Playing with ACL on the Active Directory objects

Understanding ACLs and how to work with them is useful, for example, to delegate permissions or restrict access on a specific AD object.

The following script will show you how to set different kinds of permissions on an organizational unit in Active Directory.

You can go further with AD ACLs by using the following default GUIDs:

  • AD Schema GUIDs
    • Computer Object > bf967a86-0de6-11d0-a285-00aa003049e2
    • Group Object > bf967a9c-0de6-11d0-a285-00aa003049e2
    • OU Object > bf967aa5-0de6-11d0-a285-00aa003049e2
    • SPN Object > f3a64788-5306-11d1-a9c5-0000f80367c1
    • User Object > bf967aba-0de6-11d0-a285-00aa003049e2
    • Printer Object > bf967aa8-0de6-11d0-a285-00aa003049e2
    • GPO Container Object > f30e3bc2-9ff0-11d1-b603-0000f80367c1

    To get the full list of the schema GUIDs, you can run this script.

  • AD Property GUIDs
    • DomainLockOut > C7407360-20BF-11D0-A768-00AA006E0529
    • GeneralInformation > 59BA2F42-79A2-11D0-9020-00C04FC2D3CF
    • AccountRestrictions > 4C164200-20C0-11D0-A768-00AA006E0529
    • LogonInformation > 5F202010-79A5-11D0-9020-00C04FC2D4CF
    • GroupMembership > bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    • PhoneMail > E45795B2-9455-11D1-AEBD-0000F80367C1
    • PersonalInformation > 77B5B886-944A-11d1-AEBD-0000F80367C1
    • WebInformation > E45795B3-9455-11D1-AEBD-0000F80367C1
    • PublicInformation > e48d0154-bcf8-11d1-8702-00c04fb96050
    • RemoteAccess > 037088F8-0AE1-11D2-B422-00A0C968F939
    • OtherDomain > B8119FD0-04F6-4762-AB7A-4986C76B3F9A
    • DNSHostName > 72E39547-7B18-11D1-ADEF-00C04FD8D5CD
    • TSGateWayAccess > FFA6F046-CA4B-4FEB-B40D-04DFEE722543
    • PrivateInformation > 91E647DE-D96F-4B70-9557-D63FF4F3CCD8
    • TSLicenseServer > 5805BC62-BDC9-4428-A5E2-856A0F4C185E
    • ResetPassword > 00299570-246d-11d0-a768-00aa006e0529
    • ChangePassword > ab721a53-1e2f-11d0-9819-00aa0040529b
    • PwdLastSet > bf967a0a-0de6-11d0-a285-00aa003049e2
    • UserAccountControl > bf967a68-0de6-11d0-a285-00aa003049e2
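
An added example (not the author's script) that uses GUIDs from the lists above to let a helpdesk group reset passwords on user objects under one OU, then reads the ACL back so the delegation can be reviewed. The OU distinguished name and the group name are placeholders, and it assumes the ActiveDirectory PowerShell module and rights to modify the OU's ACL.

```powershell
# Added example: scoped password-reset delegation on one OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$OuDn      = 'OU=Staff,DC=example,DC=com'   # placeholder OU, replace with your own
$GroupName = 'Helpdesk-PasswordReset'       # placeholder group, replace with your own

# GUIDs taken from the lists above
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # User Object
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # ResetPassword
$PwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # PwdLastSet

$sid     = (Get-ADGroup -Identity $GroupName).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents: the ACE applies to child objects, not to the OU itself
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: ResetPassword is an extended right, limited here to user objects
$aceReset = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $ResetPassword, $inherit, $UserClass)

# ACE 2: read/write pwdLastSet so "must change password at next logon" can be set
$acePwdLastSet = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $PwdLastSet, $inherit, $UserClass)

# Read the current ACL, append both entries, write it back
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review: list every ACE the group now holds on the OU. Anything beyond the
# two entries above (for example GenericAll) is a delegation worth questioning.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

Passing the User Object GUID as the inherited object type keeps the right from applying to computers, groups or nested OUs under the same container.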

One more script to get extended right GUIDs:

Have fun!
