-
Notifications
You must be signed in to change notification settings - Fork 139
ADObjectPermissionEntry
dscbot edited this page Aug 24, 2023
·
4 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Ensure | Write | String | Indicates if the access will be added (Present) or will be removed (Absent). Default value is 'Present'. |
Present, Absent
|
| Path | Key | String | Active Directory path of the target object to add or remove the permission entry, specified as a Distinguished Name. | |
| IdentityReference | Key | String | Indicates the identity of the principal for the ACE. Use the notation DOMAIN\SamAccountName for the identity. | |
| ActiveDirectoryRights | Write | StringArray[] | A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. Default value is 'GenericAll'. |
AccessSystemSecurity, CreateChild, Delete, DeleteChild, DeleteTree, ExtendedRight, GenericAll, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, ReadControl, ReadProperty, Self, Synchronize, WriteDacl, WriteOwner, WriteProperty
|
| AccessControlType | Key | String | Indicates whether to Allow or Deny access to the target object. |
Allow, Deny
|
| ObjectType | Key | String | The schema GUID of the object to which the access rule applies. If the permission entry shouldn't be restricted to a specific object type, use the zero guid (00000000-0000-0000-0000-000000000000). | |
| ActiveDirectorySecurityInheritance | Key | String | One of the 'ActiveDirectorySecurityInheritance' enumeration values that specifies the inheritance type of the access rule. |
All, Children, Descendents, None, SelfAndChildren
|
| InheritedObjectType | Key | String | The schema GUID of the child object type that can inherit this access rule. If the permission entry shouldn't be restricted to a specific inherited object type, use the zero guid (00000000-0000-0000-0000-000000000000). |
The ADObjectPermissionEntry DSC resource will manage access control lists on Active Directory objects. The resource is designed to to manage just one entry in the list of permissios (ACL) for one AD object. It will only interact with the one permission and leave all others as they were. The resource can be used multiple times to add multiple entries into one ACL.
- Target machine must be running Windows Server 2008 R2 or later.
This configuration will add full control (GenericAll) permissions to the virtual computer object (VCO) ROLE01 for a cluster name object (CNO) CONTOSO\CLUSTER01$. This is used so that the Windows Failover Cluster can control the roles AD objects.
Configuration ADObjectPermissionEntry_DelegateFullControl_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADObjectPermissionEntry 'ADObjectPermissionEntry'
{
Ensure = 'Present'
Path = 'CN=ROLE01,CN=Computers,DC=contoso,DC=com'
IdentityReference = 'CONTOSO\CLUSTER01$'
ActiveDirectoryRights = 'GenericAll'
AccessControlType = 'Allow'
ObjectType = '00000000-0000-0000-0000-000000000000'
ActiveDirectorySecurityInheritance = 'None'
InheritedObjectType = '00000000-0000-0000-0000-000000000000'
}
}
}This configuration will add a group permission to create and delete (CreateChild,DeleteChild) computer objects in an OU and any sub-OUs that may get created.
Configuration ADObjectPermissionEntry_CreateDeleteComputerObject_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADObjectPermissionEntry 'ADObjectPermissionEntry'
{
Ensure = 'Present'
Path = 'OU=ContosoComputers,DC=contoso,DC=com'
IdentityReference = 'CONTOSO\ComputerAdminGroup'
ActiveDirectoryRights = 'CreateChild', 'DeleteChild'
AccessControlType = 'Allow'
ObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer objects
ActiveDirectorySecurityInheritance = 'All'
InheritedObjectType = '00000000-0000-0000-0000-000000000000'
}
}
}This configuration will add a group permission to allow read and write (ReadProperty, WriteProperty) of all properties of computer objects in an OU and any sub-OUs that may get created.
Configuration ADObjectPermissionEntry_ReadWriteComputerObjectProperties_Config
{
Import-DscResource -Module ActiveDirectoryDsc
Node localhost
{
ADObjectPermissionEntry 'ADObjectPermissionEntry'
{
Ensure = 'Present'
Path = 'OU=ContosoComputers,DC=contoso,DC=com'
IdentityReference = 'CONTOSO\ComputerAdminGroup'
ActiveDirectoryRights = 'ReadProperty', 'WriteProperty'
AccessControlType = 'Allow'
ObjectType = '00000000-0000-0000-0000-000000000000'
ActiveDirectorySecurityInheritance = 'Descendents'
InheritedObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer objects
}
}
}- ADComputer
- ADDomain
- ADDomainController
- ADDomainControllerProperties
- ADDomainDefaultPasswordPolicy
- ADDomainFunctionalLevel
- ADDomainTrust
- ADFineGrainedPasswordPolicy
- ADForestFunctionalLevel
- ADForestProperties
- ADGroup
- ADKDSKey
- ADManagedServiceAccount
- ADObjectEnabledState
- ADObjectPermissionEntry
- ADOptionalFeature
- ADOrganizationalUnit
- ADReplicationSite
- ADReplicationSiteLink
- ADReplicationSubnet
- ADServicePrincipalName
- ADUser
- Home
- WaitForADDomain