private/add-OUPermission.ps1

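function Add-OUPermission {
    <#
    .SYNOPSIS
        Adds an access-control entry (ACE) for a principal to one or more Active Directory containers.

    .DESCRIPTION
        Builds a System.DirectoryServices.ActiveDirectoryAccessRule from the supplied principal,
        right, object / extended-right GUIDs and inheritance settings, then appends it to the ACL
        of every distinguished name in -ADPath through the AD: drive (Get-Acl / Set-Acl).

        Two parameter sets exist:
          Normal   - a plain ActiveDirectoryRights value (-ADRight), optionally scoped to a schema
                     class or attribute (-TargetObject).
          Extended - a named extended right (-ExtendedRight); -ADRight defaults to ExtendedRight.

        Friendly names for -ExtendedRight, -TargetObject and -AppliesTo are resolved to GUIDs with
        Get-ADObjectGUIDs (defined elsewhere in this module). A name that does not resolve to
        exactly one GUID is an error rather than a fallback: an empty GUID in an ACE means "all
        extended rights" / "all object classes", so a failed lookup must never silently widen the
        grant.

        Supports -WhatIf / -Confirm. Only Set-Acl is gated, so -WhatIf still validates every input
        and reports exactly which ACE would be written where.

    .PARAMETER ADPath
        One or more distinguished names (OUs or containers) whose ACL is modified. Accepts pipeline input.

    .PARAMETER Principal
        sAMAccountName of the user, group or computer that receives the ACE. Must resolve to exactly
        one AD object. NOTE(review): the default "right-global-test" is a hard-coded test group kept
        for backward compatibility; callers should always pass -Principal explicitly.

    .PARAMETER ADRight
        ActiveDirectoryRights value to allow/deny (e.g. CreateChild, DeleteChild, GenericAll).
        Mandatory in the Normal set; defaults to ExtendedRight in the Extended set.

    .PARAMETER ExtendedRight
        Name of an extended right, as listed by Get-ADObjectGUIDs with type "Right".

    .PARAMETER TargetObject
        Schema class or attribute (Get-ADObjectGUIDs type "Object") the right is limited to.
        Omitted = the right applies to all object types.

    .PARAMETER AppliesTo
        Schema class ("Applies to" in the GUI) that inherits the ACE. Omitted = all descendants.

    .PARAMETER Action
        Allow (default) or Deny.

    .PARAMETER InheritanceType
        ActiveDirectorySecurityInheritance value; defaults to All.

    .EXAMPLE
        Add-OUPermission -ADPath 'OU=Workstations,DC=corp,DC=example' -Principal 'WS-Admins' -ADRight CreateChild -TargetObject computer

        Lets WS-Admins create computer objects under the Workstations OU (assuming Get-ADObjectGUIDs
        lists the class under the name "computer").
    #>
    [CmdletBinding(DefaultParameterSetName='Normal',SupportsShouldProcess=$true)]
    Param
    (
        [Parameter(parametersetname="Normal", Mandatory=$false, Position = 0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$false, Position = 0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [String[]]$ADPath,

        [Parameter(parametersetname="Normal", Mandatory=$false, Position = 1, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$false, Position = 1, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        # Script-block filter with a named variable: the value is handed to the AD provider as a
        # variable instead of being spliced into the filter text (a quote in the name no longer
        # breaks or rewrites the query). Exactly one match is required.
        [ValidateScript( { $name = $_; @(Get-ADObject -Filter { SamAccountName -eq $name }).Count -eq 1 })]
        $Principal = "right-global-test",

        [Parameter(parametersetname="Normal", Mandatory=$True, Position = 2, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$False, Position = 2, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [System.directoryservices.ActiveDirectoryRights] $ADRight,

        # The ValidateScript blocks below compare $_ against the name list. (Returning the list
        # itself is always truthy and would accept any value.)
        [Parameter(parametersetname="Extended", Mandatory=$True, Position = 3, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ArgumentCompleter( {(Get-ADObjectGUIDs | where-object {$_.type -eq "Right"}).name})]
        [ValidateScript( { $_ -in ((Get-ADObjectGUIDs | where-object {$_.type -eq "Right"}).name) })]
        [String]$ExtendedRight,

        [Parameter(parametersetname="Normal", Mandatory=$False, Position = 3, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ArgumentCompleter( {(Get-ADObjectGUIDs | where-object {$_.type -eq "Object"}).name})]
        [ValidateScript( { $_ -in ((Get-ADObjectGUIDs | where-object {$_.type -eq "Object"}).name) })]
        [String]$TargetObject,

        [Parameter(parametersetname="Normal", Mandatory=$False, Position = 4, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$False, Position = 4, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [ArgumentCompleter( {(Get-ADObjectGUIDs | where-object {$_.type -eq "Object"}).name})]
        [ValidateScript( { $_ -in ((Get-ADObjectGUIDs | where-object {$_.type -eq "Object"}).name) })]
        [String]$AppliesTo,

        [Parameter(parametersetname="Normal", Mandatory=$False, Position = 5, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$False, Position = 5, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Validateset("Allow", "Deny")]
        [System.security.AccessControl.AccessControlType] $Action = "Allow",

        [Parameter(parametersetname="Normal", Mandatory=$False, Position = 6, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [Parameter(parametersetname="Extended", Mandatory=$False, Position = 6, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $InheritanceType = "All"
    )

    Begin {
        # Load the name -> GUID table once per pipeline. Process previously read $ObjectGUIDs
        # without it ever being assigned here, so every lookup returned $null.
        $ObjectGUIDs = @(Get-ADObjectGUIDs)

        # Resolve a friendly name of the given type ("Right" or "Object") to its GUID.
        # Throws on zero or several matches: falling back to Guid.Empty would turn a typo
        # into an ACE covering every extended right / every object class.
        function Resolve-ObjectGuid {
            param([string]$Name, [string]$Type)
            $hits = @($ObjectGUIDs | Where-Object { $_.type -eq $Type -and $_.name -eq $Name })
            if ($hits.Count -ne 1) {
                throw "Cannot resolve $Type '$Name' to exactly one GUID (found $($hits.Count))."
            }
            return [GUID]$hits[0].GUID
        }
    }

    Process {
        # Details on permissions:
        # # ObjectType: either a schema object or a "right" from Get-ADObjectGUIDs. For an
        # #             extended right it identifies the right itself.
        # # InheritedObjectType: "Applies to" in the GUI; a schema object GUID.
        # # ADRight: generally CreateChild, DeleteChild, GenericAll, or something involving ExtendedRight.

        try {
            # Principal -> SID. Script-block filter, see the ValidateScript note on -Principal.
            $principalObject = @(Get-ADObject -Filter { SamAccountName -eq $Principal } -Properties objectSID)
            if ($principalObject.Count -ne 1) {
                throw "Principal '$Principal' resolved to $($principalObject.Count) objects; expected exactly one."
            }
            $principalSID = [System.Security.Principal.SecurityIdentifier] $principalObject[0].objectSID
            $identity = [System.Security.Principal.IdentityReference] $principalSID

            # Extended set without an explicit -ADRight: the right is ExtendedRight by definition.
            if ($ExtendedRight -and -not $ADRight) {
                $ADRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            }

            if ($ExtendedRight) {
                Write-Verbose "ObjectType as extended right"
                $objectType = Resolve-ObjectGuid -Name $ExtendedRight -Type "Right"
            } elseif ($TargetObject) {
                Write-Verbose "ObjectType as schema class or attribute"
                $objectType = Resolve-ObjectGuid -Name $TargetObject -Type "Object"
            } else {
                # Empty GUID = right applies to all object types (intentional here, not a lookup miss).
                Write-Verbose "Setting null objectType"
                $objectType = [GUID]::Empty
            }

            if ($AppliesTo) {
                $inheritedObjectType = Resolve-ObjectGuid -Name $AppliesTo -Type "Object"
            } else {
                # Empty GUID = inherited by all descendant object classes.
                $inheritedObjectType = [GUID]::Empty
            }

            $newRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $identity, $ADRight, $Action, $objectType, $InheritanceType, $inheritedObjectType)
        } catch {
            # Surface the real error as a proper ErrorRecord (honours -ErrorAction) and skip this
            # pipeline item; nothing has been written yet.
            Write-Error -ErrorRecord $_
            return
        }

        # One try per path so a single bad DN does not stop the remaining targets.
        foreach ($path in $ADPath) {
            try {
                $currentAcl = Get-Acl -Path "AD:$path"
                $currentAcl.AddAccessRule($newRule)
                $description = "$Action '$ADRight' (ObjectType $objectType, AppliesTo $inheritedObjectType, $InheritanceType) for '$Principal'"
                if ($PSCmdlet.ShouldProcess($path, $description)) {
                    Set-Acl -Path "AD:$path" -AclObject $currentAcl
                }
            } catch {
                Write-Error -ErrorRecord $_
            }
        }
    }
}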