Control Access rights, property sets and powershell

David Zemdegs 1,381 Reputation points
2021-03-23T21:45:04.393+00:00

Greetings,

Does anyone know of any examples of how to create a property set in PowerShell?
That is:
generating a GUID
creating a control access right object
assigning attributes to be members of the control access right

Thanks
David Z


Accepted answer
  1. David Zemdegs 1,381 Reputation points
    2021-03-25T01:05:16.237+00:00

    OK - Got the controlaccessright created:

    $newguid = [system.guid]::NewGuid()  
    $car = New-ADObject -PassThru -Path 'CN=Extended-Rights,CN=Configuration,<your DC bit>' -Name 'myCustom' -DisplayName 'myCustom' -Type 'controlAccessRight' -OtherAttributes @{'appliesTo' = 'bf967a86-0de6-11d0-a285-00aa003049e2', 'bf967a9c-0de6-11d0-a285-00aa003049e2', 'bf967aba-0de6-11d0-a285-00aa003049e2'; 'rightsGuid' = $newguid.tostring(); 'validAccesses' = 48 }  
    

    All that's left is to assign the rightsguid to the AttributeSecurityGUID of the attributes I want to add to the propertyset.
    Even though I am in Schema Admins, it says 'insufficient rights' when I try to run this:

    Set-ADObject -Identity 'CN=MyCustomAtt,CN=Schema,CN=Configuration,<your DC bit>' -Partition 'CN=Schema,CN=Configuration,<your DC bit>' -Add @{'attributeSecurityGUID' = $newguid.tobytearray() }  
    
      
    
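Added example (not part of the thread): a read-only check that reads back the controlAccessRight created in the accepted answer and lists the schema attributes whose attributeSecurityGUID matches its rightsGuid. The function names are hypothetical; it assumes the ActiveDirectory module and the 'myCustom' name used above.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory)][guid]$Guid)
    # attributeSecurityGUID is an octet string holding Guid.ToByteArray();
    # an LDAP filter needs each byte written as \XX.
    -join ($Guid.ToByteArray() | ForEach-Object { '\{0:X2}' -f $_ })
}

function Get-PropertySetReport {
    param(
        # CN of the controlAccessRight; restricted so it is safe inside the filter.
        [Parameter(Mandatory)][ValidatePattern('^[\w\- ]+$')][string]$Name
    )

    $rootDse = Get-ADRootDSE
    $car = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(cn=$Name))" `
        -Properties rightsGuid, validAccesses, appliesTo
    if (-not $car) { throw "No controlAccessRight named '$Name' found." }

    # A property set uses read property (16) + write property (32) = 48.
    if ($car.validAccesses -ne 48) {
        Write-Warning "validAccesses is $($car.validAccesses); a property set uses 48."
    }

    # Find every attributeSchema object stamped with this right's GUID.
    $guidFilter = ConvertTo-LdapGuidFilter -Guid $car.rightsGuid
    $members = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$guidFilter))" `
        -Properties lDAPDisplayName

    [pscustomobject]@{
        Name          = $car.Name
        RightsGuid    = $car.rightsGuid
        ValidAccesses = $car.validAccesses
        AppliesTo     = @($car.appliesTo)   # schemaIDGUIDs of the classes it applies to
        Members       = @($members | ForEach-Object { $_.lDAPDisplayName })
    }
}

Get-PropertySetReport -Name 'myCustom'
```

An empty Members list means no attribute has been assigned to the property set yet.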

8 additional answers

  1. David Zemdegs 1,381 Reputation points
    2021-03-23T23:41:34.863+00:00

    OK - got the first bit - generating a GUID:


  2. Ian Xue (Shanghai Wicresoft Co., Ltd.) 18,351 Reputation points Microsoft Employee
    2021-03-24T06:59:37.073+00:00

    Hi,

    To create a new ACL object you can call the constructor as well

    $acl = [System.Security.AccessControl.FileSecurity]::new()  
    

    or use the New-Object cmdlet

    $acl = New-Object -TypeName System.Security.AccessControl.FileSecurity  
    

    To add an access rule to the ACL object you can invoke the AddAccessRule method of the object

    $acl.AddAccessRule($SomeRule)  
    

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object
    https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesecurity

    Best Regards,
    Ian Xue


  3. David Zemdegs 1,381 Reputation points
    2021-03-24T08:29:01.757+00:00

    I think you completely misunderstood my question.
    I want to create a property set.
    This involves creating a controlaccessright object - the one that lives in the configuration container that has vital properties like AppliesTo and rightsGuid.


  4. David Zemdegs 1,381 Reputation points
    2021-03-25T02:08:20.49+00:00

    Should have run that command to set the AttributeSecurityGUID as administrator!
    So now I get the old 'a referral was returned from the server' error code: 0x202b
