DSCResources/MSFT_ADObjectPermissionEntry/en-US/about_ADObjectPermissionEntry.help.txt

.NAME
    ADObjectPermissionEntry
 
.DESCRIPTION
    The ADObjectPermissionEntry DSC resource will manage access control lists on Active Directory objects. The resource is
    designed to to manage just one entry in the list of permissios (ACL) for one AD object. It will only interact with the
    one permission and leave all others as they were. The resource can be used multiple times to add multiple entries into
    one ACL.
 
    ## Requirements
 
    * Target machine must be running Windows Server 2008 R2 or later.
 
.PARAMETER Ensure
    Write - String
    Allowed values: Present, Absent
    Indicates if the access will be added (Present) or will be removed (Absent). Default value is 'Present'.
 
.PARAMETER Path
    Key - String
    Active Directory path of the target object to add or remove the permission entry, specified as a Distinguished Name.
 
.PARAMETER IdentityReference
    Key - String
    Indicates the identity of the principal for the ACE. Use the notation DOMAIN\\SamAccountName for the identity.
 
.PARAMETER ActiveDirectoryRights
    Write - String
    Allowed values: AccessSystemSecurity, CreateChild, Delete, DeleteChild, DeleteTree, ExtendedRight, GenericAll, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, ReadControl, ReadProperty, Self, Synchronize, WriteDacl, WriteOwner, WriteProperty
    A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. Default value is 'GenericAll'.
 
.PARAMETER AccessControlType
    Key - String
    Allowed values: Allow, Deny
    Indicates whether to Allow or Deny access to the target object.
 
.PARAMETER ObjectType
    Key - String
    The schema GUID of the object to which the access rule applies. If the permission entry shouldn't be restricted to a specific object type, use the zero guid (00000000-0000-0000-0000-000000000000).
 
.PARAMETER ActiveDirectorySecurityInheritance
    Key - String
    Allowed values: All, Children, Descendents, None, SelfAndChildren
    One of the 'ActiveDirectorySecurityInheritance' enumeration values that specifies the inheritance type of the access rule.
 
.PARAMETER InheritedObjectType
    Key - String
    The schema GUID of the child object type that can inherit this access rule. If the permission entry shouldn't be restricted to a specific inherited object type, use the zero guid (00000000-0000-0000-0000-000000000000).
 
.EXAMPLE 1
 
This configuration will add full control (GenericAll) permissions to
the virtual computer object (VCO) ROLE01 for a cluster name object (CNO)
CONTOSO\CLUSTER01$. This is used so that the Windows Failover Cluster
can control the roles AD objects.
 
Configuration ADObjectPermissionEntry_DelegateFullControl_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADObjectPermissionEntry 'ADObjectPermissionEntry'
        {
            Ensure = 'Present'
            Path = 'CN=ROLE01,CN=Computers,DC=contoso,DC=com'
            IdentityReference = 'CONTOSO\CLUSTER01$'
            ActiveDirectoryRights = 'GenericAll'
            AccessControlType = 'Allow'
            ObjectType = '00000000-0000-0000-0000-000000000000'
            ActiveDirectorySecurityInheritance = 'None'
            InheritedObjectType = '00000000-0000-0000-0000-000000000000'
        }
    }
}
 
.EXAMPLE 2
 
This configuration will add a group permission to create and delete
(CreateChild,DeleteChild) computer objects in an OU and any sub-OUs that
may get created.
 
Configuration ADObjectPermissionEntry_CreateDeleteComputerObject_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADObjectPermissionEntry 'ADObjectPermissionEntry'
        {
            Ensure = 'Present'
            Path = 'OU=ContosoComputers,DC=contoso,DC=com'
            IdentityReference = 'CONTOSO\ComputerAdminGroup'
            ActiveDirectoryRights = 'CreateChild', 'DeleteChild'
            AccessControlType = 'Allow'
            ObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer objects
            ActiveDirectorySecurityInheritance = 'All'
            InheritedObjectType = '00000000-0000-0000-0000-000000000000'
        }
    }
}
 
.EXAMPLE 3
 
This configuration will add a group permission to allow read and write
(ReadProperty, WriteProperty) of all properties of computer objects in
an OU and any sub-OUs that may get created.
 
Configuration ADObjectPermissionEntry_ReadWriteComputerObjectProperties_Config
{
    Import-DscResource -Module ActiveDirectoryDsc
 
    Node localhost
    {
        ADObjectPermissionEntry 'ADObjectPermissionEntry'
        {
            Ensure = 'Present'
            Path = 'OU=ContosoComputers,DC=contoso,DC=com'
            IdentityReference = 'CONTOSO\ComputerAdminGroup'
            ActiveDirectoryRights = 'ReadProperty', 'WriteProperty'
            AccessControlType = 'Allow'
            ObjectType = '00000000-0000-0000-0000-000000000000'
            ActiveDirectorySecurityInheritance = 'Descendents'
            InheritedObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer objects
        }
    }
}