Control Access rights, property sets and PowerShell

David Zemdegs 1,381 Reputation points


Does anyone know of any examples of how to create a property set in PowerShell?
That is:
generating a GUID
creating a control access right object
assigning attributes to be members of the control access right

David Z

Windows Server PowerShell

Accepted answer
  1. David Zemdegs 1,381 Reputation points

    OK - Got the controlaccessright created:

    $newguid = [system.guid]::NewGuid()  
    $car = New-ADObject -PassThru -Path 'CN=Extended-Rights,CN=Configuration,<your DC bit>' -Name 'myCustom' -DisplayName 'myCustom' -Type 'controlAccessRight' -OtherAttributes @{'appliesTo' = 'bf967a86-0de6-11d0-a285-00aa003049e2', 'bf967a9c-0de6-11d0-a285-00aa003049e2', 'bf967aba-0de6-11d0-a285-00aa003049e2'; 'rightsGuid' = $newguid.tostring(); 'validAccesses' = 48 }  

    All that's left is to assign the rightsGuid to the attributeSecurityGUID of the attributes I want to add to the property set.
    Even though I am in Schema Admins it says 'insufficient rights' when I try to run this:

    Set-ADObject -Identity 'CN=MyCustomAtt,CN=Schema,CN=Configuration,<your DC bit>' -Partition 'CN=Schema,CN=Configuration,<your DC bit>' -Add @{'attributeSecurityGUID' = $newguid.tobytearray() }  
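To check the result of the steps in the accepted answer, the following read-only query lists each property set together with the schema attributes whose attributeSecurityGUID points at it. It is an added example, not code from the thread; the function name `Get-PropertySetMembership` and its `-Name` parameter are hypothetical, and it assumes the ActiveDirectory module and read access to the Configuration and Schema partitions.

```powershell
# Added example (not from the thread): read-only listing of property sets and their members.
Import-Module ActiveDirectory

function Get-PropertySetMembership {
    param([string]$Name = '*')   # hypothetical parameter: wildcard on the right's name

    $root     = Get-ADRootDSE
    $rightsDn = "CN=Extended-Rights,$($root.configurationNamingContext)"

    # Index schema attributes by attributeSecurityGUID. The attribute is an octet
    # string, so convert the 16 bytes back to a GUID (the inverse of ToByteArray()).
    $membersByGuid = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext `
                 -LDAPFilter '(&(objectClass=attributeSchema)(attributeSecurityGUID=*))' `
                 -Properties lDAPDisplayName, attributeSecurityGUID |
        ForEach-Object {
            $guid = [guid]::new([byte[]]$_.attributeSecurityGUID).ToString()
            if (-not $membersByGuid.ContainsKey($guid)) { $membersByGuid[$guid] = @() }
            $membersByGuid[$guid] += $_.lDAPDisplayName
        }

    # validAccesses = 48 (read property 0x10 + write property 0x20), as set in the thread
    Get-ADObject -SearchBase $rightsDn `
                 -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=48))' `
                 -Properties rightsGuid, appliesTo, validAccesses |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            $key = ([guid]$_.rightsGuid).ToString()   # normalise case and format
            [pscustomobject]@{
                Name       = $_.Name
                RightsGuid = $key
                AppliesTo  = @($_.appliesTo)
                Attributes = @($membersByGuid[$key] | Sort-Object)
            }
        }
}

# 'myCustom' is the name used in the accepted answer
Get-PropertySetMembership -Name 'myCustom' | Format-List
```

An empty `Attributes` list means no schema attribute carries that GUID yet, which is the state the thread describes before the `Set-ADObject` step succeeds.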

8 additional answers

  1. David Zemdegs 1,381 Reputation points

    OK - got the first bit - generating a GUID:


  2. Ian Xue (Shanghai Wicresoft Co., Ltd.) 18,351 Reputation points Microsoft Employee


    To create a new ACL object you can call the constructor as well

    $acl = [System.Security.AccessControl.FileSecurity]::new()  

    or use the New-Object cmdlet

    $acl = New-Object -TypeName System.Security.AccessControl.FileSecurity  

    To add an access rule to the ACL object you can invoke the AddAccessRule method of the object


    Best Regards,
    Ian Xue



  3. David Zemdegs 1,381 Reputation points

    I think you completely misunderstood my question.
    I want to create a property set.
    This involves creating a controlaccessright object - the one that lives in the configuration container that has vital properties like AppliesTo and rightsGuid.


  4. David Zemdegs 1,381 Reputation points

    Should have run that command to set the AttributeSecurityGUID as administrator!
    So now I get the old 'a referral was returned from the server' error code: 0x202b
