Using PowerShell to delete user's permissions?
Hello Forum,
I am an accountant with zero background in IT. I happen to be responsible for managing our small SharePoint 2010 environment (10 Web Applications, 20 Site Collections in each Web Application, and 300 Users), and even though it has been quite a difficult task, I must admit that I am kinda enjoying it because I get a chance to learn new things.
Whenever I encounter an issue, I google it and most of the time I find answers on the Internet. Nevertheless, this time I think I am having a tough problem, which is why I have decided to register and post my question for the first time ever.
Well, I have a few users who have left our company, and they have permissions all over the place, some of these users have Full Control and Contribute permissions on different Site Collections, SubSites, Lists, and libraries across the Web Applications that
we have.
Unfortunately, we do not have a proper governance process in place, and yes, things are messy in our SharePoint environment; I have noticed that some of these users were granted permissions on Lists and Libs directly without using any User Groups.
Now, it is my responsibility to clean up the environment. I have spent most of my weekend guessing and cleaning up our SharePoint environment manually, by jumping from one Site to another, checking through the UI and removing the user from there, but this repeated manual work is killing my soul, I swear.
I read about PowerShell and I managed to test simple commands, and I hope it is the way to go. I have been using this small script:
$web = Get-SPWeb http://MySharePointSite
$user = get-spuser -Identity Domain\UserAccount -Web $web.url
$list = $web.Lists["Docs/Pics Library"]
$list.RoleAssignments.Remove( $user)
But again, even though it is a bit faster than working with the UI, I feel it is not efficient enough because I have to run it against every List, Docs Lib, Pics Lib... etc.
So guys, is there a way in PowerShell that allows me to give the user account and the Web Application URL as parameters, so that the script runs and loops through the entire Web Application with all its Site Collections, SubSites, Lists and Libs and removes that user from there completely, regardless of whether that user was added directly or in a group?
Can PowerShell automate such a process or am I dreaming?
Yes it can.
However before we get there, we should note something: If you're using Active Directory (AD) for your users, and you almost certainly are, as long as the leaver's account is marked as 'Disabled' in there then security wise you're fine. The rest is just to
keep things clean.
If you search a bit longer you'll probably find a more complete script, but to extend yours a bit we can do a few things. What we want to do is introduce 'loops'. I'm assuming you know nothing about programming, but a loop is a process where the code does a certain activity for a set number of times or until it reaches a point to finish.
What we'll do is use three 'get things' commands to get all the sites, all the webs in a site and then all the lists in a web to get us a list of things to run our loop on, then run your remove code.
#This gets all the site collections you have permission to see
$sites = Get-SPSite -Limit All
#This loops through each site collection and calls it 'siteCollection'
foreach ($siteCollection in $sites)
{
    #This gets all the webs in the site collection
    $webs = $siteCollection.AllWebs
    #This loops through all the webs
    foreach ($website in $webs)
    {
        $user = Get-SPUser -Identity Domain\UserAccount -Web $website.Url
        #This gets all the lists (and libraries) in the web
        $lists = $website.Lists
        foreach ($list in $lists)
        {
            $list.RoleAssignments.Remove($user)
        }
    }
}
Now this isn't great code, there's lots of ways it may not work perfectly but it shouldn't break anything. One thing you should remember is to close the PowerShell session once you've run it as this will suffer from memory leaks (where it keeps eating up
RAM until you close the application).
Another thing, have you discovered PowerShell ISE yet? It's vital if you want to do semi complicated PowerShell.
Welcome to the wonderful world of SharePoint and PowerShell. If you want, let me know and I can point you to some nice gentle 'how to' resources.
And finally, this isn't the solution to your entire problem but it will do a decent chunk of it for you and could serve as a starting point to doing the entire lot...
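A fuller version of the loop the reply sketches, written here as an added example (it is not code from the thread or from Microsoft). It takes the login name and the Web Application URL as parameters, walks every site collection, web, list and SharePoint group, removes only direct assignments on objects that actually have unique permissions (calling Remove on an inheriting list would break its inheritance), disposes the SPSite/SPWeb objects to avoid the memory leak the reply mentions, and supports a report-only run. The snap-in name and the final SiteUsers.Remove step are standard SharePoint 2010 API; the parameter values are placeholders.

```powershell
# Added example: remove one account from an entire SharePoint 2010 web application.
# Assumes the Microsoft.SharePoint.PowerShell snap-in and a farm-admin session.
param(
    [Parameter(Mandatory = $true)] [string] $LoginName,   # e.g. "DOMAIN\leaver" (placeholder)
    [Parameter(Mandatory = $true)] [string] $WebAppUrl,   # e.g. "http://intranet" (placeholder)
    [switch] $WhatIf                                       # report only, change nothing
)
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Remove a direct role assignment from one web or list, but only when that object
# has its own permissions: touching the assignments of an inheriting object would
# break its inheritance instead of cleaning it up.
function Remove-DirectAssignment($securable, $user, $where) {
    if (-not $securable.HasUniqueRoleAssignments) { return }
    $direct = $securable.RoleAssignments | Where-Object { $_.Member.ID -eq $user.ID }
    if ($direct -eq $null) { return }
    Write-Host "Direct permission on $where"
    if (-not $WhatIf) { $securable.RoleAssignments.Remove($user) }
}

$webApp = Get-SPWebApplication -Identity $WebAppUrl
foreach ($site in $webApp.Sites) {
    try {
        # SiteUsers is site-collection wide, so one lookup tells us whether this
        # site collection knows the account at all
        $user = $site.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $LoginName }
        if ($user -eq $null) { continue }

        foreach ($web in $site.AllWebs) {
            try {
                Remove-DirectAssignment $web $user $web.Url
                foreach ($list in $web.Lists) {
                    Remove-DirectAssignment $list $user "$($web.Url)/$($list.Title)"
                }
            }
            finally { $web.Dispose() }   # undisposed SPWeb objects are the memory leak the reply mentions
        }

        # SharePoint group memberships (Owners, Members, Visitors, custom groups)
        foreach ($group in $site.RootWeb.SiteGroups) {
            if ($group.Users | Where-Object { $_.ID -eq $user.ID }) {
                Write-Host "Group membership: $($group.Name) in $($site.Url)"
                if (-not $WhatIf) { $group.RemoveUser($user) }
            }
        }

        # Finally drop the account from the site collection's user list, which is what
        # "Delete users from site collection" does in the UI and also clears item-level
        # assignments the loops above do not visit
        if (-not $WhatIf) { $site.RootWeb.SiteUsers.Remove($LoginName) }
        Write-Host "Cleaned $($site.Url)"
    }
    finally { $site.Dispose() }
}
```

Run it once with `-WhatIf` to get a list of every place the account still appears, then without it. The report-only pass is also a handy audit of where direct (non-group) permissions have crept in.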
Similar Messages
-
How to Use PowerShell to Delete FIM Users That Have a Null attribute name
Wiki Page: How to Use PowerShell to Delete FIM Users That Have a Null <attribute name>
Mike Crowley | MVP
My Blog -- Planet Technologies
Have you run side-by-side metrics on this?
I've run the Delete Object method and your script against similar data sets and yours appears to take a fair bit longer. I'd have to re-run in identical circumstances, a few times, to really say for sure, but my initial impression is that it will take hours
longer.
I guess the point is somewhat moot anyway, as for me the bit that generally takes longest is the actual query, rather than the deletions.
Boy how I wish I could just enter something into the FIM Portal directly that would blast out a bunch of users matching a query. One day...
FIMSpecialist.com | MCTS: FIM 2010 | Now Offering
ECMA1->ECMA2 Upgrade Services -
Using Powershell to delete all users from the Portal
Summary
This script will delete all users from the Portal except for Administrator and the Built-In Sync account.
Based on Markus's "Delete a User" script.
Useful when developing your system if you want to quickly clear out the data and start again.
Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant

function DeleteObject
{
    PARAM($objectType, $objectId)
    END
    {
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = $objectType
        $importObject.TargetObjectIdentifier = $objectId
        $importObject.SourceObjectIdentifier = $objectId
        $importObject.State = 2   # 2 = Delete
        $importObject | Import-FIMConfig -Uri $URI
    }
}

if(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"}).Count -eq 0) {Add-PSSnapin FIMAutomation}
$allobjects = Export-FIMConfig -Uri $URI `
    -OnlyBaseResources `
    -CustomConfig "/Person"
$allobjects | ForEach-Object {
    $displayName = $_.ResourceManagementObject.ResourceManagementAttributes | `
        Where-Object {$_.AttributeName -eq "DisplayName"}
    if([string]::Compare($displayName.Value, "Administrator", $True) -eq 0)
        {Write-Host "Administrator NOT deleted"}
    elseif([string]::Compare($displayName.Value, "Built-in Synchronization Account", $True) -eq 0)
        {Write-Host "Built-in Synchronization Account NOT deleted"}
    else {
        # ObjectIdentifier is "urn:uuid:<guid>"; keep only the GUID
        $objectId = (($_.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
        DeleteObject -objectType "Person" `
            -objectId $objectId
        Write-Host "`nObject deleted`n" $displayName.Value }
}
http://www.wapshere.com/missmiis
The DeleteObject function opens and closes a connection for each object. This approach is faster:
http://social.technet.microsoft.com/wiki/contents/articles/23570.how-to-use-powershell-to-delete-fim-users-that-have-a-null-attribute-name.aspx
Mike Crowley | MVP
My Blog --
Planet Technologies -
I am having a little problem here with setting NTFS permissions via PowerShell.
Basically I am able to make a new directory on the share and assign a user NTFS permissions; however, it just assigns the selected user without any permissions set.
$username = "test.user"
$directory = "\\testlab-sv01\Share\newfolder"
New-Item -Path $directory -ItemType Directory
$colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("$username")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL $directory
$objACL.AddAccessRule($objACE)
Set-ACL $directory $objACL
A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it.
Thanks.
Kyle
When you say there are no permissions, do you mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
Try changing the inheritance and propagation flags to this:
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
the ACL Editor.
Awesome. Thanks. That did work.
And yes I did mean that it was showing special permissions with nothing checked.
Kyle -
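The corrected flag combination from the reply, wrapped in a function that validates the account before writing the ACL and then reads the ACL back so the result can be checked without the GUI. This is an added example, not code from the thread; the share path and account name are placeholders.

```powershell
# Added example: grant Full Control on a folder so the ACL editor shows a normal
# (non-"special") entry, and read the explicit ACEs back for verification.
function Grant-FolderFullControl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Account   # e.g. "DOMAIN\test.user" (placeholder)
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
    }
    $rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
    # "This folder, subfolders and files": both inheritance flags set, no InheritOnly
    $inheritance = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    $principal = New-Object System.Security.Principal.NTAccount($Account)
    # Fail early if the account does not resolve; otherwise the ACE would be written with an orphaned SID
    $null = $principal.Translate([System.Security.Principal.SecurityIdentifier])

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $rights, $inheritance, $propagation, $allow)
    $acl  = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Show every explicit (non-inherited) entry so the flags can be confirmed
function Get-ExplicitFolderAces {
    param([Parameter(Mandatory = $true)] [string] $Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags
}

Grant-FolderFullControl -Path "\\testlab-sv01\Share\newfolder" -Account "DOMAIN\test.user"
Get-ExplicitFolderAces -Path "\\testlab-sv01\Share\newfolder"
```

An entry that reads `InheritanceFlags: ContainerInherit, ObjectInherit` and `PropagationFlags: None` in the read-back is the one the ACL editor maps to the ordinary Full Control checkbox; an `InheritOnly` entry applies to children only and shows up as "Special".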
How to use Powershell to update user details in Active Directory?
Hi,
I received an updated contact list from HR of about 1500 names, and I want to update (make corrections and add missing data) ADUC quickly without having to do each user manually. How would I go about that using power-shell?
The fields that need updating are:
Under the General tab -> Description, Telephone number
Everything under the Address tab
Under the Telephone tab - > Mobile
Under the Organization tab -> Job Title, Department, Company, Manager
The server we're using is Windows Server 2008 R2.
Many thanks,
Nick
There are hundreds of such scripts online.
Here are a few tips and code samples; you will find more.
https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
Please mark this as answer if it helps -
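An added example (not from the thread or the linked articles) of the CSV-driven update the question asks for, covering the fields listed there: Description and Telephone (General tab), the Address tab, Mobile (Telephone tab) and Title, Department, Company and Manager (Organization tab). It uses the ActiveDirectory module that ships with RSAT on 2008 R2. The CSV layout, the column names and the `ManagerSam` column are assumptions; the CSV content below is constructed sample data written to a temp file so the script runs end to end.

```powershell
# Added example: bulk-update AD user attributes from an HR CSV with Set-ADUser.
Import-Module ActiveDirectory

# Constructed sample CSV (not real HR data) so the script runs end to end
$csvPath = Join-Path $env:TEMP "hr-contacts.csv"
@"
SamAccountName,Description,OfficePhone,StreetAddress,City,State,PostalCode,Country,MobilePhone,Title,Department,Company,ManagerSam
jdoe,Accounts Payable,+1 555 0100,1 Main St,Springfield,IL,62701,US,+1 555 0199,Accountant,Finance,Contoso,msmith
"@ | Set-Content -Path $csvPath

function Test-HasValue($v) { return ($v -ne $null) -and ("$v".Trim() -ne "") }

function Update-UserFromHrRow {
    param([Parameter(Mandatory = $true)] $Row, [switch] $WhatIf)
    try   { $user = Get-ADUser -Identity $Row.SamAccountName }
    catch { Write-Warning "No AD user '$($Row.SamAccountName)'; row skipped"; return }

    # Send only the attributes that carry a value, so a blank CSV cell never wipes existing data.
    # Country must be the two-letter ISO code (the AD "c" attribute).
    $attrs = @{}
    foreach ($name in 'Description','OfficePhone','StreetAddress','City','State','PostalCode','Country','MobilePhone','Title','Department','Company') {
        if (Test-HasValue $Row.$name) { $attrs[$name] = $Row.$name }
    }
    # Manager is a DN-valued attribute: resolve the manager's account instead of writing text
    if (Test-HasValue $Row.ManagerSam) {
        try   { $attrs['Manager'] = (Get-ADUser -Identity $Row.ManagerSam).DistinguishedName }
        catch { Write-Warning "Manager '$($Row.ManagerSam)' not found for $($Row.SamAccountName); Manager left unchanged" }
    }
    if ($attrs.Count -gt 0) { Set-ADUser -Identity $user @attrs -WhatIf:$WhatIf }
}

# Dry run first; remove -WhatIf once the reported changes look right
Import-Csv -Path $csvPath | ForEach-Object { Update-UserFromHrRow -Row $_ -WhatIf }
```

Splatting a hashtable of only the populated columns is what keeps a half-filled HR export from blanking attributes that are already correct in AD; the `-WhatIf` pass prints every `Set-ADUser` call that would be made.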
Using Powershell to Delete Excel Rows
Hi everyone. Again, I am having trouble working with Excel via Powershell. I am slowly learning my way around but cannot correctly utilize any information I may find that helps me get the correct results. So far I am working on a project
at work that is automating the testing of our build process. I am "borrowing" an excel sheet that I will save to my local machine to save as CSV. However, before saving to CSV I need to remove the empty rows. Unfortunately, the cells are
not really blank but still contain links to the server I pulled the workbook from.
I'm not sure what is easiest to do, but the "blanks" are within this range: A49:F320 and this is the range I'd like to delete. The code I am currently working with is:
$Excel = New-Object -ComObject Excel.Application
$Excel.Visible = $False
$Workbook = $Excel.Workbooks.Open($BuildXLS)
$Worksheet = $Workbook.Worksheets.Item(1)
$i = 1
$lastRow = $Worksheet.UsedRange.Rows.Count
while ($i -le $lastRow) {
    If ($Worksheet.Cells.Item($i, 1).Value2 -eq " ") {
        # Deleting a row shifts the rows below it up, so stay on the same $i
        $Range = $Worksheet.Cells.Item($i, 1).EntireRow
        $a = $Range.Delete()
        $lastRow -= 1
    }
    else {
        $i += 1
    }
}
Incidentally, mjolinor helped with an earlier issue parsing through the CSV. It was only after looking at the output that I discovered my real issue is working with the Excel.
$data = Import-Csv $csv | Where-Object {$_.juris -ne " "}
#format Juris-Version results
foreach ($line in $data)
{
    if ($line.juris -eq 'US') {$line.Version = $FedVerNum}
    else {$line.Version = $ContentVer}
    write-output $line.juris$line.version | Out-File -Append "C:\1_JurisVersion.txt"
}
The output from that help session looks like:
US
$FedVerNum
State
$ContentVer
State
$ContentVer
Is there a away I can get this to read as
US $FedVerNum
state $ContentVer
state $ContentVer
state $ContentVer
Many thanks for the help and expertise!
The Excel constants are "magic" numbers that can be found in Excel via the Object Browser in the Visual Basic Editor.
There are several that I use all the time, so I made a list of the ones I use most often:
Const ForReading = 1
Const xlAscending = 1
Const xlGuess = 0
Const xlTopToBottom = 1
Const xlSortNormal = 0
Const xlCount = -4112
Const xlArea = 1
Const xlBar = 2
Const xlColumn = 3
Const xlLine = 4
Const xlPie = 5
Const xlRadar = -4151
Const xlXYScatter = -4169
Const xlCombination = -4111
Const xl3DArea = -4098
Const xl3DBar = -4099
Const xl3DColumn = -4100
Const xl3DLine = -4101
Const xl3DPie = -4102
Const xl3DSurface = -4103
Const xlDoughnut = -4120
Const xlPasteValuesAndNumberFormats = 12
Const xlpasteFormats = -4122
Const xlpasteValues = -4163
Const xlValues = &HFFFFEFBD ' -4163
Const xlNone = &HFFFFEFD2 ' -4142
Const xlSelect = 3
Const xlCellTypeLastCell = 11
Or you can "Include" them like this:
[reflection.assembly]::loadWithPartialname("Microsoft.Office.Interop.Excel") |
Out-Null
$xlConstants = "microsoft.office.interop.excel.Constants" -as [type]
$ws.columns.item("F").HorizontalAlignment = $xlConstants::xlCenter
$ws.columns.item("K").HorizontalAlignment = $xlConstants::xlCenter
If you know what constants you need.
You can read about this here:
http://technet.microsoft.com/en-us/magazine/2009.01.heyscriptingguy.aspx -
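An added example (not from the thread) of the row clean-up the question describes: it tests the whole A49:F320 range for rows whose displayed text is empty (which also catches cells that hold a link or external reference rendering as nothing), deletes them from the bottom up so row numbers do not shift under the loop, saves the result as CSV and releases Excel even if something fails. `$BuildXLS` and the output path are placeholders; the `xlCSV` value is the Excel constant looked up the way the reply describes.

```powershell
# Added example: delete effectively-blank rows in A49:F320 bottom-up, then save as CSV.
$BuildXLS = "C:\build\build.xlsx"   # placeholder
$csvOut   = "C:\build\build.csv"    # placeholder
$xlCSV    = 6                       # XlFileFormat.xlCSV, from the Object Browser

# A row is "blank" when no cell in columns A..F shows any text, whether the cell
# holds nothing, a space, or a link/reference whose displayed value is empty
function Test-BlankRow($sheet, $row, $firstCol, $lastCol) {
    for ($c = $firstCol; $c -le $lastCol; $c++) {
        $text = [string] $sheet.Cells.Item($row, $c).Text
        if ($text.Trim() -ne "") { return $false }
    }
    return $true
}

$Excel = New-Object -ComObject Excel.Application
$Excel.Visible = $false
$Excel.DisplayAlerts = $false        # no "overwrite?" prompt on SaveAs
$Workbook = $null
try {
    $Workbook  = $Excel.Workbooks.Open($BuildXLS)
    $Worksheet = $Workbook.Worksheets.Item(1)

    $deleted = 0
    for ($r = 320; $r -ge 49; $r--) {        # bottom-up: deleting row r never moves rows above it
        if (Test-BlankRow $Worksheet $r 1 6) {
            [void] $Worksheet.Rows.Item($r).Delete()
            $deleted++
        }
    }
    Write-Host "Deleted $deleted blank rows"
    $Workbook.SaveAs($csvOut, $xlCSV)
}
finally {
    if ($Workbook) { $Workbook.Close($false) }
    $Excel.Quit()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($Excel)
}
```

Walking the range from the last row to the first is the key point: the original top-down loop has to compensate for every deletion, while a bottom-up loop can use a plain `for` counter.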
Using PowerShell to delete an ExpectedRuleEntry
Summary
The script code below deletes an ExpectedRuleEntry object from your environment.
To run this script, you need to configure a Management Policy Rule that grants you permission to perform this operation:
Management Policy Rule Configuration
Name: Administration: Administrators can delete Expected Rule Entries
Type: Request
Grants Permissions: True
Disabled: False
Requestors and Operators
Requestor: Administrators
Operation: Delete
Target Resources
Before Request: All expected rule resources
After Request: (Attribute)
Resources Attributes: All Attributes
Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant
If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"}).Count -eq 0) {Add-PSSnapin FIMAutomation}
# The ObjectID of the ExpectedRuleEntry must be passed as the script's first argument
if($args.Count -ne 1) {throw "Missing GUID parameter"}
$objectGUID = $args[0]
$exportObject = Export-FIMConfig -Uri $URI `
    -OnlyBaseResources `
    -CustomConfig "/ExpectedRuleEntry[ObjectID='$objectGUID']" `
    -ErrorVariable Err `
    -ErrorAction SilentlyContinue
If($Err){Throw $Err}
If($exportObject -eq $null) {throw "ERE not found"}
$ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$ImportObject.ObjectType = "ExpectedRuleEntry"
# ObjectIdentifier is "urn:uuid:<guid>"; keep only the GUID
$ImportObject.TargetObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
$ImportObject.SourceObjectIdentifier = (($exportObject.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
$ImportObject.State = 2   # 2 = Delete
$ImportObject | Import-FIMConfig -Uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
If($Err){Throw $Err}
Write-Host "`nCommand completed successfully`n"
trap
{
    Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
    Exit 1
}
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
I am getting error:
Missing GUID parameter
Is there any problem with script? Kindly help -
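An added example (not from the FIM ScriptBox or the thread) that combines two points raised above: the "delete all users" reply notes that calling Import-FIMConfig once per object is slow, and the ERE script fails with "Missing GUID parameter" whenever it is run without its `$args[0]` value. This version takes the ObjectIDs as a mandatory named parameter (PowerShell prompts for it instead of throwing), confirms in a single export that the objects exist, and sends the whole batch through one Import-FIMConfig pipeline. The object type and URI default to the ones the thread's scripts use; the `State = 2` delete convention is theirs as well.

```powershell
# Added example: batch-delete FIM objects with one export and one import call.
param(
    [Parameter(Mandatory = $true)] [guid[]] $ObjectId,    # ObjectIDs to delete (prompted for if omitted)
    [string] $ObjectType = "ExpectedRuleEntry",
    [string] $Uri = "http://localhost:5725/resourcemanagementservice",
    [switch] $WhatIf
)
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }

# One delete ImportObject per object; State 2 is Delete, as in the thread's scripts
function New-DeleteImportObject([string] $Type, [guid] $Id) {
    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType = $Type
    $obj.TargetObjectIdentifier = $Id.ToString()
    $obj.SourceObjectIdentifier = $Id.ToString()
    $obj.State = 2
    return $obj
}

# One export for the whole set, using an XPath "or" filter instead of one query per object
$filter  = ($ObjectId | ForEach-Object { "ObjectID='$_'" }) -join " or "
$found   = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/$ObjectType[$filter]" -ErrorAction Stop)
$foundId = $found | ForEach-Object { [guid] (($_.ResourceManagementObject.ObjectIdentifier -split ":")[2]) }

$batch = @()
foreach ($id in $ObjectId) {
    if ($foundId -notcontains $id) { Write-Warning "$ObjectType $id not found; skipped"; continue }
    $batch += New-DeleteImportObject -Type $ObjectType -Id $id
}
if ($batch.Count -eq 0) { Write-Host "Nothing to delete"; return }
if ($WhatIf) { $batch | Select-Object ObjectType, TargetObjectIdentifier; return }

# One pipeline, so one connection to the Resource Management Service for the whole batch
$batch | Import-FIMConfig -Uri $Uri -ErrorAction Stop
Write-Host "Deleted $($batch.Count) $ObjectType object(s)"
```

Usage: `.\Remove-FimObjects.ps1 -ObjectId <guid1>,<guid2> -WhatIf` lists what would go; dropping `-WhatIf` performs the deletion. Passing `-ObjectType Person` reuses the same batching for the "delete users" scenario, with the exclusion of protected accounts left to the caller.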
Using powershell to delete a View
Something happened to a View on our test server. Under Review Activities, the Activities Assigned to Me is broken. Don't know what I did. Probably stared at it too long and it broke. Never worked with a product so fragile. Anyway, when I right click the
View, the only option is Refresh. The View works, I just can't edit or delete it.
I just want to get rid of it. I have already replaced it with another View. Outside of the console commands, how do you remove a View from existence?
It's in a Management Pack called "Service Manager Activity Management Configuration Library". There are views that come OOTB that are in unsealed MPs. I think if you look this MP up in the console you will find that it's unsealed in your SCSM installation as well? Is it possible that someone exported this MP, made changes to it and reimported it? You can actually change a lot of console behaviour via the Management Packs.
A possible solution for you might be to reimport an original version of this management pack. Just export your current version first and keep as a backup, in case someone stored some important configuration in there (which they should not do btw). -
Hello,
I'm trying to reinstall a deleted user account. I followed the directions given through Macintosh Help, which work fine, up until the point where it says
"click on create user", and then "click on Use Existing Folder".
As soon as I click on Create User, there is no option anymore to click on Use Existing Folder, which means, I have created a new user that can't use the old Deleted User account.
I tried to exchange the new folders within the new user with those from the old deleted user, but it only gets very complicated and I don't succeed.
What to do? How can I reinstall a deleted user account, saved as a dmg in the Deleted User's folder?
Sorry, that didn't do the job.
I managed to open the new account with the same username and password, but this new user couldn't open the Deleted User's account. It says this new user isn't authorized to open it. So I'm not any further with this. -
How to add multiple users permissions to a calendar using powershell?
I have an organization that was recently setup in Exchange Online and they have unique circumstances in that every user in the organization needs "reviewer"
access to every other users calendars. I cannot change the default permission since new users added after this should not be able to see these calendars details. There are a few I will go back to run a Set command on to change an individual permission
here and there for specific needs, but the main need is below.
I have basic experience with powershell commands and have found how to manually add a single users permissions to a calendar using the command below:
Add-MailboxFolderPermission -Identity alias:\calendar -user alias -AccessRights reviewer
Since it's not realistic to run this command thousands of times changing the user aliases each time, I was hoping someone could help me build a command to run on a single mailbox's calendar that would add every current user in the organization with certain
permissions such as "reviewer" or "availabilityonly".
Thanks for the help!
Hi,
A possible solution is to do this via Security Groups.
Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Owner
This way, you simply add users that require access to the CalendarOwnerAccessGroup
You still have to run this on every mailbox that should have this feature, but that could be solved using powershell piping.
http://technet.microsoft.com/en-us/library/ee176927.aspx
/Anders Eide -
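The "piping" the reply alludes to, as an added example that is not the reply's or Microsoft's code: it grants one security group the requested access on every existing user mailbox's calendar from an Exchange Online remote PowerShell session. Two details a one-liner misses are handled: the calendar folder name is localized per mailbox, so it is looked up by folder type rather than hard-coded as `:\Calendar`, and an existing entry for the group is updated with Set-MailboxFolderPermission instead of producing an "already exists" error from Add-MailboxFolderPermission. The group name is a placeholder.

```powershell
# Added example: set one group's access level on every user mailbox's calendar folder.
param(
    [string] $Group = "CalendarReviewers",   # mail-enabled security group (placeholder name)
    [string] $AccessRights = "Reviewer",     # or AvailabilityOnly, LimitedDetails, ...
    [switch] $WhatIf
)

function Set-CalendarAccessForGroup {
    param($Mailbox, [string] $Group, [string] $AccessRights, [switch] $WhatIf)
    # The calendar folder name is localized ("Calendar", "Kalender", ...): find it by type
    $calendar = Get-MailboxFolderStatistics -Identity $Mailbox.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    $folder = "$($Mailbox.PrimarySmtpAddress):\$($calendar.Name)"

    $existing = Get-MailboxFolderPermission -Identity $folder -User $Group -ErrorAction SilentlyContinue
    if ($WhatIf) {
        $verb = if ($existing) { "update" } else { "add" }
        Write-Host "What if: $verb $Group=$AccessRights on $folder"
        return
    }
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $Group -AccessRights $AccessRights | Out-Null
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $Group -AccessRights $AccessRights | Out-Null
    }
}

# Every current user mailbox gets the group entry. Anyone hired later sees these
# calendars only if someone adds them to the group, which is what keeps the
# Default permission untouched.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Set-CalendarAccessForGroup -Mailbox $_ -Group $Group -AccessRights $AccessRights -WhatIf:$WhatIf }
```

Granting the group rather than each individual user means the "thousands of commands" become one entry per mailbox, and the individual exceptions the question mentions can still be layered on top with a separate Add-MailboxFolderPermission for that one person.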
Set user inherit permissions check box using powershell
Hi All,
How can I set the the "include inherit permissions from this objects parent" propertiy in Active Directory user object to a list of users using powershell.
This option is not checked for some of my users and I'll like to set it using a powershell script.
Thanks
Simon
MCSA, MCSE, MCITP:SA, MCITP:EA, MCITP:Enterprise Messaging Administrator 2010, CCNA
Download Quest Active Directory:
Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
or
Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
or
$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.ObjectSecurity
$isProtected = $false # allows inheritance
$preserveInheritance = $true # preserve inherited rules
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.CommitChanges()
I had this issue and using both of Kazun's methods worked. A mod should mark this as the answer.
Paul Frankovich -
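The same fix for a whole list of users without the Quest cmdlets, as an added example (not from the thread): it uses the ActiveDirectory module's `AD:` drive with Get-Acl/Set-Acl, reports every user whose ACL is protected, and re-enables inheritance on them. One caveat that matters in practice: accounts with `adminCount=1` (members of protected groups such as Domain Admins) have inheritance removed by the AdminSDHolder process (SDProp), which would undo the change within the hour, so those are reported and skipped. The OU is a placeholder.

```powershell
# Added example: find user objects whose ACL blocks inheritance and re-enable it.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUsers {
    param([Parameter(Mandatory = $true)] [string] $SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        if ($acl.AreAccessRulesProtected) {
            New-Object PSObject -Property @{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                AdminCount        = $_.adminCount
            }
        }
    }
}

function Enable-UserAclInheritance {
    param([Parameter(Mandatory = $true)] [string] $DistinguishedName, [switch] $WhatIf)
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    # isProtected=$false turns inheritance back on; the second argument only matters
    # when protection is being turned on, so $true here is harmless
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf:$WhatIf
}

$blocked = Get-InheritanceBlockedUsers -SearchBase "OU=Staff,DC=contoso,DC=com"   # placeholder OU
foreach ($u in $blocked) {
    if ($u.AdminCount -eq 1) {
        Write-Warning "$($u.SamAccountName) has adminCount=1 (managed by SDProp); skipped"
        continue
    }
    Enable-UserAclInheritance -DistinguishedName $u.DistinguishedName -WhatIf
}
```

Run the report first; a user with `adminCount=1` who is no longer in any protected group is a separate clean-up (clear the attribute, then re-enable inheritance), not something to loop over blindly.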
How can I capture delete user event in Active Directory 2008 using Powershell command
Hi,
In my Active Directory every user have own home drive in the file server. When I delete user I also need to delete folder from the server.
My target is make the process automated, so that when I delete user account form AD, the folder associate with user also delete.
Can I write any power shell script to grep the delete event and remove folder from file server.
Thanks
Tamim Khan
You can set up Event Viewer to provide alerts (email alerts) for event ID 630.
Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
Follow the wizard.
** Event ID Sample **
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7
- Chris Ream -
**Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.** -
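An added example (not from the thread) of the script that the "Attach Task To This Event" wizard could run: it reads the account-deleted events from a domain controller's Security log, extracts the deleted SamAccountName, and moves the matching home folder to an archive location. On Windows Server 2008 and later the event is 4726 ("A user account was deleted") in the new log format; 630 is the pre-2008 ID the reply mentions. The DC name, share paths and the assumption that home folders are named after the SamAccountName are placeholders for this example.

```powershell
# Added example: archive the home folder of each account deleted from AD (event 4726).
param(
    [string] $DomainController = "dc01.contoso.com",   # placeholder
    [string] $HomeRoot    = "\\fs01\home$",            # placeholder
    [string] $ArchiveRoot = "\\fs01\home-archive$",    # placeholder
    [int]    $LookBackHours = 1,
    [switch] $WhatIf
)

# Return the SamAccountNames from 4726 events newer than the look-back window;
# the name is the TargetUserName field of the event's EventData
function Get-DeletedAccountNames {
    param([string] $Computer, [int] $Hours)
    $filter = @{ LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml] $_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    }
}

# Move (rather than delete) the folder, and only a direct child of the home root whose
# name is exactly the account name: an unexpected event value must never be able to
# point this at the root itself or at some other path
function Move-HomeFolderToArchive {
    param([string] $Root, [string] $Archive, [string] $Account, [switch] $WhatIf)
    if ($Account -notmatch '^[A-Za-z0-9._-]+$') { Write-Warning "Refusing unexpected account name '$Account'"; return }
    $source = Join-Path $Root $Account
    if (-not (Test-Path -Path $source -PathType Container)) { Write-Host "No home folder for $Account"; return }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $Archive "$Account-$stamp"
    Move-Item -Path $source -Destination $target -WhatIf:$WhatIf
    Write-Host "Archived $source -> $target"
}

Get-DeletedAccountNames -Computer $DomainController -Hours $LookBackHours |
    Sort-Object -Unique |
    ForEach-Object { Move-HomeFolderToArchive -Root $HomeRoot -Archive $ArchiveRoot -Account $_ -WhatIf:$WhatIf }
```

Archiving instead of deleting keeps the data recoverable if an account was removed by mistake; a retention job can purge the archive later. The name whitelist and the "direct child of the root" rule are what make it safe to drive file-system changes from log data.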
How to use Powershell to set delegate for user mailbox in Exchange 2010 and Office 365
Hello,
Can you please tell me if I can set delegate for user mailbox in Exchange 2010 or Office 365 using Powershell?
If I can, then how can I do that? (which Powershell commands for setting the delegate?)
Many thanks, and have a good day!
Hi,
If you want to add a delegate to a possibly large number of users, or you do this during mailbox provisioning, the following script will use impersonation to access another user's mailbox and add a delegate.
$mbtoDelegate = "[email protected]"
$delegatetoAdd = "[email protected]"
$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.0\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($dllpath)
$service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sidbind = "LDAP://<SID=" + $windowsIdentity.user.Value.ToString() + ">"
$aceuser = [ADSI]$sidbind
$service.AutodiscoverUrl($aceuser.mail.ToString())
$service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress,
$mbtoDelegate);
$mbMailbox = new-object Microsoft.Exchange.WebServices.Data.Mailbox($mbtoDelegate)
$dgUser = new-object Microsoft.Exchange.WebServices.Data.DelegateUser($delegatetoAdd)
$dgUser.ViewPrivateItems = $false
$dgUser.ReceiveCopiesOfMeetingMessages = $false
$dgUser.Permissions.CalendarFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Editor
$dgUser.Permissions.InboxFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Reviewer
$dgArray = new-object Microsoft.Exchange.WebServices.Data.DelegateUser[] 1
$dgArray[0] = $dgUser
$service.AddDelegates($mbMailbox, [Microsoft.Exchange.WebServices.Data.MeetingRequestsDeliveryScope]::DelegatesAndMe, $dgArray);
Hope this helps. -
[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects
As we all know, the ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
System.DirectoryServices.ActiveDirectoryRights class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
System.Security.AccessControl.AccessControlType class:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or the Active Directory module cmdlets together with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use extended rights and GUID settings for more complex permission settings.
Method 1: Using ADSI
1. Get current permissions of an organization unit (OU)
We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
$Name = "OU=xxx,DC=com"
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
# Explicit and inherited rules, with identities returned as SIDs
$aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$output=@()
foreach($acl in $aclList)
{
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
    $info = @{
        'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
        'InheritanceType' = $acl.InheritanceType;
        'ObjectType' = $acl.ObjectType;
        'InheritedObjectType' = $acl.InheritedObjectType;
        'ObjectFlags' = $acl.ObjectFlags;
        'AccessControlType' = $acl.AccessControlType;
        'IdentityReference' = $acl.IdentityReference;
        'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
        'IsInherited' = $acl.IsInherited;
        'InheritanceFlags' = $acl.InheritanceFlags;
        'PropagationFlags' = $acl.PropagationFlags;
    }
    $obj = New-Object -TypeName PSObject -Property $info
    $output+=$obj
}
$output
In the figure below, you can see the results of running the script above:
Figure 1.
2. Assign a computer object with Full Control permission on an OU
We can use the script below to delegate Full Control permission to the computer objects within an OU:
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
$computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.commitchanges()
After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to get and assign Full Control permission to a computer object on an OU:
$acl = get-acl "ad:OU=xxx,DC=com"
$acl.access #to get access right of the OU
$computer = get-adcomputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
Method 3: Using GUID setting
The scripts above can only help us complete simple tasks; however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve that.
Object-specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field in an object-specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class.
We choose to use this constructor overload: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to assign the group object the permission to change user passwords on all user objects within an OU.
$acl = Get-Acl "ad:OU=xxx,DC=com"
$group = Get-ADGroup xxx
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
# The following object-specific ACE grants the group permission to change user passwords on all user objects under the OU
$objectguid = New-Object Guid "00299570-246d-11d0-a768-00aa006e0529" # rightsGuid for the extended right User-Force-Change-Password ("Reset Password")
$inheritedobjectguid = New-Object Guid "bf967aba-0de6-11d0-a285-00aa003049e2" # schemaIDGuid for the user class
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectguid,$inheritanceType,$inheritedobjectguid
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "ad:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2.
In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed below:
$guidChangePassword = new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
$guidLockoutTime = new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
$guidPwdLastSet = new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
$guidComputerObject = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidUserObject = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$guidLinkGroupPolicy = new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
$guidGroupPolicyOptions = new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
$guidResetPassword = new-object Guid 00299570-246d-11d0-a768-00aa006e0529
$guidGroupObject = new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
$guidContactObject = new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
$guidOUObject = new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
$guidPrinterObject = new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
$guidWriteMembers = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$guidNull = new-object Guid 00000000-0000-0000-0000-000000000000
$guidPublicInformation = new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
$guidGeneralInformation = new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
$guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
$guidGroupMembership = new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
More information:
Add Object Specific ACEs using Active Directory Powershell
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
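Method 3 is easy to get wrong silently, because an ACE built with the wrong GUID is still accepted. The added example below (not part of the FAQ) is the review side of it: it reads an OU's DACL with Get-Acl on the `AD:` drive and resolves the ObjectType and InheritedObjectType GUIDs to their names by building one lookup table from the schema (`schemaIDGUID`) and the Extended-Rights container (`rightsGuid`), so a delegation such as the Reset Password grant above shows as "User-Force-Change-Password on user" instead of two GUIDs. It also shows how to remove such an ACE with RemoveAccessRule. The OU and group names are placeholders; the two GUIDs in the final call are the ones the FAQ uses.

```powershell
# Added example: audit and remove object-specific ACEs on an OU with GUIDs resolved to names.
Import-Module ActiveDirectory

# One GUID -> name table from schema classes/attributes (schemaIDGUID) and
# extended rights / property sets (rightsGuid under CN=Extended-Rights)
function Get-AdGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid] $_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid] $_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Get-OuAceReport {
    param([Parameter(Mandatory = $true)] [string] $OuDn, [hashtable] $GuidMap = (Get-AdGuidNameMap))
    $empty = [guid]::Empty.ToString()
    (Get-Acl -Path ("AD:\" + $OuDn)).Access | ForEach-Object {
        $objType = $_.ObjectType.ToString()
        $inhType = $_.InheritedObjectType.ToString()
        # An empty GUID means "all properties/rights" or "all object classes"
        $objName = 'All'; if ($objType -ne $empty) { $objName = $GuidMap[$objType] }
        $inhName = 'All'; if ($inhType -ne $empty) { $inhName = $GuidMap[$inhType] }
        New-Object PSObject -Property @{
            Identity   = $_.IdentityReference.Value
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            Inherited  = $_.IsInherited
            ObjectType = $objName
            AppliesTo  = $inhName
        }
    }
}

# Remove one object-specific ACE; the rule must match the stored one field for field
function Remove-OuAce {
    param([string] $OuDn, [string] $GroupName, [guid] $RightGuid, [guid] $ClassGuid, [switch] $WhatIf)
    $path = "AD:\" + $OuDn
    $acl  = Get-Acl -Path $path
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $RightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $ClassGuid)
    if ($acl.RemoveAccessRule($ace)) { Set-Acl -Path $path -AclObject $acl -WhatIf:$WhatIf }
    else { Write-Warning "No matching ACE found on $OuDn" }
}

$ou = "OU=Staff,DC=contoso,DC=com"   # placeholder
# Who holds explicit extended rights here, and on which object class?
Get-OuAceReport -OuDn $ou | Where-Object { $_.Rights -match 'ExtendedRight' -and -not $_.Inherited } |
    Format-Table Identity, ObjectType, AppliesTo, Type -AutoSize
# Undo the Reset Password delegation from the FAQ's Method 3 for a (placeholder) group
Remove-OuAce -OuDn $ou -GroupName "HelpdeskResetPwd" -RightGuid "00299570-246d-11d0-a768-00aa006e0529" -ClassGuid "bf967aba-0de6-11d0-a285-00aa003049e2" -WhatIf
```

Building the GUID table takes a few seconds on first use, which is why the report function accepts it as a parameter so it can be built once and reused across many OUs. A periodic run of the report against the OUs that hold user accounts is a cheap way to catch delegations that were never meant to be permanent.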
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.
The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
If you've got time, check out this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
Sample version 3.0:
# This is going to be kind of slow, and it will take a few seconds the first time
# you run it because it has to build the list of GUID <--> Property/Class/etc objects
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
# Same as the previous command, except limit it to access granted to GroupX
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
Get-ADGroup GroupY |
Get-AccessControlEntry
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
# You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
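The two things the reply above deals with, building the six-argument ActiveDirectoryAccessRule from the schema GUIDs listed earlier and then filtering an ACL for entries that can change a group's membership (what the Where-Object examples do with the module's output), can also be done with nothing but the ActiveDirectory module and Get-Acl/Set-Acl. The following is an added example, not code from the thread or from the PowerShellAccessControl module; it assumes the AD: drive is available, reuses the thread's GroupX/GroupY names, and the function names are invented here:

```powershell
# Added example (not from the thread or the module): build the six-argument ACE and
# audit a group's ACL for entries that allow changing its membership.
Import-Module ActiveDirectory

# Schema GUIDs taken from the list above
$guidWriteMembers    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute
$guidGroupMembership = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'   # Membership property set (contains member)
$guidGroupObject     = [guid]'BF967A9C-0DE6-11D0-A285-00AA003049E2'   # group object class

function New-MemberWriteRule {
    # Returns an ACE granting WriteProperty on "member" to the named group.
    # With the default inheritance of None the rule applies to the object only; the
    # sixth argument is then stored as an empty GUID, as the reply above describes.
    param(
        [Parameter(Mandatory)][string]$PrincipalName,   # e.g. 'GroupX' (name from the thread)
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $PrincipalName).SID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guidWriteMembers,
        $Inheritance,
        $guidGroupObject)
}

function Get-GroupMembershipWriters {
    # Lists Allow ACEs on the group that carry the WriteProperty bit (GenericWrite and
    # GenericAll include it) and are scoped to all properties, to "member", or to the
    # Membership property set, and that apply to group objects or to every object type.
    param([Parameter(Mandatory)][string]$GroupName)
    $dn  = (Get-ADGroup $GroupName).DistinguishedName
    $acl = Get-Acl -Path ("AD:\" + $dn)
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        $_.ObjectType -in @([guid]::Empty, $guidWriteMembers, $guidGroupMembership) -and
        $_.InheritedObjectType -in @([guid]::Empty, $guidGroupObject)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}

# Usage for the thread's scenario (GroupX may change the membership of GroupY):
# $target = "AD:\" + (Get-ADGroup GroupY).DistinguishedName
# $acl = Get-Acl -Path $target
# $acl.AddAccessRule((New-MemberWriteRule -PrincipalName 'GroupX'))
# Set-Acl -Path $target -AclObject $acl
# Get-GroupMembershipWriters -GroupName 'GroupY' | Format-Table -AutoSize
```

The audit function deliberately includes ACEs with an empty ObjectType (all properties) and ACEs on the Membership property set, since either one grants write access to "member" just as an ACE on the attribute itself does; a filter that only matches the member GUID would miss them.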
-
How to create sharepoint Group with read only permissions using powershell for entire site ?
How to create sharepoint Group with read only permissions using powershell for entire site (including subsites and top level site)
Hi
using (SPSite site = new SPSite(url))
using (SPWeb web = site.OpenWeb())
{
    SPUserCollection users = web.AllUsers;
    // Login names are "DOMAIN\user", so the separator must be part of the format string
    SPUser owner = users[string.Format("{0}\\{1}", "Domain", "Owner Username")];
    SPUser member = users[string.Format("{0}\\{1}", "Domain", "Default Member Username")];
    SPGroupCollection groups = web.SiteGroups;
    string GroupName = "Super Exclusive"; // your group name
    string GroupDescription = "Super exclusive group description.";
    groups.Add(GroupName, owner, member, GroupDescription);
    SPGroup NewSPGroup = groups[GroupName];
    SPRoleDefinition role = web.RoleDefinitions["Read"];
    SPRoleAssignment roleAssignment = new SPRoleAssignment(NewSPGroup);
    roleAssignment.RoleDefinitionBindings.Add(role);
    web.RoleAssignments.Add(roleAssignment);
    web.Update();
}
Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.
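The question asked for PowerShell and for coverage of the whole site including subsites, which the C# answer above does not address: a role assignment added to the root web reaches only the subsites that inherit permissions, while subsites with unique permissions need their own entry. The following is an added example, not code from the thread; it assumes the SharePoint 2010 Management Shell snap-in, the site URL http://MySharePointSite from the opening post, and the function name is invented here:

```powershell
# Added example (not from the thread): create a site group and grant it Read on every
# web in the site collection that has unique permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Grant-SiteReadOnlyGroup {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,      # site collection URL
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OwnerLogin,   # DOMAIN\user; becomes owner and default member
        [string]$Description = ''
    )
    $site = Get-SPSite -Identity $SiteUrl
    try {
        $root  = $site.RootWeb
        $owner = $root.EnsureUser($OwnerLogin)
        # Site groups are site-collection wide, so create the group once on the root web
        if (-not ($root.SiteGroups | Where-Object { $_.Name -eq $GroupName })) {
            $root.SiteGroups.Add($GroupName, $owner, $owner, $Description)
        }
        $touched = @()
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions get the assignment from their parent;
                # adding one directly would break inheritance. Only webs with unique
                # role assignments (the root web always has them) get an explicit entry.
                if (-not $web.HasUniqueRoleAssignments) { continue }
                $group = $web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
                # GetByType avoids depending on the localized display name "Read"
                $readRole = $web.RoleDefinitions.GetByType([Microsoft.SharePoint.SPRoleType]::Reader)
                $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
                $assignment.RoleDefinitionBindings.Add($readRole)
                $web.RoleAssignments.Add($assignment)
                $web.Update()
                $touched += $web.Url
            } finally {
                $web.Dispose()   # SPWeb objects from AllWebs must be disposed by the caller
            }
        }
        return $touched      # URLs of the webs that received an explicit Read assignment
    } finally {
        $site.Dispose()
    }
}

# Usage (site URL from the opening post, group and owner are placeholders):
# Grant-SiteReadOnlyGroup -SiteUrl 'http://MySharePointSite' -GroupName 'Site Readers' -OwnerLogin 'DOMAIN\owner'
```

The function returns the list of webs it touched, which is worth keeping as a record of where explicit permissions now exist. It stops at the web level: lists and libraries that have their own unique permissions, like the ones described in the opening post, would need the same HasUniqueRoleAssignments check and RoleAssignments.Add call on each list object.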