Calling all PowerShell Gurus

Lothy

New member
I'm not entirely sure where to put this, so hardware seemed the best option. If the admins feel it needs to be moved, please do so.

OK, so the problem at hand.

I need to remove specific explicitly assigned permissions on an OU.

Now Quest has some nifty PowerShell commands, one of them being Get-QADPermission.

So my initial command is:

Get-QADPermission -Identity 'ou=test1,dc=training,dc=com' -Account 'User1'

Now the output is as follows:

Ctrl Account         Rights   Source         AppliesTo
---- -------         ------   ------         ---------
     TRAINING\User1  Special  Not inherited  This object only

If I add | FL, I'll get the full breakdown of "Rights":

Rights : CreateChild, DeleteChild, ListChildren, ReadProperty, GenericWrite

Now my issue is that I only want to remove the GenericWrite, but for the life of me I can't seem to work out a way.

My initial try was:

Get-QADPermission -Identity 'ou=test1,dc=training,dc=com' -Account 'User1' | Remove-QADPermission

But that removes all explicitly assigned permissions for that User1 account.

I went as far as using ADSISearcher, but again I'm not sure how to select a specific ACE.

Import-Module ActiveDirectory

# Bind to the OU found by the LDAP search
$OU = [adsi]([adsisearcher]'(&(objectclass=organizationalunit)(name=Test1))').FindOne().Path

# Every ACE on the OU, as ActiveDirectoryAccessRule objects
$AccessRules = $OU.psbase.ObjectSecurity.Access

$AccessRules |
ForEach-Object {
    # Only the explicit (non-inherited) ACEs granted to User1
    if ($_.IdentityReference.Value -eq 'TRAINING\User1' -and -not $_.IsInherited)
    {
        # RemoveAccessRuleSpecific removes exactly this ACE, nothing else
        $OU.psbase.ObjectSecurity.RemoveAccessRuleSpecific($_)
    }
}
$OU.psbase.CommitChanges()


If there are any gurus out there I could really use some help...
 
LIZA may be able to help you better than Quest for this. Quest is great for

-QADPermission is more focused around delegation, and I don't think it will drill down to individual rights removal (I may be incorrect with that statement, so don't hold me to it), as I have had very limited Quest usage.


Have a look at the link below and check out LIZA:

http://social.technet.microsoft.com...e-active-directory-delegated-permissions.aspx
 
Thanks for the reply!

The problem I've got is that I need to make changes to about 100 000 various permissions, so I need to be able to make a ton of changes with very little manual clicking. I have generated the CSV file of all the ACEs I want to change, and it's properly formatted; I'm just stuck on the correct command to use...
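One way to do what the two posts above ask for (drop a single right from a single explicit ACE, driven by a CSV so it scales to the bulk change), as an added example that is not code from the thread or from Quest. It uses only System.DirectoryServices, the same classes the ADSI attempt above already touches, so it needs no Quest cmdlets. Assumptions: a domain-joined host running Windows PowerShell 3.0 or later, account names in DOMAIN\user form as Get-QADPermission prints them, and a CSV with the columns OU, Account and Right; the function name and the rows in the here-string are constructed sample data standing in for the real file.

```powershell
# Added example, not from the original thread. Constructed sample input standing in
# for the real CSV (Import-Csv .\aces.csv); the DN and account are assumptions.
$changes = @'
OU,Account,Right
"ou=test1,dc=training,dc=com",TRAINING\User1,GenericWrite
'@ | ConvertFrom-Csv

function Remove-RightFromExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account,   # DOMAIN\user, as Get-QADPermission shows it
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Right
    )

    $entry = [adsi]"LDAP://$DistinguishedName"
    $acl   = $entry.psbase.ObjectSecurity

    # Keep the DACL as SDDL before touching it, so a bad run can be rolled back
    # with SetSecurityDescriptorSddlForm on the same object.
    $before = $acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    Write-Verbose "DACL before: $before"

    # Explicit ACEs only (second argument $false excludes inherited ones), identities as NTAccount.
    # Keep the ones for this account whose mask contains every bit of the right to remove.
    $aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            ([int]$_.ActiveDirectoryRights -band [int]$Right) -eq [int]$Right
        }

    if (-not $aces) {
        Write-Warning "No explicit ACE for $Account carrying $Right on $DistinguishedName"
        return
    }

    foreach ($ace in $aces) {
        # Rights that must survive: the ACE's mask with the bits of $Right cleared
        $remaining = [System.DirectoryServices.ActiveDirectoryRights](
            [int]$ace.ActiveDirectoryRights -band (-bnot [int]$Right))

        $action = "remove $Right from $Account ($($ace.ActiveDirectoryRights) -> $remaining)"
        if (-not $PSCmdlet.ShouldProcess($DistinguishedName, $action)) { continue }

        # RemoveAccessRuleSpecific drops exactly this ACE (same identity, mask, Allow/Deny,
        # object GUIDs and inheritance), unlike the blanket removal the thread ran into.
        $acl.RemoveAccessRuleSpecific($ace)

        # Put the same ACE back minus the removed right, preserving Allow/Deny,
        # the object/property GUIDs and the "This object only" style inheritance.
        if ([int]$remaining -ne 0) {
            $rebuilt = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $ace.IdentityReference, $remaining, $ace.AccessControlType,
                $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
            $acl.AddAccessRule($rebuilt)
        }
    }

    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'commit modified DACL')) {
        $entry.psbase.CommitChanges()
    }
}

# Dry run first: -WhatIf prints each planned change and commits nothing.
# Drop -WhatIf once the output matches the CSV.
foreach ($row in $changes) {
    Remove-RightFromExplicitAce -DistinguishedName $row.OU -Account $row.Account -Right $row.Right -WhatIf -Verbose
}
```

Two caveats worth knowing before running this against 100 000 rows. GenericWrite is a generic mask: in ActiveDirectoryRights it expands to WriteProperty, Self and ReadControl, so clearing it clears those three bits and the ACE that remains is the "Special" set of CreateChild, DeleteChild, ListChildren and ReadProperty from the output above; if ReadControl has to stay, remove WriteProperty and Self instead. And CommitChanges writes the whole DACL each time, so for bulk work sort the CSV by OU and call the function once per OU with several rights rather than once per row.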
 
Nice thread, I'd like to see this continually grow as I'm looking to evolve my PowerShell knowledge.
 
SAME!

I started a project and, basically, due to the size of the infrastructure (80 000 users), I was forced to start learning PowerShell.

Here is a great place to start learning:

https://www.youtube.com/channel/UCqPxcTs1F2k-NeZ-igDHvnQ

Also, if you ever need help with PS, let me know.

Here is a sample of a script I wrote for a client. It was early days, so I'm sure it could be cleaned up.

Import-Module ActiveDirectory

$username = $env:USERNAME

# First file: every SamAccountName in the domain
Get-ADUser -Filter * | Select-Object SamAccountName |
    Export-Csv -NoTypeInformation -Path "C:\Users\$username\Desktop\SamAccountNames.csv"

$users = Import-Csv "C:\Users\$username\Desktop\SamAccountNames.csv"

# Second file: the report, one row per account (-Append needs PowerShell 3.0 or later)
foreach ($SAN in $users)
{
    Get-ADUser -Identity $SAN.SamAccountName -Properties LastLogonDate, Created, MemberOf |
        Select-Object Name, SamAccountName, Enabled, LastLogonDate, Created,
            # Join the group DNs, otherwise the CSV cell reads "System.String[]"
            @{ n = 'memberof'; e = { $_.MemberOf -join ';' } } |
        Export-Csv -NoTypeInformation -Path "C:\Users\$username\Desktop\ExtendedUserInfo.csv" -Append
}
You can basically run this as is on any machine in your domain. It will make two files on your desktop.
The second one, called ExtendedUserInfo, is the final report; this will tell you:

1. The name of the user
2. His/her account
3. If it's enabled
4. The last time they logged on
5. When the account was created
6. Which other groups they are a member of
 

Ah, that changes it a bit. Let me play around and see what I can come up with while you do the same :P
 

Man, I am opening a can of worms on this... Let me see if I can get some Dell engineers to help, as Quest is theirs, right?


Sorry about the double post; I was trying to link these together.
 
I know this site well, very cool site! But again, this is an odd issue...

I have found what I feel is the right set of commands, but the commands want to remove all ACEs explicitly assigned to a user instead of only removing specific ACEs.

Oh, and thanks for the help, Thadin!

Just ask him (the Scripting Guy); he has helped me before and tends to be quite helpful.
 
 
lol, I'm serious; honestly, I didn't even consider that.

I have sent him an email; let's hope he gets back to me.
 