Add Object Specific ACEs using Active Directory Powershell

Active Directory Powershell implements two Powershell Provider cmdlets specifically for access control management in Active Directory: Get-ACL and Set-ACL. This blog series gives a few examples of how to use them. It is not intended as a detailed explanation of access control and delegation in Active Directory and assumes that readers already have basic knowledge of the subject. Additional information on Active Directory access control and delegation can be found in the Best Practices for Delegating Active Directory Administration and related topics in MSDN.

One of the unique aspects of access control management in Active Directory is the introduction of object specific ACEs, which allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field of an object specific ACE to the rightsGuid of the extended right or property set. The delegation can also be targeted at child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of that class. For more information on how to retrieve the rightsGuid or schemaIDGuid using Active Directory Powershell, please refer to Swami’s blog How to find extended rights that apply to a schema class. In the example below, we are going to create two object specific ACEs: one granting the group “myGroup” the extended right “Reset Password” on all user objects, and the other giving it permission to create computer objects, both under the organizationalUnit “myOU”.

## Load Active Directory Powershell Module

PS C:\> cd ad:

PS AD:\> 

## Create myOU

PS AD:\> $ou = new-adorganizationalunit -name myOU -passthru

## Create myGroup and obtain its SID 

PS AD:\> $group = new-adgroup myGroup -groupscope global -passthru

PS AD:\> $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID

## Get the DACL of myOU

PS AD:\> $acl = get-acl $ou

## The following object specific ACE is to grant myGroup permission to create computer objects under myOU.

## Note that bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid for the computer class.

PS AD:\> $objectguid = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2

PS AD:\> $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild","Allow",$objectguid

## The following object specific ACE is to grant myGroup permission to change user password on all user objects 

## under myOU. 00299570-246d-11d0-a768-00aa006e0529 is the rightsGuid for the extended right 

## User-Force-Change-Password (“Reset Password”). bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGuid 

## for the user class. 

PS AD:\> $objectguid = new-object Guid 00299570-246d-11d0-a768-00aa006e0529

PS AD:\> $inheritedobjectguid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2

## The AccessControlType ("Allow") is required between the rights and the ObjectType guid; without it the constructor call fails.

PS AD:\> $ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"ExtendedRight","Allow",$objectguid,"Descendents",$inheritedobjectguid

## Add the ACE in the ACL and set the ACL on the object 

PS AD:\> $acl.AddAccessRule($ace1)

PS AD:\> $acl.AddAccessRule($ace2)

PS AD:\> set-acl -aclobject $acl $ou
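The walkthrough above hard-codes the schemaIDGuid and rightsGuid values. The following script is an added example, not code from the original post: it looks those GUIDs up by name in the schema and Extended-Rights containers, builds the same two ACEs, applies them, and then reads the DACL back so the delegation can be reviewed. It assumes the Active Directory module is loaded and that myOU and myGroup already exist as created above; the function names Get-SchemaClassGuid, Get-ExtendedRightGuid and Get-DelegatedAces are this example's own.

```powershell
# Added example: resolve GUIDs by name, build the two object specific ACEs, apply and verify.
# Assumes the AD module is available and myOU / myGroup exist (see the walkthrough above).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

function Get-SchemaClassGuid {
    # Returns the schemaIDGUID of a schema class (e.g. "user", "computer") as a [Guid].
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $class = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    # schemaIDGUID is stored as a 16-byte octet string; [Guid] accepts the byte array
    return [Guid]$class.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # Returns the rightsGuid of a control access right (extended right or property set)
    # by its display name, e.g. "Reset Password", as a [Guid].
    param([Parameter(Mandatory)][string]$DisplayName)
    $rights = @(Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid)
    if ($rights.Count -ne 1) { throw "Expected exactly one right named '$DisplayName', found $($rights.Count)" }
    return [Guid]$rights[0].rightsGuid
}

function Get-DelegatedAces {
    # Reads the DACL back and returns only the ACEs that name the given SID, so what was
    # delegated to the group can be reviewed in one place after the change.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType, IsInherited
}

$ou    = Get-ADOrganizationalUnit -LDAPFilter "(name=myOU)"
$group = Get-ADGroup myGroup
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$ouPath = "AD:\$($ou.DistinguishedName)"

$computerClass = Get-SchemaClassGuid 'computer'        # bf967a86-0de6-11d0-a285-00aa003049e2
$userClass     = Get-SchemaClassGuid 'user'            # bf967aba-0de6-11d0-a285-00aa003049e2
$resetPassword = Get-ExtendedRightGuid 'Reset Password' # 00299570-246d-11d0-a768-00aa006e0529

# ACE 1: create computer objects directly in myOU (no inheritance, as in the post)
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'CreateChild', 'Allow', $computerClass

# ACE 2: Reset Password extended right on user objects anywhere below myOU
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'ExtendedRight', 'Allow', $resetPassword, 'Descendents', $userClass

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
Set-Acl -Path $ouPath -AclObject $acl

# Read the DACL back: exactly the two ACEs above should appear for myGroup,
# with ObjectType / InheritedObjectType matching the resolved GUIDs.
Get-DelegatedAces -Path $ouPath -Sid $sid | Format-Table -AutoSize
```

Resolving the GUIDs by display name keeps the script readable and avoids transposing a hex digit in a hard-coded value; the lookup functions throw if a name does not resolve to exactly one object, so a typo fails before any ACL is modified rather than silently granting the wrong right. The final read-back is also the same query you would run later when auditing what a group has been delegated on an OU.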

Thanks,

David

Comments

  • Anonymous
    December 24, 2009
    Awesome and very useful post! Is there some definitive list of all the object GUIDs one could use? Where are the ones you note here documented best? Thomas
  • Anonymous
    December 24, 2009
    Hi Thomas, in order to get a list of extended rights GUIDs that apply to a given schema class, read: http://blogs.msdn.com/adpowershell/archive/2009/09/22/how-to-find-extended-rights-that-apply-to-a-schema-class-object.aspx The same post also contains information on how to get the SchemaIDGuid of a given class object. HTH, Swami [MSFT]
  • Anonymous
    August 27, 2010
    I am looking for a script to delegate an OU to a specific group? I have found a script that will copy an OU's rights to another OU, that would be good but I want those rights assigned to a different group. Do you have or know of anything like that? Thanks, David
  • Anonymous
    September 17, 2010
    Good to know it can be done however the Quest add-QADPermission command makes this a lot easier... To see how to perform some of the common delegation of security tasks you can do in ADUC check out my blog post www.grouppolicy.biz/.../how-to-delegate-ad-permission-to-organisational-units-using-the-powershell-command-add-qadpermission Alan Burchill, Group Policy (MVP)
  • Anonymous
    February 21, 2012
    Does anybody know whether powershell 2.0 has made this easier? I know there is no "add-adpermission", to replace the Quest tools. I am trying to delegate the "Send-as" to a group, on a user for a resource account. I think this can be done on an exchange machine with the exchange powershell extensions, but I don't have that available to me.
  • Anonymous
    May 04, 2012
    Wayne, send-as is ab721a54-1e2f-11d0-9819-00aa0040529b
  • Anonymous
    May 04, 2012
    The extended rights guids are easy to find in ADSIedit as well. see: http://imgur.com/cfAfj