Playing with ACL on the Active Directory objects

Understanding ACLs and how to manipulate them is useful, for example, to delegate permissions on a specific AD object or to restrict access to it.

The following script shows how to set different kinds of permissions on an organizational unit in Active Directory.

#The AD: PSDrive used by Get-Acl/Set-Acl below is provided by the ActiveDirectory module
Import-Module ActiveDirectory

#Permission will be set in the following OU DistinguishedName
$OU_dn = "OU=Groups,DC=domain,DC=local"

#Group DistinguishedNames used for ACL permissions
$group_listcontents = "CN=Group1,OU=ACL,DC=domain,DC=local"
$group_readwrite = "CN=Group2,OU=ACL,DC=domain,DC=local"
$group_fullcontrol = "CN=Group3,OU=ACL,DC=domain,DC=local"
$group_unlockresetpw = "CN=Group4,OU=ACL,DC=domain,DC=local"

#Get OU ACL
$acl = Get-Acl -Path "AD:\$OU_dn"

#Get the Group SIDs (Get-ADGroup already returns a SecurityIdentifier object)
$s_group_listcontents = (Get-ADGroup -Server "domain.local" $group_listcontents).SID
$s_group_readwrite = (Get-ADGroup -Server "domain.local" $group_readwrite).SID
$s_group_fullcontrol = (Get-ADGroup -Server "domain.local" $group_fullcontrol).SID
$s_group_unlockresetpw = (Get-ADGroup -Server "domain.local" $group_unlockresetpw).SID

#Empty GUID as objectType/inheritedObjectType means "all properties" / "all object classes"
$allGuid = [GUID]"00000000-0000-0000-0000-000000000000"
#"Reset Password" extended right and the schema GUID of the user class (see the GUID lists below)
$resetPwdGuid = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$userClassGuid = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"

#Add ACL rule for the right "List contents/this object"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s_group_listcontents,"ListChildren","Allow"))

#Add ACL rule for the right "Read-write all properties/this object and all descendants"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s_group_readwrite,"ReadProperty, WriteProperty","Allow",$allGuid,"All"))

#Add ACL rule for the right "Full Control/this object and all descendants"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s_group_fullcontrol,"GenericAll","Allow",$allGuid,"All",$allGuid))

#Add ACL rule for the "Reset Password" extended right on all descendant user objects.
#A control access right such as Reset Password is granted with an ExtendedRight ACE whose
#objectType is the right's GUID; ReadProperty/WriteProperty on that GUID would not grant it.
#Note: unlocking an account additionally requires WriteProperty on the lockoutTime attribute (not granted here).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s_group_unlockresetpw,"ExtendedRight","Allow",$resetPwdGuid,"Descendents",$userClassGuid))

#Apply above ACL rules
Set-Acl -Path "AD:\$OU_dn" -AclObject $acl

You can go further with AD ACLs by using the following well-known GUIDs as objectType / inheritedObjectType values:

  • AD Schema GUIDs
    • Computer Object > bf967a86-0de6-11d0-a285-00aa003049e2
    • Group Object > bf967a9c-0de6-11d0-a285-00aa003049e2
    • OU Object > bf967aa5-0de6-11d0-a285-00aa003049e2
    • SPN Object > f3a64788-5306-11d1-a9c5-0000f80367c1
    • User Object > bf967aba-0de6-11d0-a285-00aa003049e2
    • Printer Object > bf967aa8-0de6-11d0-a285-00aa003049e2
    • GPO Container Object > f30e3bc2-9ff0-11d1-b603-0000f80367c1

    To get the full list of schema GUIDs (attributes and object classes), you can run this script:

    $rootdse = Get-ADRootDSE
    $guidmap = @{}
    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

    $guidmap.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
  • AD Property GUIDs
    • DomainLockOut > C7407360-20BF-11D0-A768-00AA006E0529
    • GeneralInformation > 59BA2F42-79A2-11D0-9020-00C04FC2D3CF
    • AccountRestrictions > 4C164200-20C0-11D0-A768-00AA006E0529
    • LogonInformation > 5F202010-79A5-11D0-9020-00C04FC2D4CF
    • GroupMembership > bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    • PhoneMail > E45795B2-9455-11D1-AEBD-0000F80367C1
    • PersonalInformation > 77B5B886-944A-11d1-AEBD-0000F80367C1
    • WebInformation > E45795B3-9455-11D1-AEBD-0000F80367C1
    • PublicInformation > e48d0154-bcf8-11d1-8702-00c04fb96050
    • RemoteAccess > 037088F8-0AE1-11D2-B422-00A0C968F939
    • OtherDomain > B8119FD0-04F6-4762-AB7A-4986C76B3F9A
    • DNSHostName > 72E39547-7B18-11D1-ADEF-00C04FD8D5CD
    • TSGateWayAccess > FFA6F046-CA4B-4FEB-B40D-04DFEE722543
    • PrivateInformation > 91E647DE-D96F-4B70-9557-D63FF4F3CCD8
    • TSLicenseServer > 5805BC62-BDC9-4428-A5E2-856A0F4C185E
    • ResetPassword > 00299570-246d-11d0-a768-00aa006e0529
    • ChangePassword > ab721a53-1e2f-11d0-9819-00aa0040529b
    • PwdLastSet > bf967a0a-0de6-11d0-a285-00aa003049e2
    • UserAccountControl > bf967a68-0de6-11d0-a285-00aa003049e2

One more script to get the extended right (control access right) GUIDs from the configuration partition:

$rootdse = Get-ADRootDSE
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

$extendedrightsmap.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
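The two lookup scripts above are most useful when read the other way round: taking an existing ACL and translating its raw GUIDs back into names. The following script, an added example that is not part of the original post, builds a reverse GUID map from the schema and configuration partitions and prints the explicit (non-inherited) ACEs on the OU in readable form. It assumes the ActiveDirectory module and a domain-joined session; the OU DistinguishedName is a constructed placeholder.

```powershell
# Added example: audit the explicit ACEs on an OU and resolve their GUIDs to names.
Import-Module ActiveDirectory

$OU_dn = "OU=Groups,DC=domain,DC=local"   # constructed placeholder, adjust to your OU

# Reverse lookup: GUID -> name, merging schema GUIDs and extended-right GUIDs
$rootdse = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootdse.SchemaNamingContext -LDAPFilter "(schemaidguid=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $g = [System.Guid]$_.schemaIDGUID; $guidNames[$g] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
    -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" `
    -Properties displayName, rightsGuid |
    ForEach-Object { $g = [System.Guid]$_.rightsGuid; $guidNames[$g] = $_.displayName }

function Resolve-AdGuid([System.Guid]$Guid) {
    # The empty GUID on an ACE means "all properties" / "all object classes"
    if ($Guid -eq [System.Guid]::Empty) { return "All" }
    if ($guidNames.ContainsKey($Guid)) { return $guidNames[$Guid] }
    return $Guid.ToString()   # unknown GUID: show it raw rather than hide it
}

$acl = Get-Acl -Path "AD:\$OU_dn"

# Explicit ACEs are the ones someone set directly on this OU (e.g. with the script above).
# Entries granting GenericAll, WriteDacl, WriteOwner or ExtendedRight deserve a close review.
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object @{n='Identity';    e={ $_.IdentityReference }},
                  @{n='Type';        e={ $_.AccessControlType }},
                  @{n='Rights';      e={ $_.ActiveDirectoryRights }},
                  @{n='ObjectType';  e={ Resolve-AdGuid $_.ObjectType }},
                  @{n='AppliesTo';   e={ Resolve-AdGuid $_.InheritedObjectType }},
                  @{n='Inheritance'; e={ $_.InheritanceType }} |
    Format-Table -AutoSize
```

Run it before and after the delegation script to confirm that exactly the intended ACEs were added and nothing broader.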

Have fun!
