Changing AD permissions

I’ve recently blogged about retrieving AD security with PowerShell, as you can probably guess for every Get-* there is a Set-* and AD cmdlets 1.1 provide you an easy way to change the permissions set on any AD object.

Add-QADPermission and Remove-QADPermission are your biggest friends here.

Well, obviously and the power of the PowerShell pipeline. My favorite example is copying permissions from one object to another with that simple oneliner:

Get-QADPermission “Dmitry Sotnikov” | Add-QADPermission “Evil Tween”

This simple line is incredibly powerful. It takes all permissions directly set on the first objects and adds them onto the second one. Of course you could put where in the middle to do some filtering if you need.

Of course you can explicitly grant specific rights on specific objects. Suppose you want to give Administrator full control over an OU and everything in it. Easy:

Add-QADPermission OU=Demo,DC=mydomain,DC=local -Account Administrator -Rights GenericAll

You can use the -Deny parameter to deny access, -PropertySet to work with property sets 🙂 and -ApplyTo to select whether you want to give rights only to this object or its children or any possible combination. So for example you could do:

Add-QADPermission dirObjectIdentity -Deny -Account trusteeIdentity -Rights WriteProperty -PropertySet (General-Information,Web-Information) -Property samAccountName -ApplyTo ThisObjectOnly

You can also pipe any AD object into these cmdlets (similar to reading the objects) for bulk operations:

Get-QADUser -City Orlando -SecurityMask Dacl | Add-QADPermission -Account Dmitry Sotnikov -Rights ReadProperty

And, as you can easily guess Remove-QADPermission can delete any ACE in much the same way. For example, let’s remove all the Deny ACEs from a particular object:

Get-QADPermission objectIdentity -Deny | Remove-QADPermission

You can find more information and examples in the user’s guide and by typing get-help for any of these cmdlets.

Download the cmdlets and give us your feedback at the AD PowerShell discussion forums.

Tags: , , , , , , , ,

10 Responses to “Changing AD permissions”

  1. 1 Janusz Romanowski November 7, 2008 at 9:08 pm

    I installed the 1.1.2 version of Qwest AD Management Shell, which was supposed to fix the -ApplyToType switch. After running the following command

    add-qadpermission $Service -Account $ctradmins -Rights ‘GenericAll’ -ApplyToType ‘user’

    it now shows Full Control but in the Apply onto field it is listing “Special” instead of “User objects”. Is this another bug in the -ApplyToType switch?

  2. 2 Dmitry Sotnikov November 10, 2008 at 10:57 am


    I see that there is a troubleshooting thread going on in the forums: – let’s hope you guys can find out the root cause of the issue there.


  3. 3 Janusz Romanowski November 10, 2008 at 1:55 pm

    Thanks Dmitry. Hopefully we can get to the bottom of this.

  4. 4 adeel April 28, 2011 at 6:31 pm

    For me, the Remove-QADPermission isnt working. I can read the ACE fine, but when pipe it to Remove-QADPermission, it shows the ACE to me and nothing, going back into the GUI > Security tab, the ACE are still there.

    • 5 Dmitry Sotnikov April 28, 2011 at 6:41 pm


      I am very sorry to hear about the issue. I assume that you are on the latest version (1.4), right?

      So even something basic like this just shows the ACE but does not remove it:

      Get-QADPermission ‘DistinguishedNameOfObject’ -Deny |

      If so, could you post details to AD and PowerShell forum: – so we can further troubleshoot there?


  5. 6 Andrey June 15, 2011 at 12:18 pm

    Добрый день.
    Можно ли с помощью командлетов дать разрешение на конкретные дочерние объекты, например, компьютеры.
    Что-нибудь в похожее на Add-QADPermission ‘OU=Demo,DC=mydomain,DC=local‘ -Account ‘domain\root’ -Rights ‘GenericAll‘ -ApplyTo ‘descendantComputerObjects’

  6. 9 Tim December 7, 2016 at 2:29 pm


    I find your website very helpful especially with Get-QADPermission and ADD-QADPermission. I currently use this to add join users to computer objects.

    Would you have a Quest PowerShell script to create a computer object and add the join user or group?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

May 2008

%d bloggers like this: