combine several AccessRules into one single one - ACL of User Object in Active Directory

Question

combine several AccessRules into one single one - ACL of User Object in Active Directory

Wolfgang-2637 0

Hi,

I want to set a new ACL for one specific AD Group to an OU. This works fine but my solution now generates for each "New-Obejct..." one seperate AccessRule. That's logical but I don't want this.

The main code looks like this:

$ACL = Get-Acl -Path $TargetOU

$RuleLockoutTime = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID,"WriteProperty","Allow",$GUID_1,"Descendents",$User)
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($GroupSID,"ExtendedRight","Allow",$GUID_2","Descendents",$User)
$Rule....... = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (........

$ACL.AddAccessRule($RuleLockoutTime)
$ACL.AddAccessRule($RuleResetPassword)
$ACL.AddAccessRule($Rule......

Set-Acl -Path $TargetOU -AclObject $ACL

How can I put all together in one single AcccesRule? I already tried a lot but I never reached the right syntax.

Thanks in advance,

Wolfgang

Rich Matheisen 47,786 Reputation points

2023-08-16T14:49:56.6133333+00:00

The 1st two ActiveDirectoryAccessRules modify different objects in the schema ($GUID1 and $GUID2). How would (or could) they be "combined"?
Wolfgang-2637 0 Reputation points

2023-08-16T15:09:43.42+00:00

Hi Rich,

the reason is that I have almost 40 AccessRules which I'd like to combine in just a few rules.

Isn't it possible to make one AccessRule in which several properties are chosen?

Thanks Wolfgang
Rich Matheisen 47,786 Reputation points

2023-08-16T18:29:31.4666667+00:00

When you say "properties", do you mean "rights"?

If so, the answer is "yes". You can combine a number of rights in the constructor of the ActiveDirectoryAccessRule (see link below). But a rule is applied to only a single AD object (represented by its GUID). Inheritance may cause the rule to be applied to other child objects, but there'd only be a single rule for the parent object.

https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.8.1

Wolfgang-2637 0

Now we are on the same page - that's what I want.

The link you provided my I already know but it did not yet help me. I need a short snipped to get it.

Here these lines should end in one single right entry of a user object. It's not the full script it's just he main part:

$ACL = Get-Acl -Path $TargetOU

$1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_1,"Descendents",$guidmap["user"]
$2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_2,"Descendents",$guidmap["user"]
$3 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_3,"Descendents",$guidmap["user"]
$4 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_4,"Descendents",$guidmap["user"]
$5 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_5,"Descendents",$guidmap["user"]

$ACL.AddAccessRule($1)
$ACL.AddAccessRule($2)
$ACL.AddAccessRule($3)
$ACL.AddAccessRule($4)
$ACL.AddAccessRule($5)

Set-Acl -Path $TargetOU -AclObject $ACL

Could you please help me. I already tried Add-Member and other things but I do not get the right way :(

Your answer

Rich Matheisen 47,786 Reputation points

2023-08-16T14:49:56.6133333+00:00

The 1st two ActiveDirectoryAccessRules modify different objects in the schema ($GUID1 and $GUID2). How would (or could) they be "combined"?
Wolfgang-2637 0 Reputation points

2023-08-16T15:09:43.42+00:00

Hi Rich,

the reason is that I have almost 40 AccessRules which I'd like to combine in just a few rules.

Isn't it possible to make one AccessRule in which several properties are chosen?

Thanks Wolfgang
Rich Matheisen 47,786 Reputation points

2023-08-16T18:29:31.4666667+00:00

When you say "properties", do you mean "rights"?

If so, the answer is "yes". You can combine a number of rights in the constructor of the ActiveDirectoryAccessRule (see link below). But a rule is applied to only a single AD object (represented by its GUID). Inheritance may cause the rule to be applied to other child objects, but there'd only be a single rule for the parent object.

https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.8.1
Wolfgang-2637 0 Reputation points

2023-08-17T06:11:21.53+00:00

Now we are on the same page - that's what I want.

The link you provided my I already know but it did not yet help me. I need a short snipped to get it.

Here these lines should end in one single right entry of a user object. It's not the full script it's just he main part:

$ACL = Get-Acl -Path $TargetOU $1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_1,"Descendents",$guidmap["user"] $2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_2,"Descendents",$guidmap["user"] $3 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_3,"Descendents",$guidmap["user"] $4 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_4,"Descendents",$guidmap["user"] $5 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,"WriteProperty","Allow",$guid_5,"Descendents",$guidmap["user"] $ACL.AddAccessRule($1) $ACL.AddAccessRule($2) $ACL.AddAccessRule($3) $ACL.AddAccessRule($4) $ACL.AddAccessRule($5) Set-Acl -Path $TargetOU -AclObject $ACL

Could you please help me. I already tried Add-Member and other things but I do not get the right way :(

Share via

combine several AccessRules into one single one - ACL of User Object in Active Directory

Your answer