Setting ACLs on OU in AD

Users or groups access and permissions to an AD object is controlled by its Access Control List (ACL). Just like ACLs control access on a file present at an SMB share. This can apply to an individual object or apply to AD Site/Domain/OU and then inherit to lower-level objects.

Recently i was given a csv containing list of OUs with group names present 2nd column and asked to set deny to these groups over respective OU. The permissions once set should look like as shown in below image.

I started first with listing all properties available in set/get-acl, which are as follows.

Then i set up the desired ACL manually and then extracted the ACLs using get-acl cmdlet to see how various properties specific permissions look like. I used command (Get-Acl -Path “ad:\OUDN”).access | ? isinherited -ne ‘true’ to extract the permissions i delegated. The two ACLs in which I was interested looked like below

  • ActiveDirectoryRights : Delete
    InheritanceType : Descendents
    ObjectType : 00000000-0000-0000-0000-000000000000
    InheritedObjectType : bf967aba-0de6-11d0-a285-00aa003049e2
    ObjectFlags : InheritedObjectAceTypePresent
    AccessControlType : Deny
    IdentityReference : Domain\XYZ
    IsInherited : False
    InheritanceFlags : ContainerInherit
    PropagationFlags : InheritOnly
  • ActiveDirectoryRights : DeleteChild
    InheritanceType : All
    ObjectType : bf967aba-0de6-11d0-a285-00aa003049e2
    InheritedObjectType : 00000000-0000-0000-0000-000000000000
    ObjectFlags : ObjectAceTypePresent
    AccessControlType : Deny
    IdentityReference : Domain\XYZ
    IsInherited : False
    InheritanceFlags : ContainerInherit
    PropagationFlags : None

Property specific permissions can be used in combination with object-specific inheritance to provide the powerful and detailed delegation of administration. You can set a property specific object-inheritable ACE to allow a specified user or group to read and/or write a specific attribute on a specified class of child objects in a container. “ObjectType” and “ObjectInheritanceType” contain GUID values that decide where the permissions apply. Below are the most commonly used GUID values.

    ‘All’                                        = [guid]’00000000-0000-0000-0000-000000000000′
    ‘CN’                                         = [guid]’bf96793f-0de6-11d0-a285-00aa003049e2′
    ‘Computer’                                   = [guid]’bf967a86-0de6-11d0-a285-00aa003049e2′
    ‘Contact’                                    = [guid]’5cb41ed0-0e4c-11d0-a286-00aa003049e2′
    ‘distinguishedName’                          = [guid]’bf9679e4-0de6-11d0-a285-00aa003049e2′
    ‘dNSHostName’                                = [guid]’72e39547-7b18-11d1-adef-00c04fd8d5cd’
    ‘DNS Host Name Attributes’                 = [guid]’72e39547-7b18-11d1-adef-00c04fd8d5cd’
    ‘gPLink’                                     = [guid]’f30e3bbe-9ff0-11d1-b603-0000f80367c1′
    ‘Group’                                      = [guid]’bf967a9c-0de6-11d0-a285-00aa003049e2′
    ‘GroupManagedServiceAccount’           = [guid]’7b8b558a-93a5-4af7-adca-c017e67f1057′
    ‘ManagedServiceAccount’                     = [guid]’ce206244-5827-4a86-ba1c-1c0c386c1b64′
    ‘member’                                     = [guid]’bf9679c0-0de6-11d0-a285-00aa003049e2′
    ‘name’                                       = [guid]’bf967a0e-0de6-11d0-a285-00aa003049e2′
    ‘OrganizationalUnit’                         = [guid]’bf967aa5-0de6-11d0-a285-00aa003049e2′
    ‘PwdLastSet’                                 = [guid]’bf967a0a-0de6-11d0-a285-00aa003049e2′
    ‘ResetPassword’                              = [guid]’00299570-246d-11d0-a768-00aa006e0529′
    ‘sAMAccountName’                             = [guid]’3e0abfd0-126a-11d0-a060-00aa006c33ed’
    ‘self-membership’                            = [guid]’bf9679c0-0de6-11d0-a285-00aa003049e2′
    ‘servicePrincipalName’                       = [guid]’f3a64788-5306-11d1-a9c5-0000f80367c1′
    ‘User’                                       = [guid]’bf967aba-0de6-11d0-a285-00aa003049e2′
    ‘userParameters’                             = [guid]’bf967a6d-0de6-11d0-a285-00aa003049e2′
    ‘Validated write to DNS host name’       = [guid]’72e39547-7b18-11d1-adef-00c04fd8d5cd’
    ‘Validated write to service principal name’ = [guid]’f3a64788-5306-11d1-a9c5-0000f80367c1′

Finally, use the template written below to commit ACL changes you want on the OU. I came up with below script which sets the ACL on unique OUs for unique AD groups. This confirms we can manage permissions for AD management in granular level using powershell.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$List = import-csv C:\temp\OUs1.csv
foreach ($line in $list){

$OU = (Get-ADOrganizationalUnit -Identity $line.OU).DistinguishedName
$ACL = (get-acl -path "ad:\$OU").Access
$group = Get-ADGroup -Identity "Group or Account Name"
$sid = [System.Security.Principal.SecurityIdentifier] $group.SID
$Identity = [System.Security.Principal.IdentityReference] $SID
$ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights] "Delete"
$AccessControlType = [System.Security.AccessControl.AccessControlType] "Deny"
$ObjectType = [guid] "00000000-0000-0000-0000-000000000000"
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$InheritedObjectType = [guid] "bf967aba-0de6-11d0-a285-00aa003049e2"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ActiveDirectoryRights, $AccessControlType, $ObjectType, $InheritanceType, $InheritedObjectType

$Object = [adsi]"LDAP://$OU"
$modified = $false
$Object.PSBase.ObjectSecurity.ModifyAccessRule([System.Security.AccessControl.AccessControlModification]::Add,$ace,[ref]$modified)
$Object.PSBase.CommitChanges()



$OU = (Get-ADOrganizationalUnit -Identity $line.OU).DistinguishedName
$ACL = (get-acl -path "ad:\$OU").Access
$group = Get-ADGroup $line.group
$sid = [System.Security.Principal.SecurityIdentifier] $group.SID
$Identity = [System.Security.Principal.IdentityReference] $SID
$ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights] "DeleteChild"
$AccessControlType = [System.Security.AccessControl.AccessControlType] "Deny"
$ObjectType = [guid] "bf967aba-0de6-11d0-a285-00aa003049e2"
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$InheritedObjectType = [guid] "00000000-0000-0000-0000-000000000000"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ActiveDirectoryRights, $AccessControlType, $ObjectType, $InheritanceType, $InheritedObjectType

$Object = [adsi]"LDAP://$OU"
$modified = $false
$Object.PSBase.ObjectSecurity.ModifyAccessRule([System.Security.AccessControl.AccessControlModification]::Add,$ace,[ref]$modified)
$Object.PSBase.CommitChanges()
}

In the end, I just want to mention that I was not able to set ACLs using the set-acl cmdlet, I kept getting an error that “[System.DirectoryServices.ActiveDirectoryAccessRule] does not contain a method named ‘AddAccessRule'”. So I used the ADSI method to commit ACL changes on AD object. similarly, for removing the ACLs we can use “Remove” instead of “Add” in line 18. If anyone of you figures out a way to write ACL using set-acl cmdlt please let me know in the comments section.

Be the first to comment

Leave a Reply

Your email address will not be published.


*