I've recently blogged about retrieving AD security settings with PowerShell. As you can probably guess, for every Get-* there is a Set-*, and AD cmdlets 1.1 give you an easy way to change the permissions set on any AD object.
Add-QADPermission and Remove-QADPermission are your biggest friends here.
Well, obviously, together with the power of the PowerShell pipeline. My favorite example is copying permissions from one object to another with this simple one-liner:
Get-QADPermission "Dmitry Sotnikov" | Add-QADPermission "Evil Tween"
This simple line is incredibly powerful. It takes all permissions directly set on the first object and adds them to the second one. Of course, you can put a Where-Object in the middle to do some filtering if you need to.
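A filtered version of that copy, written as an added example (not code from the original post): it copies only the explicit Allow ACEs and skips anything that grants GenericAll, so a full-control entry on the source is not silently replicated onto the target. The AccessControlType, Rights and Account property names on the permission objects are assumed here; check them with Get-Member on your version of the cmdlets.

```powershell
# Added example, not from the original post. Copies only explicit Allow ACEs
# that do not grant GenericAll from one object to another, with a review step.
# Assumed: Get-QADPermission output exposes AccessControlType, Rights and
# Account properties (inspect with Get-Member to confirm on your build).
$source = 'Dmitry Sotnikov'
$target = 'Evil Tween'

$toCopy = Get-QADPermission $source |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.Rights -notmatch 'GenericAll'
    }

# Review what is about to be written before the target's DACL changes.
$toCopy | Format-Table Account, Rights, AccessControlType -AutoSize

# Apply only after the review; the pipeline does the rest.
$toCopy | Add-QADPermission $target
```

Splitting the pipeline into a variable plus a review step costs one extra line but gives you a chance to look at exactly which ACEs will land on the second object before they are added.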
Of course you can explicitly grant specific rights on specific objects. Suppose you want to give Administrator full control over an OU and everything in it. Easy:
Add-QADPermission 'OU=Demo,DC=mydomain,DC=local' -Account Administrator -Rights 'GenericAll'
You can use the -Deny parameter to deny access, -PropertySet to work with property sets, and -ApplyTo to select whether you want to give rights only to this object, to its children, or any possible combination. So, for example, you could do:
Add-QADPermission dirObjectIdentity -Deny -Account trusteeIdentity -Rights 'WriteProperty' -PropertySet ('General-Information','Web-Information') -Property 'samAccountName' -ApplyTo ThisObjectOnly
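The same parameters combined into a least-privilege delegation, as an added example that is not from the original post: a help-desk group gets write access to two property sets on user objects under an OU, an explicit Deny keeps it from rewriting the logon name, and the DACL is read back to confirm what was written. The OU and group names are constructed; the 'ChildObjects' value for -ApplyTo, the -ApplyToType parameter and the -Account filter on Get-QADPermission are assumptions about the cmdlets, as are the property names used in the read-back.

```powershell
# Added example, not from the original post. Scoped delegation with an explicit
# Deny, followed by a read-back of the resulting ACEs.
# Assumed: -ApplyTo accepts 'ChildObjects', -ApplyToType 'user' restricts the
# ACE to user objects, and Get-QADPermission accepts -Account to filter by trustee.
$ou       = 'OU=HelpDeskManaged,DC=mydomain,DC=local'   # constructed sample OU
$helpDesk = 'MYDOMAIN\HelpDesk'                         # constructed sample group

# Allow: edit the General-Information and Web-Information property sets on
# user objects under the OU, and nothing on the OU object itself.
Add-QADPermission $ou -Account $helpDesk -Rights 'WriteProperty' `
    -PropertySet ('General-Information','Web-Information') `
    -ApplyTo 'ChildObjects' -ApplyToType 'user'

# Deny: regardless of the Allow above, the group must never change a logon name.
Add-QADPermission $ou -Deny -Account $helpDesk -Rights 'WriteProperty' `
    -Property 'samAccountName' -ApplyTo 'ChildObjects' -ApplyToType 'user'

# Read the DACL back and confirm that exactly the two intended ACEs exist.
# Assumed property names: Account, Rights, AccessControlType, Property,
# PropertySet, ApplyTo (verify with Get-Member).
$aces = @(Get-QADPermission $ou -Account $helpDesk)
$aces | Format-List Account, Rights, AccessControlType, Property, PropertySet, ApplyTo
if ($aces.Count -ne 2) {
    Write-Warning "Expected 2 ACEs for $helpDesk on $ou, found $($aces.Count)"
}
```

The Deny entry is there on purpose: a Deny ACE wins over an Allow that covers the same attribute, so the property-set grant stays broad while the one attribute you care about most stays protected. The read-back is the check you want after any delegation change, because the object you think you scoped to is not always the object the ACE landed on.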
You can also pipe any AD object into these cmdlets (similar to reading the objects) for bulk operations:
Get-QADUser -City Orlando -SecurityMask Dacl | Add-QADPermission -Account 'Dmitry Sotnikov' -Rights 'ReadProperty'
And, as you can easily guess, Remove-QADPermission can delete any ACE in much the same way. For example, let's remove all the Deny ACEs from a particular object:
Get-QADPermission objectIdentity -Deny | Remove-QADPermission
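Bulk removal is where a snapshot earns its keep. The following added example (not from the original post) enumerates every user in an OU, collects their explicit Deny ACEs, exports them to a CSV before anything is changed, and only then pipes them into Remove-QADPermission with a confirmation prompt. The -SearchRoot parameter on Get-QADUser, pipeline input into Get-QADPermission, the -Confirm switch on Remove-QADPermission and the property names in the Select-Object are assumptions about the cmdlets.

```powershell
# Added example, not from the original post. Review, snapshot, then remove
# explicit Deny ACEs on every user in an OU.
# Assumed: Get-QADUser supports -SearchRoot, Get-QADPermission accepts piped
# AD objects, Remove-QADPermission supports -Confirm, and the permission objects
# expose Target, Account, Rights, Property, PropertySet and ApplyTo.
$ou  = 'OU=Demo,DC=mydomain,DC=local'                         # constructed sample OU
$out = Join-Path $env:TEMP ("deny-aces-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmm'))

$denies = @(Get-QADUser -SearchRoot $ou -SecurityMask Dacl |
    Get-QADPermission -Deny)

# Snapshot first: the CSV records what the DACLs looked like before the change.
$denies |
    Select-Object Target, Account, Rights, Property, PropertySet, ApplyTo |
    Export-Csv -Path $out -NoTypeInformation
Write-Host "Found $($denies.Count) Deny ACE(s) under $ou; snapshot written to $out"

# Remove only once the snapshot has been reviewed; -Confirm prompts per ACE.
if ($denies.Count -gt 0) {
    $denies | Remove-QADPermission -Confirm
}
```

Keeping the Deny entries in a variable rather than a single pipeline means the CSV and the removal operate on the same set, so what you reviewed is exactly what gets deleted, and the file gives you what you need to put an entry back if one of those Denies turns out to have been intentional.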
You can find more information and examples in the user’s guide and by typing get-help for any of these cmdlets.
Download the cmdlets and give us your feedback at the AD PowerShell discussion forums.
Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, Security, cmdlets, one-liner, oneliner
I installed the 1.1.2 version of Quest AD Management Shell, which was supposed to fix the -ApplyToType switch. After running the following command
add-qadpermission $Service -Account $ctradmins -Rights 'GenericAll' -ApplyToType 'user'
it now shows Full Control but in the Apply onto field it is listing “Special” instead of “User objects”. Is this another bug in the -ApplyToType switch?
Janusz,
I see that there is a troubleshooting thread going on in the forums: http://www.powergui.org/thread.jspa?messageID=23220 – let’s hope you guys can find out the root cause of the issue there.
Dmitry
Thanks Dmitry. Hopefully we can get to the bottom of this.