I've recently blogged about retrieving AD security with PowerShell. As you can probably guess, for every Get-* there is a Set-*, and AD cmdlets 1.1 give you an easy way to change the permissions set on any AD object. Add-QADPermission and Remove-QADPermission are your biggest friends here.
Well, obviously, combined with the power of the PowerShell pipeline. My favorite example is copying permissions from one object to another with this simple one-liner:
Get-QADPermission "Dmitry Sotnikov" | Add-QADPermission "Evil Tween"
This simple line is incredibly powerful. It takes all permissions directly set on the first object and adds them to the second one. Of course you could put where (Where-Object) in the middle to do some filtering if you need to.
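Here is an added example (not from the original post) of the copy-with-filtering pattern done the way a defender would want it: snapshot the target's explicit ACEs first, copy only the Allow ACEs from a template object while skipping full-control grants, and dry-run by default. It assumes the Quest snap-in is loaded, that the OU distinguished names are placeholders for your environment, that Get-QADPermission has an -Allow switch, and that the returned ACE objects expose a Rights property.

```powershell
# Added example, not code from the original post.
# Assumes the Quest AD cmdlets snap-in is installed; the two OU names are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$template = 'OU=Template,DC=mydomain,DC=local'   # placeholder: object whose ACEs are copied
$target   = 'OU=Demo,DC=mydomain,DC=local'       # placeholder: object that receives them
$apply    = $false                               # dry run by default; set to $true to change AD
$backup   = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

# 1. Snapshot the target's current explicit ACEs so the change can be reviewed and rolled back.
Get-QADPermission $target | Export-Csv -Path $backup -NoTypeInformation
Write-Host "Saved current explicit ACEs of $target to $backup"

# 2. Select what to copy. -Allow keeps Allow ACEs only (assumed switch); the where filter
#    drops any full-control grant (assumes a Rights property on the ACE object).
#    This is the 'where in the middle' filtering the post mentions.
$toCopy = Get-QADPermission $template -Allow |
    Where-Object { "$($_.Rights)" -notmatch 'GenericAll' }

# 3. Show what would be added before anything is written.
Write-Host "ACEs that would be copied from $template to ${target}:"
$toCopy | Format-Table -AutoSize

# 4. Apply only when explicitly requested.
if ($apply) {
    $toCopy | Add-QADPermission $target
    Write-Host 'Permissions copied.'
} else {
    Write-Host 'Dry run only; set $apply = $true to copy these ACEs.'
}
```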
Of course you can explicitly grant specific rights on specific objects. Suppose you want to give Administrator full control over an OU and everything in it. Easy:
Add-QADPermission 'OU=Demo,DC=mydomain,DC=local' -Account Administrator -Rights 'GenericAll'
You can use the -Deny parameter to deny access, -PropertySet to work with property sets 🙂, and -ApplyTo to select whether you want to give rights only to this object, to its children, or any possible combination. So, for example, you could do:
Add-QADPermission dirObjectIdentity -Deny -Account trusteeIdentity -Rights 'WriteProperty' -PropertySet ('General-Information','Web-Information') -Property 'samAccountName' -ApplyTo ThisObjectOnly
You can also pipe any AD object into these cmdlets (similar to reading the objects) for bulk operations:
Get-QADUser -City Orlando -SecurityMask Dacl | Add-QADPermission -Account 'Dmitry Sotnikov' -Rights 'ReadProperty'
And, as you can easily guess, Remove-QADPermission can delete any ACE in much the same way. For example, let's remove all the Deny ACEs from a particular object:
Get-QADPermission objectIdentity -Deny | Remove-QADPermission
You can find more information and examples in the user's guide and by typing get-help for any of these cmdlets.