I'm trying to delegate the permissions 'Create all child objects' and 'Delete all child objects' on 'All descendant objects'. When giving the permissions in the GUI, the ACL looks like this:
```
ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAINGROUP
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
```
I've been trying to replicate that ACL with System.DirectoryServices.ActiveDirectoryAccessRule.
Any help would be much appreciated.
Tried:
```powershell
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", "00000000-0000-0000-0000-000000000000"
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "Descendents", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", '00000000-0000-0000-0000-000000000000', "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID, "CreateChild, DeleteChild", "Allow", '00000000-0000-0000-0000-000000000000', "Descendents")
```
Got:
```
New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "5".
At line:1 char:9
+ $ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
```
Your 5 string arguments don't match any overload signature for the rule constructor exactly, but might match 2 of them if the arguments were converted to the correct argument type.
Providing arguments of the correct type will allow PowerShell to pick the right one:
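One way to supply typed arguments, as an added example that is not part of the original answer: every value is cast to the constructor's parameter type, and the six-argument overload sets both `ObjectType` and `InheritedObjectType` to match the ACL shown in the question. It assumes `$GroupSID` holds the group's SID as in the question; the OU path is a placeholder.

```powershell
# Added example. Assumptions (not from the original post): $GroupSID holds the
# group's SID (string or SecurityIdentifier) and $ouPath is a placeholder OU.
Import-Module ActiveDirectory                   # provides the AD: drive used below
$ouPath = 'AD:\OU=Example,DC=example,DC=com'    # placeholder, replace with the target OU

# Cast every argument to the constructor's parameter type so that overload
# resolution has exactly one candidate.
$identity    = [System.Security.Principal.SecurityIdentifier]$GroupSID
$rights      = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$type        = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$allTypes    = [Guid]::Empty                    # 00000000-0000-0000-0000-000000000000

# Six-argument overload:
# identity, rights, type, objectType, inheritance, inheritedObjectType
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $identity, $rights, $type, $allTypes, $inheritance, $allTypes

# Compare the in-memory rule with the GUI-created ACE before writing anything.
$ace | Format-List ActiveDirectoryRights, InheritanceType, ObjectType,
    InheritedObjectType, AccessControlType, InheritanceFlags, PropagationFlags

# Add the rule to the OU's ACL and write it back.
$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# Read the ACL back and list the explicit (non-inherited) ACEs carrying exactly
# these rights, to confirm which identity received them.
(Get-Acl -Path $ouPath).Access |
    Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -eq $rights } |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

With an all-zero `ObjectType` the rule covers child objects of every class, so the read-back listing is worth keeping as a record of which group holds this delegation.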