Get the permissions of an Active Directory schema object - powershell

PS Version: PowerShell 7+
OS Version: Windows Server 2016
Objective: I would like to use PowerShell to get the permissions of an AD schema object without needing the Active Directory PsDrive / PsProvider.
The Active Directory PsProvider that comes with the AD module does not work with PowerShell 7+ on Windows Server 2016 in my testing. This MS documentation also touches on that. Because that PsProvider is needed to create/use an Active Directory PsDrive, you can't access AD objects like this: AD:\. That method is what I typically prefer. Below is an example of exactly what I need, except that I'm using Windows PowerShell and not PowerShell 7+.
This gets the configuration schema permissions:
(Get-Acl "AD:$((Get-ADRootDSE).schemaNamingContext)").Access
An example of the distinguished name for that object:
CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
With the limitations outlined, what other options within PowerShell 7+ can I use to access those permissions?
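One way to read the same DACL without the AD: drive, as an added example that is not part of the original question or answers: it goes through System.DirectoryServices (the [ADSI] type accelerator), which is plain .NET and needs neither the Active Directory PsProvider nor the ActiveDirectory module. It assumes a domain-joined Windows host and a caller allowed to read the schema container's nTSecurityDescriptor; the control-rights filter at the end is an added review step, not something the question asked for.

```powershell
# Added example; not from the original post. Reads the schema container's ACL via
# System.DirectoryServices instead of the AD: PSDrive.
# Assumes: domain-joined Windows host, caller can read the schema's security descriptor.

# Ask RootDSE where the schema lives rather than hard-coding the DN.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaDn = $rootDse.schemaNamingContext.Value   # e.g. CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com

$schema = [ADSI]"LDAP://$schemaDn"

# ObjectSecurity is an ActiveDirectorySecurity object, the same type Get-Acl returns
# for the AD: drive, so .Access has the same shape as in the question.
$acl = $schema.psbase.ObjectSecurity

# Equivalent of (Get-Acl "AD:$schemaDn").Access, resolved to DOMAIN\name form.
$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Review step (added): ACEs that grant control of the schema container itself.
# ActiveDirectoryRights is a flags enum, so test with -band rather than string matching.
$controlRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $controlRights) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The second listing is the part worth keeping in a scheduled check: by default only the schema's own administrative principals hold those rights, so any other identity appearing there is something to explain.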

• According to the command that you have run in PowerShell on Windows Server 2016, it displays the Active Directory schema permissions of the domain concerned. But when running this command in my environment with PowerShell 7.0+ installed, as you can see in the image below, I got the same output as in normal PowerShell.
• Though you can change the permissions relating to schema objects by using the query given below:
Add an ACL rule for the right "Read-write all properties/this object and all descendants":
$rootdse = Get-ADRootDSE
# Hashtable of extended-right display names to their rightsGuid values
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties `
    displayName,rightsGuid |
    % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
$extendedrightsmap
Please see the link below for more information:
https://social.technet.microsoft.com/wiki/contents/articles/51121.active-directory-schema-update-and-custom-attribute.aspx

Create and configuring Application Pool on IIS w10 and powershell 7.2

I'm trying to create an application pool with specific parameters using this code:
$currentAppPool = New-WebAppPool -Name myNeyAppPool
# Set pool specifications
$currentAppPool.AutoStart = "true"
$currentAppPool.ManagedRuntimeVersion = "No Managed Code"
$currentAppPool | Set-Item
I get several errors because Set-Item asks me for a Path parameter that it doesn't recognize. Set-Item: The input object cannot be bound because it did not contain the information required to bind all mandatory parameters: Path
I tried to give it the parameter -Path IIS:\AppPools\myNeyAppPool but I get the message
Set-Item: Cannot find drive. A drive with the name 'IIS' does not exist
There are quite a few changes concerning the management of IIS on w10 via PowerShell 7, but little documentation seems to exist on the subject.
Is there anything that could help?
Thks,
The provider "IIS:" is loaded when importing the WebAdministration module.
Providers before and after loading the WebAdministration module
Do you have IIS role enabled in windows 10?
You can check the following link:
https://community.lansweeper.com/t5/installation/how-to-install-iis-internet-information-services/ta-p/64422
Which providers appear if you run the "Get-PSProvider" command?
First try running PowerShell as an administrator. The drive is provided by the WebAdministration module, so you need to make sure that module is installed; you can install it with the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature Web-Scripting-Tools
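Putting the answers together, here is an added example (not code from the question or from either answer) that creates the pool from the question with the settings it asked for, going through the IIS: drive that the WebAdministration provider supplies. It assumes the IIS role and Web-Scripting-Tools are installed and the shell is elevated and able to load that provider; the pool name myNeyAppPool is the one from the question, and the identity setting at the end is an addition.

```powershell
# Added example; not from the original thread. Configures the app pool from the
# question through the WebAdministration provider's IIS: drive.
# Assumes: IIS role + Web-Scripting-Tools installed, elevated shell, provider loads.

Import-Module WebAdministration

# The "Cannot find drive" error in the question means the provider never loaded;
# check for the drive up front instead of failing half-way through.
if (-not (Get-PSDrive -Name IIS -ErrorAction SilentlyContinue)) {
    throw 'IIS: drive not available. Is the WebAdministration module installed and the shell elevated?'
}

$poolName = 'myNeyAppPool'
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Set-ItemProperty on the pool's provider path supplies the Path that Set-Item
# complained about. "No Managed Code" in the IIS Manager UI is stored as an
# empty managedRuntimeVersion, not the literal string.
Set-ItemProperty -Path $poolPath -Name managedRuntimeVersion -Value ''
Set-ItemProperty -Path $poolPath -Name autoStart -Value $true

# Added: keep the pool on its own virtual account (ApplicationPoolIdentity = 4)
# rather than a shared service account, so one compromised site does not
# inherit another site's rights.
Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value 4

# Read back what IIS actually stored.
Get-ItemProperty -Path $poolPath |
    Select-Object name, managedRuntimeVersion, autoStart, state
```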

Why would $env:username and [environment]::username return different users?

What is the difference between PowerShell's $env:username and [environment]::username and why would they potentially return different users? (I understand there are other ways to get the current user as well)
Some background:
I have an Azure Pipeline that runs a PowerShell script on a release target. The pipeline agent is configured to run under a specific service account. Part of that PowerShell script uses $env:username to assign permissions. However, permissions are assigned to the local admin account instead. If I change the script to use [environment]::username the correct service account user is given permissions.
$env:USERNAME, while predefined to reflect the current user's username, is a read-write environment variable, just like any other.
Even though it's obviously inadvisable to do so, a statement such as $env:USERNAME = 'foo' changes the value of environment variable USERNAME for the current process as well as its child processes.
This means that if environment variable USERNAME was modified earlier in the same session or in PowerShell's parent process, possibly via an explicitly specified startup environment, it no longer reflects the true username.
While I don't know why the USERNAME environment variable would differ from the real account in the case of Azure Pipelines, an example of - inadvertently - setting the wrong value is PowerShell's Start-Process cmdlet when given the -UseNewEnvironment switch: due to a bug as of PowerShell Core 7.0.0-preview.5 / Windows PowerShell v5.1, $env:USERNAME unexpectedly always reflects SYSTEM, irrespective of the actual user account - see this GitHub issue.
By contrast, [Environment]::UserName uses a different method for obtaining the current user's username, which does not rely on the value of $env:USERNAME and always reflects the true username[1].
In short: Only [Environment]::UserName reliably reflects the current user account's username.
[1] From the linked docs: "On Windows the UserName property wraps a call to the Windows GetUserName function. The domain account credentials for a user are formatted as the user's domain name, the \ character, and user name. Use the UserDomainName property to obtain the user's domain name and the UserName property to obtain the user name.
On Unix platforms the UserName property wraps a call to the getpwuid_r function."
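The practical consequence for a script like the one in the question is to never derive an ACL principal from $env:USERNAME. The following is an added example, not code from the answer above: it reads the caller's identity from the process token, reports whether the environment variable agrees with it, and builds an access rule from the token's SID. The temporary change to $env:USERNAME is a constructed demonstration that is reverted at the end; it assumes Windows.

```powershell
# Added example; not from the original answer. Assumes Windows.

function Get-UserNameSources {
    # Three ways to ask "who am I"; only the last two come from the security token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        EnvUserName   = $env:USERNAME                  # read-write env var, can be wrong
        NetUserName   = [System.Environment]::UserName # wraps GetUserName(), ignores the env var
        TokenUserName = $identity.Name                 # DOMAIN\user from the process token
        TokenSid      = $identity.User.Value           # stable even if the account is renamed
        Consistent    = ($env:USERNAME -eq [System.Environment]::UserName)
    }
}

function New-RuleForCurrentUser {
    # Builds a file-system ACE for the real caller. Using the SID from the token
    # instead of a name built from $env:USERNAME means a poisoned environment
    # cannot redirect the grant to another account.
    param([System.Security.AccessControl.FileSystemRights] $Rights = 'Modify')
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Rights, 'Allow')
}

# Constructed demonstration: set USERNAME to a bogus value the way a parent
# process could, then look at which sources are affected.
$saved = $env:USERNAME
try {
    $env:USERNAME = 'bob'
    $sources = Get-UserNameSources
    $sources | Format-List
    if (-not $sources.Consistent) {
        Write-Warning ("USERNAME env var '{0}' does not match token user '{1}'; not using it for ACLs" -f
            $sources.EnvUserName, $sources.TokenUserName)
    }
    # The rule still names the real account, because it was built from the token.
    (New-RuleForCurrentUser).IdentityReference
}
finally {
    $env:USERNAME = $saved
}
```

The Consistent flag is a cheap guard to put at the top of any deployment script that grants rights: if it is false, stop and log both values rather than continuing with whichever one happens to look right.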
$env: is looking at your environment variables. The variable you're looking at, username, happens to be set to the local username by default. But it doesn't have to be.
[Environment] is a call to the System.Environment class in .NET Framework. This class has a property called UserName that contains the username that is logged into the computer.
Similar names, but very different things. You could get the path statement by $env:Path, for example, or call [Environment]::Version to get the version of .NET Framework.
Note in this example I deliberately messed with the local environmental variable prior to launching PowerShell to give the wrong username.
C:\WINDOWS\system32>echo %username%
mspow
C:\WINDOWS\system32>set username=bob
C:\WINDOWS\system32>echo %username%
bob
C:\WINDOWS\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> echo $env:username
bob
PS C:\WINDOWS\system32> [Environment]::Username
mspow
PS C:\WINDOWS\system32> echo $env:ProgramFiles
C:\Program Files
PS C:\WINDOWS\system32> echo $env:path
C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\mspow\AppData\Local\Microsoft\WindowsApps
PS C:\WINDOWS\system32> [Environment]::Version
Major Minor Build Revision
----- ----- ----- --------
4 0 30319 42000
You can see all of the available environment variables by using
Get-Item -Path Env:
The only way I know of to see all of the Methods and Properties for [Environment] is the link to the MSDN site. Get-Member doesn't work on it.

What is difference between Azure AD Module and MS Online module

I am trying to understand the difference between two modules, Azure AD and MS Online. Currently on my Windows 10 machine I can use the Get-AzureAccount cmdlet, which returns my current Azure account. And there is a bunch of cmdlets that I can use right now. Then why do I need the MS Online module?
Please help me understand the purpose of these two modules.
Get-AzureAccount / Get-AzureRMAccount is a part of the "Azure" module.
When working with Azure AD (Active directory commands; not a part of the built-in modules) in Azure you will need the MSOnline module - which also happens to be the same module as for working with Office365. Usually MSOnline is referred to as the Azure Active Directory module for Windows Powershell.
Eg. if you install the Azure Active Directory module from example here: Microsoft - Active Directory Module for Windows Powershell 64-bit - you will get the MSOnline module installed on your machine. You can actually inspect / unpack the msi installer and you will see that the package here is Microsoft.Online.Administration.MSOnline.psd1
In order to work with Azure AD from Powershell, you'll then need to import this module (which contains a set of functions to work with Azure AD).
To list commands within this module after installing the module you can do the following:
Get-Command -Module MSOnline
Hope this clears the confusion.
Connect-Azure: allows user to manage Active Directory objects only, [where directory is hosted in Azure].
Connect-Msoline: apart from managing Active Directory allows more administrative tasks such as Domain management, configure single sign-on etc.
Hope this clarifies your doubt.
Reference
https://learn.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0
In my opinion, it's a matter of selecting the best tool for the job. And the way to select the tool is based on what you're going to do with it and what the tool does.
If we take a look at the properties offered by get-msoluser
(get-msoluser)[0] | gm -MemberType Properties
we get a slightly different set than we do when we query get-azureaduser with
(get-azureaduser)[0] | gm -MemberType Properties
and the same can be said when we review the methods available to the objects:
(get-azureaduser)[0] | gm -MemberType Method
or
(get-msoluser)[0] | gm -MemberType Method
Now, since the general idea is to get things done quickly and simply, it becomes clear to use the one that directly supports what you intend to achieve. And if they both cover the job, then I would base my decision on which additional cmdlets in the module support the task I want to achieve without needing to load a whole stack of modules.
So I hope this helps find the right tool for the job.
Have fun,
Porky

Insufficient access rights to perform the operation -- Powershell

I am writing a simple script to copy AD group membership from one user to the other. I am doing it using the ActiveDirectory module only.
The script looks like it would work, and does work up until I try to add the groups to the user.
Code:
Import-Module ActiveDirectory
$templateUser = Get-ADUser user1
$targetUser = Get-ADUser user2
$groups = Get-ADPrincipalGroupMembership $templateUser
$groups2 = Get-ADPrincipalGroupMembership $targetUser
foreach ($group in $groups) {
    Add-ADGroupMember $group $targetUser
}
Error:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). I am not a local admin, but I am an admin on the domain. I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
Edit:
Run the powershell as admin.
Run powershell as administrator.
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find.
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. I could then run Add-ADGroupMember happily.
I ran into this problem as well using Powershell remoting to connect to a domain controller.
In my case it turned out Include inheritable permissions from this object's parent was turned off for the specific object I couldn't change.
I ran into this issue today where an automated system was using PowerShell scripts for various things. It turned out to be the execution policy.
We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC.
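For anyone reusing the script from the question, here is an added example (not the original poster's script or any answerer's code) that does the same copy but handles the points the loop tripped over: it skips groups the target is already in, never tries to add the primary group (Domain Users is not in MemberOf), records the "insufficient access rights" error per group instead of aborting the loop, and supports -WhatIf so the change can be reviewed before it is applied. It assumes the ActiveDirectory module is available and that user1 and user2 exist.

```powershell
# Added example; not from the original thread. Assumes the ActiveDirectory module.

function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TemplateUser,
        [Parameter(Mandatory)] [string] $TargetUser
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $template = Get-ADUser -Identity $TemplateUser -Properties MemberOf
    $target   = Get-ADUser -Identity $TargetUser   -Properties MemberOf

    # Compare by distinguished name. MemberOf excludes the primary group, so
    # Domain Users is never re-added (that call would fail anyway).
    $missing = $template.MemberOf | Where-Object { $_ -notin $target.MemberOf }

    foreach ($groupDn in $missing) {
        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($groupDn, "Add $TargetUser")) {
            try {
                # -ErrorAction Stop turns the non-terminating access error into an
                # exception so the failing group is reported by name.
                Add-ADGroupMember -Identity $groupDn -Members $target -ErrorAction Stop
                $status = 'Added'
            }
            catch {
                # Typical cause: the caller lacks write on this group's member attribute.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Group = $groupDn; Status = $status }
    }
}

# Preview first, then apply:
# Copy-ADGroupMembership -TemplateUser user1 -TargetUser user2 -WhatIf
# Copy-ADGroupMembership -TemplateUser user1 -TargetUser user2
```

The per-group Status column is the useful part when permissions are delegated unevenly: one run shows exactly which groups the account can and cannot change, which is what has to be fixed in the group's ACL rather than by elevating the whole script.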

Weird Quest PowerShell error

"Move-QADObject : 0000202B: RefErr: DSID-031007EF, data 0, 1 access points"
I get this error when I try the following:
Move-QADObject -identity $results_ep.dn -NewParentContainer "OU=Users,OU=AB,DC=domain,DC=local" -Credential $cred_ep
I am running this script from domain A, and the target domain where the object should be moving is domain B (hence the credentials).
Anyone know what's up?
The default tree in Active Directory is not OU=Users,dc=domain,dc=com but rather cn=Users,dc=domain,dc=com (CN=, not OU=, for Users).
Try replacing OU=Users with CN=Users.
EDIT:
Reading your question more carefully, I now see that you want to move the object to a different domain.
From get-help move-qadobject:
... omitted ...
Use this cmdlet to move an object between containers within an Active Directory domain (the cmdlet cannot move an object to a different domain).
... omitted ...
Read here to do it with the Quest.ActiveRoles.ADManagement snap-in.
If you are on a Windows Server 2008 R2 DC, you can move to a different domain using the Windows PowerShell module named Active Directory:
Move-ADObject -Identity "CN=Mary Vick,OU=Accounting,DC=SS64,DC=com" -TargetPath "OU=Accounting,DC=Europe,DC=SS64,DC=com" -TargetServer "server64.europe.SS64.com"
Best of all, I think, is using a native Microsoft command-line tool like ADMT.