Set-ACL on AD Computer Object - powershell

I am attempting to Set-Acl on a Computer Object in AD. Firstly I get the ACL using:
$acl = (Get-Acl AD:\'CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com').Access
Which gives me all the ACL for that computer object. I then use:
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Computername","FullControl")))
Any pointers in the right direction would be helpful. My aim is to add a computer object to the computer object 'Tester1' and give it Full Access permissions.


ActiveDirectory isn't a filesystem. You must create a new ACE for an AD object as an ActiveDirectoryAccessRule.
$path = "AD:\CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com"
$acl = Get-Acl -Path $path
$ace = New-Object Security.AccessControl.ActiveDirectoryAccessRule('DOMAIN\Computername','FullControl')
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl


ACE for AD objects you must create with System.DirectoryServices.ActiveDirectoryAccessRule object instead of System.Security.AccessControl.FileSystemAccessRule.
Good description and example is here: Add Object Specific ACEs using Active Directory Powershell

Related

Home Drive Creation Issue

I have PowerShell a script to create a new user's home drive and I am using below command:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath
It's creating the home drive for the user but the user isn't able to access it.
One more thing, I can copying the created home drive manually from AD console and again pasting it and clicking on apply then it works fine.

Set-ADUser will only modify the user object in ActiveDirectory; security permissions on the folder itself is an additional step.
FileSystemRights Enumeration: MSDN
It is not sufficient to simply use Set-ADUser, expecting full end to end creation of a fully functioning home directory; we must set permissions on the folder in question, including any inheritance flags.
There's a few steps to accomplish this, but simply stated:
We need to get the current access control list (ACL)
We need to add our desired permissions to said ACL
We need to write the new ACL, combining both the pre-existing and new permissions.
As you may have guessed:
Get-ACL
Set-ACL
We can so something like this:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath -ea Stop
$homeShare = New-Item -path $fullPath -ItemType Directory -force -ea Stop
$acl = Get-Acl $homeShare
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"InheritOnly"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $homeShare -AclObject $acl -ea Stop
If you're feeling creative, you can also combine some of the flags into an array:
$InheritanceFlag = #('ContainerInherit','ObjectInherit')
Please note this code is NOT tested and to validate before executing in any environment.

Cannot access folder after modifying ACL with Powershell

I am trying to modify folder ACL through Powershell with following code. First i want to clear ACL and stop inheritance and then add only specific users to it.
This seem working fine, but if i trying to open that folder it gives following error.
What is wrong with the script?
$acl = Get-ACL -Path "c:\mydata"
$acl.SetAccessRuleProtection($True, $False)
$acl | Set-Acl -Path "c:\mydata"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path "c:\mydata"

You are setting an empty ACL, then trying to make changes when you no longer have permissions. Normally, you should be getting an error on the second Set-ACL
$acl | Set-Acl $path
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Instead, try setting the ACL only once:
$path = 'c:\mydata'
$acl = Get-ACL $path
$rule1 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$rule2 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
# Flush the inherited permissions, and protect your new rules from overwriting by inheritance
$acl.SetAccessRuleProtection($True, $False)
# Output what the new access rules actually look like:
$acl.Access | ft
$acl | Set-Acl $path
If you need to keep the existing permissions, then use $acl.SetAccessRuleProtection($True, $True) instead.
Finally, make sure you're actually logged in as either DBUSER or ADMIN when testing access to the folder.

Powershell Help: Add "Domain Admins" to NTFS Full Control Permission to all File Shares?

I am trying to the Domain Admins group to all the file shares on our server with Full Control NTFS permissions, but it seems to lock up and cant proceed at the "$Acl.SetAccessRule($Ar)" line.
This is the code that I have so far:
$shares = Get-SmbShare
foreach($share in $shares) {
$Acl = get-acl $share.Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $share.Path $Acl
}
Does anyone have any ideas why this isnt working? I was able to add Domain Admins to File Share Permissions but cant seem to do the same with NTFS permissions following the same algorithm.
Thanks!

To set special permission for registry key of HKCU for SID user in powershell

I need to set special permissions for all logged in users using SID.user of
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\ .png\Userchoice.
I tried the below code snippet but it doesnt seem to work
$path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice"
$Acl = Get-ACL $path
$AccessRule= New-Object System.Security.AccessControl.RegistryAccessRule("user","SpecialPermissions","Allow") -SID $UserProfile.SID
$Acl.SetAccessRule($AccessRule)
Set-Acl $path $Acl
How can we achieve the permission issue to all users ?

Applying ACL Permissions using PowerShell Set-Acl

New-Item -Type Directory -Path "C:\MyFolder"
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path "C:\MyFolder" -AclObject $Acl
Hi, when I got the above code and applied it using my own settings - the user account entries are added for the folder but, no Permissions are applied (none ticked)
Can anyone help with why this might be?
Thanks

Your comment describes the following behaviour:
Your PowerShell script succeeds but if you check the permissions with the explorers properties dialog, you will see the following:
This is pretty confusing as a PowerShell query will confirm:
PS> Get-Acl .|fl
Path : Microsoft.PowerShell.Core\FileSystem::D:\temp\myfolder
Owner : clijsters\clijsters
Group : clijsters\Kein
Access : clijsters\NEWUSER Allow FullControl
VORDEFINIERT\Administratoren Allow FullControl
VORDEFINIERT\Administratoren Allow 268435456
NT-AUTORITÄT\SYSTEM Allow FullControl
[...]
Your ACL changed. If you scroll down the list of your checkboxes you will notice, that "Special permissions" is checked and if you click on "Advanced" you will notice, your permissions are set.
EDIT:
As mentioned by #AnsgarWiechers, I missed a part describing why the permissions added with New-Object System.Security.AccessControl.FileSystemAccessRule("username", "FullControl", "Allow") are listed as Special permissions.
Like described on MSDN, FileSystemAccessRule has 4 constructors, where some accept InheritanceFlags and PropagationFlags (e.g. this one fits your needs). If you use them and define inheritance behaviour, the permissions will show up as normal ones.

Today I was trying to compile ILSpy and encountered AL1078: Error signing assembly which is a permissions issue. An amalgamation of answers is shown.
This powershell script assigns $CurUsr to the token for the currently logged in user and $CurTgt as the folder whose permissions are being altered. Change them as required.
Add permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
Remove permission:
$CurTgt = "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt
References:
Manage ACLs
Inheritance
Current User