68 | -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | # DSACL - Delegation Made Easy 2 | 3 | | Master Branch | Current Branch | 4 | |---------------------------------|---------------------------------| 5 | | [![av-master-image][]][av-site] | [![av-dev-image][]][av-site] | 6 | 7 | [av-master-image]: https://ci.appveyor.com/api/projects/status/8xnk88yywn3jsk5l/branch/master?svg=true 8 | [av-dev-image]: https://ci.appveyor.com/api/projects/status/8xnk88yywn3jsk5l/branch/dev?svg=true 9 | [av-site]: https://ci.appveyor.com/project/SimonWahlin/dsacl 10 | 11 | DSACL is a PowerShell module for creating ACLs in Active Directory. 12 | 13 | Tired of using dsacls.exe but still think manually creating access rules in AD is a hassle? 14 | 15 | Then this is for you! 16 | 17 | ## Install 18 | 19 | The latest released version is best installed from PowerShell Gallery using the command: 20 | 21 | ```powershell 22 | Install-Module -Name DSACL -Scope CurrentUser 23 | ``` 24 | 25 | ## Build Instructions 26 | 27 | This module can be loaded as-is by importing DSAcl.psd1. This is mainly intended for development purposes or for testing the latest build. 
28 | 29 | To speed up module load time and minimize the number of files that need to be signed, distributed and installed, this module contains a build script that will package up the module into four files: 30 | 31 | - DSACL.format.ps1xml 32 | - DSAcl.psd1 33 | - DSACL.psm1 34 | - license.txt 35 | 36 | To build the module, make sure you have the following pre-req modules: 37 | 38 | - ModuleBuilder (Required Version 1.0.0) 39 | - Pester (Required Version 4.1.1) 40 | - InvokeBuild (Required Version 3.2.1) 41 | - PowerShellGet (Required Version 1.6.0) 42 | 43 | Start the build by running the following command from the project root: 44 | 45 | ```powershell 46 | Invoke-Build 47 | ``` 48 | 49 | This will package all code into files located in .\bin\DSACL. That folder is now ready to be installed: copy it to any path listed in your PSModulePath environment variable and you are good to ACL! 50 | 51 | ## Release Notes 52 | 53 | ### Unreleased 54 | 55 | - Added command *Add-DSACLManageGroupMember* 56 | - Added command *Set-DSACLOwner* 57 | - BugFix: *Add-DSACLCustom* Parameter Self will no longer be passed to New-DSAclAccessRule 58 | 59 | ## Contributing 60 | 61 | Any feedback is welcome, don't hesitate to submit an issue and/or pull request. 
62 | 63 | --- 64 | Maintained by [Simon Wahlin](https://www.github.com/SimonWahlin) 65 | -------------------------------------------------------------------------------- /Source/Classes/DefaultContainerConfig.ps1: -------------------------------------------------------------------------------- 1 | class DSACLDefaultContainerConfig { 2 | [string] $Name 3 | [string] $DistinguishedName 4 | hidden [string] $Prefix 5 | hidden [int] $Index 6 | hidden [string] $DomainDN 7 | 8 | DSACLDefaultContainerConfig($Name,$DistinguishedName,$Prefix,$Index,$DomainDN) { 9 | $this.Name = $Name 10 | $this.DistinguishedName = $DistinguishedName 11 | $this.Prefix = $Prefix 12 | $this.Index = $Index 13 | $this.DomainDN = $DomainDN 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /Source/DSACL.format.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ActiveDirectoryAccessRule 6 | 7 | System.DirectoryServices.ActiveDirectoryAccessRule 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 26 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 4 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | AccessControlType 40 | 41 | 42 | 43 | $Width = 26 44 | $S = ($_.ActiveDirectoryRights | % ToString) -join ',' 45 | $S = $S -replace '(?-i)[a-z\s]' 46 | if ($S.length -gt $Width) { 47 | $S='{0}...'-f $S.SubString(0,$Width-3) 48 | }; 49 | return $S; 50 | 51 | 52 | 53 | ConvertFrom-DSACLObjectTypeGuid -Access $_ 54 | 55 | 56 | ConvertFrom-DSACLInheritedObjectTypeGuid -Access $_ 57 | 58 | 59 | InheritanceType 60 | 61 | 62 | IdentityReference 63 | 64 | 65 | IsInherited 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | ActiveDirectoryAuditRule 75 | 76 | System.DirectoryServices.ActiveDirectoryAuditRule 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 26 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | AuditFlags 105 | 106 | 107 | 108 | $Width = 26 109 | $S = 
($_.ActiveDirectoryRights | % ToString) -join ',' 110 | $S = $S -replace '(?-i)[a-z\s]' 111 | if ($S.length -gt $Width) { 112 | $S='{0}...'-f $S.SubString(0,$Width-3) 113 | }; 114 | return $S; 115 | 116 | 117 | 118 | ConvertFrom-DSACLObjectTypeGuid -Audit $_ 119 | 120 | 121 | ConvertFrom-DSACLInheritedObjectTypeGuid -Audit $_ 122 | 123 | 124 | InheritanceType 125 | 126 | 127 | IdentityReference 128 | 129 | 130 | IsInherited 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /Source/DSACL.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | RootModule = 'DSACL.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '0.3.0' 8 | 9 | # Supported PSEditions 10 | # CompatiblePSEditions = @() 11 | 12 | # ID used to uniquely identify this module 13 | GUID = '8417f19e-0335-4a56-b0fc-9c71224603b9' 14 | 15 | # Author of this module 16 | Author = 'Simon Wahlin' 17 | 18 | # Company or vendor of this module 19 | CompanyName = 'simonw.se' 20 | 21 | # Copyright statement for this module 22 | Copyright = '(c) 2018 Simon Wahlin. All rights reserved.' 23 | 24 | # Description of the functionality provided by this module 25 | Description = 'Active Directory ACLs - Delegation made easy' 26 | 27 | # Minimum version of the Windows PowerShell engine required by this module 28 | # PowerShellVersion = '' 29 | 30 | # Name of the Windows PowerShell host required by this module 31 | # PowerShellHostName = '' 32 | 33 | # Minimum version of the Windows PowerShell host required by this module 34 | # PowerShellHostVersion = '' 35 | 36 | # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 
37 | # DotNetFrameworkVersion = '' 38 | 39 | # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 40 | # CLRVersion = '' 41 | 42 | # Processor architecture (None, X86, Amd64) required by this module 43 | # ProcessorArchitecture = '' 44 | 45 | # Modules that must be imported into the global environment prior to importing this module 46 | # RequiredModules = @() 47 | 48 | # Assemblies that must be loaded prior to importing this module 49 | # RequiredAssemblies = @() 50 | 51 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 52 | # ScriptsToProcess = @() 53 | 54 | # Type files (.ps1xml) to be loaded when importing this module 55 | # TypesToProcess = @() 56 | 57 | # Format files (.ps1xml) to be loaded when importing this module 58 | FormatsToProcess = @('DSACL.format.ps1xml') 59 | 60 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 61 | # NestedModules = @() 62 | 63 | # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. 64 | FunctionsToExport = @('*') 65 | 66 | # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 67 | # CmdletsToExport = @() 68 | 69 | # Variables to export from this module 70 | # VariablesToExport = @() 71 | 72 | # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. 
73 | AliasesToExport = @() 74 | 75 | # DSC resources to export from this module 76 | # DscResourcesToExport = @() 77 | 78 | # List of all modules packaged with this module 79 | # ModuleList = @() 80 | 81 | # List of all files packaged with this module 82 | # FileList = @() 83 | 84 | # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. 85 | PrivateData = @{ 86 | 87 | PSData = @{ 88 | 89 | # Tags applied to this module. These help with module discovery in online galleries. 90 | Tags = @('ActiveDirectory','ACL','AccessRights','DSACLS', 'PSEdition_Desktop', 'Windows') 91 | 92 | # A URL to the license for this module. 93 | LicenseUri = 'https://github.com/SimonWahlin/DSACL/blob/master/license.txt' 94 | 95 | # A URL to the main website for this project. 96 | ProjectUri = 'https://github.com/SimonWahlin/DSACL' 97 | 98 | # A URL to an icon representing this module. 99 | # IconUri = '' 100 | 101 | # ReleaseNotes of this module 102 | # ReleaseNotes = '' 103 | 104 | # Prerelease string of this module 105 | Prerelease = '' 106 | 107 | # Flag to indicate whether the module requires explicit user acceptance for install/update/save 108 | # RequireLicenseAcceptance = False 109 | 110 | # External dependent modules of this module 111 | # ExternalModuleDependencies = '' 112 | 113 | } # End of PSData hashtable 114 | 115 | } # End of PrivateData hashtable 116 | 117 | # HelpInfo URI of this module 118 | HelpInfoURI = 'https://github.com/ehmiiz/DSACL/blob/master/Source/en-US/DSACL-help.xml/' 119 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 
120 | # DefaultCommandPrefix = '' 121 | 122 | } 123 | 124 | -------------------------------------------------------------------------------- /Source/DSACL.psm1: -------------------------------------------------------------------------------- 1 | $ModulePath = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent 2 | $BuildData = Import-LocalizedData -BaseDirectory $ModulePath -FileName build.psd1 3 | 4 | Push-Location -Path $ModulePath -StackName 'DevModuleLoader' 5 | $Scripts = Get-ChildItem -Path $BuildData.SourceDirectories -File -Filter *.ps1 | Select-Object -ExpandProperty FullName 6 | if(-not [string]::IsNullOrWhiteSpace($BuildData.Prefix) -and (Test-Path -Path $BuildData.Prefix)) { 7 | . $BuildData.Prefix 8 | } 9 | foreach($Script in $Scripts) { 10 | . $Script 11 | } 12 | if(-not [string]::IsNullOrWhiteSpace($BuildData.Suffix) -and (Test-Path -Path $BuildData.Suffix)) { 13 | . $BuildData.Suffix 14 | } 15 | $SearchRecursive = $true 16 | $SearchRootOnly = $false 17 | $PublicScriptBlock = [ScriptBlock]::Create('{0}' -f (Get-ChildItem -Path $BuildData.PublicFilter -ErrorAction SilentlyContinue | Get-Content -Raw | Out-String)) 18 | $PublicFunctions = $PublicScriptBlock.Ast.FindAll({ $args[0] -is [System.Management.Automation.Language.FunctionDefinitionAst]},$SearchRootOnly).Name 19 | $PublicAlias = $PublicScriptBlock.Ast.FindAll({ $args[0] -is [System.Management.Automation.Language.ParamBlockAst] },$SearchRecursive).Where{$_.TypeName.FullName -eq 'alias'}.PositionalArguments.Value 20 | 21 | $ExportParam = @{} 22 | if($PublicFunctions) { 23 | $ExportParam.Add('Function',$PublicFunctions) 24 | } 25 | if($PublicAlias) { 26 | $ExportParam.Add('Alias',$PublicAlias) 27 | } 28 | if($ExportParam.Keys.Count -gt 0) { 29 | Export-ModuleMember @ExportParam 30 | } 31 | 32 | Pop-Location -StackName 'DevModuleLoader' 33 | -------------------------------------------------------------------------------- /Source/Private/ConvertTo-LDAPGuidFilter.ps1: 
-------------------------------------------------------------------------------- 1 | function ConvertTo-LDAPGuidFilter { 2 | [CmdletBinding()] 3 | param ( 4 | [guid]$Guid 5 | ) 6 | process { 7 | '\{6}{7}\{4}{5}\{2}{3}\{0}{1}\{11}{12}\{9}{10}\{16}{17}\{14}{15}\{19}{20}\{21}{22}\{24}{25}\{26}{27}\{28}{29}\{30}{31}\{32}{33}\{34}{35}'-f([string[]]$Guid.ToString().ToCharArray()) 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /Source/Private/Find-LDAPObject.ps1: -------------------------------------------------------------------------------- 1 | function Find-LDAPObject { 2 | [CmdletBinding()] 3 | param ( 4 | [System.DirectoryServices.SearchScope] 5 | $SearchScope = [System.DirectoryServices.SearchScope]::Subtree, 6 | 7 | [string] 8 | $SearchBase, 9 | 10 | [string] 11 | $Server, 12 | 13 | [String[]] 14 | $Property, 15 | 16 | [Parameter(Mandatory)] 17 | [string] 18 | $LDAPFilter, 19 | 20 | [switch] 21 | $Raw 22 | ) 23 | process { 24 | try { 25 | if($Property.Count -gt 0) { 26 | $Properties = $Property 27 | } else { 28 | $Properties = $null 29 | } 30 | if(-not $PSBoundParameters.ContainsKey('SearchBase')) { 31 | $SearchBase = Get-LdapObject -DistinguishedName RootDse | Select-Object -ExpandProperty defaultNamingContext 32 | } 33 | if ([string]::IsNullOrWhiteSpace($Server)) { 34 | $SearchRoot = "LDAP://$SearchBase" 35 | } else { 36 | $SearchRoot = "LDAP://$Server/$SearchBase" 37 | } 38 | 39 | $DirectoryEntry = New-Object -TypeName 'System.DirectoryServices.DirectoryEntry' -ArgumentList $SearchRoot 40 | $Searcher = New-Object -TypeName 'System.DirectoryServices.DirectorySearcher' -ArgumentList $DirectoryEntry, $LDAPFilter, $Properties, $SearchScope 41 | $Searcher.PageSize = 1000 42 | $Result = $Searcher.FindAll() 43 | if($Raw.IsPresent) { 44 | Write-Output $Result 45 | } else { 46 | foreach($Object in $Result) { 47 | $ObjectData = @{} 48 | foreach($prop in $Object.Properties.Keys) { 49 | if($Object.Properties[$prop].Count 
-eq 1) { 50 | $Data = $Object.Properties[$prop].Item(0) 51 | } else { 52 | $Data = for ($i = 0; $i -lt $Object.Properties[$prop].Count; $i++) { 53 | $Object.Properties[$prop].Item($i) 54 | } 55 | } 56 | $ObjectData.Add($prop,$Data) 57 | } 58 | [PSCustomObject]$ObjectData 59 | } 60 | } 61 | } 62 | catch { 63 | throw 64 | } 65 | finally { 66 | try { 67 | $Searcher.Dispose() 68 | } 69 | catch { 70 | # Don't care about errors 71 | } 72 | } 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /Source/Private/Get-LDAPObject.ps1: -------------------------------------------------------------------------------- 1 | function Get-LDAPObject { 2 | [CmdletBinding()] 3 | param ( 4 | # DistinguishedName of LDAP object to bind to 5 | [Parameter(Mandatory)] 6 | [string] 7 | $DistinguishedName, 8 | 9 | # Set domain controller to use 10 | [Parameter()] 11 | [string] 12 | $Server, 13 | 14 | # Set Credentials to use when connecting 15 | [Parameter()] 16 | [pscredential] 17 | $Credential 18 | ) 19 | try { 20 | $ArgumentList = $( 21 | if($PSBoundParameters.ContainsKey('Server')) { 22 | "LDAP://$Server/$DistinguishedName" 23 | } 24 | else { 25 | "LDAP://$DistinguishedName" 26 | } 27 | if($PSBoundParameters.ContainsKey('Credential')) { 28 | $Credential.UserName 29 | $Credential.GetNetworkCredential().Password 30 | } 31 | ) 32 | $DirectoryEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ArgumentList 33 | $null = try { 34 | # Try to read the object to force an exception if no object was found. 
35 | $DirectoryEntry | Format-List 36 | } 37 | catch { 38 | throw "Object not found: $DistinguishedName" 39 | } 40 | return $DirectoryEntry 41 | } 42 | catch { 43 | throw 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /Source/Private/Get-SID.ps1: -------------------------------------------------------------------------------- 1 | function Get-SID { 2 | [CmdletBinding()] 3 | param ( 4 | # DistinguishedName of LDAP object to get SID from 5 | [Parameter(Mandatory)] 6 | [string] 7 | $DistinguishedName, 8 | 9 | # Set domain controller to use 10 | [Parameter()] 11 | [string] 12 | $Server, 13 | 14 | # Set Credentials to use when connecting 15 | [Parameter()] 16 | [pscredential] 17 | $Credential 18 | ) 19 | 20 | process { 21 | $Object = Get-LDAPObject @PSBoundParameters 22 | New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Object.ObjectSID.Value, 0 23 | } 24 | 25 | } 26 | -------------------------------------------------------------------------------- /Source/Private/Set-DSACLAccessRule.ps1: -------------------------------------------------------------------------------- 1 | function Set-DSACLAccessRule { 2 | [CmdletBinding()] 3 | param ( 4 | [Parameter(Mandatory)] 5 | [ValidateNotNullOrEmpty()] 6 | [System.DirectoryServices.DirectoryEntry] 7 | $Target, 8 | 9 | [Parameter(Mandatory,ValueFromPipeline)] 10 | [System.DirectoryServices.ActiveDirectoryAccessRule] 11 | $ACE 12 | ) 13 | process { 14 | try { 15 | $Target.psbase.ObjectSecurity.AddAccessRule($ACE) 16 | } 17 | catch { 18 | throw 19 | } 20 | } 21 | end { 22 | Set-DSACLObject -DirectoryEntry $Target 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Source/Private/Set-DSACLObject.ps1: -------------------------------------------------------------------------------- 1 | function Set-DSACLObject { 2 | [CmdletBinding()] 3 | param ( 4 | [Parameter(Mandatory)] 5 | [ValidateNotNullOrEmpty()] 6 
| [System.DirectoryServices.DirectoryEntry] 7 | $DirectoryEntry 8 | ) 9 | try { 10 | $DirectoryEntry.psbase.CommitChanges() 11 | } catch { 12 | throw 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /Source/Private/Set-Owner.ps1: -------------------------------------------------------------------------------- 1 | function Set-Owner { 2 | [CmdletBinding()] 3 | param ( 4 | [Parameter(Mandatory, ValueFromPipeline)] 5 | [ValidateNotNullOrEmpty()] 6 | [System.DirectoryServices.DirectoryEntry] 7 | $Target, 8 | 9 | [Parameter(Mandatory)] 10 | [String] 11 | $OwnerDN 12 | ) 13 | process { 14 | try { 15 | $Owner = Get-SID -DistinguishedName $OwnerDN 16 | $Target.psbase.ObjectSecurity.SetOwner($Owner) 17 | Set-DSACLObject -DirectoryEntry $Target 18 | } 19 | catch { 20 | throw 21 | } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLCreateChild.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate rights to create objects of selected type in target (usually an OU) 4 | 5 | .EXAMPLE 6 | Add-DSACLCreateChild -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User 7 | Will give the group with DistinguishedName in $UserAdminGroup access to create user objects in 8 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 9 | 10 | #> 11 | function Add-DSACLCreateChild { 12 | [CmdletBinding(DefaultParameterSetName='ByTypeName')] 13 | param ( 14 | # DistinguishedName of object to modify ACL on. Usually an OU. 15 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)] 16 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)] 17 | [String] 18 | $TargetDN, 19 | 20 | # DistinguishedName of group or user to give permissions to. 
21 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)] 22 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)] 23 | [String] 24 | $DelegateDN, 25 | 26 | # Object type to give full control over 27 | [Parameter(Mandatory,ParameterSetName='ByTypeName')] 28 | [ValidateSet('Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User','All')] 29 | [String] 30 | $ObjectTypeName, 31 | 32 | # ObjectType guid, used for custom object types 33 | [Parameter(Mandatory,ParameterSetName='ByGuid')] 34 | [Guid] 35 | $ObjectTypeGuid, 36 | 37 | # Allow or Deny 38 | [Parameter(ParameterSetName='ByTypeName')] 39 | [Parameter(ParameterSetName='ByGuid')] 40 | [System.Security.AccessControl.AccessControlType] 41 | $AccessType = 'Allow', 42 | 43 | # Sets access right to "This object only" 44 | [Parameter(ParameterSetName='ByTypeName')] 45 | [Parameter(ParameterSetName='ByGuid')] 46 | [Switch] 47 | $NoInheritance 48 | ) 49 | 50 | process { 51 | try { 52 | if ($NoInheritance.IsPresent) { 53 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'None' 54 | } 55 | else { 56 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All' 57 | } 58 | switch ($PSCmdlet.ParameterSetName) { 59 | 'ByTypeName' { $ObjectType = $Script:GuidTable[$ObjectTypeName]} 60 | 'ByGuid' { $ObjectType = $ObjectTypeGuid } 61 | } 62 | 63 | $Params = @{ 64 | TargetDN = $TargetDN 65 | DelegateDN = $DelegateDN 66 | ActiveDirectoryRights = 'CreateChild' 67 | AccessControlType = $AccessType 68 | ObjectType = $ObjectType 69 | InheritanceType = $InheritanceType 70 | } 71 | Add-DSACLCustom @Params 72 | 73 | } 74 | catch { 75 | throw 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLCustom.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | 
Give Delegate custom rights in target (usually an OU) 4 | 5 | .DESCRIPTION 6 | Used to delegate any custom rights in Active Directory. 7 | Requires knowledge of creating ActiveDirectoryAccessRules, please use with caution. 8 | 9 | #> 10 | function Add-DSACLCustom { 11 | [CmdletBinding(DefaultParameterSetName='Delegate')] 12 | param ( 13 | # DistinguishedName of object to modify ACL on. Usually an OU. 14 | [Parameter(Mandatory,ParameterSetName='Delegate')] 15 | [Parameter(Mandatory,ParameterSetName='Self')] 16 | [Parameter(Mandatory,ParameterSetName='Sid')] 17 | [String] 18 | $TargetDN, 19 | 20 | # Give access to "Self" instead of a user or group 21 | [Parameter(Mandatory,ParameterSetName='Self')] 22 | [Switch] 23 | $Self, 24 | 25 | # DistinguishedName of group or user to give permissions to. 26 | [Parameter(Mandatory,ParameterSetName='Delegate')] 27 | [String] 28 | $DelegateDN, 29 | 30 | [Parameter(Mandatory,ParameterSetName='Sid')] 31 | [String] 32 | $SID, 33 | 34 | # List of access rights that should be applied 35 | [Parameter(Mandatory,ParameterSetName='Delegate')] 36 | [Parameter(Mandatory,ParameterSetName='Self')] 37 | [Parameter(Mandatory,ParameterSetName='Sid')] 38 | [System.DirectoryServices.ActiveDirectoryRights[]] 39 | $ActiveDirectoryRights, 40 | 41 | # Sets allow or deny 42 | [Parameter(Mandatory,ParameterSetName='Delegate')] 43 | [Parameter(Mandatory,ParameterSetName='Self')] 44 | [Parameter(Mandatory,ParameterSetName='Sid')] 45 | [System.Security.AccessControl.AccessControlType] 46 | $AccessControlType, 47 | 48 | # Sets guid where access right should apply 49 | [Parameter(ParameterSetName='Delegate')] 50 | [Parameter(ParameterSetName='Self')] 51 | [Parameter(ParameterSetName='Sid')] 52 | [Guid] 53 | $ObjectType, 54 | 55 | # Sets if and how this rule should be inherited 56 | [Parameter(ParameterSetName='Delegate')] 57 | [Parameter(ParameterSetName='Self')] 58 | [Parameter(ParameterSetName='Sid')] 59 | 
[System.DirectoryServices.ActiveDirectorySecurityInheritance] 60 | $InheritanceType, 61 | 62 | # Sets guid of object types that should inherit this rule 63 | [Parameter(ParameterSetName='Delegate')] 64 | [Parameter(ParameterSetName='Self')] 65 | [Parameter(ParameterSetName='Sid')] 66 | [Guid] 67 | $InheritedObjectType 68 | 69 | ) 70 | 71 | process { 72 | try { 73 | $Target = Get-LDAPObject -DistinguishedName $TargetDN -ErrorAction Stop 74 | switch ($PSCmdlet.ParameterSetName) { 75 | 'Delegate' { 76 | $DelegateSID = Get-SID -DistinguishedName $DelegateDN 77 | } 78 | 'Self' { $DelegateSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-10' } 79 | 'Sid' { $DelegateSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $SID } 80 | } 81 | 82 | $null = $PSBoundParameters.Remove('Self') 83 | $null = $PSBoundParameters.Remove('TargetDN') 84 | $null = $PSBoundParameters.Remove('DelegateDN') 85 | $null = $PSBoundParameters.Remove('SID') 86 | $PSBoundParameters.Add('Identity',$DelegateSID) 87 | 88 | $ACE = New-DSACLAccessRule @PSBoundParameters 89 | 90 | Set-DSACLAccessRule -Target $Target -ACE $ACE 91 | } 92 | catch { 93 | throw 94 | } 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLDeleteChild.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate rights to delete objects of selected type in target (usually an OU) 4 | 5 | .EXAMPLE 6 | Add-DSACLDeleteChild -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User 7 | Will give the group with DistinguishedName in $UserAdminGroup access to delete user objects in 8 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 
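
.NOTES
    With -ObjectTypeName All the delegate can delete any object under TargetDN, and with
    -IncludeChildren whole subtrees in one operation. Scope the object type as tightly as
    the use case allows.
#>
function Add-DSACLDeleteChild {
    [CmdletBinding(DefaultParameterSetName='ByTypeName')]
    param (
        # DistinguishedName of object to modify ACL on. Usually an OU.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [String]
        $TargetDN,

        # DistinguishedName of group or user to give permissions to.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)]
        [String]
        $DelegateDN,

        # Object type (class) the delegate may delete. 'All' means any object under TargetDN.
        [Parameter(Mandatory,ParameterSetName='ByTypeName')]
        [ValidateSet('Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User','All')]
        [String]
        $ObjectTypeName,

        # ObjectType guid, used for custom object types
        [Parameter(Mandatory,ParameterSetName='ByGuid')]
        [Guid]
        $ObjectTypeGuid,

        # Allow or Deny
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [System.Security.AccessControl.AccessControlType]
        $AccessType = 'Allow',

        # Limit the rule to objects directly in TargetDN (inheritance type "Children")
        # instead of all descendants, i.e. objects in sub-OUs are not covered.
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [Switch]
        $NoInheritance,

        # Adds DeleteTree right allowing to delete an object and all its child objects in one operation.
        # This is often required for deleting computer objects
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [Switch]
        $IncludeChildren
    )

    process {
        try {
            # Delete is checked on the object being deleted, so the rule must always reach the
            # child objects: "Children" for direct children only, "Descendents" for the subtree.
            if ($NoInheritance.IsPresent) {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children
            }
            else {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
            }
            switch ($PSCmdlet.ParameterSetName) {
                'ByTypeName' { $ObjectType = $Script:GuidTable[$ObjectTypeName]}
                'ByGuid' { $ObjectType = $ObjectTypeGuid }
            }

            if ($IncludeChildren.IsPresent) {
                $ActiveDirectoryRights = 'Delete', 'DeleteTree'
            }
            else {
                $ActiveDirectoryRights = 'Delete'
            }

            # Delete/DeleteTree are standard rights, not attribute-specific, so ObjectType is the
            # table's 'All' entry and only InheritedObjectType (the class) scopes the rule.
            $Params = @{
                TargetDN = $TargetDN
                DelegateDN = $DelegateDN
                ActiveDirectoryRights = $ActiveDirectoryRights
                AccessControlType = $AccessType
                ObjectType = $Script:GuidTable['All']
                InheritanceType = $InheritanceType
                InheritedObjectType = $ObjectType
            }
            Add-DSACLCustom @Params

        }
        catch {
            throw
        }
    }
}
--------------------------------------------------------------------------------
/Source/Public/Add-DSACLFullControl.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Give Delegate FullControl rights on objects of selected type in target (usually an OU)

.EXAMPLE
    Add-DSACLFullControl -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow
    Will give the group with DistinguishedName in $UserAdminGroup FullControl of user objects in
    the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance.

.NOTES
    GenericAll on a user or computer object includes every extended right and attribute write on
    it (reset password, servicePrincipalName, msDS-AllowedToActOnBehalfOfOtherIdentity, ...),
    i.e. full takeover of those accounts. With -ObjectTypeName All it covers every object under
    TargetDN. Prefer the narrower Add-DSACL* functions where they fit.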
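#>
function Add-DSACLFullControl {
    [CmdletBinding(DefaultParameterSetName='ByTypeName')]
    param (
        # DistinguishedName of object to modify ACL on. Usually an OU.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [String]
        $TargetDN,

        # DistinguishedName of group or user to give permissions to.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)]
        [String]
        $DelegateDN,

        # Object type (class) to give full control over. 'All' means every object under TargetDN.
        [Parameter(Mandatory,ParameterSetName='ByTypeName')]
        [ValidateSet('Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User', 'All')]
        [String]
        $ObjectTypeName,

        # ObjectType guid, used for custom object types
        [Parameter(Mandatory,ParameterSetName='ByGuid')]
        [Guid]
        $ObjectTypeGuid,

        # Allow or Deny
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [System.Security.AccessControl.AccessControlType]
        $AccessType = 'Allow',

        # Limit the rule to objects directly in TargetDN (inheritance type "Children")
        # instead of all descendants.
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [Switch]
        $NoInheritance
    )

    process {
        try {
            if ($NoInheritance.IsPresent) {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children'
            }
            else {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents'
            }
            switch ($PSCmdlet.ParameterSetName) {
                'ByTypeName' { $ObjectType = $Script:GuidTable[$ObjectTypeName]}
                'ByGuid' { $ObjectType = $ObjectTypeGuid }
            }

            # GenericAll is not attribute-specific, so no ObjectType is passed; the class guid
            # goes in InheritedObjectType to scope which objects inherit the rule.
            $Params = @{
                TargetDN = $TargetDN
                DelegateDN = $DelegateDN
                ActiveDirectoryRights = 'GenericAll'
                AccessControlType = $AccessType
                InheritedObjectType = $ObjectType
                InheritanceType = $InheritanceType
            }
            Add-DSACLCustom @Params

        }
        catch {
            throw
        }
    }
}
--------------------------------------------------------------------------------
/Source/Public/Add-DSACLJoinDomain.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Give DelegateDN rights to join computers in target (usually an OU).

.DESCRIPTION
    Grants, on computer objects under TargetDN, the four rights a domain join needs on a
    pre-staged computer account: Reset Password, write to the "Account Restrictions" property
    set, write to servicePrincipalName and write to dNSHostName. All rules are Allow rules;
    this function cannot create Deny rules.

    By default servicePrincipalName and dNSHostName are granted as plain WriteProperty, which
    lets the delegate set any SPN or host name on those computer objects. A domain join only
    needs the validated writes (values must match the computer's own name), so -ValidatedOnly
    is the least-privilege choice.

.EXAMPLE
    Add-DSACLJoinDomain -TargetDN $ComputersOU -DelegateDN $JoinDomainAccounts
    Will give the group with DistinguishedName in $JoinDomainAccounts rights to join computers to
    the domain. Requires a computer account to be created already.

    Use switch -AllowCreate to allow to create computer objects in OU and join without a
    pre-existing computer object. Add -NoInheritance to stop the access from being inherited by sub-OUs.

.EXAMPLE
    Add-DSACLJoinDomain -TargetDN $ComputersOU -DelegateDN $JoinDomainAccounts -ValidatedOnly
    Same as above, but grants only the validated writes to servicePrincipalName and dNSHostName.
#>
function Add-DSACLJoinDomain {
    [CmdletBinding()]
    param (
        # DistinguishedName of object to modify ACL on. Usually an OU.
        [Parameter(Mandatory)]
        [String]
        $TargetDN,

        # DistinguishedName of group or user to give permissions to.
        [Parameter(Mandatory)]
        [String]
        $DelegateDN,

        # Allow creating computer objects, this allows to join computers without a pre-staged computer account
        [Parameter()]
        [Switch]
        $AllowCreate,

        # Limit the rules to computer objects directly in TargetDN (the callees use inheritance
        # type "Children") instead of all sub-OUs.
        [Parameter()]
        [Switch]
        $NoInheritance,

        # Grant only the validated writes to servicePrincipalName and dNSHostName instead of
        # unrestricted WriteProperty on those attributes. Recommended.
        [Parameter()]
        [Switch]
        $ValidatedOnly
    )

    process {
        try {

            $WriteParams = @{
                TargetDN = $TargetDN
                DelegateDN = $DelegateDN
                ObjectTypeName = 'Computer'
                AccessType = 'Allow'
                NoInheritance = $NoInheritance
            }
            Add-DSACLResetPassword @WriteParams
            Add-DSACLWriteAccountRestrictions @WriteParams

            # Only the two attribute writers know -ValidatedOnly; pass it to them alone.
            $NameParams = $WriteParams.Clone()
            $NameParams['ValidatedOnly'] = $ValidatedOnly
            Add-DSACLWriteServicePrincipalName @NameParams
            Add-DSACLWriteDNSHostName @NameParams

            if($AllowCreate.IsPresent) {
                Add-DSACLCreateChild -TargetDN $TargetDN -DelegateDN $DelegateDN -ObjectTypeName Computer -NoInheritance:$NoInheritance
            }

        }
        catch {
            throw
        }
    }
}
--------------------------------------------------------------------------------
/Source/Public/Add-DSACLLinkGPO.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Delegate rights to link GPO on target (usually an OU)

.DESCRIPTION
    Grants WriteProperty on the gPLink attribute of TargetDN (and, unless -NoInheritance is
    given, of all OUs below it). Whoever can link GPOs to an OU controls the configuration
    of every computer and user in it, so combine this only with delegates that are trusted
    to the same degree as the objects in the OU.

.EXAMPLE
    Add-DSACLLinkGPO -TargetDN $UsersOU -DelegateDN $GPAdmin -AccessType Allow
    Will give the group with DistinguishedName in $GPAdmin rights to link GPOs on
    the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance.
#>
function Add-DSACLLinkGPO {
    [CmdletBinding()]
    param (
        # DistinguishedName of object to modify ACL on. Usually an OU.
        [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [String]
        $TargetDN,

        # DistinguishedName of group or user to give permissions to.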
19 | [Parameter(Mandatory,ValueFromPipelineByPropertyName)] 20 | [String] 21 | $DelegateDN, 22 | 23 | # Allow or Deny 24 | [Parameter()] 25 | [System.Security.AccessControl.AccessControlType] 26 | $AccessType = 'Allow', 27 | 28 | # Sets access right to "This object only" 29 | [Parameter()] 30 | [Switch] 31 | $NoInheritance 32 | ) 33 | 34 | process { 35 | try { 36 | $Params = @{ 37 | TargetDN = $TargetDN 38 | DelegateDN = $DelegateDN 39 | ActiveDirectoryRights = 'WriteProperty' 40 | AccessControlType = $AccessType 41 | ObjectType = $Script:GuidTable['gPLink'] 42 | } 43 | 44 | if ($NoInheritance.IsPresent) { 45 | $Params['InheritanceType'] = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None 46 | } 47 | else { 48 | $Params['InheritanceType'] = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All 49 | $Params['InheritedObjectType'] = $Script:GuidTable['OrganizationalUnit'] 50 | } 51 | 52 | Add-DSACLCustom @Params 53 | 54 | } 55 | catch { 56 | throw 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLManageGroupMember.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate rights to manage members in group(s). 4 | 5 | .EXAMPLE 6 | Add-DSACLManageGroupMember -TargetDN $GroupsOU -DelegateDN $AccessAdminGroup -AccessType Allow 7 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members 8 | of any group in the OU with DistinguishedName in $GroupsOU and all sub-OUs. Add -NoInheritance do disable inheritance. 9 | 10 | .EXAMPLE 11 | Add-DSACLManageGroupMember -TargetDN $GroupsOU -DelegateDN $AccessAdminGroup -AccessType Allow -NoInheritance 12 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members 13 | of any group in the OU with DistinguishedName in $GroupsOU. Will not effect groups in sub-OUs. 
14 | 15 | .EXAMPLE 16 | Add-DSACLManageGroupMember -TargetDN $SpecialGroup -DelegateDN $AccessAdminGroup -AccessType Allow -DirectOnGroup 17 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members 18 | of the group in with DistinguishedName in $SpecialGroup. 19 | 20 | #> 21 | function Add-DSACLManageGroupMember { 22 | [CmdletBinding(DefaultParameterSetName='OnContainer')] 23 | param ( 24 | # DistinguishedName of object to modify ACL on. Usually an OU. 25 | [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] 26 | [String] 27 | $TargetDN, 28 | 29 | # DistinguishedName of group or user to give permissions to. 30 | [Parameter(Mandatory,ValueFromPipelineByPropertyName)] 31 | [String] 32 | $DelegateDN, 33 | 34 | # Allow or Deny 35 | [Parameter()] 36 | [System.Security.AccessControl.AccessControlType] 37 | $AccessType = 'Allow', 38 | 39 | # Sets access right to "Children". Use this to effect all groups in OU but not subOUs 40 | [Parameter(ParameterSetName='OnContainer')] 41 | [Switch] 42 | $NoInheritance, 43 | 44 | # Sets access right to "This object only", use this when TargetDN is a group. 
45 | [Parameter(ParameterSetName='OnGroup')] 46 | [Switch] 47 | $DirectOnGroup 48 | ) 49 | 50 | process { 51 | try { 52 | if ($NoInheritance.IsPresent) { 53 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children' 54 | } elseif ($DirectOnGroup.IsPresent) { 55 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'None' 56 | } else { 57 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents' 58 | } 59 | 60 | $Params = @{ 61 | TargetDN = $TargetDN 62 | DelegateDN = $DelegateDN 63 | ActiveDirectoryRights = 'WriteProperty' 64 | AccessControlType = $AccessType 65 | ObjectType = $Script:GuidTable['member'] 66 | InheritanceType = $InheritanceType 67 | InheritedObjectType = $Script:GuidTable['group'] 68 | } 69 | Add-DSACLCustom @Params 70 | 71 | } 72 | catch { 73 | throw 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLManagerCanUpdateGroupMember.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate rights to groups manager to manage members in group(s). 4 | Note that this access stays with the user if the manager changes. 5 | 6 | .EXAMPLE 7 | Add-DSACLManagerCanUpdateGroupMember -TargetDN $Group 8 | Will give the current manager of the group in $Group access to manage members. 9 | Note that this access stays with the user if the manager changes. 10 | 11 | #> 12 | function Add-DSACLManagerCanUpdateGroupMember { 13 | [CmdletBinding(DefaultParameterSetName='OnContainer')] 14 | param ( 15 | # DistinguishedName of object to modify ACL on. Has to be a group. 
16 | [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] 17 | [String] 18 | $TargetDN 19 | ) 20 | 21 | process { 22 | try { 23 | $Group = Get-LDAPObject -DistinguishedName $TargetDN 24 | if($Group.objectClass -notcontains 'group') { 25 | throw 'Target has to be a group.' 26 | } 27 | $DelegateDN = $Group.managedBy 28 | 29 | Add-DSACLManageGroupMember -TargetDN $TargetDN -DelegateDN $DelegateDN -DirectOnGroup 30 | } 31 | catch { 32 | throw 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLMoveObjectFrom.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Delegates right to move object of type ObjectTypeName from TargetDN. 4 | Moving also requires create-child rights in target container. 5 | 6 | .DESCRIPTION 7 | Delegates the rights to rename and delete objects in TargetDN. 8 | #> 9 | 10 | function Add-DSACLMoveObjectFrom { 11 | [CmdletBinding()] 12 | param ( 13 | # Object type to allow being moved 14 | [Parameter(Mandatory)] 15 | [ValidateSet('Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User','All')] 16 | [String] 17 | $ObjectTypeName, 18 | 19 | # DistinguishedName of object to modify ACL on. Usually an OU. 20 | [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] 21 | $TargetDN, 22 | 23 | # DistinguishedName of group or user to give permissions to. 
24 | [Parameter(Mandatory,ValueFromPipelineByPropertyName)] 25 | $DelegateDN, 26 | 27 | # Sets access right to "This object only" 28 | [Switch] 29 | $NoInheritance 30 | ) 31 | 32 | process { 33 | try { 34 | $ErrorActionPreference = 'Stop' 35 | Add-DSACLRenameObject @PSBoundParameters 36 | Add-DSACLDeleteChild @PSBoundParameters 37 | } catch { 38 | throw 39 | } 40 | } 41 | 42 | } 43 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLRenameObject.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate rights to rename objects in target (usually an OU) 4 | 5 | .EXAMPLE 6 | Add-DSACLRenameObject -ObjectTypeName Computer -TargetDN $ComputersOU -DelegateDN $ComputerAdminGroup -AccessType Allow 7 | Will give the group with DistinguishedName in $ComputerAdminGroup rights to rename computers in 8 | the OU with DistinguishedName in $ComputersOU and all sub-OUs. Add -NoInheritance do disable inheritance. 9 | #> 10 | function Add-DSACLRenameObject { 11 | [CmdletBinding(DefaultParameterSetName='Delegate')] 12 | param ( 13 | # Object type to allow being renamed 14 | [Parameter(Mandatory,ParameterSetName='Delegate')] 15 | [ValidateSet('Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User','All')] 16 | [String] 17 | $ObjectTypeName, 18 | 19 | # DistinguishedName of object to modify ACL on. Usually an OU. 20 | [Parameter(Mandatory,ParameterSetName='Delegate')] 21 | [String] 22 | $TargetDN, 23 | 24 | # DistinguishedName of group or user to give permissions to. 
25 | [Parameter(Mandatory,ParameterSetName='Delegate')] 26 | [String] 27 | $DelegateDN, 28 | 29 | # Sets access right to "This object only" 30 | [Parameter(ParameterSetName='Delegate')] 31 | [Switch] 32 | $NoInheritance 33 | ) 34 | 35 | process { 36 | try { 37 | 38 | $null = $PSBoundParameters.Remove('ObjectTypeName') 39 | $null = $PSBoundParameters.Remove('NoInheritance') 40 | 41 | if ($NoInheritance.IsPresent) { 42 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Children 43 | } 44 | else { 45 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents 46 | } 47 | 48 | $AceParams = @{ 49 | ActiveDirectoryRights = 'WriteProperty' 50 | AccessControlType = 'Allow' 51 | InheritanceType = $InheritanceType 52 | InheritedObjectType = $Script:GuidTable[$ObjectTypeName] 53 | } 54 | 55 | 'distinguishedName', 'name', 'CN' | ForEach-Object -Process { 56 | Add-DSACLCustom -ObjectType $Script:GuidTable[$_] @AceParams @PSBoundParameters 57 | } 58 | 59 | if($ObjectTypeName -eq 'Computer') { 60 | 61 | 'Account Restrictions' ,'sAMAccountName' | ForEach-Object -Process { 62 | Add-DSACLCustom -ObjectType $Script:GuidTable[$_] @AceParams @PSBoundParameters 63 | } 64 | 65 | $WriteParams = @{ 66 | TargetDN = $TargetDN 67 | DelegateDN = $DelegateDN 68 | ObjectTypeName = 'Computer' 69 | AccessType = 'Allow' 70 | NoInheritance = $NoInheritance.IsPresent 71 | } 72 | Add-DSACLWriteDNSHostName @WriteParams 73 | Add-DSACLWriteServicePrincipalName @WriteParams 74 | 75 | } 76 | 77 | } 78 | catch { 79 | throw 80 | } 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLReplicatingDirectoryChanges.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Give Delegate "Replicating Directory Changes" rights on domain with DistinguishedName in target 4 | 5 | .EXAMPLE 6 | Add-DSACLReplicatingDirectoryChanges 
-DelegateDN $AADCServiceAccount 7 | Will give the service account with DistinguishedName in $AADCServiceAccount the right "Replicating Directory Changes". 8 | Add -AllowReplicateSecrets to grant "Replicating Directory Changes All" instead.. 9 | 10 | #> 11 | function Add-DSACLReplicatingDirectoryChanges { 12 | [CmdletBinding(DefaultParameterSetName='ByTypeName')] 13 | param ( 14 | # DistinguishedName of group or user to give permissions to. 15 | [Parameter(Mandatory)] 16 | [String] 17 | $DelegateDN, 18 | 19 | # Allow replicating secrets, like passwords (Corresponds to "Replicating Directory Changes All") 20 | [Parameter()] 21 | [Switch] 22 | $AllowReplicateSecrets 23 | ) 24 | 25 | process { 26 | try { 27 | 28 | $TargetDN = Get-LdapObject -DistinguishedName RootDse | Select-Object -ExpandProperty defaultNamingContext 29 | 30 | if ($AllowReplicateSecrets.IsPresent) { 31 | # Replicating Directory Changes All 32 | $ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' 33 | } 34 | else { 35 | # Replicating Directory Changes 36 | $ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' 37 | } 38 | $Params = @{ 39 | TargetDN = $TargetDN 40 | DelegateDN = $DelegateDN 41 | ActiveDirectoryRights = 'ExtendedRight' 42 | AccessControlType = 'Allow' 43 | ObjectType = $ObjectType 44 | InheritanceType = 'None' 45 | } 46 | Add-DSACLCustom @Params 47 | 48 | } 49 | catch { 50 | throw 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLResetPassword.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Delegate ResetPassword rights on objects of selected type in target (usually an OU) 4 | 5 | .EXAMPLE 6 | Add-DSACLResetPassword -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 7 | Will give the group with DistinguishedName in $UserAdminGroup ResetPassword rights of user objects in 8 | the OU with DistinguishedName in 
$UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 9 | #> 10 | function Add-DSACLResetPassword { 11 | [CmdletBinding(DefaultParameterSetName='ByTypeName')] 12 | param ( 13 | # DistinguishedName of object to modify ACL on. Usually an OU. 14 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)] 15 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)] 16 | [String] 17 | $TargetDN, 18 | 19 | # DistinguishedName of group or user to give permissions to. 20 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)] 21 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)] 22 | [String] 23 | $DelegateDN, 24 | 25 | # Object type to give full control over 26 | [Parameter(Mandatory,ParameterSetName='ByTypeName')] 27 | [ValidateSet('User', 'Computer', 'ManagedServiceAccount', 'GroupManagedServiceAccount')] 28 | [String] 29 | $ObjectTypeName, 30 | 31 | # ObjectType guid, used for custom object types 32 | [Parameter(Mandatory,ParameterSetName='ByGuid')] 33 | [Guid] 34 | $ObjectTypeGuid, 35 | 36 | # Allow or Deny 37 | [Parameter(ParameterSetName='ByTypeName')] 38 | [Parameter(ParameterSetName='ByGuid')] 39 | [System.Security.AccessControl.AccessControlType] 40 | $AccessType = 'Allow', 41 | 42 | # Sets access right to "This object only" 43 | [Parameter(ParameterSetName='ByTypeName')] 44 | [Parameter(ParameterSetName='ByGuid')] 45 | [Switch] 46 | $NoInheritance 47 | ) 48 | 49 | process { 50 | try { 51 | if ($NoInheritance.IsPresent) { 52 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children' 53 | } 54 | else { 55 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents' 56 | } 57 | switch ($PSCmdlet.ParameterSetName) { 58 | 'ByTypeName' { $ObjectType = $Script:GuidTable[$ObjectTypeName]} 59 | 'ByGuid' { $ObjectType = $ObjectTypeGuid } 60 
| } 61 | 62 | $Params = @{ 63 | TargetDN = $TargetDN 64 | DelegateDN = $DelegateDN 65 | ActiveDirectoryRights = 'ExtendedRight' 66 | AccessControlType = $AccessType 67 | ObjectType = $Script:GuidTable['ResetPassword'] 68 | InheritanceType = $InheritanceType 69 | InheritedObjectType = $ObjectType 70 | } 71 | Add-DSACLCustom @Params 72 | 73 | } 74 | catch { 75 | throw 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLWriteAccountRestrictions.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Delegate rights to write to the property set "Account Restrictions" on objects of selected type in target (usually an OU) 4 | 5 | .DESCRIPTION 6 | Delegate rights to write to the property set "Account Restrictions" on objects of selected type in target (usually an OU) 7 | 8 | A property set is a set of attributes that can be used to minimize the amount of ACE's to create. The property set 9 | "Account Restrictions". More information about this set can be found here: https://docs.microsoft.com/en-us/windows/desktop/adschema/r-user-account-restrictions 10 | 11 | .EXAMPLE 12 | Add-DSACLWriteAccountRestrictions -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 13 | Will give the group with DistinguishedName in $UserAdminGroup rights to SET SPN of user objects in 14 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 15 | #> 16 | 17 | function Add-DSACLWriteAccountRestrictions { 18 | [CmdletBinding(DefaultParameterSetName='ByTypeName')] 19 | param ( 20 | # DistinguishedName of object to modify ACL on. Usually an OU. 
21 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)] 22 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)] 23 | [String] 24 | $TargetDN, 25 | 26 | # DistinguishedName of group or user to give permissions to. 27 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)] 28 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)] 29 | [String] 30 | $DelegateDN, 31 | 32 | # Object type to give full control over 33 | [Parameter(Mandatory,ParameterSetName='ByTypeName')] 34 | [ValidateSet('User', 'Computer', 'ManagedServiceAccount','GroupManagedServiceAccount')] 35 | [String] 36 | $ObjectTypeName, 37 | 38 | # ObjectType guid, used for custom object types 39 | [Parameter(Mandatory,ParameterSetName='ByGuid')] 40 | [Guid] 41 | $ObjectTypeGuid, 42 | 43 | # Allow or Deny 44 | [Parameter(Mandatory,ParameterSetName='ByTypeName')] 45 | [Parameter(Mandatory,ParameterSetName='ByGuid')] 46 | [System.Security.AccessControl.AccessControlType] 47 | $AccessType, 48 | 49 | # Sets access right to "This object only" 50 | [Parameter(ParameterSetName='ByTypeName')] 51 | [Parameter(ParameterSetName='ByGuid')] 52 | [Switch] 53 | $NoInheritance 54 | ) 55 | 56 | process { 57 | try { 58 | 59 | if ($NoInheritance.IsPresent) { 60 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children' 61 | } else { 62 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents' 63 | } 64 | 65 | switch ($PSCmdlet.ParameterSetName) { 66 | 'ByTypeName' { $InheritanceObjectType = $Script:GuidTable[$ObjectTypeName]} 67 | 'ByGuid' { $InheritanceObjectType = $ObjectTypeGuid } 68 | } 69 | 70 | $AceParams = @{ 71 | TargetDN = $TargetDN 72 | DelegateDN = $DelegateDN 73 | ActiveDirectoryRights = 'WriteProperty' 74 | AccessControlType = 'Allow' 75 | ObjectType = $Script:GuidTable['Account 
Restrictions'] 76 | InheritanceType = $InheritanceType 77 | InheritedObjectType = $InheritanceObjectType 78 | } 79 | Add-DSACLCustom @AceParams 80 | 81 | } catch { 82 | throw 83 | } 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /Source/Public/Add-DSACLWriteDNSHostName.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Delegate rights to SET DNSHostName on objects of selected type in target (usually an OU) 4 | 5 | .EXAMPLE 6 | Add-DSACLWriteDNSHostName -TargetDN $ComputersOU -DelegateDN $ComputerAdminGroup -ObjectTypeName Computer -AccessType Allow 7 | Will give the group with DistinguishedName in $ComputerAdminGroup rights to SET DNSHostName of computer objects in 8 | the OU with DistinguishedName in $ComputersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 9 | #> 10 | function Add-DSACLWriteDNSHostName { 11 | [CmdletBinding(DefaultParameterSetName='ByTypeName')] 12 | param ( 13 | # DistinguishedName of object to modify ACL on. Usually an OU. 14 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)] 15 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)] 16 | [String] 17 | $TargetDN, 18 | 19 | # DistinguishedName of group or user to give permissions to. 
20 | [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)] 21 | [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)] 22 | [String] 23 | $DelegateDN, 24 | 25 | # Object type to give full control over 26 | [Parameter(Mandatory,ParameterSetName='ByTypeName')] 27 | [ValidateSet('Computer', 'ManagedServiceAccount','GroupManagedServiceAccount')] 28 | [String] 29 | $ObjectTypeName, 30 | 31 | # ObjectType guid, used for custom object types 32 | [Parameter(Mandatory,ParameterSetName='ByGuid')] 33 | [Guid] 34 | $ObjectTypeGuid, 35 | 36 | # Allow or Deny 37 | [Parameter(ParameterSetName='ByTypeName')] 38 | [Parameter(ParameterSetName='ByGuid')] 39 | [System.Security.AccessControl.AccessControlType] 40 | $AccessType = 'Allow', 41 | 42 | # Sets access right to "This object only" 43 | [Parameter(ParameterSetName='ByTypeName')] 44 | [Parameter(ParameterSetName='ByGuid')] 45 | [Switch] 46 | $NoInheritance, 47 | 48 | # Only effects validated writes 49 | [Parameter(ParameterSetName='ByTypeName')] 50 | [Parameter(ParameterSetName='ByGuid')] 51 | [Switch] 52 | $ValidatedOnly 53 | ) 54 | 55 | process { 56 | try { 57 | if ($NoInheritance.IsPresent) { 58 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children' 59 | } else { 60 | $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents' 61 | } 62 | 63 | switch ($PSCmdlet.ParameterSetName) { 64 | 'ByTypeName' { $InheritanceObjectType = $Script:GuidTable[$ObjectTypeName]} 65 | 'ByGuid' { $InheritanceObjectType = $ObjectTypeGuid } 66 | } 67 | 68 | if($ValidatedOnly.IsPresent) { 69 | $ObjectType = $Script:GuidTable['Validated write to DNS host name'] 70 | $ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]::Self 71 | } else { 72 | $ObjectType = $Script:GuidTable['DNS Host Name Attributes'] 73 | $ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty 74 | } 75 
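<#
.SYNOPSIS
Delegate rights to SET ServicePrincipalName (SPN) on objects of selected type in target (usually an OU)

.DESCRIPTION
Adds one Access Control Entry on TargetDN that lets DelegateDN write the servicePrincipalName
attribute of objects of the selected class (User, Computer, ManagedServiceAccount,
GroupManagedServiceAccount, or any class given by its GUID).
With -ValidatedOnly the right granted is the validated write ('Self') instead of 'WriteProperty'.
AccessType decides whether the entry is an Allow or a Deny ACE.

.EXAMPLE
Add-DSACLWriteServicePrincipalName -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow
Will give the group with DistinguishedName in $UserAdminGroup rights to SET SPN of user objects in
the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance.
#>
function Add-DSACLWriteServicePrincipalName {
    [CmdletBinding(DefaultParameterSetName='ByTypeName')]
    param (
        # DistinguishedName of object to modify ACL on. Usually an OU.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [String]
        $TargetDN,

        # DistinguishedName of group or user to give permissions to.
        [Parameter(Mandatory,ParameterSetName='ByTypeName',ValueFromPipelineByPropertyName)]
        [Parameter(Mandatory,ParameterSetName='ByGuid',ValueFromPipelineByPropertyName)]
        [String]
        $DelegateDN,

        # Object class whose servicePrincipalName attribute the delegate may write
        [Parameter(Mandatory,ParameterSetName='ByTypeName')]
        [ValidateSet('User', 'Computer', 'ManagedServiceAccount','GroupManagedServiceAccount')]
        [String]
        $ObjectTypeName,

        # schemaIDGUID of the object class, used for custom object types
        [Parameter(Mandatory,ParameterSetName='ByGuid')]
        [Guid]
        $ObjectTypeGuid,

        # Allow or Deny
        [Parameter(Mandatory,ParameterSetName='ByTypeName')]
        [Parameter(Mandatory,ParameterSetName='ByGuid')]
        [System.Security.AccessControl.AccessControlType]
        $AccessType,

        # Apply the ACE only to objects directly under the target (no inheritance to sub-OUs)
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [Switch]
        $NoInheritance,

        # Grant the validated write ('Self') right instead of 'WriteProperty'
        [Parameter(ParameterSetName='ByTypeName')]
        [Parameter(ParameterSetName='ByGuid')]
        [Switch]
        $ValidatedOnly
    )

    process {
        try {
            # 'Children' restricts the ACE to immediate children of the target; 'Descendents' lets it inherit down the tree.
            if ($NoInheritance.IsPresent) {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Children'
            } else {
                $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]'Descendents'
            }

            # Class GUID the ACE is scoped to (InheritedObjectType): looked up from the name table or taken as given.
            switch ($PSCmdlet.ParameterSetName) {
                'ByTypeName' { $InheritanceObjectType = $Script:GuidTable[$ObjectTypeName] }
                'ByGuid'     { $InheritanceObjectType = $ObjectTypeGuid }
            }

            if ($ValidatedOnly.IsPresent) {
                $ActiveDirectoryRights = 'Self'
            } else {
                $ActiveDirectoryRights = 'WriteProperty'
            }

            $AceParams = @{
                TargetDN              = $TargetDN
                DelegateDN            = $DelegateDN
                ActiveDirectoryRights = $ActiveDirectoryRights
                # Honour the caller's choice: this used to be hard-coded to 'Allow', so -AccessType Deny silently produced an Allow ACE.
                AccessControlType     = $AccessType
                ObjectType            = $Script:GuidTable['servicePrincipalName']
                InheritanceType       = $InheritanceType
                InheritedObjectType   = $InheritanceObjectType
            }
            Add-DSACLCustom @AceParams

        } catch {
            throw
        }
    }
}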
'All' 52 | } 53 | 54 | } 55 | } -------------------------------------------------------------------------------- /Source/Public/ConvertFrom-DSACLObjectTypeGuid.ps1: -------------------------------------------------------------------------------- 1 | function ConvertFrom-DSACLObjectTypeGuid { 2 | [CmdletBinding(DefaultParameterSetName='Access')] 3 | param ( 4 | [Parameter(Mandatory, ParameterSetName='Access', ValueFromPipeline)] 5 | [Alias('ACE')] 6 | [Alias('Access')] 7 | [System.DirectoryServices.ActiveDirectoryAccessRule] 8 | $AccessRule, 9 | 10 | [Parameter(Mandatory, ParameterSetName='Audit', ValueFromPipeline)] 11 | [Alias('Audit')] 12 | [System.DirectoryServices.ActiveDirectoryAuditRule] 13 | $AuditRule 14 | ) 15 | 16 | begin { 17 | try { 18 | $null = Get-Variable -Name DSACLAttributeGuid -Scope Script -ErrorAction Stop 19 | } 20 | catch { 21 | $null = Register-DSACLRightsMapVariable -Scope Script 22 | } 23 | } 24 | 25 | process { 26 | switch($PSCmdlet.ParameterSetName) { 27 | 'Access' { 28 | $ObjectFlags = $AccessRule.ObjectFlags 29 | $ActiveDirectoryRights = $AccessRule.ActiveDirectoryRights 30 | $ObjectType = $AccessRule.ObjectType 31 | } 32 | 33 | 'Audit' { 34 | $ObjectFlags = $AuditRule.ObjectFlags 35 | $ActiveDirectoryRights = $AuditRule.ActiveDirectoryRights 36 | $ObjectType = $AuditRule.ObjectType 37 | } 38 | } 39 | if ($ObjectFlags.HasFlag([System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) { 40 | 41 | # Check for Extended Access Rights 42 | if ( $ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) ) { 43 | if($Script:DSACLExtendedGuid.ContainsKey($ObjectType.ToString())) { 44 | return $Script:DSACLExtendedGuid[$ObjectType.ToString()] 45 | } 46 | } 47 | 48 | # Validated (Self) and not WriteProperty, check in extended map 49 | if ( 50 | -not $ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and 51 | 
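<#
.SYNOPSIS
Returns the well-known default Users or Computers container of a domain.

.DESCRIPTION
Locates the domain object (the single domain found when DomainDN is omitted, otherwise the one
with the given DistinguishedName), then reads its wellKnownObjects attribute and emits a
DSACLDefaultContainerConfig for the entry that matches the requested container type.

.EXAMPLE
Get-DSACLDefaultContainer -Type Users
#>
function Get-DSACLDefaultContainer {
    [CmdletBinding()]
    param (
        # DistinguishedName of the domain to query. When omitted, exactly one domain must be found.
        $DomainDN,

        # Which well-known container to return.
        [ValidateSet('Users','Computers')]
        [string]
        $Type = 'Computers'
    )
    if (-not $PSBoundParameters.ContainsKey('DomainDN')) {
        $LDAPFilter = '(objectclass=domain)'
    } else {
        # Escape the RFC 4515 filter metacharacters ('\', '*', '(', ')', NUL) before interpolating the
        # caller-supplied DN, so the value cannot alter the filter structure. Backslash goes first so
        # the escapes produced by the later replacements are not escaped again.
        $EscapedDN = [string]$DomainDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
        $LDAPFilter = "(distinguishedname=$EscapedDN)"
    }

    $Domains = Find-LDAPObject -LDAPFilter $LDAPFilter
    if ($null -eq $Domains) {
        throw 'Domain not found, please specify correct DomainDN'
    }
    if ($Domains.Count -gt 1) {
        throw 'More than one domain found, please specify DomainDN'
    }

    # wellKnownObjects entries look like 'B:32:<guid>:<DN>'; the pattern table selects the entry for
    # $Type and exposes the 'prefix' and 'DN' named captures read below.
    $Domains.wellknownobjects |
        Where-Object -FilterScript { $_ -match $Script:DefaultContainersPatternTable[$Type] } |
        ForEach-Object -Process {
            if ($Matches.ContainsKey('DN')) {
                [DSACLDefaultContainerConfig]::new(
                    'Default{0}Container' -f $Type,
                    $Matches['DN'],
                    $Matches['prefix'],
                    # Index of the entry, needed by Set-DSACLDefaultContainer to replace it in place.
                    $Domains.wellknownobjects.IndexOf($_),
                    $Domains.distinguishedname
                )
            }
        }
}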
| #> 10 | function New-DSACLAccessRule { 11 | [CmdletBinding()] 12 | param ( 13 | # SID of principal that will rule will apply to 14 | [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 15 | [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 16 | [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 17 | [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 18 | [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 19 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] 20 | [System.Security.Principal.SecurityIdentifier] 21 | $Identity, 22 | 23 | # List of access rights that should be applied 24 | [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipelineByPropertyName = $true)] 25 | [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)] 26 | [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)] 27 | [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)] 28 | [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)] 29 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)] 30 | [System.DirectoryServices.ActiveDirectoryRights[]] 31 | $ActiveDirectoryRights, 32 | 33 | # Sets allow or deny 34 | [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipelineByPropertyName = $true)] 35 | [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)] 36 | [Parameter(Mandatory = $true, ParameterSetName 
= '3', ValueFromPipelineByPropertyName = $true)] 37 | [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)] 38 | [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)] 39 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)] 40 | [System.Security.AccessControl.AccessControlType] 41 | $AccessControlType, 42 | 43 | # Sets guid where access right should apply 44 | [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)] 45 | [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)] 46 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)] 47 | [Guid] 48 | $ObjectType, 49 | 50 | # Sets if and how this rule should be inherited 51 | [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)] 52 | [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)] 53 | [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)] 54 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)] 55 | [System.DirectoryServices.ActiveDirectorySecurityInheritance] 56 | $InheritanceType, 57 | 58 | # Sets guid of object types that should inherit this rule 59 | [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)] 60 | [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)] 61 | [Guid] 62 | $InheritedObjectType 63 | ) 64 | process { 65 | switch ($PSCmdlet.ParameterSetName) { 66 | '1' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AccessControlType} 67 | '2' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AccessControlType, $InheritanceType} 68 | '3' {$ArgumentList = $Identity, $ActiveDirectoryRights, 
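<#
.Synopsis
Create a System Access Control Entry (audit rule) for an Active Directory ACL
.DESCRIPTION
Builds a System.DirectoryServices.ActiveDirectoryAuditRule from the supplied SID, rights and audit flags.
Which of ObjectType, InheritanceType and InheritedObjectType are supplied selects the parameter set,
and each set maps to the matching ActiveDirectoryAuditRule constructor overload.
.EXAMPLE
New-DSACLAuditRule -Identity $SID -ActiveDirectoryRights 'CreateChild', 'DeleteChild' -AuditFlags Success, Failure -ObjectType $TypeGuid -InheritanceType None
Create an audit rule for successful and failed attempts by the principal with SID $SID to create and delete objects of type $TypeGuid on "this object only"
#>
function New-DSACLAuditRule {
    [CmdletBinding()]
    [OutputType([System.DirectoryServices.ActiveDirectoryAuditRule])]
    param (
        # SID of the principal the rule will apply to
        [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [System.Security.Principal.SecurityIdentifier]
        $Identity,

        # List of access rights whose use should be audited
        [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)]
        [System.DirectoryServices.ActiveDirectoryRights[]]
        $ActiveDirectoryRights,

        # Audit Success, Failure or both
        [Parameter(Mandatory = $true, ParameterSetName = '1', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)]
        [System.Security.AccessControl.AuditFlags]
        $AuditFlags,

        # GUID of the attribute, property set, extended right or class the rule applies to
        [Parameter(Mandatory = $true, ParameterSetName = '4', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)]
        [Guid]
        $ObjectType,

        # Sets if and how this rule should be inherited
        [Parameter(Mandatory = $true, ParameterSetName = '2', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '5', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]
        $InheritanceType,

        # GUID of the object class that should inherit this rule
        [Parameter(Mandatory = $true, ParameterSetName = '3', ValueFromPipelineByPropertyName = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = '6', ValueFromPipelineByPropertyName = $true)]
        [Guid]
        $InheritedObjectType
    )
    process {
        # Argument order follows the ActiveDirectoryAuditRule constructor overloads; only the
        # parameters present in the resolved set are passed so the right overload is chosen.
        switch ($PSCmdlet.ParameterSetName) {
            '1' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags}
            '2' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags, $InheritanceType}
            '3' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags, $InheritanceType, $InheritedObjectType}
            '4' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags, $ObjectType}
            '5' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags, $ObjectType, $InheritanceType}
            '6' {$ArgumentList = $Identity, $ActiveDirectoryRights, $AuditFlags, $ObjectType, $InheritanceType, $InheritedObjectType}
        }
        New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ArgumentList
    }
}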
'Global' 7 | ) 8 | $rootDSE = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList 'LDAP://RootDSE' 9 | 10 | # Create empty hash-tables 11 | $ClassName = @{} 12 | $ClassGuid = @{} 13 | $AttributeName = @{} 14 | $AttributeGuid = @{} 15 | $ExtendedName = @{} 16 | $ExtendedGuid = @{} 17 | $ValidatedWriteName = @{} 18 | $ValidatedWriteGuid = @{} 19 | $PropertySetName = @{} 20 | $PropertySetGuid = @{} 21 | 22 | # Locate Classes 23 | $Params = @{ 24 | SearchBase = $rootDSE.SchemaNamingContext.Value 25 | LDAPFilter = '(&(objectClass=classSchema)(schemaIDGUID=*))' 26 | Property = @('lDAPDisplayName', 'schemaIDGUID') 27 | } 28 | Find-LDAPObject @Params | ForEach-Object { 29 | $ClassName[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID 30 | $ClassGuid[[string][guid]$_.schemaIDGUID]=$_.lDAPDisplayName 31 | } 32 | 33 | # Locate Attributes 34 | $Params = @{ 35 | SearchBase = $rootDSE.SchemaNamingContext.Value 36 | LDAPFilter = '(&(objectClass=attributeSchema)(schemaIDGUID=*))' 37 | Property = @('lDAPDisplayName', 'schemaIDGUID') 38 | } 39 | Find-LDAPObject @Params | ForEach-Object { 40 | $AttributeName[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID 41 | $AttributeGuid[[string][guid]$_.schemaIDGUID]=$_.lDAPDisplayName 42 | } 43 | 44 | # Info on AccessRights found here: https://docs.microsoft.com/en-us/windows/desktop/ad/creating-a-control-access-right 45 | # Locate Extended Rights 46 | $Params = @{ 47 | SearchBase = $rootDSE.ConfigurationNamingContext 48 | LDAPFilter = '(&(objectclass=controlAccessRight)(rightsGUID=*)(validAccesses=256))' 49 | Property = @('displayName','rightsGUID') 50 | } 51 | Find-LDAPObject @Params | ForEach-Object { 52 | $ExtendedName[$_.displayName]=[System.GUID]$_.rightsGUID 53 | $ExtendedGuid[$_.rightsGUID]=$_.displayName 54 | } 55 | 56 | # Locate Validated Writes 57 | $Params = @{ 58 | SearchBase = $rootDSE.ConfigurationNamingContext 59 | LDAPFilter = '(&(objectclass=controlAccessRight)(rightsGUID=*)(validAccesses=8))' 60 | 
Property = @('displayName','rightsGUID') 61 | } 62 | Find-LDAPObject @Params | ForEach-Object { 63 | $ValidatedWriteName[$_.displayName]=[System.GUID]$_.rightsGUID 64 | $ValidatedWriteGuid[$_.rightsGUID]=$_.displayName 65 | } 66 | 67 | # Locate Property Sets 68 | $Params = @{ 69 | SearchBase = $rootDSE.ConfigurationNamingContext 70 | LDAPFilter = '(&(objectclass=controlAccessRight)(rightsGUID=*)(validAccesses=48))' 71 | Property = @('displayName','rightsGUID') 72 | } 73 | Find-LDAPObject @Params | ForEach-Object { 74 | $PropertySetName[$_.displayName]=[System.GUID]$_.rightsGUID 75 | $PropertySetGuid[$_.rightsGUID]=$_.displayName 76 | } 77 | 78 | $( 79 | New-Variable -Scope $Scope -Name DSACLClassName -Value $ClassName -Description 'Maps Active Directory Class names to GUIDs' -Option ReadOnly -Force -PassThru 80 | New-Variable -Scope $Scope -Name DSACLClassGuid -Value $ClassGuid -Description 'Maps Active Directory Class GUIDs to names' -Option ReadOnly -Force -PassThru 81 | New-Variable -Scope $Scope -Name DSACLAttributeName -Value $AttributeName -Description 'Maps Active Directory Attribute names to GUIDs' -Option ReadOnly -Force -PassThru 82 | New-Variable -Scope $Scope -Name DSACLAttributeGuid -Value $AttributeGuid -Description 'Maps Active Directory Attribute GUIDs to names' -Option ReadOnly -Force -PassThru 83 | New-Variable -Scope $Scope -Name DSACLExtendedName -Value $ExtendedName -Description 'Maps Active Directory Extended Right names to GUIDs' -Option ReadOnly -Force -PassThru 84 | New-Variable -Scope $Scope -Name DSACLExtendedGuid -Value $ExtendedGuid -Description 'Maps Active Directory Extended Right GUIDs to names' -Option ReadOnly -Force -PassThru 85 | New-Variable -Scope $Scope -Name DSACLValidatedWriteName -Value $ValidatedWriteName -Description 'Maps Active Directory ValidatedWrite names to GUIDs' -Option ReadOnly -Force -PassThru 86 | New-Variable -Scope $Scope -Name DSACLValidatedWriteGuid -Value $ValidatedWriteGuid -Description 'Maps Active 
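<#
.SYNOPSIS
Resolves a schema or rights GUID to the Active Directory names it is known by.
.DESCRIPTION
Looks the GUID up in the DSACL*Guid maps registered by Register-DSACLRightsMapVariable and
returns an object with one property per map in which the GUID was found (Attribute, Class,
ExtendedRight, PropertySet, ValidatedWrite). A GUID present in several maps, such as an
attribute that is also a validated write, yields several properties.
.EXAMPLE
Resolve-DSACLGuid -Guid 'f3a64788-5306-11d1-a9c5-0000f80367c1'
#>
function Resolve-DSACLGuid {
    [CmdletBinding()]
    param (
        # GUID to resolve (a schemaIDGUID or a rightsGUID)
        [Parameter(ValueFromPipeline)]
        [guid]$Guid
    )

    begin {
        # Populate the GUID maps in script scope on first use.
        try {
            $null = Get-Variable -Name DSACLAttributeGuid -Scope Script -ErrorAction Stop
        }
        catch {
            $null = Register-DSACLRightsMapVariable -Scope Script
        }
    }

    process {
        # All *Guid maps are keyed by the GUID's string form; the *Name maps are keyed by display name.
        $Key = $Guid.ToString()
        $Result = [ordered]@{}
        if ($DSACLAttributeGuid.ContainsKey($Key)) {
            $Result.Add('Attribute', $DSACLAttributeGuid[$Key])
        }
        if ($DSACLClassGuid.ContainsKey($Key)) {
            $Result.Add('Class', $DSACLClassGuid[$Key])
        }
        if ($DSACLExtendedGuid.ContainsKey($Key)) {
            $Result.Add('ExtendedRight', $DSACLExtendedGuid[$Key])
        }
        if ($DSACLPropertySetGuid.ContainsKey($Key)) {
            $Result.Add('PropertySet', $DSACLPropertySetGuid[$Key])
        }
        # Previously consulted DSACLValidatedWriteName, which is keyed by name, so a validated-write
        # GUID never resolved here.
        if ($DSACLValidatedWriteGuid.ContainsKey($Key)) {
            $Result.Add('ValidatedWrite', $DSACLValidatedWriteGuid[$Key])
        }
        [pscustomobject]$Result
    }

}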
Resolve-DSACLObjectName { 2 | [CmdletBinding()] 3 | param ( 4 | [string]$Name 5 | ) 6 | 7 | begin { 8 | try { 9 | $null = Get-Variable -Name DSACLAttributeGuid -Scope Script -ErrorAction Stop 10 | } 11 | catch { 12 | $null = Register-DSACLRightsMapVariable -Scope Script 13 | } 14 | } 15 | 16 | process { 17 | $Result = [ordered]@{} 18 | if($DSACLAttributeName.ContainsKey($Name)) { 19 | $Result.Add('Attribute',$DSACLAttributeName[$Name]) 20 | } 21 | if($DSACLClassName.ContainsKey($Name)) { 22 | $Result.Add('Class',$DSACLClassName[$Name]) 23 | } 24 | if($DSACLExtendedName.ContainsKey($Name)) { 25 | $Result.Add('ExtendedRight',$DSACLExtendedName[$Name]) 26 | } 27 | if($DSACLPropertySetName.ContainsKey($Name)) { 28 | $Result.Add('PropertySet',$DSACLPropertySetName[$Name]) 29 | } 30 | if($DSACLValidatedWriteName.ContainsKey($Name)) { 31 | $Result.Add('ValidatedWrite',$DSACLValidatedWriteName[$Name]) 32 | } 33 | [pscustomobject]$Result 34 | } 35 | 36 | } -------------------------------------------------------------------------------- /Source/Public/Set-DSACLDefaultContainer.ps1: -------------------------------------------------------------------------------- 1 | function Set-DSACLDefaultContainer { 2 | [CmdletBinding()] 3 | param ( 4 | [string] 5 | $DomainDN, 6 | 7 | [ValidateSet('Users','Computers')] 8 | [string] 9 | $Type = 'Computers', 10 | 11 | [string] 12 | $NewValue 13 | ) 14 | 15 | $null = $PSBoundParameters.Remove('NewValue') 16 | $ContainerObject = Get-DSACLDefaultContainer @PSBoundParameters 17 | 18 | if($ContainerObject.Index -ge 0 ) { 19 | $FullNewValue = '{0}{1}' -f $ContainerObject.Prefix, $NewValue 20 | $DirectoryEntry = Get-LDAPObject -DistinguishedName $ContainerObject.DomainDN 21 | $DirectoryEntry.wellKnownObjects.RemoveAt($ContainerObject.Index) 22 | $null = $DirectoryEntry.wellKnownObjects.Add($FullNewValue) 23 | Set-DSACLObject -DirectoryEntry $DirectoryEntry 24 | } else { 25 | throw 'Failed to locate wellknown container.' 
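<#
.SYNOPSIS
Sets ms-DS-MachineAccountQuota on the domain naming context.
.DESCRIPTION
Reads defaultNamingContext from RootDSE, then writes Quota to the ms-DS-MachineAccountQuota
attribute of that domain object. ms-DS-MachineAccountQuota limits how many computer accounts an
authenticated user without explicit create rights may join to the domain; 0 turns that off.
Supports -WhatIf and -Confirm.
.EXAMPLE
Set-DSACLMachineAccountQuota -Quota 0
#>
function Set-DSACLMachineAccountQuota {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # New quota value. Negative values have no meaning for this attribute and are rejected.
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]
        $Quota
    )
    try {
        $DefaultNamingContextDN = Get-LdapObject -DistinguishedName RootDse | Select-Object -ExpandProperty defaultNamingContext
        $DefaultNamingContext = Get-LdapObject -DistinguishedName $DefaultNamingContextDN
        # Domain-wide change, so honour -WhatIf/-Confirm like Set-DSACLOwner does.
        if ($PSCmdlet.ShouldProcess($DefaultNamingContextDN, "Set ms-DS-MachineAccountQuota to $Quota")) {
            $DefaultNamingContext.'ms-DS-MachineAccountQuota' = $Quota
            Set-DSACLObject -DirectoryEntry $DefaultNamingContext
        }
    } catch {
        throw
    }
}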
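# Well-known schema, extended-right and validated-write GUIDs, used by the Add-DSACL* functions
# when the caller passes a name rather than a GUID. Several names share a GUID on purpose
# (e.g. 'member' and 'self-membership', or an attribute and its validated write).
$Script:GuidTable = @{
    'Account Restrictions' = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
    'All' = [guid]'00000000-0000-0000-0000-000000000000'
    'CN' = [guid]'bf96793f-0de6-11d0-a285-00aa003049e2'
    'Computer' = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    'Contact' = [guid]'5cb41ed0-0e4c-11d0-a286-00aa003049e2'
    'distinguishedName' = [guid]'bf9679e4-0de6-11d0-a285-00aa003049e2'
    'dNSHostName' = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'DNS Host Name Attributes' = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'gPLink' = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
    'Group' = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    'GroupManagedServiceAccount' = [guid]'7b8b558a-93a5-4af7-adca-c017e67f1057'
    'ManagedServiceAccount' = [guid]'ce206244-5827-4a86-ba1c-1c0c386c1b64'
    'member' = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    'name' = [guid]'bf967a0e-0de6-11d0-a285-00aa003049e2'
    'OrganizationalUnit' = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'
    'PwdLastSet' = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
    'ResetPassword' = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'sAMAccountName' = [guid]'3e0abfd0-126a-11d0-a060-00aa006c33ed'
    'self-membership' = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    'servicePrincipalName' = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    'User' = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    'userParameters' = [guid]'bf967a6d-0de6-11d0-a285-00aa003049e2'
    'Validated write to DNS host name' = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'Validated write to service principal name' = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
}

# Patterns that pick the default-container entry out of a domain's wellKnownObjects attribute.
# Entries look like 'B:32:<guid>:<DN>'. The named groups 'prefix' and 'DN' are what
# Get-DSACLDefaultContainer reads from $Matches; without the group names the lookups fail.
$Script:DefaultContainersPatternTable = @{
    Computers = '^(?<prefix>B:32:AA312825768811D1ADED00C04FD8D5CD:)(?<DN>.+)$'
    Users     = '^(?<prefix>B:32:A9D1CA15768811D1ADED00C04FD8D5CD:)(?<DN>.+)$'
}

#$Script:RightsMapLoaded = $false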
help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLCreateChild 9 | 10 | ## SYNOPSIS 11 | Give Delegate rights to create objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLCreateChild -TargetDN -DelegateDN -ObjectTypeName 18 | [-AccessType ] [-NoInheritance] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLCreateChild -TargetDN -DelegateDN -ObjectTypeGuid 24 | [-AccessType ] [-NoInheritance] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Give Delegate rights to create objects of selected type in target (usually an Organizational Unit) 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLCreateChild -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $UserAdminGroup access to create user objects in 38 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 
39 | 40 | ## PARAMETERS 41 | 42 | ### -AccessType 43 | Specifies if the Access Control Entry is Allow or Deny 44 | 45 | ```yaml 46 | Type: AccessControlType 47 | Parameter Sets: (All) 48 | Aliases: 49 | Accepted values: Allow, Deny 50 | 51 | Required: False 52 | Position: Named 53 | Default value: None 54 | Accept pipeline input: False 55 | Accept wildcard characters: False 56 | ``` 57 | 58 | ### -DelegateDN 59 | DistinguishedName of the group or user to give permissions to. 60 | 61 | ```yaml 62 | Type: String 63 | Parameter Sets: (All) 64 | Aliases: 65 | 66 | Required: True 67 | Position: Named 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -NoInheritance 74 | Switch parameter that disables inheritance when delegating, so the rule applies to the target object only and not to sub-OUs 75 | 76 | ```yaml 77 | Type: SwitchParameter 78 | Parameter Sets: (All) 79 | Aliases: 80 | 81 | Required: False 82 | Position: Named 83 | Default value: None 84 | Accept pipeline input: False 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -ObjectTypeGuid 89 | Schema GUID of the object class the delegate may create; used for object types not covered by -ObjectTypeName 90 | 91 | ```yaml 92 | Type: Guid 93 | Parameter Sets: ByGuid 94 | Aliases: 95 | 96 | Required: True 97 | Position: Named 98 | Default value: None 99 | Accept pipeline input: False 100 | Accept wildcard characters: False 101 | ``` 102 | 103 | ### -ObjectTypeName 104 | Object type the delegate is allowed to create in the target. Choose the narrowest type that fits the task rather than All. 105 | 106 | ```yaml 107 | Type: String 108 | Parameter Sets: ByTypeName 109 | Aliases: 110 | Accepted values: Computer, Contact, Group, ManagedServiceAccount, GroupManagedServiceAccount, User, All 111 | 112 | Required: True 113 | Position: Named 114 | Default value: None 115 | Accept pipeline input: False 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -TargetDN 120 | DistinguishedName of object to modify ACL on, usually an OU 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: True 128 | Position: Named 
129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName, ByValue) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### CommonParameters 135 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 136 | 137 | ## INPUTS 138 | 139 | ### System.String 140 | 141 | ## OUTPUTS 142 | 143 | ### System.Object 144 | ## NOTES 145 | 146 | ## RELATED LINKS 147 | -------------------------------------------------------------------------------- /docs/Add-DSACLCustom.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLCustom 9 | 10 | ## SYNOPSIS 11 | Give Delegate custom rights in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### Delegate (Default) 16 | ``` 17 | Add-DSACLCustom -TargetDN -DelegateDN -ActiveDirectoryRights 18 | -AccessControlType [-ObjectType ] 19 | [-InheritanceType ] [-InheritedObjectType ] [] 20 | ``` 21 | 22 | ### Sid 23 | ``` 24 | Add-DSACLCustom -TargetDN -SID -ActiveDirectoryRights 25 | -AccessControlType [-ObjectType ] 26 | [-InheritanceType ] [-InheritedObjectType ] [] 27 | ``` 28 | 29 | ### Self 30 | ``` 31 | Add-DSACLCustom -TargetDN [-Self] -ActiveDirectoryRights 32 | -AccessControlType [-ObjectType ] 33 | [-InheritanceType ] [-InheritedObjectType ] [] 34 | ``` 35 | 36 | ## DESCRIPTION 37 | Used to delegate any custom rights in Active Directory. 38 | Requires knowledge of creating ActiveDirectoryAccessRules, so use with caution: nothing in this cmdlet limits what can be granted. Rights such as GenericAll, WriteDacl or WriteOwner on an OU amount to full control of everything beneath it, so review the rule (including how -ObjectType and -InheritanceType scope it) before applying it, and prefer the purpose-built Add-DSACL* cmdlets where one covers the need. 
39 | 40 | ## EXAMPLES 41 | 42 | ### Example 1 43 | ```powershell 44 | PS C:\> {{ Add example code here }} 45 | ``` 46 | 47 | {{ Add example description here }} 48 | 49 | ## PARAMETERS 50 | 51 | ### -AccessControlType 52 | Specifies if the Access Control Entry is Allow or Deny 53 | 54 | ```yaml 55 | Type: AccessControlType 56 | Parameter Sets: (All) 57 | Aliases: 58 | Accepted values: Allow, Deny 59 | 60 | Required: True 61 | Position: Named 62 | Default value: None 63 | Accept pipeline input: False 64 | Accept wildcard characters: False 65 | ``` 66 | 67 | ### -ActiveDirectoryRights 68 | List of access rights that should be applied 69 | 70 | ```yaml 71 | Type: ActiveDirectoryRights[] 72 | Parameter Sets: (All) 73 | Aliases: 74 | Accepted values: CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity 75 | 76 | Required: True 77 | Position: Named 78 | Default value: None 79 | Accept pipeline input: False 80 | Accept wildcard characters: False 81 | ``` 82 | 83 | ### -DelegateDN 84 | DistinguishedName of group or user to give permissions to. 
85 | 86 | ```yaml 87 | Type: String 88 | Parameter Sets: Delegate 89 | Aliases: 90 | 91 | Required: True 92 | Position: Named 93 | Default value: None 94 | Accept pipeline input: False 95 | Accept wildcard characters: False 96 | ``` 97 | 98 | ### -InheritanceType 99 | Sets if and how this rule should be inherited by objects below the target 100 | 101 | ```yaml 102 | Type: ActiveDirectorySecurityInheritance 103 | Parameter Sets: (All) 104 | Aliases: 105 | Accepted values: None, All, Descendents, SelfAndChildren, Children 106 | 107 | Required: False 108 | Position: Named 109 | Default value: None 110 | Accept pipeline input: False 111 | Accept wildcard characters: False 112 | ``` 113 | 114 | ### -InheritedObjectType 115 | Schema GUID of the object class that should inherit this rule; use it together with -InheritanceType 116 | 117 | ```yaml 118 | Type: Guid 119 | Parameter Sets: (All) 120 | Aliases: 121 | 122 | Required: False 123 | Position: Named 124 | Default value: None 125 | Accept pipeline input: False 126 | Accept wildcard characters: False 127 | ``` 128 | 129 | ### -ObjectType 130 | Optional GUID (attribute, property set or extended right) that scopes the access right; without it the rule is not restricted to a particular attribute or right 131 | 132 | ```yaml 133 | Type: Guid 134 | Parameter Sets: (All) 135 | Aliases: 136 | 137 | Required: False 138 | Position: Named 139 | Default value: None 140 | Accept pipeline input: False 141 | Accept wildcard characters: False 142 | ``` 143 | 144 | ### -SID 145 | Security Identifier (SID) of the principal to give permissions to, as an alternative to -DelegateDN 146 | 147 | ```yaml 148 | Type: String 149 | Parameter Sets: Sid 150 | Aliases: 151 | 152 | Required: True 153 | Position: Named 154 | Default value: None 155 | Accept pipeline input: False 156 | Accept wildcard characters: False 157 | ``` 158 | 159 | ### -Self 160 | Give access to "Self" instead of a user or group 161 | 162 | ```yaml 163 | Type: SwitchParameter 164 | Parameter Sets: Self 165 | Aliases: 166 | 167 | Required: True 168 | Position: Named 169 | Default value: None 170 | Accept pipeline input: False 171 | Accept wildcard characters: False 172 | ``` 173 | 174 | ### -TargetDN 175 | DistinguishedName of 
object to modify ACL on. Usually an OU. 176 | 177 | ```yaml 178 | Type: String 179 | Parameter Sets: (All) 180 | Aliases: 181 | 182 | Required: True 183 | Position: Named 184 | Default value: None 185 | Accept pipeline input: False 186 | Accept wildcard characters: False 187 | ``` 188 | 189 | ### CommonParameters 190 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 191 | 192 | ## INPUTS 193 | 194 | ### None 195 | 196 | ## OUTPUTS 197 | 198 | ### System.Object 199 | ## NOTES 200 | 201 | ## RELATED LINKS 202 | -------------------------------------------------------------------------------- /docs/Add-DSACLDeleteChild.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLDeleteChild 9 | 10 | ## SYNOPSIS 11 | Give Delegate rights to delete objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLDeleteChild -TargetDN -DelegateDN -ObjectTypeName 18 | [-AccessType ] [-NoInheritance] [-IncludeChildren] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLDeleteChild -TargetDN -DelegateDN -ObjectTypeGuid 24 | [-AccessType ] [-NoInheritance] [-IncludeChildren] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Give Delegate rights to delete objects of selected type in target (usually an OU) 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLDeleteChild -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $UserAdminGroup access to delete user objects in 38 | the OU with 
DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance and limit the rule to the OU itself. 39 | 40 | ## PARAMETERS 41 | 42 | ### -AccessType 43 | Specifies if the Access Control Entry is Allow or Deny 44 | 45 | ```yaml 46 | Type: AccessControlType 47 | Parameter Sets: (All) 48 | Aliases: 49 | Accepted values: Allow, Deny 50 | 51 | Required: False 52 | Position: Named 53 | Default value: None 54 | Accept pipeline input: False 55 | Accept wildcard characters: False 56 | ``` 57 | 58 | ### -DelegateDN 59 | DistinguishedName of group or user to give permissions to. 60 | 61 | ```yaml 62 | Type: String 63 | Parameter Sets: (All) 64 | Aliases: 65 | 66 | Required: True 67 | Position: Named 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -IncludeChildren 74 | Adds the DeleteTree right, which allows deleting an object together with all of its child objects in one operation 75 | 76 | This is often required for deleting computer objects 77 | 78 | ```yaml 79 | Type: SwitchParameter 80 | Parameter Sets: (All) 81 | Aliases: 82 | 83 | Required: False 84 | Position: Named 85 | Default value: None 86 | Accept pipeline input: False 87 | Accept wildcard characters: False 88 | ``` 89 | 90 | ### -NoInheritance 91 | Sets access right to "This object only" 92 | 93 | ```yaml 94 | Type: SwitchParameter 95 | Parameter Sets: (All) 96 | Aliases: 97 | 98 | Required: False 99 | Position: Named 100 | Default value: None 101 | Accept pipeline input: False 102 | Accept wildcard characters: False 103 | ``` 104 | 105 | ### -ObjectTypeGuid 106 | Schema GUID of the object class the delegate may delete; used for object types not covered by -ObjectTypeName 107 | 108 | ```yaml 109 | Type: Guid 110 | Parameter Sets: ByGuid 111 | Aliases: 112 | 113 | Required: True 114 | Position: Named 115 | Default value: None 116 | Accept pipeline input: False 117 | Accept wildcard characters: False 118 | ``` 119 | 120 | ### -ObjectTypeName 121 | Object type the delegate is allowed to delete in the target. Choose the narrowest type that fits the task rather than All. 122 | 123 | ```yaml 124 | Type: 
String 125 | Parameter Sets: ByTypeName 126 | Aliases: 127 | Accepted values: Computer, Contact, Group, ManagedServiceAccount, GroupManagedServiceAccount, User, All 128 | 129 | Required: True 130 | Position: Named 131 | Default value: None 132 | Accept pipeline input: False 133 | Accept wildcard characters: False 134 | ``` 135 | 136 | ### -TargetDN 137 | DistinguishedName of object to modify ACL on. Usually an OU. 138 | 139 | ```yaml 140 | Type: String 141 | Parameter Sets: (All) 142 | Aliases: 143 | 144 | Required: True 145 | Position: Named 146 | Default value: None 147 | Accept pipeline input: True (ByPropertyName, ByValue) 148 | Accept wildcard characters: False 149 | ``` 150 | 151 | ### CommonParameters 152 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
153 | 154 | ## INPUTS 155 | 156 | ### System.String 157 | 158 | ## OUTPUTS 159 | 160 | ### System.Object 161 | ## NOTES 162 | 163 | ## RELATED LINKS 164 | -------------------------------------------------------------------------------- /docs/Add-DSACLFullControl.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLFullControl 9 | 10 | ## SYNOPSIS 11 | Give Delegate FullControl rights on objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLFullControl -TargetDN -DelegateDN -ObjectTypeName 18 | [-AccessType ] [-NoInheritance] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLFullControl -TargetDN -DelegateDN -ObjectTypeGuid 24 | [-AccessType ] [-NoInheritance] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Give Delegate FullControl rights on objects of selected type in target (usually an OU). FullControl is the broadest delegation this module offers; prefer the narrower Add-DSACL* cmdlets (for example Add-DSACLResetPassword or Add-DSACLManageGroupMember) when one of them covers the need. 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLFullControl -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $UserAdminGroup FullControl of user objects in 38 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance and limit the rule to the OU itself. 39 | 40 | ## PARAMETERS 41 | 42 | ### -AccessType 43 | Specifies if the Access Control Entry is Allow or Deny 44 | 45 | ```yaml 46 | Type: AccessControlType 47 | Parameter Sets: (All) 48 | Aliases: 49 | Accepted values: Allow, Deny 50 | 51 | Required: False 52 | Position: Named 53 | Default value: None 54 | Accept pipeline input: False 55 | Accept wildcard characters: False 56 | ``` 57 | 58 | ### -DelegateDN 59 | DistinguishedName of group or user to give permissions to. 
60 | 61 | ```yaml 62 | Type: String 63 | Parameter Sets: (All) 64 | Aliases: 65 | 66 | Required: True 67 | Position: Named 68 | Default value: None 69 | Accept pipeline input: True (ByPropertyName) 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ### -NoInheritance 74 | Sets access right to "This object only" 75 | 76 | ```yaml 77 | Type: SwitchParameter 78 | Parameter Sets: (All) 79 | Aliases: 80 | 81 | Required: False 82 | Position: Named 83 | Default value: None 84 | Accept pipeline input: False 85 | Accept wildcard characters: False 86 | ``` 87 | 88 | ### -ObjectTypeGuid 89 | ObjectType guid, used for custom object types 90 | 91 | ```yaml 92 | Type: Guid 93 | Parameter Sets: ByGuid 94 | Aliases: 95 | 96 | Required: True 97 | Position: Named 98 | Default value: None 99 | Accept pipeline input: False 100 | Accept wildcard characters: False 101 | ``` 102 | 103 | ### -ObjectTypeName 104 | Object type to give full control over 105 | 106 | ```yaml 107 | Type: String 108 | Parameter Sets: ByTypeName 109 | Aliases: 110 | Accepted values: Computer, Contact, Group, ManagedServiceAccount, GroupManagedServiceAccount, User, All 111 | 112 | Required: True 113 | Position: Named 114 | Default value: None 115 | Accept pipeline input: False 116 | Accept wildcard characters: False 117 | ``` 118 | 119 | ### -TargetDN 120 | DistinguishedName of object to modify ACL on. Usually an OU. 121 | 122 | ```yaml 123 | Type: String 124 | Parameter Sets: (All) 125 | Aliases: 126 | 127 | Required: True 128 | Position: Named 129 | Default value: None 130 | Accept pipeline input: True (ByPropertyName, ByValue) 131 | Accept wildcard characters: False 132 | ``` 133 | 134 | ### CommonParameters 135 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 136 | 137 | ## INPUTS 138 | 139 | ### System.String 140 | 141 | ## OUTPUTS 142 | 143 | ### System.Object 144 | ## NOTES 145 | 146 | ## RELATED LINKS 147 | -------------------------------------------------------------------------------- /docs/Add-DSACLJoinDomain.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLJoinDomain 9 | 10 | ## SYNOPSIS 11 | Give DelegateDN rights to join computers in target (usually an OU). 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Add-DSACLJoinDomain [-TargetDN] [-DelegateDN] [-AllowCreate] [-NoInheritance] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Give DelegateDN rights to join computers in target (usually an OU). Without -AllowCreate the delegate can only join computers whose accounts already exist (are pre-staged) in the target. 22 | 23 | ## EXAMPLES 24 | 25 | ### Example 1 26 | ```powershell 27 | PS C:\> Add-DSACLJoinDomain -TargetDN $ComputersOU -DelegateDN $JoinDomainAccounts 28 | ``` 29 | 30 | Will give the group with DistinguishedName in $JoinDomainAccounts rights to join computers whose accounts are in the OU with DistinguishedName in $ComputersOU (and its sub-OUs, unless -NoInheritance is given) to the domain. The computer account must already exist; add -AllowCreate to also permit creating it. Note that this cmdlet has no -AccessType parameter. 31 | 32 | ## PARAMETERS 33 | 34 | ### -AllowCreate 35 | Also grants the right to create computer objects in the target, so computers can be joined without a pre-staged computer account. This widens the delegation from "join existing accounts" to "add new computers to the OU"; grant it only to accounts that should be able to do the latter. 36 | 37 | ```yaml 38 | Type: SwitchParameter 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: False 43 | Position: Named 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### -DelegateDN 50 | DistinguishedName of group or user to give permissions to. 
51 | 52 | ```yaml 53 | Type: String 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: True 58 | Position: 1 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -NoInheritance 65 | Sets access right to "This object only" 66 | 67 | ```yaml 68 | Type: SwitchParameter 69 | Parameter Sets: (All) 70 | Aliases: 71 | 72 | Required: False 73 | Position: Named 74 | Default value: None 75 | Accept pipeline input: False 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### -TargetDN 80 | DistinguishedName of object to modify ACL on. Usually an OU. 81 | 82 | ```yaml 83 | Type: String 84 | Parameter Sets: (All) 85 | Aliases: 86 | 87 | Required: True 88 | Position: 0 89 | Default value: None 90 | Accept pipeline input: False 91 | Accept wildcard characters: False 92 | ``` 93 | 94 | ### CommonParameters 95 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
96 | 97 | ## INPUTS 98 | 99 | ### None 100 | 101 | ## OUTPUTS 102 | 103 | ### System.Object 104 | ## NOTES 105 | 106 | ## RELATED LINKS 107 | -------------------------------------------------------------------------------- /docs/Add-DSACLLinkGPO.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLLinkGPO 9 | 10 | ## SYNOPSIS 11 | Delegate rights to link GPO on target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Add-DSACLLinkGPO [-TargetDN] [-DelegateDN] [[-AccessType] ] 17 | [-NoInheritance] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Delegate rights to link GPO on target (usually an OU) 22 | 23 | ## EXAMPLES 24 | 25 | ### Example 1 26 | ```powershell 27 | PS C:\> Add-DSACLLinkGPO -TargetDN $UsersOU -DelegateDN $GPAdmin -AccessType Allow 28 | ``` 29 | 30 | Will give the group with DistinguishedName in $GPAdmin rights to link GPOs on 31 | the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. 32 | 33 | ## PARAMETERS 34 | 35 | ### -AccessType 36 | Allow or Deny 37 | 38 | ```yaml 39 | Type: AccessControlType 40 | Parameter Sets: (All) 41 | Aliases: 42 | Accepted values: Allow, Deny 43 | 44 | Required: False 45 | Position: 2 46 | Default value: None 47 | Accept pipeline input: False 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ### -DelegateDN 52 | DistinguishedName of group or user to give permissions to. 
53 | 54 | ```yaml 55 | Type: String 56 | Parameter Sets: (All) 57 | Aliases: 58 | 59 | Required: True 60 | Position: 1 61 | Default value: None 62 | Accept pipeline input: True (ByPropertyName) 63 | Accept wildcard characters: False 64 | ``` 65 | 66 | ### -NoInheritance 67 | Sets access right to "This object only" 68 | 69 | ```yaml 70 | Type: SwitchParameter 71 | Parameter Sets: (All) 72 | Aliases: 73 | 74 | Required: False 75 | Position: Named 76 | Default value: None 77 | Accept pipeline input: False 78 | Accept wildcard characters: False 79 | ``` 80 | 81 | ### -TargetDN 82 | DistinguishedName of object to modify ACL on. Usually an OU. 83 | 84 | ```yaml 85 | Type: String 86 | Parameter Sets: (All) 87 | Aliases: 88 | 89 | Required: True 90 | Position: 0 91 | Default value: None 92 | Accept pipeline input: True (ByPropertyName, ByValue) 93 | Accept wildcard characters: False 94 | ``` 95 | 96 | ### CommonParameters 97 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 98 | 99 | ## INPUTS 100 | 101 | ### System.String 102 | 103 | ## OUTPUTS 104 | 105 | ### System.Object 106 | ## NOTES 107 | 108 | ## RELATED LINKS 109 | -------------------------------------------------------------------------------- /docs/Add-DSACLManageGroupMember.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLManageGroupMember 9 | 10 | ## SYNOPSIS 11 | Give Delegate rights to manage members in group(s). 
12 | 13 | ## SYNTAX 14 | 15 | ### OnContainer (Default) 16 | ``` 17 | Add-DSACLManageGroupMember -TargetDN -DelegateDN [-AccessType ] 18 | [-NoInheritance] [] 19 | ``` 20 | 21 | ### OnGroup 22 | ``` 23 | Add-DSACLManageGroupMember -TargetDN -DelegateDN [-AccessType ] 24 | [-DirectOnGroup] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Give Delegate rights to manage members in group(s). Control over a group's membership is effectively control over whatever that group grants, so scope the target OU so that it does not contain privileged groups the delegate should not be able to populate. 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLManageGroupMember -TargetDN $GroupsOU -DelegateDN $AccessAdminGroup -AccessType Allow 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members of any group in the OU with DistinguishedName in $GroupsOU and all sub-OUs. Add -NoInheritance to limit the rule to groups directly in the OU. 38 | 39 | ### Example 2 40 | ```powershell 41 | PS C:\> Add-DSACLManageGroupMember -TargetDN $GroupsOU -DelegateDN $AccessAdminGroup -AccessType Allow -NoInheritance 42 | ``` 43 | 44 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members of any group in the OU with DistinguishedName in $GroupsOU. Will not affect groups in sub-OUs. 45 | 46 | ### Example 3 47 | ```powershell 48 | PS C:\> Add-DSACLManageGroupMember -TargetDN $SpecialGroup -DelegateDN $AccessAdminGroup -AccessType Allow -DirectOnGroup 49 | ``` 50 | 51 | Will give the group with DistinguishedName in $AccessAdminGroup access to manage members of the single group with DistinguishedName in $SpecialGroup. 52 | 53 | ## PARAMETERS 54 | 55 | ### -AccessType 56 | Allow or Deny 57 | 58 | ```yaml 59 | Type: AccessControlType 60 | Parameter Sets: (All) 61 | Aliases: 62 | Accepted values: Allow, Deny 63 | 64 | Required: False 65 | Position: Named 66 | Default value: None 67 | Accept pipeline input: False 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -DelegateDN 72 | DistinguishedName of group or user to give permissions to. 
73 | 74 | ```yaml 75 | Type: String 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: True 80 | Position: Named 81 | Default value: None 82 | Accept pipeline input: True (ByPropertyName) 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -DirectOnGroup 87 | Sets access right to "This object only"; use this when TargetDN is a single group rather than a container. 88 | 89 | ```yaml 90 | Type: SwitchParameter 91 | Parameter Sets: OnGroup 92 | Aliases: 93 | 94 | Required: False 95 | Position: Named 96 | Default value: None 97 | Accept pipeline input: False 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -NoInheritance 102 | Sets access right to "Children". Use this to affect all groups directly in the OU but not groups in sub-OUs. 103 | 104 | ```yaml 105 | Type: SwitchParameter 106 | Parameter Sets: OnContainer 107 | Aliases: 108 | 109 | Required: False 110 | Position: Named 111 | Default value: None 112 | Accept pipeline input: False 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -TargetDN 117 | DistinguishedName of object to modify ACL on. Usually an OU; when it is a group, add -DirectOnGroup. 118 | 119 | ```yaml 120 | Type: String 121 | Parameter Sets: (All) 122 | Aliases: 123 | 124 | Required: True 125 | Position: Named 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName, ByValue) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### CommonParameters 132 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
133 | 134 | ## INPUTS 135 | 136 | ### System.String 137 | 138 | ## OUTPUTS 139 | 140 | ### System.Object 141 | ## NOTES 142 | 143 | ## RELATED LINKS 144 | -------------------------------------------------------------------------------- /docs/Add-DSACLManagerCanUpdateGroupMember.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLManagerCanUpdateGroupMember 9 | 10 | ## SYNOPSIS 11 | Give the group's current manager rights to manage the group's members. 12 | Note that this access stays with that account if the manager changes. 13 | 14 | ## SYNTAX 15 | 16 | ``` 17 | Add-DSACLManagerCanUpdateGroupMember [-TargetDN] [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Grants the account that is currently set as the group's manager the right to manage the group's membership. 22 | The ACE is written for that specific account, not for the "manager" role: if the group gets a new manager, the previous manager keeps the right until the ACE is removed by hand, and the new manager gains nothing until this cmdlet is run again. Re-run it and clean up the old ACE whenever the manager changes. 23 | 24 | ## EXAMPLES 25 | 26 | ### Example 1 27 | ```powershell 28 | PS C:\> Add-DSACLManagerCanUpdateGroupMember -TargetDN $Group 29 | ``` 30 | 31 | Will give the current manager of the group in $Group access to manage members. 32 | Note that this access stays with that account if the manager changes. 33 | 34 | ## PARAMETERS 35 | 36 | ### -TargetDN 37 | DistinguishedName of object to modify ACL on. Has to be a group. 38 | 39 | ```yaml 40 | Type: String 41 | Parameter Sets: (All) 42 | Aliases: 43 | 44 | Required: True 45 | Position: 0 46 | Default value: None 47 | Accept pipeline input: True (ByPropertyName, ByValue) 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ### CommonParameters 52 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
53 | 54 | ## INPUTS 55 | 56 | ### System.String 57 | 58 | ## OUTPUTS 59 | 60 | ### System.Object 61 | ## NOTES 62 | 63 | ## RELATED LINKS 64 | -------------------------------------------------------------------------------- /docs/Add-DSACLMoveObjectFrom.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLMoveObjectFrom 9 | 10 | ## SYNOPSIS 11 | Delegates right to move object of type ObjectTypeName from TargetDN. 12 | Moving also requires create-child rights in the destination container. 13 | 14 | ## SYNTAX 15 | 16 | ``` 17 | Add-DSACLMoveObjectFrom [-ObjectTypeName] [-TargetDN] [-DelegateDN] [-NoInheritance] 18 | [] 19 | ``` 20 | 21 | ## DESCRIPTION 22 | Delegates the rights to rename and delete objects of type ObjectTypeName in TargetDN, which is what moving an object out of a container requires. Note that this also lets the delegate delete those objects outright, not only move them. To complete a move the delegate additionally needs create-child rights for the same object type in the destination container (see Add-DSACLCreateChild). 23 | 24 | ## EXAMPLES 25 | 26 | ### Example 1 27 | ```powershell 28 | PS C:\> Add-DSACLMoveObjectFrom -ObjectTypeName Computer -TargetDN $StagingOU -DelegateDN $ComputerAdminGroup 29 | ``` 30 | 31 | Will give the group with DistinguishedName in $ComputerAdminGroup the rights needed to move (rename and delete) computer objects out of the OU with DistinguishedName in $StagingOU and its sub-OUs. Add -NoInheritance to limit the rule to the OU itself. 32 | 33 | ## PARAMETERS 34 | 35 | ### -DelegateDN 36 | DistinguishedName of group or user to give permissions to. 
37 | 38 | ```yaml 39 | Type: Object 40 | Parameter Sets: (All) 41 | Aliases: 42 | 43 | Required: True 44 | Position: 2 45 | Default value: None 46 | Accept pipeline input: True (ByPropertyName) 47 | Accept wildcard characters: False 48 | ``` 49 | 50 | ### -NoInheritance 51 | Sets access right to "This object only" 52 | 53 | ```yaml 54 | Type: SwitchParameter 55 | Parameter Sets: (All) 56 | Aliases: 57 | 58 | Required: False 59 | Position: Named 60 | Default value: None 61 | Accept pipeline input: False 62 | Accept wildcard characters: False 63 | ``` 64 | 65 | ### -ObjectTypeName 66 | Object type to allow being moved 67 | 68 | ```yaml 69 | Type: String 70 | Parameter Sets: (All) 71 | Aliases: 72 | Accepted values: Computer, Contact, Group, ManagedServiceAccount, GroupManagedServiceAccount, User, All 73 | 74 | Required: True 75 | Position: 0 76 | Default value: None 77 | Accept pipeline input: False 78 | Accept wildcard characters: False 79 | ``` 80 | 81 | ### -TargetDN 82 | DistinguishedName of object to modify ACL on. Usually an OU. 83 | 84 | ```yaml 85 | Type: Object 86 | Parameter Sets: (All) 87 | Aliases: 88 | 89 | Required: True 90 | Position: 1 91 | Default value: None 92 | Accept pipeline input: True (ByPropertyName, ByValue) 93 | Accept wildcard characters: False 94 | ``` 95 | 96 | ### CommonParameters 97 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
98 | 99 | ## INPUTS 100 | 101 | ### System.Object 102 | 103 | ## OUTPUTS 104 | 105 | ### System.Object 106 | ## NOTES 107 | 108 | ## RELATED LINKS 109 | -------------------------------------------------------------------------------- /docs/Add-DSACLRenameObject.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLRenameObject 9 | 10 | ## SYNOPSIS 11 | Give Delegate rights to rename objects in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Add-DSACLRenameObject -ObjectTypeName -TargetDN -DelegateDN [-NoInheritance] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | Give Delegate rights to rename objects of type ObjectTypeName in target (usually an OU) and, unless -NoInheritance is given, in its sub-OUs. 22 | 23 | ## EXAMPLES 24 | 25 | ### Example 1 26 | ```powershell 27 | PS C:\> Add-DSACLRenameObject -ObjectTypeName Computer -TargetDN $ComputersOU -DelegateDN $ComputerAdminGroup 28 | ``` 29 | 30 | Will give the group with DistinguishedName in $ComputerAdminGroup rights to rename computers in the OU with DistinguishedName in $ComputersOU and all sub-OUs. Add -NoInheritance to disable inheritance and limit the rule to the OU itself. Note that this cmdlet has no -AccessType parameter. 31 | 32 | ## PARAMETERS 33 | 34 | ### -DelegateDN 35 | DistinguishedName of group or user to give permissions to. 
36 | 37 | ```yaml 38 | Type: String 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: True 43 | Position: Named 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### -NoInheritance 50 | Sets access right to "This object only" 51 | 52 | ```yaml 53 | Type: SwitchParameter 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: False 58 | Position: Named 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -ObjectTypeName 65 | Object type to allow being renamed 66 | 67 | ```yaml 68 | Type: String 69 | Parameter Sets: (All) 70 | Aliases: 71 | Accepted values: Computer, Contact, Group, ManagedServiceAccount, GroupManagedServiceAccount, User, All 72 | 73 | Required: True 74 | Position: Named 75 | Default value: None 76 | Accept pipeline input: False 77 | Accept wildcard characters: False 78 | ``` 79 | 80 | ### -TargetDN 81 | DistinguishedName of object to modify ACL on. Usually an OU. 82 | 83 | ```yaml 84 | Type: String 85 | Parameter Sets: (All) 86 | Aliases: 87 | 88 | Required: True 89 | Position: Named 90 | Default value: None 91 | Accept pipeline input: False 92 | Accept wildcard characters: False 93 | ``` 94 | 95 | ### CommonParameters 96 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
97 | 98 | ## INPUTS 99 | 100 | ### None 101 | 102 | ## OUTPUTS 103 | 104 | ### System.Object 105 | ## NOTES 106 | 107 | ## RELATED LINKS 108 | -------------------------------------------------------------------------------- /docs/Add-DSACLReplicatingDirectoryChanges.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLReplicatingDirectoryChanges 9 | 10 | ## SYNOPSIS 11 | Give Delegate "Replicating Directory Changes" rights on domain with DistinguishedName in target 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Add-DSACLReplicatingDirectoryChanges [-DelegateDN] [-AllowReplicateSecrets] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | Give Delegate "Replicating Directory Changes" rights on domain with DistinguishedName in target 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> Add-DSACLReplicatingDirectoryChanges -DelegateDN $AADCServiceAccount 27 | ``` 28 | 29 | Will give the service account with DistinguishedName in $AADCServiceAccount the right "Replicating Directory Changes". 30 | Add -AllowReplicateSecrets to grant "Replicating Directory Changes All" instead. Note that "Replicating Directory Changes All" (DS-Replication-Get-Changes-All), combined with "Replicating Directory Changes", lets the delegate replicate password hashes and other secrets for every account in the domain (the technique known as DCSync). Any account holding this right is effectively domain-admin equivalent and must be protected accordingly (Tier 0 credentials, monitored, no interactive logon); grant it only to accounts that genuinely need it, such as an Azure AD Connect service account doing password hash synchronization. 31 | 32 | ## PARAMETERS 33 | 34 | ### -AllowReplicateSecrets 35 | Allow replicating secrets, like passwords (Corresponds to "Replicating Directory Changes All"). This is a highly privileged right; see the note under Example 1. 36 | 37 | ```yaml 38 | Type: SwitchParameter 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: False 43 | Position: Named 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ### -DelegateDN 50 | DistinguishedName of group or user to give permissions to.
51 | 52 | ```yaml 53 | Type: String 54 | Parameter Sets: (All) 55 | Aliases: 56 | 57 | Required: True 58 | Position: 0 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### CommonParameters 65 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 66 | 67 | ## INPUTS 68 | 69 | ### None 70 | 71 | ## OUTPUTS 72 | 73 | ### System.Object 74 | ## NOTES 75 | 76 | ## RELATED LINKS 77 | -------------------------------------------------------------------------------- /docs/Add-DSACLResetPassword.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLResetPassword 9 | 10 | ## SYNOPSIS 11 | Delegate ResetPassword rights on objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLResetPassword -TargetDN -DelegateDN -ObjectTypeName 18 | [-AccessType ] [-NoInheritance] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLResetPassword -TargetDN -DelegateDN -ObjectTypeGuid 24 | [-AccessType ] [-NoInheritance] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Delegate ResetPassword rights on objects of selected type in target (usually an OU) 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLResetPassword -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $UserAdminGroup ResetPassword rights of user objects in the OU with DistinguishedName in $UsersOU and all sub-OUs. 
Add -NoInheritance to disable inheritance. 38 | 39 | ## PARAMETERS 40 | 41 | ### -AccessType 42 | Allow or Deny 43 | 44 | ```yaml 45 | Type: AccessControlType 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Allow, Deny 49 | 50 | Required: False 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: False 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -DelegateDN 58 | DistinguishedName of group or user to give permissions to. 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: True 66 | Position: Named 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -NoInheritance 73 | Sets access right to "This object only" 74 | 75 | ```yaml 76 | Type: SwitchParameter 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: False 81 | Position: Named 82 | Default value: None 83 | Accept pipeline input: False 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ### -ObjectTypeGuid 88 | ObjectType guid, used for custom object types 89 | 90 | ```yaml 91 | Type: Guid 92 | Parameter Sets: ByGuid 93 | Aliases: 94 | 95 | Required: True 96 | Position: Named 97 | Default value: None 98 | Accept pipeline input: False 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -ObjectTypeName 103 | Object type to delegate ResetPassword rights on 104 | 105 | ```yaml 106 | Type: String 107 | Parameter Sets: ByTypeName 108 | Aliases: 109 | Accepted values: User, Computer, ManagedServiceAccount, GroupManagedServiceAccount 110 | 111 | Required: True 112 | Position: Named 113 | Default value: None 114 | Accept pipeline input: False 115 | Accept wildcard characters: False 116 | ``` 117 | 118 | ### -TargetDN 119 | DistinguishedName of object to modify ACL on. Usually an OU. Being able to reset a password amounts to taking over the account, so the delegate effectively controls every account of the selected type under this container (and its sub-OUs unless -NoInheritance is used); keep privileged and service accounts out of scope.
120 | 121 | ```yaml 122 | Type: String 123 | Parameter Sets: (All) 124 | Aliases: 125 | 126 | Required: True 127 | Position: Named 128 | Default value: None 129 | Accept pipeline input: True (ByPropertyName, ByValue) 130 | Accept wildcard characters: False 131 | ``` 132 | 133 | ### CommonParameters 134 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 135 | 136 | ## INPUTS 137 | 138 | ### System.String 139 | 140 | ## OUTPUTS 141 | 142 | ### System.Object 143 | ## NOTES 144 | 145 | ## RELATED LINKS 146 | -------------------------------------------------------------------------------- /docs/Add-DSACLWriteAccountRestrictions.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLWriteAccountRestrictions 9 | 10 | ## SYNOPSIS 11 | Delegate rights to write to the property set "Account Restrictions" on objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLWriteAccountRestrictions -TargetDN -DelegateDN -ObjectTypeName 18 | -AccessType [-NoInheritance] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLWriteAccountRestrictions -TargetDN -DelegateDN -ObjectTypeGuid 24 | -AccessType [-NoInheritance] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | Delegate rights to write to the property set "Account Restrictions" on objects of selected type in target (usually an OU) 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLWriteAccountRestrictions -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 35 | ``` 36 | 37 | 
Will give the group with DistinguishedName in $UserAdminGroup rights to write the "Account Restrictions" property set on user objects in the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. Note that this property set includes userAccountControl, so the delegate can enable or disable accounts and toggle flags such as "Password not required" or "Do not require Kerberos preauthentication" on every account in scope. 38 | 39 | ## PARAMETERS 40 | 41 | ### -AccessType 42 | Allow or Deny 43 | 44 | ```yaml 45 | Type: AccessControlType 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Allow, Deny 49 | 50 | Required: True 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: False 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -DelegateDN 58 | DistinguishedName of group or user to give permissions to. 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: True 66 | Position: Named 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -NoInheritance 73 | Sets access right to "This object only" 74 | 75 | ```yaml 76 | Type: SwitchParameter 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: False 81 | Position: Named 82 | Default value: None 83 | Accept pipeline input: False 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ### -ObjectTypeGuid 88 | ObjectType guid, used for custom object types 89 | 90 | ```yaml 91 | Type: Guid 92 | Parameter Sets: ByGuid 93 | Aliases: 94 | 95 | Required: True 96 | Position: Named 97 | Default value: None 98 | Accept pipeline input: False 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -ObjectTypeName 103 | Object type to delegate the "Account Restrictions" write right on 104 | 105 | ```yaml 106 | Type: String 107 | Parameter Sets: ByTypeName 108 | Aliases: 109 | Accepted values: User, Computer, ManagedServiceAccount, GroupManagedServiceAccount 110 | 111 | Required: True 112 | Position: Named 113 | Default value: None 114 | Accept pipeline input: False 115 | Accept wildcard characters: False 116 | ``` 117 | 118 | ### -TargetDN 119 | DistinguishedName of object to modify ACL on.
Usually an OU. 120 | 121 | ```yaml 122 | Type: String 123 | Parameter Sets: (All) 124 | Aliases: 125 | 126 | Required: True 127 | Position: Named 128 | Default value: None 129 | Accept pipeline input: True (ByPropertyName, ByValue) 130 | Accept wildcard characters: False 131 | ``` 132 | 133 | ### CommonParameters 134 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 135 | 136 | ## INPUTS 137 | 138 | ### System.String 139 | 140 | ## OUTPUTS 141 | 142 | ### System.Object 143 | ## NOTES 144 | 145 | ## RELATED LINKS 146 | -------------------------------------------------------------------------------- /docs/Add-DSACLWriteDNSHostName.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLWriteDNSHostName 9 | 10 | ## SYNOPSIS 11 | Delegate rights to SET DNSHostName on objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLWriteDNSHostName -TargetDN -DelegateDN -ObjectTypeName 18 | [-AccessType ] [-NoInheritance] [-ValidatedOnly] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLWriteDNSHostName -TargetDN -DelegateDN -ObjectTypeGuid 24 | [-AccessType ] [-NoInheritance] [-ValidatedOnly] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 | {{ Fill in the Description }} 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLWriteDNSHostName -TargetDN $ComputersOU -DelegateDN $ComputerAdminGroup -ObjectTypeName Computer -AccessType Allow 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $ComputerAdminGroup rights to SET DNSHostName of 
computer objects in the OU with DistinguishedName in $ComputersOU and all sub-OUs. Add -NoInheritance to disable inheritance. Add -ValidatedOnly to grant only the validated write, which limits the values the delegate can set (see -ValidatedOnly below). 38 | 39 | ## PARAMETERS 40 | 41 | ### -AccessType 42 | Allow or Deny. Allow is set by default 43 | 44 | ```yaml 45 | Type: AccessControlType 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Allow, Deny 49 | 50 | Required: False 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: False 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -DelegateDN 58 | DistinguishedName of group or user to give permissions to. 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: True 66 | Position: Named 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -NoInheritance 73 | Sets access right to "This object only" 74 | 75 | ```yaml 76 | Type: SwitchParameter 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: False 81 | Position: Named 82 | Default value: None 83 | Accept pipeline input: False 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ### -ObjectTypeGuid 88 | ObjectType guid, used for custom object types 89 | 90 | ```yaml 91 | Type: Guid 92 | Parameter Sets: ByGuid 93 | Aliases: 94 | 95 | Required: True 96 | Position: Named 97 | Default value: None 98 | Accept pipeline input: False 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -ObjectTypeName 103 | Object type to delegate the dNSHostName write right on 104 | 105 | ```yaml 106 | Type: String 107 | Parameter Sets: ByTypeName 108 | Aliases: 109 | Accepted values: Computer, ManagedServiceAccount, GroupManagedServiceAccount 110 | 111 | Required: True 112 | Position: Named 113 | Default value: None 114 | Accept pipeline input: False 115 | Accept wildcard characters: False 116 | ``` 117 | 118 | ### -TargetDN 119 | DistinguishedName of object to modify ACL on. Usually an OU.
120 | 121 | ```yaml 122 | Type: String 123 | Parameter Sets: (All) 124 | Aliases: 125 | 126 | Required: True 127 | Position: Named 128 | Default value: None 129 | Accept pipeline input: True (ByPropertyName, ByValue) 130 | Accept wildcard characters: False 131 | ``` 132 | 133 | ### -ValidatedOnly 134 | Grant only the validated write to dNSHostName instead of an unrestricted write to the attribute. With a validated write the directory only accepts a value that matches the computer's own account name within the domain's DNS name (or an allowed DNS suffix); with an unrestricted write the delegate can set any value, including the host name of a domain controller or another server. Prefer this switch unless unrestricted writes are genuinely required. 135 | 136 | ```yaml 137 | Type: SwitchParameter 138 | Parameter Sets: (All) 139 | Aliases: 140 | 141 | Required: False 142 | Position: Named 143 | Default value: None 144 | Accept pipeline input: False 145 | Accept wildcard characters: False 146 | ``` 147 | 148 | ### CommonParameters 149 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 150 | 151 | ## INPUTS 152 | 153 | ### System.String 154 | 155 | ## OUTPUTS 156 | 157 | ### System.Object 158 | ## NOTES 159 | 160 | ## RELATED LINKS 161 | -------------------------------------------------------------------------------- /docs/Add-DSACLWriteServicePrincipalName.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Add-DSACLWriteServicePrincipalName 9 | 10 | ## SYNOPSIS 11 | Delegate rights to SET ServicePrincipalName (SPN) on objects of selected type in target (usually an OU) 12 | 13 | ## SYNTAX 14 | 15 | ### ByTypeName (Default) 16 | ``` 17 | Add-DSACLWriteServicePrincipalName -TargetDN -DelegateDN -ObjectTypeName 18 | -AccessType [-NoInheritance] [-ValidatedOnly] [] 19 | ``` 20 | 21 | ### ByGuid 22 | ``` 23 | Add-DSACLWriteServicePrincipalName -TargetDN -DelegateDN -ObjectTypeGuid 24 | -AccessType [-NoInheritance] [-ValidatedOnly] [] 25 | ``` 26 | 27 | ## DESCRIPTION 28 |
Delegate rights to SET ServicePrincipalName (SPN) on objects of selected type in target (usually an OU). 29 | 30 | ## EXAMPLES 31 | 32 | ### Example 1 33 | ```powershell 34 | PS C:\> Add-DSACLWriteServicePrincipalName -TargetDN $UsersOU -DelegateDN $UserAdminGroup -ObjectTypeName User -AccessType Allow 35 | ``` 36 | 37 | Will give the group with DistinguishedName in $UserAdminGroup rights to SET SPN of user objects in the OU with DistinguishedName in $UsersOU and all sub-OUs. Add -NoInheritance to disable inheritance. Note that writing arbitrary SPNs is a sensitive right: setting an SPN on a user account makes a Kerberos service ticket encrypted with that account's password hash requestable by any domain user (Kerberoasting), and the delegate could also register SPNs that belong to other services. Grant it only to a trusted group and use -ValidatedOnly where it applies. 38 | 39 | ## PARAMETERS 40 | 41 | ### -AccessType 42 | Allow or Deny 43 | 44 | ```yaml 45 | Type: AccessControlType 46 | Parameter Sets: (All) 47 | Aliases: 48 | Accepted values: Allow, Deny 49 | 50 | Required: True 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: False 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -DelegateDN 58 | DistinguishedName of group or user to give permissions to. 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: True 66 | Position: Named 67 | Default value: None 68 | Accept pipeline input: True (ByPropertyName) 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ### -NoInheritance 73 | Sets access right to "This object only" 74 | 75 | ```yaml 76 | Type: SwitchParameter 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: False 81 | Position: Named 82 | Default value: None 83 | Accept pipeline input: False 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ### -ObjectTypeGuid 88 | ObjectType guid, used for custom object types 89 | 90 | ```yaml 91 | Type: Guid 92 | Parameter Sets: ByGuid 93 | Aliases: 94 | 95 | Required: True 96 | Position: Named 97 | Default value: None 98 | Accept pipeline input: False 99 | Accept wildcard characters: False 100 | ``` 101 | 102 | ### -ObjectTypeName 103 | Object type to delegate the ServicePrincipalName write right on 104 | 105 | ```yaml 106 | Type: String 107 | Parameter Sets: ByTypeName 108 | Aliases: 109 | Accepted values: User, Computer, ManagedServiceAccount,
GroupManagedServiceAccount 110 | 111 | Required: True 112 | Position: Named 113 | Default value: None 114 | Accept pipeline input: False 115 | Accept wildcard characters: False 116 | ``` 117 | 118 | ### -TargetDN 119 | DistinguishedName of object to modify ACL on. Usually an OU. 120 | 121 | ```yaml 122 | Type: String 123 | Parameter Sets: (All) 124 | Aliases: 125 | 126 | Required: True 127 | Position: Named 128 | Default value: None 129 | Accept pipeline input: True (ByPropertyName, ByValue) 130 | Accept wildcard characters: False 131 | ``` 132 | 133 | ### -ValidatedOnly 134 | Grant only the validated write to servicePrincipalName instead of an unrestricted write to the attribute. The validated write (defined for computer accounts) only accepts SPNs whose host part refers to the account's own host names; an unrestricted write lets the delegate add any SPN. Prefer this switch for computer accounts unless unrestricted writes are genuinely required. 135 | 136 | ```yaml 137 | Type: SwitchParameter 138 | Parameter Sets: (All) 139 | Aliases: 140 | 141 | Required: False 142 | Position: Named 143 | Default value: None 144 | Accept pipeline input: False 145 | Accept wildcard characters: False 146 | ``` 147 | 148 | ### CommonParameters 149 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
150 | 151 | ## INPUTS 152 | 153 | ### System.String 154 | 155 | ## OUTPUTS 156 | 157 | ### System.Object 158 | ## NOTES 159 | 160 | ## RELATED LINKS 161 | -------------------------------------------------------------------------------- /docs/ConvertFrom-DSACLInheritedObjectTypeGuid.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertFrom-DSACLInheritedObjectTypeGuid 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ### Access (Default) 16 | ``` 17 | ConvertFrom-DSACLInheritedObjectTypeGuid -AccessRule [] 18 | ``` 19 | 20 | ### Audit 21 | ``` 22 | ConvertFrom-DSACLInheritedObjectTypeGuid -AuditRule [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{ Fill in the Description }} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -AccessRule 40 | {{ Fill AccessRule Description }} 41 | 42 | ```yaml 43 | Type: ActiveDirectoryAccessRule 44 | Parameter Sets: Access 45 | Aliases: Access, ACE 46 | 47 | Required: True 48 | Position: Named 49 | Default value: None 50 | Accept pipeline input: True (ByValue) 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ### -AuditRule 55 | {{ Fill AuditRule Description }} 56 | 57 | ```yaml 58 | Type: ActiveDirectoryAuditRule 59 | Parameter Sets: Audit 60 | Aliases: Audit 61 | 62 | Required: True 63 | Position: Named 64 | Default value: None 65 | Accept pipeline input: True (ByValue) 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ### CommonParameters 70 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 71 | 72 | ## INPUTS 73 | 74 | ### System.DirectoryServices.ActiveDirectoryAccessRule 75 | 76 | ### System.DirectoryServices.ActiveDirectoryAuditRule 77 | 78 | ## OUTPUTS 79 | 80 | ### System.Object 81 | ## NOTES 82 | 83 | ## RELATED LINKS 84 | -------------------------------------------------------------------------------- /docs/ConvertFrom-DSACLObjectTypeGuid.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertFrom-DSACLObjectTypeGuid 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ### Access (Default) 16 | ``` 17 | ConvertFrom-DSACLObjectTypeGuid -AccessRule [] 18 | ``` 19 | 20 | ### Audit 21 | ``` 22 | ConvertFrom-DSACLObjectTypeGuid -AuditRule [] 23 | ``` 24 | 25 | ## DESCRIPTION 26 | {{ Fill in the Description }} 27 | 28 | ## EXAMPLES 29 | 30 | ### Example 1 31 | ```powershell 32 | PS C:\> {{ Add example code here }} 33 | ``` 34 | 35 | {{ Add example description here }} 36 | 37 | ## PARAMETERS 38 | 39 | ### -AccessRule 40 | {{ Fill AccessRule Description }} 41 | 42 | ```yaml 43 | Type: ActiveDirectoryAccessRule 44 | Parameter Sets: Access 45 | Aliases: Access, ACE 46 | 47 | Required: True 48 | Position: Named 49 | Default value: None 50 | Accept pipeline input: True (ByValue) 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ### -AuditRule 55 | {{ Fill AuditRule Description }} 56 | 57 | ```yaml 58 | Type: ActiveDirectoryAuditRule 59 | Parameter Sets: Audit 60 | Aliases: Audit 61 | 62 | Required: True 63 | Position: Named 64 | Default value: None 65 | Accept pipeline input: True (ByValue) 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ### CommonParameters 70 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, 
-InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 71 | 72 | ## INPUTS 73 | 74 | ### System.DirectoryServices.ActiveDirectoryAccessRule 75 | 76 | ### System.DirectoryServices.ActiveDirectoryAuditRule 77 | 78 | ## OUTPUTS 79 | 80 | ### System.Object 81 | ## NOTES 82 | 83 | ## RELATED LINKS 84 | -------------------------------------------------------------------------------- /docs/Get-DSACLDefaultContainer.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-DSACLDefaultContainer 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-DSACLDefaultContainer [[-DomainDN] ] [[-Type] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -DomainDN 34 | {{ Fill DomainDN Description }} 35 | 36 | ```yaml 37 | Type: Object 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### -Type 49 | {{ Fill Type Description }} 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: 55 | Accepted values: Users, Computers 56 | 57 | Required: False 58 | Position: 1 59 | Default value: None 60 | Accept pipeline input: False 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### CommonParameters 65 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, 
-OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 66 | 67 | ## INPUTS 68 | 69 | ### None 70 | 71 | ## OUTPUTS 72 | 73 | ### System.Object 74 | ## NOTES 75 | 76 | ## RELATED LINKS 77 | -------------------------------------------------------------------------------- /docs/Get-DSACLMachineAccountQuota.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Get-DSACLMachineAccountQuota 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Get-DSACLMachineAccountQuota [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### CommonParameters 34 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
35 | 36 | ## INPUTS 37 | 38 | ### None 39 | 40 | ## OUTPUTS 41 | 42 | ### System.Object 43 | ## NOTES 44 | 45 | ## RELATED LINKS 46 | -------------------------------------------------------------------------------- /docs/New-DSACLAccessRule.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-DSACLAccessRule 9 | 10 | ## SYNOPSIS 11 | Create Access Control Entry for Active Directory ACL 12 | 13 | ## SYNTAX 14 | 15 | ### 6 16 | ``` 17 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 18 | -AccessControlType -ObjectType 19 | -InheritanceType -InheritedObjectType [] 20 | ``` 21 | 22 | ### 5 23 | ``` 24 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 25 | -AccessControlType -ObjectType 26 | -InheritanceType [] 27 | ``` 28 | 29 | ### 4 30 | ``` 31 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 32 | -AccessControlType -ObjectType [] 33 | ``` 34 | 35 | ### 3 36 | ``` 37 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 38 | -AccessControlType -InheritanceType 39 | -InheritedObjectType [] 40 | ``` 41 | 42 | ### 2 43 | ``` 44 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 45 | -AccessControlType -InheritanceType 46 | [] 47 | ``` 48 | 49 | ### 1 50 | ``` 51 | New-DSACLAccessRule -Identity -ActiveDirectoryRights 52 | -AccessControlType [] 53 | ``` 54 | 55 | ## DESCRIPTION 56 | Create Access Control Entry for Active Directory ACL 57 | 58 | ## EXAMPLES 59 | 60 | ### Example 1 61 | ```powershell 62 | PS C:\> New-DSACLAccessRule -Identity $SID -ActiveDirectoryRights 'CreateChild', 'DeleteChild' -AccessControlType Allow -ObjectType $TypeGuid -InheritanceType None 63 | ``` 64 | 65 | Create access rule that gives the principal with SID $SID access to create and delete objects of type $TypeGuid on "this object only" 66 | 67 | ## PARAMETERS 68 | 69 | ### -AccessControlType 70 | Sets allow or deny 71
| 72 | ```yaml 73 | Type: AccessControlType 74 | Parameter Sets: (All) 75 | Aliases: 76 | Accepted values: Allow, Deny 77 | 78 | Required: True 79 | Position: Named 80 | Default value: None 81 | Accept pipeline input: True (ByPropertyName) 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -ActiveDirectoryRights 86 | List of access rights that should be applied 87 | 88 | ```yaml 89 | Type: ActiveDirectoryRights[] 90 | Parameter Sets: (All) 91 | Aliases: 92 | Accepted values: CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity 93 | 94 | Required: True 95 | Position: Named 96 | Default value: None 97 | Accept pipeline input: True (ByPropertyName) 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -Identity 102 | SID of principal that will rule will apply to 103 | 104 | ```yaml 105 | Type: SecurityIdentifier 106 | Parameter Sets: (All) 107 | Aliases: 108 | 109 | Required: True 110 | Position: Named 111 | Default value: None 112 | Accept pipeline input: True (ByPropertyName, ByValue) 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -InheritanceType 117 | Sets if and how this rule should be inherited 118 | 119 | ```yaml 120 | Type: ActiveDirectorySecurityInheritance 121 | Parameter Sets: 6, 5, 3, 2 122 | Aliases: 123 | Accepted values: None, All, Descendents, SelfAndChildren, Children 124 | 125 | Required: True 126 | Position: Named 127 | Default value: None 128 | Accept pipeline input: True (ByPropertyName) 129 | Accept wildcard characters: False 130 | ``` 131 | 132 | ### -InheritedObjectType 133 | Sets guid of object types that should inherit this rule 134 | 135 | ```yaml 136 | Type: Guid 137 | Parameter Sets: 6, 3 138 | Aliases: 139 | 140 | Required: True 141 | Position: Named 142 | Default value: None 143 | Accept pipeline input: True 
(ByPropertyName) 144 | Accept wildcard characters: False 145 | ``` 146 | 147 | ### -ObjectType 148 | Sets guid where access right should apply 149 | 150 | ```yaml 151 | Type: Guid 152 | Parameter Sets: 6, 5, 4 153 | Aliases: 154 | 155 | Required: True 156 | Position: Named 157 | Default value: None 158 | Accept pipeline input: True (ByPropertyName) 159 | Accept wildcard characters: False 160 | ``` 161 | 162 | ### CommonParameters 163 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 164 | 165 | ## INPUTS 166 | 167 | ### System.Security.Principal.SecurityIdentifier 168 | 169 | ### System.DirectoryServices.ActiveDirectoryRights[] 170 | 171 | ### System.Security.AccessControl.AccessControlType 172 | 173 | ### System.Guid 174 | 175 | ### System.DirectoryServices.ActiveDirectorySecurityInheritance 176 | 177 | ## OUTPUTS 178 | 179 | ### System.Object 180 | ## NOTES 181 | 182 | ## RELATED LINKS 183 | -------------------------------------------------------------------------------- /docs/New-DSACLAuditRule.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-DSACLAuditRule 9 | 10 | ## SYNOPSIS 11 | Create Access Control Entry for Active Directory ACL 12 | 13 | ## SYNTAX 14 | 15 | ### 6 16 | ``` 17 | New-DSACLAuditRule -Identity -ActiveDirectoryRights 18 | -AuditFlags -ObjectType -InheritanceType 19 | -InheritedObjectType [] 20 | ``` 21 | 22 | ### 5 23 | ``` 24 | New-DSACLAuditRule -Identity -ActiveDirectoryRights 25 | -AuditFlags -ObjectType -InheritanceType 26 | [] 27 | ``` 28 | 29 | ### 4 30 | ``` 31 | New-DSACLAuditRule -Identity 
-ActiveDirectoryRights 32 | -AuditFlags -ObjectType [] 33 | ``` 34 | 35 | ### 3 36 | ``` 37 | New-DSACLAuditRule -Identity -ActiveDirectoryRights 38 | -AuditFlags -InheritanceType -InheritedObjectType 39 | [] 40 | ``` 41 | 42 | ### 2 43 | ``` 44 | New-DSACLAuditRule -Identity -ActiveDirectoryRights 45 | -AuditFlags -InheritanceType [] 46 | ``` 47 | 48 | ### 1 49 | ``` 50 | New-DSACLAuditRule -Identity -ActiveDirectoryRights 51 | -AuditFlags [] 52 | ``` 53 | 54 | ## DESCRIPTION 55 | Create Access Control Entry for Active Directory ACL 56 | 57 | ## EXAMPLES 58 | 59 | ### Example 1 60 | ```powershell 61 | PS C:\> New-ADAccessRule -Identity $SID -ActiveDirectoryRights 'CreateChild', 'DeleteChild' -AccessControlType Allow -ObjectType $TypeGuid -InheritanceType None 62 | ``` 63 | 64 | Create access rule that gives the object with SID $SID access to create and delete objects of type $TypeGuid on "this object only" 65 | 66 | ## PARAMETERS 67 | 68 | ### -ActiveDirectoryRights 69 | List of access rights that should be applied 70 | 71 | ```yaml 72 | Type: ActiveDirectoryRights[] 73 | Parameter Sets: (All) 74 | Aliases: 75 | Accepted values: CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity 76 | 77 | Required: True 78 | Position: Named 79 | Default value: None 80 | Accept pipeline input: True (ByPropertyName) 81 | Accept wildcard characters: False 82 | ``` 83 | 84 | ### -AuditFlags 85 | Sets allow or deny 86 | 87 | ```yaml 88 | Type: AuditFlags 89 | Parameter Sets: (All) 90 | Aliases: 91 | Accepted values: None, Success, Failure 92 | 93 | Required: True 94 | Position: Named 95 | Default value: None 96 | Accept pipeline input: True (ByPropertyName) 97 | Accept wildcard characters: False 98 | ``` 99 | 100 | ### -Identity 101 | SID of principal that will rule will apply to 102 | 103 | 
```yaml 104 | Type: SecurityIdentifier 105 | Parameter Sets: (All) 106 | Aliases: 107 | 108 | Required: True 109 | Position: Named 110 | Default value: None 111 | Accept pipeline input: True (ByPropertyName, ByValue) 112 | Accept wildcard characters: False 113 | ``` 114 | 115 | ### -InheritanceType 116 | Sets if and how this rule should be inherited 117 | 118 | ```yaml 119 | Type: ActiveDirectorySecurityInheritance 120 | Parameter Sets: 6, 5, 3, 2 121 | Aliases: 122 | Accepted values: None, All, Descendents, SelfAndChildren, Children 123 | 124 | Required: True 125 | Position: Named 126 | Default value: None 127 | Accept pipeline input: True (ByPropertyName) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -InheritedObjectType 132 | Sets guid of object types that should inherit this rule 133 | 134 | ```yaml 135 | Type: Guid 136 | Parameter Sets: 6, 3 137 | Aliases: 138 | 139 | Required: True 140 | Position: Named 141 | Default value: None 142 | Accept pipeline input: True (ByPropertyName) 143 | Accept wildcard characters: False 144 | ``` 145 | 146 | ### -ObjectType 147 | Sets guid where access right should apply 148 | 149 | ```yaml 150 | Type: Guid 151 | Parameter Sets: 6, 5, 4 152 | Aliases: 153 | 154 | Required: True 155 | Position: Named 156 | Default value: None 157 | Accept pipeline input: True (ByPropertyName) 158 | Accept wildcard characters: False 159 | ``` 160 | 161 | ### CommonParameters 162 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
163 | 164 | ## INPUTS 165 | 166 | ### System.Security.Principal.SecurityIdentifier 167 | 168 | ### System.DirectoryServices.ActiveDirectoryRights[] 169 | 170 | ### System.Security.AccessControl.AuditFlags 171 | 172 | ### System.Guid 173 | 174 | ### System.DirectoryServices.ActiveDirectorySecurityInheritance 175 | 176 | ## OUTPUTS 177 | 178 | ### System.Object 179 | ## NOTES 180 | 181 | ## RELATED LINKS 182 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # DSACL - Documentation 2 | 3 | DSACL documentation is made possible using [platyPS](https://github.com/PowerShell/platyPS) 4 | 5 | ## Contributions to DSACL documentation 6 | 7 | 1. Fork the repository 8 | 2. Checkout a new branch 9 | 3. Install platyPS and DSACL: 10 | 11 | ```powershell 12 | Install-Module PlatyPS -Force -Verbose 13 | Install-Module DSACL -Force -Verbose 14 | ``` 15 | 16 | 4. Edit the markdown files in /docs 17 | 5. Update external help 18 | 6. 
Push changes -------------------------------------------------------------------------------- /docs/Register-DSACLRightsMapVariable.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Register-DSACLRightsMapVariable 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Register-DSACLRightsMapVariable [[-Scope] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Scope 34 | {{ Fill Scope Description }} 35 | 36 | ```yaml 37 | Type: String 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
50 | 51 | ## INPUTS 52 | 53 | ### None 54 | 55 | ## OUTPUTS 56 | 57 | ### System.Object 58 | ## NOTES 59 | 60 | ## RELATED LINKS 61 | -------------------------------------------------------------------------------- /docs/Resolve-DSACLGuid.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Resolve-DSACLGuid 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Resolve-DSACLGuid [[-Guid] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Guid 34 | {{ Fill Guid Description }} 35 | 36 | ```yaml 37 | Type: Guid 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
50 | 51 | ## INPUTS 52 | 53 | ### None 54 | 55 | ## OUTPUTS 56 | 57 | ### System.Object 58 | ## NOTES 59 | 60 | ## RELATED LINKS 61 | -------------------------------------------------------------------------------- /docs/Resolve-DSACLObjectName.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Resolve-DSACLObjectName 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Resolve-DSACLObjectName [[-Name] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Name 34 | {{ Fill Name Description }} 35 | 36 | ```yaml 37 | Type: String 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
50 | 51 | ## INPUTS 52 | 53 | ### None 54 | 55 | ## OUTPUTS 56 | 57 | ### System.Object 58 | ## NOTES 59 | 60 | ## RELATED LINKS 61 | -------------------------------------------------------------------------------- /docs/Set-DSACLDefaultContainer.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-DSACLDefaultContainer 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Set-DSACLDefaultContainer [[-DomainDN] ] [[-Type] ] [[-NewValue] ] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -DomainDN 34 | {{ Fill DomainDN Description }} 35 | 36 | ```yaml 37 | Type: String 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: False 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### -NewValue 49 | {{ Fill NewValue Description }} 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: 55 | 56 | Required: False 57 | Position: 2 58 | Default value: None 59 | Accept pipeline input: False 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -Type 64 | {{ Fill Type Description }} 65 | 66 | ```yaml 67 | Type: String 68 | Parameter Sets: (All) 69 | Aliases: 70 | Accepted values: Users, Computers 71 | 72 | Required: False 73 | Position: 1 74 | Default value: None 75 | Accept pipeline input: False 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ### CommonParameters 80 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, 
-Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 81 | 82 | ## INPUTS 83 | 84 | ### None 85 | 86 | ## OUTPUTS 87 | 88 | ### System.Object 89 | ## NOTES 90 | 91 | ## RELATED LINKS 92 | -------------------------------------------------------------------------------- /docs/Set-DSACLMachineAccountQuota.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-DSACLMachineAccountQuota 9 | 10 | ## SYNOPSIS 11 | {{ Fill in the Synopsis }} 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Set-DSACLMachineAccountQuota [-Quota] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | {{ Fill in the Description }} 21 | 22 | ## EXAMPLES 23 | 24 | ### Example 1 25 | ```powershell 26 | PS C:\> {{ Add example code here }} 27 | ``` 28 | 29 | {{ Add example description here }} 30 | 31 | ## PARAMETERS 32 | 33 | ### -Quota 34 | {{ Fill Quota Description }} 35 | 36 | ```yaml 37 | Type: Int32 38 | Parameter Sets: (All) 39 | Aliases: 40 | 41 | Required: True 42 | Position: 0 43 | Default value: None 44 | Accept pipeline input: False 45 | Accept wildcard characters: False 46 | ``` 47 | 48 | ### CommonParameters 49 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
50 | 51 | ## INPUTS 52 | 53 | ### None 54 | 55 | ## OUTPUTS 56 | 57 | ### System.Object 58 | ## NOTES 59 | 60 | ## RELATED LINKS 61 | -------------------------------------------------------------------------------- /docs/Set-DSACLOwner.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: DSACL-help.xml 3 | Module Name: DSACL 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Set-DSACLOwner 9 | 10 | ## SYNOPSIS 11 | Sets an Active Directory object as the Owner of an Access Control List (ACL). 12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | Set-DSACLOwner [-TargetDN] [-OwnerDN] [-WhatIf] [-Confirm] [] 17 | ``` 18 | 19 | ## DESCRIPTION 20 | The **Set-DSACLOwner** cmdlet will set the given OwnerDN (Objects Distinguished Name) as Owner of the specified TargetDN (Target Distinguished Name). 21 | 22 | The TargetDN parameter specifies what object the modification will execute on. 23 | 24 | The OwnerDN parameter specifies what object in Active Directory that will take ownership of the target. 25 | 26 | ## EXAMPLES 27 | 28 | ### Example 1 29 | ```powershell 30 | PS C:\> Set-DSACLOwner -TargetDN "OU=Accounting,DC=FABRIKAM,DC=COM" -OwnerDN "CN=Chew David,OU=Accounting,DC=FABRIKAM,DC=COM" 31 | ``` 32 | 33 | The following example will set Chew David as owner of the Accounting Organizational Units Access Control List. 34 | 35 | ## PARAMETERS 36 | 37 | ### -Confirm 38 | Prompts you for confirmation before running the cmdlet. 39 | 40 | ```yaml 41 | Type: SwitchParameter 42 | Parameter Sets: (All) 43 | Aliases: cf 44 | 45 | Required: False 46 | Position: Named 47 | Default value: None 48 | Accept pipeline input: False 49 | Accept wildcard characters: False 50 | ``` 51 | 52 | ### -OwnerDN 53 | The OwnerDN parameter specifies what object in Active Directory that will take ownership of the target. 
54 | 55 | ```yaml 56 | Type: String 57 | Parameter Sets: (All) 58 | Aliases: 59 | 60 | Required: True 61 | Position: 1 62 | Default value: None 63 | Accept pipeline input: True (ByPropertyName) 64 | Accept wildcard characters: False 65 | ``` 66 | 67 | ### -TargetDN 68 | The TargetDN parameter specifies what object the modification will execute on. 69 | 70 | ```yaml 71 | Type: String 72 | Parameter Sets: (All) 73 | Aliases: 74 | 75 | Required: True 76 | Position: 0 77 | Default value: None 78 | Accept pipeline input: True (ByPropertyName, ByValue) 79 | Accept wildcard characters: False 80 | ``` 81 | 82 | ### -WhatIf 83 | Shows what would happen if the cmdlet runs. 84 | The cmdlet is not run. 85 | 86 | ```yaml 87 | Type: SwitchParameter 88 | Parameter Sets: (All) 89 | Aliases: wi 90 | 91 | Required: False 92 | Position: Named 93 | Default value: None 94 | Accept pipeline input: False 95 | Accept wildcard characters: False 96 | ``` 97 | 98 | ### CommonParameters 99 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
100 | 101 | ## INPUTS 102 | 103 | ### System.String 104 | 105 | ## OUTPUTS 106 | 107 | ### System.Object 108 | ## NOTES 109 | 110 | ## RELATED LINKS 111 | -------------------------------------------------------------------------------- /license.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Simon Wåhlin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
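# /test/Integration/IntegrationTests.ps1
#
# Pester integration tests for the DSACL module. These tests write real ACEs
# to a test OU in a lab domain, so the script refuses to run unless the
# current domain's distinguished name matches $DomainDN.
param (
    # Path to the module folder; defaults to the repository root relative to this script.
    $ModulePath = "$PSScriptRoot\..\..",
    # Distinguished name of the lab domain the tests are allowed to modify.
    $DomainDN = 'DC=lab,DC=simonw,DC=se',
    # NetBIOS name of the lab domain, used to build the expected IdentityReference.
    $DomainFlatName = 'LAB'
)
$ErrorActionPreference = 'Stop'
# Remove trailing slash or backslash
$ModulePath = $ModulePath -replace '[\\/]*$'
$ModuleName = Split-Path -Path $ModulePath -Leaf

# Validate we are in designated test environment.
# Any failure here (missing modules, no domain, wrong domain) aborts the run
# before any directory object is created or any ACL is touched.
try {
    Import-Module -Name ActiveDirectory -ErrorAction Stop
    Import-Module -Name Pester -MinimumVersion '4.1.1' -ErrorAction Stop
    Import-Module -Name $ModulePath
    $Domain = Get-ADDomain -ErrorAction Stop
    if ($Domain.DistinguishedName -ne $DomainDN) {
        throw
    }
} catch {
    Write-Verbose -Message 'Not in test environment or invalid environment' -Verbose
    return
}

# Cleanup: remove any leftover test OU from a previous run.
# The OU is created with accidental-deletion protection, so it is cleared first.
try {
    $TestOUName = "DSACL_Module_Test"
    Get-ADOrganizationalUnit -Identity "OU=$TestOUName,$DomainDN" |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false -PassThru |
        Remove-ADOrganizationalUnit -Recursive -Confirm:$false
}
catch {
    # Ignore errors: the OU normally does not exist yet.
}

# Initialize with new OU structure: a test OU, a child OU (to observe
# inheritance) and a test user that receives the delegated rights.
# $CleanACL is the pristine ACL of the test OU and is restored after each test.
try {
    $TestOU = New-ADOrganizationalUnit -Name $TestOUName -Path $DomainDN -PassThru
    $SubOU = New-ADOrganizationalUnit -Name 'Sub' -Path $TestOU -PassThru

    $TestUserName = 'DSACLModuleTest'
    $TestUser = New-ADUser -Name "$TestUserName" -Path "$TestOU" -PassThru
    $CleanACL = Get-Acl -Path "AD:\$($TestOU.DistinguishedName)"
}
catch {
    throw
}

<#
.SYNOPSIS
    Returns the ACEs of an ACL that match all of the given criteria.
.DESCRIPTION
    Expands the Access collection of the piped ACL and filters it on every
    supplied property. IdentityReference is matched with -like, all other
    properties with -eq. Callers count the returned entries to assert that
    exactly one matching ACE exists.
.PARAMETER ACL
    The ACL object (as returned by Get-Acl) whose Access entries are filtered.
    Accepted from the pipeline.
.PARAMETER AccessControlType
    Defaults to 'Allow'.
.PARAMETER IsInherited
    Whether the matching ACE must be an inherited one.
#>
function Assert-DSACL {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        $ACL,
        $ActiveDirectoryRight,
        $InheritanceType,
        $InheritedObjectType,
        $ObjectType,
        $AccessControlType = 'Allow',
        $IdentityReference,
        [bool]$IsInherited
    )

    # A process block is required for a ValueFromPipeline parameter; without it
    # only the last piped object would be evaluated.
    process {
        $ACL |
            Select-Object -ExpandProperty Access |
            Where-Object -FilterScript {
                $_.ActiveDirectoryRights -eq $ActiveDirectoryRight -and
                $_.InheritanceType -eq $InheritanceType -and
                $_.ObjectType -eq $ObjectType -and
                $_.InheritedObjectType -eq $InheritedObjectType -and
                $_.AccessControlType -eq $AccessControlType -and
                $_.IdentityReference -like $IdentityReference -and
                $_.IsInherited -eq $IsInherited
            }
    }
}

Describe "Integration testing in domain: $DomainDN" -Tag Integration {
    Context 'Testing Public Functions wrapping Add-DSACLCustom' {
        BeforeAll {
            Import-Module -Name $ModulePath
        }
        AfterEach {
            # Restore the pristine ACL so each test starts from a known state.
            Set-ACL -Path "AD:\$($TestOU.DistinguishedName)" -AclObject $CleanACL
        }
        AfterAll {
            Get-Module -Name $ModuleName | Remove-Module -Force
        }

        # Schema class GUIDs for the object types the wrapper commands accept.
        # The all-zero GUID means "any object type".
        $ObjectTypeCases = @(
            @{
                ObjectType = 'Computer'
                ObjectGuid = 'bf967a86-0de6-11d0-a285-00aa003049e2'
            },
            @{
                ObjectType = 'Contact'
                ObjectGuid = '5cb41ed0-0e4c-11d0-a286-00aa003049e2'
            },
            @{
                ObjectType = 'Group'
                ObjectGuid = 'bf967a9c-0de6-11d0-a285-00aa003049e2'
            },
            @{
                ObjectType = 'ManagedServiceAccount'
                ObjectGuid = 'ce206244-5827-4a86-ba1c-1c0c386c1b64'
            },
            @{
                ObjectType = 'GroupManagedServiceAccount'
                ObjectGuid = '7b8b558a-93a5-4af7-adca-c017e67f1057'
            },
            @{
                ObjectType = 'User'
                ObjectGuid = 'bf967aba-0de6-11d0-a285-00aa003049e2'
            },
            @{
                ObjectType = 'All'
                ObjectGuid = '00000000-0000-0000-0000-000000000000'
            }
        )

        # One entry per wrapper command under test. InheritanceType[0] is the
        # expected value with -NoInheritance, [1] the expected value without it.
        # The literal 'ObjectGuid' in ObjectType/InheritedObjectType is replaced
        # by the GUID of the test case's object type.
        $Commands = @(
            @{
                Command = 'Add-DSACLCreateChild'
                ActiveDirectoryRights = 'CreateChild'
                InheritanceType = 'None','All'
                ObjectType = 'ObjectGuid'
                InheritedObjectType = '00000000-0000-0000-0000-000000000000'
                Types = 'Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User', 'All'
            },
            @{
                Command = 'Add-DSACLDeleteChild'
                ActiveDirectoryRights = 'DeleteChild'
                InheritanceType = 'None','All'
                ObjectType = 'ObjectGuid'
                InheritedObjectType = '00000000-0000-0000-0000-000000000000'
                Types = 'Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User', 'All'
            },
            @{
                Command = 'Add-DSACLFullControl'
                ActiveDirectoryRights = 'GenericAll'
                InheritanceType = 'Children','Descendents'
                ObjectType = '00000000-0000-0000-0000-000000000000'
                InheritedObjectType = 'ObjectGuid'
                Types = 'Computer', 'Contact', 'Group', 'ManagedServiceAccount', 'GroupManagedServiceAccount', 'User', 'All'
            },
            @{
                Command = 'Add-DSACLResetPassword'
                ActiveDirectoryRights = 'ExtendedRight'
                ObjectType = '00299570-246d-11d0-a768-00aa006e0529'
                InheritanceType = 'Children','Descendents'
                InheritedObjectType = 'ObjectGuid'
                Types = 'Computer','User','ManagedServiceAccount', 'GroupManagedServiceAccount'
            }
        )
        foreach($Command in $Commands) {
            Context $Command.Command {
                <#
                $Command = $Commands[0]
                #>
                $TypeCases = $ObjectTypeCases | Where-Object -FilterScript {$_.ObjectType -in $Command.Types}
                <#
                1 | % {$ObjectType, $ObjectGuid = $TypeCases[$_].ObjectType, $TypeCases[$_].ObjectGuid}
                #>

                # NOTE(review): the test name reads "on without inheritance"; a Pester
                # test-case placeholder may have been lost in rendering - confirm against source.
                It "Delegates access to allow $($Command.ActiveDirectoryRights) on without inheritance" -TestCases $TypeCases {
                    param($ObjectType,$ObjectGuid)

                    $DSACLParam = @{
                        TargetDN = $TestOU.DistinguishedName
                        DelegateDN = $TestUser.DistinguishedName
                        ObjectTypeName = $ObjectType
                        AccessType = 'Allow'
                        NoInheritance = $True
                    }
                    & $Command.Command @DSACLParam

                    # Short pause to allow for Get-ACL to catch up (?)
                    Start-Sleep -Seconds 1

                    $ExpectedResult = @{
                        ActiveDirectoryRight = $Command.ActiveDirectoryRights
                        ObjectType = if($Command.ObjectType -eq 'ObjectGuid'){$ObjectGuid}else{$Command.ObjectType}
                        InheritedObjectType = if($Command.InheritedObjectType -eq 'ObjectGuid'){$ObjectGuid}else{$Command.InheritedObjectType}
                        InheritanceType = $Command.InheritanceType[0]
                        AccessControlType = 'Allow'
                        IdentityReference = "$DomainFlatName\$TestUserName"
                        IsInherited = $false
                    }

                    # Exactly one matching explicit ACE must exist on the test OU.
                    $ACL = Get-Acl -Path "AD:\$($TestOU.DistinguishedName)"
                    $ACL | Assert-DSACL @ExpectedResult | Measure-Object | Select-Object -ExpandProperty Count | Should -BeExactly 1

                    # FullControl on ALL objects without inheritance will still give full control to subOU with "ThisObjectOnly"
                    if (-not ($Command.Command -eq 'Add-DSACLFullControl' -and $ObjectType -eq 'All')) {
                        # Nothing may have propagated to the child OU.
                        Get-Acl -Path "AD:\$($SubOU.DistinguishedName)" |
                            Select-Object -ExpandProperty Access |
                            Where-Object -FilterScript {
                                $_.IdentityReference -like "$DomainFlatName\$TestUserName" -and
                                $_.IsInherited -eq $true
                            } | Measure-Object | Select-Object -ExpandProperty Count | Should -BeExactly 0
                    }
                }

                It "Delegates access to allow $($Command.ActiveDirectoryRights) on with inheritance" -TestCases $TypeCases {
                    param($ObjectType,$ObjectGuid)
                    $DSACLParam = @{
                        TargetDN = $TestOU.DistinguishedName
                        DelegateDN = $TestUser.DistinguishedName
                        ObjectTypeName = $ObjectType
                        AccessType = 'Allow'
                    }
                    & $Command.Command @DSACLParam

                    # Short pause to allow for Get-ACL to catch up (?)
                    Start-Sleep -Seconds 1

                    $ExpectedResult = @{
                        ActiveDirectoryRight = $Command.ActiveDirectoryRights
                        ObjectType = if($Command.ObjectType -eq 'ObjectGuid'){$ObjectGuid}else{$Command.ObjectType}
                        InheritedObjectType = if($Command.InheritedObjectType -eq 'ObjectGuid'){$ObjectGuid}else{$Command.InheritedObjectType}
                        InheritanceType = $Command.InheritanceType[1]
                        AccessControlType = 'Allow'
                        IdentityReference = "$DomainFlatName\$TestUserName"
                        IsInherited = $false
                    }

                    # Exactly one matching explicit ACE on the test OU ...
                    Get-Acl -Path "AD:\$($TestOU.DistinguishedName)" |
                        Assert-DSACL @ExpectedResult |
                        Measure-Object | Select-Object -ExpandProperty Count | Should -BeExactly 1

                    # ... and exactly one inherited ACE for the delegate on the child OU.
                    Get-Acl -Path "AD:\$($SubOU.DistinguishedName)" |
                        Select-Object -ExpandProperty Access |
                        Where-Object -FilterScript {
                            $_.IdentityReference -like "$DomainFlatName\$TestUserName" -and
                            $_.IsInherited -eq $true
                        } | Measure-Object | Select-Object -ExpandProperty Count | Should -BeExactly 1
                }
            }
        }
    }
}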