DavidZemdegs asked DavidZemdegs answered

Control Access rights, property sets and powershell

Greetings,

Does anyone know of any examples of how to create a property set in Powershell?
That is:
generating a GUID
creating a control access right object
assigning attributes to be members of the control access right

Thanks
David Z

windows-server-powershell

DavidZemdegs answered

OK - Got the controlaccessright created:

 $newguid = [system.guid]::NewGuid()
 $car = New-ADObject -PassThru -Path 'CN=Extended-Rights,CN=Configuration,<your DC bit>' -Name 'myCustom' -DisplayName 'myCustom' -Type 'controlAccessRight' -OtherAttributes @{'appliesTo' = 'bf967a86-0de6-11d0-a285-00aa003049e2', 'bf967a9c-0de6-11d0-a285-00aa003049e2', 'bf967aba-0de6-11d0-a285-00aa003049e2'; 'rightsGuid' = $newguid.tostring(); 'validAccesses' = 48 }

All that's left is to assign the rightsguid to the AttributeSecurityGUID of the attributes I want to add to the propertyset
Even though I am schema admins it says 'insufficient rights' when I try to run this:

 Set-ADObject -Identity 'CN=MyCustomAtt,CN=Schema,CN=Configuration,<your DC bit>' -Partition 'CN=Schema,CN=Configuration,<your DC bit>' -Add @{'attributeSecurityGUID' = $newguid.tobytearray() }


DavidZemdegs answered

OK - got the first bit - generating a GUID:

[system.guid]::NewGuid()

IanXue-MSFT answered IanXue-MSFT edited

Hi,

To create a new ACL object you can call the constructor as well

 $acl = [System.Security.AccessControl.FileSecurity]::new()

or use the New-Object cmdlet

 $acl = New-Object -TypeName System.Security.AccessControl.FileSecurity

To add an access rule to the ACL object you can invoke the AddAccessRule method of the object

 $acl.AddAccessRule($SomeRule)

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesecurity

Best Regards,
Ian Xue

DavidZemdegs answered

I think you completely misunderstood my question.
I want to create a property set.
This involves creating a controlaccessright object - the one that lives in the configuration container that has vital properties like AppliesTo and rightsGuid.

DavidZemdegs answered

Should have run that command to set the AttributeSecurityGUID as administrator!
So now I get the old 'a referral was returned from the server' error code: 0x202b

DavidZemdegs answered

So I found this:
https://docs.microsoft.com/en-us/windows/win32/ad/restrictions-on-schema-extension

however it only refers to category 1 for a classSchema object.
The object I want to change is not a classSchema object nor does it have the systemflags set.

DavidZemdegs answered

I suspected that it might be the format of what I am assigning to that attribute.
I have tried:

 ($newguid.tobytearray() | foreach {$_.ToString('x2')}) -join ' '
 ($newguid.tobytearray() | foreach {$_.ToString('x2')}) -join ''
 ($newguid.tobytearray() | foreach {'\' + $_.ToString('x2')}) -join ''

but they all fail as well.
The guid is definitely the guid of the rightsGUID of the controlaccessright object.

DavidZemdegs answered

So it's definitely a PowerShell formatting thing.
I just used admod to set the AttributeSecurityGUID and it worked!

DavidZemdegs answered

And here is the format of the admod command to add 'CustomAttribute' as an attribute of your property set:

 admod -b CN=Customattribute,CN=Schema,CN=Configuration,<your DC bit> guid##attributeSecurityGUID::a962c88f-43d0-4376-9106-32967db31d03

The GUID above is the rightsGuid of your new controlAccessRight.

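Pulling the thread's pieces together, here is an added example (not code posted by anyone in the thread) that does the whole procedure in PowerShell with the ActiveDirectory module: generate the GUID, create the controlAccessRight, write the GUID into each member attribute's attributeSecurityGUID as a byte array, reload the schema cache, verify, enumerate the set's members, and build an ACE that references it. It assumes an elevated session whose account is in Schema Admins (with a fresh logon so the token carries the group), and it sends the schema writes to the schema master, because the schema partition is writable only there and other DCs answer a schema modify with a referral. The names 'myCustomPropertySet', 'myCustomAtt1', 'myCustomAtt2' and 'HelpDesk' are placeholders; the attributeSchema objects must already exist and must not be system-owned (category 1) attributes, which refuse the change.

```powershell
# Added example, not code from the thread. End-to-end creation of an AD property set.
# Assumptions: elevated session, account in Schema Admins (fresh logon), and the
# attribute/group names below are placeholders for objects that exist in your forest.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$configNc     = $rootDse.configurationNamingContext
$schemaNc     = $rootDse.schemaNamingContext
# Schema writes are only accepted by the schema master; any other DC answers with a referral.
$schemaMaster = (Get-ADForest).SchemaMaster

# 1. A fresh GUID becomes the rightsGuid that ACEs will use to name the property set.
$rightsGuid = [guid]::NewGuid()

# schemaIDGUIDs of the classes the set applies to: user, computer, group.
$appliesTo = @(
    'bf967aba-0de6-11d0-a285-00aa003049e2'
    'bf967a86-0de6-11d0-a285-00aa003049e2'
    'bf967a9c-0de6-11d0-a285-00aa003049e2'
)

# 2. Create the controlAccessRight under Extended-Rights. validAccesses = 48 is
#    ADS_RIGHT_DS_READ_PROP (0x10) | ADS_RIGHT_DS_WRITE_PROP (0x20); that combination is
#    what makes the object a property set rather than an extended right.
$carParams = @{
    Name            = 'myCustomPropertySet'   # placeholder name
    DisplayName     = 'myCustomPropertySet'
    Type            = 'controlAccessRight'
    Path            = "CN=Extended-Rights,$configNc"
    Server          = $schemaMaster
    PassThru        = $true
    OtherAttributes = @{
        appliesTo     = $appliesTo
        rightsGuid    = $rightsGuid.ToString()
        validAccesses = 48
    }
}
$car = New-ADObject @carParams
"Created property set $($car.DistinguishedName) with rightsGuid $rightsGuid"

# 3. Add attributes to the set. attributeSecurityGUID is an octet string, so the value is
#    the 16-byte form from ToByteArray(), not a hex string. -Replace works whether or not
#    the attribute already holds a value.
$memberAttributes = @('myCustomAtt1', 'myCustomAtt2')   # placeholder attribute names
foreach ($attr in $memberAttributes) {
    Set-ADObject -Identity "CN=$attr,$schemaNc" -Partition $schemaNc -Server $schemaMaster `
        -Replace @{ attributeSecurityGUID = $rightsGuid.ToByteArray() }
}

# 4. Reload the schema cache on the schema master so the new set is honoured immediately.
$rootDseAdsi = [adsi]"LDAP://$schemaMaster/RootDSE"
$rootDseAdsi.Put('schemaUpdateNow', 1)
$rootDseAdsi.SetInfo()

# 5. Verify by reading the octet string back and comparing it to the GUID that was written.
foreach ($attr in $memberAttributes) {
    $obj = Get-ADObject -Identity "CN=$attr,$schemaNc" -Partition $schemaNc `
        -Server $schemaMaster -Properties attributeSecurityGUID
    $stored = [guid]::new([byte[]]$obj.attributeSecurityGUID)
    if ($stored -ne $rightsGuid) {
        throw "attributeSecurityGUID on $attr is $stored, expected $rightsGuid"
    }
}

# 6. Enumerate every member of the set. In an LDAP *filter* the same bytes are written as
#    \xx escapes; that encoding is for filters only, never for the value you store.
$filterGuid = ($rightsGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
Get-ADObject -SearchBase $schemaNc -Server $schemaMaster `
    -LDAPFilter "(attributeSecurityGUID=$filterGuid)" | Select-Object Name, DistinguishedName

# 7. Use the set in an ACE: ObjectType is the rightsGuid, the right is ReadProperty and/or
#    WriteProperty. 'HelpDesk' is a placeholder group; apply the rule to an OU with
#    Get-Acl/Set-Acl on the AD: drive.
$sid = (Get-ADGroup 'HelpDesk').SID
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightsGuid
)
$ace
```

Two things worth keeping in mind when you operate this. First, the 0x202b referral in the thread is the symptom you get when the schema modify lands on a DC that is not the schema master, which is why the example pins -Server to (Get-ADForest).SchemaMaster for every schema write and read. Second, a property set is a grant over every attribute whose attributeSecurityGUID carries that rightsGuid, including attributes added later: any ACE that already references the set silently widens when you tag another attribute with it, so treat step 3 as a permission change and review who holds the set (the filter in step 6 lists its members) before extending it.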