Greetings,
Does anyone know of any examples of how to create a property set in Powershell?
That is:
generating a GUID
creating a control access right object
assigning attributes to be members of the control access right
Thanks
David Z
OK - Got the controlaccessright created:
$newguid = [system.guid]::NewGuid()
$car = New-ADObject -PassThru -Path 'CN=Extended-Rights,CN=Configuration,<your DC bit>' -Name 'myCustom' -DisplayName 'myCustom' -Type 'controlAccessRight' -OtherAttributes @{'appliesTo' = 'bf967a86-0de6-11d0-a285-00aa003049e2', 'bf967a9c-0de6-11d0-a285-00aa003049e2', 'bf967aba-0de6-11d0-a285-00aa003049e2'; 'rightsGuid' = $newguid.tostring(); 'validAccesses' = 48 }
All that's left is to assign the rightsGuid to the attributeSecurityGUID of the attributes I want to add to the property set.
Even though I am in Schema Admins, it says 'insufficient rights' when I try to run this:
Set-ADObject -Identity 'CN=MyCustomAtt,CN=Schema,CN=Configuration,<your DC bit>' -Partition 'CN=Schema,CN=Configuration,<your DC bit>' -Add @{'attributeSecurityGUID' = $newguid.tobytearray() }
Hi,
To create a new ACL object you can call the constructor as well
$acl = [System.Security.AccessControl.FileSecurity]::new()
or use the New-Object cmdlet
$acl = New-Object -TypeName System.Security.AccessControl.FileSecurity
To add an access rule to the ACL object you can invoke the AddAccessRule method of the object
$acl.AddAccessRule($SomeRule)
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesecurity
Best Regards,
Ian Xue
I think you completely misunderstood my question.
I want to create a property set.
This involves creating a controlaccessright object - the one that lives in the configuration container that has vital properties like AppliesTo and rightsGuid.
Should have run that command to set the AttributeSecurityGUID as administrator!
So now I get the old 'a referral was returned from the server' error code: 0x202b
So I found this:
https://docs.microsoft.com/en-us/windows/win32/ad/restrictions-on-schema-extension
however it only refers to category 1 for a classSchema object.
The object I want to change is not a classSchema object nor does it have the systemflags set.
I suspected that it might be the format of what I am assigning to that attribute.
I have tried:
($newguid.tobytearray() | foreach {$_.ToString('x2')}) -join ' '
($newguid.tobytearray() | foreach {$_.ToString('x2')}) -join ''
($newguid.tobytearray() | foreach {'\' + $_.ToString('x2')}) -join ''
but they all fail as well.
The guid is definitely the guid of the rightsGUID of the controlaccessright object.
So it's definitely a PowerShell formatting thing.
I just used admod to set the AttributeSecurityGUID and it worked!
And here is the format of the admod command to add 'CustomAttribute' as an attribute of your property set:
admod -b CN=Customattribute,CN=Schema,CN=Configuration,<your DC bit> guid##attributeSecurityGUID::a962c88f-43d0-4376-9106-32967db31d03
The GUID above is the rightsGuid of your new controlAccessRight.
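An added example, not part of the original thread or any poster's code: the same attributeSecurityGUID change made with the ActiveDirectory module and then read back to confirm which attributes are in the property set. It assumes the referral error comes from the write reaching a DC other than the schema master (the thread does not confirm this), so the write is sent to `(Get-ADForest).SchemaMaster`; the GUID and attribute name are the ones quoted above.

```powershell
# Added example; needs the ActiveDirectory module (RSAT), Schema Admins rights and an elevated session.
Import-Module ActiveDirectory

# Values quoted in the thread; substitute your own.
$rightsGuid  = [guid]'a962c88f-43d0-4376-9106-32967db31d03'  # rightsGuid of the controlAccessRight
$attributeCn = 'MyCustomAtt'                                 # attribute to place in the property set

$root     = Get-ADRootDSE
$configNC = $root.configurationNamingContext
$schemaNC = $root.schemaNamingContext
# Assumption: schema writes must reach the schema master; other DCs answer with a referral.
$schemaMaster = (Get-ADForest).SchemaMaster

# 1. Check that the controlAccessRight exists and is a property set
#    (validAccesses 48 = 0x10 read property + 0x20 write property).
$car = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(rightsGuid=$rightsGuid))" `
    -Properties rightsGuid, validAccesses | Select-Object -First 1
if (-not $car) { throw "No controlAccessRight with rightsGuid $rightsGuid" }
if ($car.validAccesses -ne 48) {
    throw "$($car.Name) is not a property set (validAccesses=$($car.validAccesses))"
}

# 2. attributeSecurityGUID is an octet string: pass the 16 raw bytes, not hex text.
[byte[]]$guidBytes = $rightsGuid.ToByteArray()
Set-ADObject -Identity "CN=$attributeCn,$schemaNC" -Server $schemaMaster `
    -Replace @{ attributeSecurityGUID = $guidBytes }

# 3. Read back every attribute in the set. LDAP filters take binary values as \xx per byte.
$escaped = ($guidBytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
    -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
    -Properties attributeSecurityGUID |
    ForEach-Object {
        [pscustomobject]@{
            Attribute   = $_.Name
            PropertySet = [guid]::new([byte[]]$_.attributeSecurityGUID)
        }
    }
```

The read-back in step 3 is also a quick audit of a property set: any attribute listed there is covered by ACEs that grant read or write on that rightsGuid.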