Delegate "Move Object" in Active Directory using Powershell

Question

Delegate "Move Object" in Active Directory using Powershell

Helmut-72 66

Hi,

I want to delegate the task "Move Object" in Active Directory. As far as I found in the Internet I need

delete object
create object
write CN, DN and RDN

I'm using

$aceAccessControlType = 'Allow'  
$aceActiveDirectoryRights = @('CreateChild', 'Delete')  
$aceInheritanceType = 'All'  
  
$aceObject.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $delegateObjectSid,$aceActiveDirectoryRights,$aceAccessControlType,$objectType,$aceInheritanceType,$inheritedObjectType))

to create the permissions on the OU:

Get-ACL AD:\'OU=Test OU Helmut,OU=IT,DC=domain,DC=local' | select -ExpandProperty Access | where { $PSItem.IdentityReference -eq 'DOMAIN\Move Computer Objects' }  
  
ActiveDirectoryRights : CreateChild, Delete  
InheritanceType       : Descendents  
ObjectType            : 00000000-0000-0000-0000-000000000000  
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2  
ObjectFlags           : InheritedObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : DOMAIN\Move Computer Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : InheritOnly  
  
[...]

I am able to create objects in the OU but not in sub OUs. If I delegate using the GUI the Properties look slightly different:

ActiveDirectoryRights : CreateChild, DeleteChild  
InheritanceType       : All  
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : DOMAIN\Move Computer Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None

ObjectFlags and PropagationFlags differ and even though I set "InheritanceType = All'" it results in "Descendants".

I found https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectaccessrule which has an construtor for both but I cannot create it:

New-Object : A constructor was not found. Cannot find an appropriate constructor for type System.Security.AccessControl.ObjectAccessRule

What am I doing wrong, how can I set PropagationFlags and ObjectFlags? Do I at all?

Thank you!

3 answers

Your answer

Answer 1

Hi @HelmutRitter-5914

Can you share how you have defined $objectType and $inheritedObjectType?

The reason the object and inheritance ID are different is because they are different permissions being assigned.

The permission you set provides these permissions:

As there is no ObjectType set, then the permissions is defined for all child objects, and only applies to

Where the delegated permission set by the GUI provides this permission:

This permission will be inherited by all descendants but only apply to computer objects.

Gary.

Answer 2

$aceAccessControlType = 'Allow'  
$aceActiveDirectoryRights = @('CreateChild', 'Delete')  
$aceInheritanceType = 'All'  
$objectType = '00000000-0000-0000-0000-000000000000'  
$aceInheritedObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2'

This results in

Get-ACL AD:\'OU=Test OU Helmut,OU=IT,DC=contoso,DC=com' | select -ExpandProperty Access | where { $PSItem.IdentityReference -eq 'CONTOSO\Move User Objects' }  
  
ActiveDirectoryRights : CreateChild, Delete  
InheritanceType       : All  
ObjectType            : 00000000-0000-0000-0000-000000000000  
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2  
ObjectFlags           : InheritedObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : False  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
Get-ACL AD:\'OU=SUB,OU=Test OU Helmut,OU=IT,DC=contoso,DC=com' | select -ExpandProperty Access | where { $PSItem.IdentityReference -eq 'CONTOSO\Move User Objects' }  
  
ActiveDirectoryRights : CreateChild, Delete  
InheritanceType       : Descendents  
ObjectType            : 00000000-0000-0000-0000-000000000000  
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2  
ObjectFlags           : InheritedObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : InheritOnly

I'm able to create / delete in the main OU but not in the sub OU.

Gary Reynolds 9,621 Reputation points

2022-07-31T09:51:11.48+00:00

The reason why you are not able to delete computer objects in the child OU, is because the inheritance of the permissions only applies to computers objects, so it's not applied to the child OU, this is why the inheritance on the child OU is descendents only.

I would suggest that you change the $objectType and $aceInheritedObjectType around which will create the permission to allow the creation\deletion of computer objects in the parent and child OUs i.e.

$objectType = 'bf967a86-0de6-11d0-a285-00aa003049e2'
$aceInheritedObjectType = '00000000-0000-0000-0000-000000000000'

In reality you need this new one and the original permissions, as they covers the deletion\creation of computer object in the OU, and previous one covers the creation\deletion of child objects of the computer object,

This screenshot is an example of the some of the possible child objects that can exist under a computer object:

Gary.

Answer 3

Both permissions together work, thank you. Even assigning your suggestion itself does what I need. I misunderstood the intercation of "ObjectType" and "InheritedObjectType". Thank you!

Parent:

ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf9679e4-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : False  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf96793f-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : False  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf967a0e-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : False  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : CreateChild, DeleteChild  
InheritanceType       : All  
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : False  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None

Child:

ActiveDirectoryRights : CreateChild, DeleteChild  
InheritanceType       : All  
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf967a0e-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf96793f-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None  
  
ActiveDirectoryRights : ReadProperty, WriteProperty  
InheritanceType       : All  
ObjectType            : bf9679e4-0de6-11d0-a285-00aa003049e2  
InheritedObjectType   : 00000000-0000-0000-0000-000000000000  
ObjectFlags           : ObjectAceTypePresent  
AccessControlType     : Allow  
IdentityReference     : CONTOSO\Move User Objects  
IsInherited           : True  
InheritanceFlags      : ContainerInherit  
PropagationFlags      : None

Share via

Delegate "Move Object" in Active Directory using Powershell

3 answers

Your answer