Transferring ACLs from Old to New Structure

Hollander, Zachary D 1 Reputation point
2022-04-04T18:51:44.927+00:00

I am reconstructing a client's on-prem Active Directory (AD). There are multiple levels that are being condensed into a single level. Running a Get-/Set-ACL script worked for the first level of the old structure. I was able to add all the groups and permissions to the new structure's object units (OUs). When I ran the script again, moving the old second-level OUs' ACLs to the new structure, the script made the new structure's ACLs look identical to the second level. I thought the script would append. It did not. I did my research and could not find a PowerShell append-ACL cmdlet. I am currently setting all the ACLs manually by comparing the old structure to the new one, adding groups and setting permissions one by one. Is there a way that I can speed this up?


1 answer

  1. Limitless Technology 39,461 Reputation points
    2022-04-07T14:14:13.83+00:00

    Hi @Hollander, Zachary D

    There is no fix-all for this, but the following PowerShell commands may be useful:

    Use SetAccessRuleProtection() to disable inheritance and remove inherited ACEs:

        $acl.SetAccessRuleProtection($true, $false)

    Use RemoveAccessRule() to remove existing (non-inherited) ACEs:

        $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

    Use AddAccessRule() to add new ACEs:

        $ace = New-Object Security.AccessControl.FileSystemAccessRule "user", ...
        $acl.AddAccessRule($ace)
        ...

    Do this only for the topmost folder. Leave inheritance enabled everywhere below, so your changes are propagated automatically.

    I hope this answers your question.

    Thanks.

    --
    --If the reply is helpful, please Upvote and Accept as answer--

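The append behaviour the question asks for, as an added example that is not part of the question or the answer above: read the target OU's existing ACL, add the explicit (non-inherited) ACEs from each old OU that are not already present, and only then call Set-Acl, so earlier merges are not overwritten. It assumes the ActiveDirectory module (the AD: drive) and uses placeholder distinguished names; Merge-OuAcl and its parameters are names chosen for this example.

```powershell
# Added example (not from the original post): merge the explicit ACEs of old OUs
# into a new OU instead of replacing the new OU's ACL. Assumes the ActiveDirectory
# module and write access to the target OU's security descriptor. DNs are placeholders.
Import-Module ActiveDirectory

function Merge-OuAcl {
    param(
        [Parameter(Mandatory)] [string[]] $SourceOu,   # DNs of the old OUs
        [Parameter(Mandatory)] [string]   $TargetOu,   # DN of the new OU
        [switch] $DryRun                               # report only, do not write
    )
    # Start from the target's CURRENT ACL so previously merged ACEs are kept.
    $targetAcl = Get-Acl -Path "AD:\$TargetOu"
    $added = 0
    foreach ($dn in $SourceOu) {
        $sourceAcl = Get-Acl -Path "AD:\$dn"
        # Inherited ACEs come from the new parent anyway; copy only explicit ones.
        foreach ($ace in ($sourceAcl.Access | Where-Object { -not $_.IsInherited })) {
            $dup = $targetAcl.Access | Where-Object {
                $_.IdentityReference     -eq $ace.IdentityReference     -and
                $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
                $_.AccessControlType     -eq $ace.AccessControlType     -and
                $_.ObjectType            -eq $ace.ObjectType            -and
                $_.InheritedObjectType   -eq $ace.InheritedObjectType   -and
                $_.InheritanceType       -eq $ace.InheritanceType
            }
            if ($dup) { continue }   # skip ACEs the target already has
            # Rebuild the ACE explicitly (object-type and inheritance GUIDs included).
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
                $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
            $targetAcl.AddAccessRule($rule)
            $added++
        }
    }
    if ($DryRun) { Write-Host "Would add $added ACE(s) to $TargetOu"; return $added }
    Set-Acl -Path "AD:\$TargetOu" -AclObject $targetAcl
    Write-Host "Added $added ACE(s) to $TargetOu"
    return $added
}

# Example call with placeholder DNs; drop -DryRun to apply the merge.
Merge-OuAcl -SourceOu 'OU=Old,DC=corp,DC=example', 'OU=Sub,OU=Old,DC=corp,DC=example' `
            -TargetOu 'OU=New,DC=corp,DC=example' -DryRun
```

Run it once per target OU with every old OU that feeds it, and review the dry-run count before writing, since Set-Acl on the AD: drive replaces the descriptor with whatever the in-memory object holds.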