Powershell access lists in Active Directory
I have a function `GrantGenericRead` that works when I create an object `$ouUnixGroups` in the same run. I'm trying to figure out how to get an object out of AD that I can run `GrantGenericRead` on, but it seems when I try this every way I know how (adsi, lookup using .Path), I can't access some property of the object to set it. I would love for someone to tell me what I'm doing wrong.

This code works when it's all run at the same time:

```powershell
# $AD_RIGHT, $AC_TYPE, GetCn and GetLdapPath are defined in the linked
# installer script; the versions here are reconstructed from how they are
# called so the snippet runs on its own.
$AD_RIGHT = [System.DirectoryServices.ActiveDirectoryRights]
$AC_TYPE  = [System.Security.AccessControl.AccessControlType]

function GetCn([string] $name, [string] $objClass) {
    # OUs use an OU= RDN, every other class used here uses CN=
    if ($objClass -eq "OrganizationalUnit") { return "OU={0}" -f $name }
    return "CN={0}" -f $name
}

function GetLdapPath([string] $server, [string] $dn) {
    return "LDAP://{0}/{1}" -f $server, $dn
}

function CreateADGroup([string] $server, [string] $name, [string] $container, [string] $gtype) {
    $objClass = "group"
    $strCn = GetCn -name $name -objClass $objClass
    $objDsGroup = CreateDsObject -server $server -container $container -name $name -objClass $objClass
    [Void] $objDsGroup.Put("sAMAccountName", $name)
    if ($gtype -eq "global") {
        # Global Security Group (0x2 global, 0x80000000 security-enabled)
        [Void] $objDsGroup.Put("groupType", 0x80000002)
    } elseif ($gtype -eq "dlg") {
        # Domain Local Security Group
        [Void] $objDsGroup.Put("groupType", 0x80000004)
    } elseif ($gtype -eq "uni") {
        # Universal Security Group
        [Void] $objDsGroup.Put("groupType", 0x80000008)
    } else {
        Write-Host ("Invalid group type {0}" -f $gtype)
    }
    [Void] $objDsGroup.SetInfo()
    return $objDsGroup
}

function CreateDsObject([string] $server, [string] $container, [string] $name, [string] $objClass) {
    $strContainerPath = GetLdapPath -server $server -dn $container
    $objContainer = [adsi] $strContainerPath
    $strChildCn = GetCn -name $name -objClass $objClass
    $strChildDn = "{0},{1}" -f $strChildCn, $container
    $strChildPath = GetLdapPath -server $server -dn $strChildDn
    # Create the child under the bound container and write it to the directory
    $objChildEntry = $objContainer.Create($objClass, $strChildCn)
    [Void] $objChildEntry.SetInfo()
    return $objChildEntry
}

function GrantGenericRead($dsTrustee, $dsResources) {
    $strSid = GetSid -dsObj $dsTrustee
    $objSid = New-Object Security.Principal.SecurityIdentifier($strSid)
    # Allow ACE granting only GenericRead to the trustee on the resource
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule($objSid, $AD_RIGHT::GenericRead, $AC_TYPE::Allow)
    [Void] $dsResources.psbase.ObjectSecurity.AddAccessRule($ace)
    [Void] $dsResources.psbase.CommitChanges()
}

function GetSid($dsObj) {
    $dn = $dsObj.distinguishedName.Value
    # objectSid is stored as a binary blob; convert it to SDDL form
    $binary = $dsObj.psbase.Properties["objectSid"].Value
    $sid = New-Object Security.Principal.SecurityIdentifier($binary, 0)
    return $sid.ToString()
}

# $adminContainer, $server, $ouDN and $strOuUnixGroups come from the installer script
$adminContainerDn = "OU=Zone Administration,{0}" -f $adminContainer.Get("distinguishedName")
# returns OU=Zone Administration,OU=asdfasdf,DC=baldur,DC=vm
$ouUnixGroups = CreateDsObject -server $server -container $ouDN -name $strOuUnixGroups -objClass "OrganizationalUnit"
$joinOps = CreateADGroup -server $server -name "Join Operators" -container $adminContainerDn -gtype "global"
GrantGenericRead -dsTrustee $joinOps -dsResources $ouUnixGroups
```

What I'm trying to accomplish is being able to modify `$joinOps` and `$ouUnixGroups` from scripts that don't create them. How do I access them? I can get the sid, but that doesn't seem to help me, unless I'm missing something really key here.

```powershell
GrantGenericRead -dsTrustee $joinOps -dsResources [adsi]$ouUnixGroups.Path
```

I'm pulling some of these lines out of an installer script that I have posted on http://pastebin.com/uF3nrDuw if anyone would like to have a look.
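One way to do what the question describes, binding to objects that an earlier run created by their DN and then adding the ACE, as an added example that is neither the asker's code nor the linked installer script; the helper names, the domain controller name and the DN of the Unix-groups OU are assumptions, and the caller is assumed to hold write rights on that OU's security descriptor:

```powershell
# Added example. Assumes $server is a reachable domain controller and that
# both objects already exist in the directory.

function Get-AdsiObject([string] $Server, [string] $DistinguishedName) {
    # Bind to an existing object by DN. Keep the cast in parentheses when it
    # is used inline; otherwise a function receives the token as a string.
    $obj = [adsi] ("LDAP://{0}/{1}" -f $Server, $DistinguishedName)
    try { $obj.psbase.RefreshCache() }   # forces the bind to happen now
    catch { throw "Cannot bind to '$DistinguishedName' on $Server : $_" }
    return $obj
}

function Get-AdsiSid($DsObject) {
    # objectSid is a binary blob; wrap it in a SecurityIdentifier
    $binary = $DsObject.psbase.Properties["objectSid"].Value
    return New-Object System.Security.Principal.SecurityIdentifier($binary, 0)
}

function Grant-GenericRead($Trustee, $Resource) {
    $sid   = Get-AdsiSid $Trustee
    $right = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # Least privilege: the ACE carries GenericRead only, nothing wider
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $right, $allow)
    [void] $Resource.psbase.ObjectSecurity.AddAccessRule($ace)
    $Resource.psbase.CommitChanges()
}

function Test-GenericReadGranted($Trustee, $Resource) {
    # Read the ACL back and check that the first explicit Allow ACE for this
    # trustee grants exactly GenericRead, so the change can be verified.
    $sid   = Get-AdsiSid $Trustee
    $right = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $rules = $Resource.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $sid -and $r.AccessControlType -eq 'Allow') {
            return ($r.ActiveDirectoryRights -eq $right)
        }
    }
    return $false
}

$server         = "dc01.baldur.vm"                                 # placeholder DC name
$joinOpsDn      = "CN=Join Operators,OU=Zone Administration,OU=asdfasdf,DC=baldur,DC=vm"
$ouUnixGroupsDn = "OU=UnixGroups,OU=asdfasdf,DC=baldur,DC=vm"      # placeholder DN
$joinOps      = Get-AdsiObject -Server $server -DistinguishedName $joinOpsDn
$ouUnixGroups = Get-AdsiObject -Server $server -DistinguishedName $ouUnixGroupsDn
Grant-GenericRead -Trustee $joinOps -Resource $ouUnixGroups
Test-GenericReadGranted -Trustee $joinOps -Resource $ouUnixGroups
```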