All About AD Permission Tasks

Summary: This post covers the ADPermission tasks (Get-ADPermission, Add-ADPermission and Remove-ADPermission).

Get-ADPermission

Usages:

    Get-ADPermission -id foo -user bar

will show the ACEs that are granted to user bar on foo.

    Get-ADPermission -id foo -owner

will show who the owner of this object is. This is the same as the Owner tab on the Security property page in Active Directory Users and Computers.

Pipeline scenarios: You should be able to pipe any AD object to this task, for example:

    get-exchangeserver | get-adpermission
    get-sendconnector | get-adpermission -user "AU"
    get-receiveconnector | get-adpermission -owner

Add-ADPermission

Usages:

    Add-ADPermission -id foo -user bar -accessrights genericall -inheritancetype All
    Add-adpermission -id foo -user bar -accessrights genericread, genericwrite
    add-adpermission -id foo -owner bar

Pipeline scenarios: You should be able to pipe any AD object to this task, or the output of get-adpermission:

    get-exchangeserver | add-adpermission -user "au" -accessrights genericread
    get-adpermission server1 | add-adpermission server2
    get-receiveconnector | add-adpermission -owner administrator

More on parameters:

User - this is a mandatory parameter. It takes the following formats:
  * Whatever RecipientIdParameter takes, that is, the DN of the user/group, the CN, or the SMTP address.
  * A SID string, for example, S-1-5-21-1735003083-3997753816-947906650-500.
  * A local user account, only on an Edge machine, for example, edge1\administrator.
  * For well-known SIDs, the strings listed on the following website are always supported. If the SID is an account SID, you can use the other formats too. For example, "Authenticated Users" will also be accepted, but "Anonymous" won't because this is not an account.

InheritanceType - this is an optional parameter; if it's not present, the code uses ActiveDirectorySecurityInheritance.All. For the whole list of available enumeration values, see "ActiveDirectorySecurityInheritance".
AccessRights - this is a mandatory parameter; for the ActiveDirectoryRights enumeration, see here.

ExtendedRights - this is an optional parameter. It takes many formats for an extended right: the whole DN of the extended right, its cn, its DisplayName or its rightsGuid. For example, all 4 of the following should work and they're equivalent:

    add-adpermission -id foo -user bar -extendedrights "send-as"
    add-adpermission -id foo -user bar -extendedrights "send as"
    add-adpermission -id foo -user bar -extendedrights "CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com"
    add-adpermission -id foo -user bar -extendedrights "ab721a54-1e2f-11d0-9819-00aa0040529b"

By the way, there are two ways to specify extended rights, and the following are equivalent:

    add-adpermission -id foo -user bar -extendedrights "send-as"
    add-adpermission -id foo -user bar -accessrights extendedright -extendedrights "send-as"

ChildObjectTypes - this is an optional parameter; it can only be specified when the -accessrights you specify include CreateChild or DeleteChild. It also takes four formats for the objectClass: the whole DN, the CN, the lDAPDisplayName and the schemaIDGUID. For example, all 4 of the following should work and they're equivalent:

    add-adpermission -id foo -user bar -accessrights createchild -childobjecttype "CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com"
    add-adpermission -id foo -user bar -accessrights createchild -childobjecttype "ms-Exch-Dynamic-Distribution-List"
    add-adpermission -id foo -user bar -accessrights createchild -childobjecttype msExchDynamicDistributionList
    add-adpermission -id foo -user bar -accessrights createchild -childobjecttype "018849b0-a981-11d2-a9ff-00c04f8eedd8"

Properties - this is an optional parameter; it can only be specified when the -accessrights you specify include ReadProperty, WriteProperty or Self.
Properties are schema objects, so they take the same formats as ChildObjectTypes. Property sets, however, live inside the Extended-Rights container, so this parameter searches under the Schema container first and then under the Extended-Rights container.

    add-adpermission -id foo -user bar -accessrights genericread -properties "ms-exch-dynamic-dl-BaseDN"
    add-adpermission -id foo -user bar -accessrights genericread -properties "Exchange-Information"

Remove-ADPermission

Very similar to Add-ADPermission, except that it doesn't support the -owner parameter. This is the only difference.

Appendix:

Definition of the cmdlets in online help: Get-Adpermission, Remove-AdPermission, Add-AdPermission

Dump of an extended right using ldp:

    CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com
    2> objectClass: top; controlAccessRight;
    1> cn: Send-As;
    1> distinguishedName: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com;
    1> instanceType: 4;
    1> whenCreated: 8/14/2006 9:44:12 Pacific Standard Time Pacific Daylight Time;
    1> whenChanged: 8/14/2006 12:1:44 Pacific Standard Time Pacific Daylight Time;
    1> displayName: Send As;
    1> uSNCreated: 4141;
    1> uSNChanged: 20589;
    1> showInAdvancedViewOnly: TRUE;
    1> name: Send-As;
    1> objectGUID: ab6cd5ab-f9cd-40cb-bbb2-8fdac2daa4bd;
    1> rightsGuid: ab721a54-1e2f-11d0-9819-00aa0040529b;
    15> appliesTo: 346e5cba-a982-11d2-a9ff-00c04f8eedd8; 3568b3a4-a982-11d2-a9ff-00c04f8eedd8; f0f8ffac-1191-11d0-a060-00aa006c33ed; 3378ca84-a982-11d2-a9ff-00c04f8eedd8; 36145cf4-a982-11d2-a9ff-00c04f8eedd8; 366a319c-a982-11d2-a9ff-00c04f8eedd8; a8df74a7-c5ea-11d1-bbcb-0080c76670c0; 01a9aa9c-a981-11d2-a9ff-00c04f8eedd8; e7a44058-a980-11d2-a9ff-00c04f8eedd8; e768a58e-a980-11d2-a9ff-00c04f8eedd8; bf967a9c-0de6-11d0-a285-00aa003049e2; 5cb41ed0-0e4c-11d0-a286-00aa003049e2; 4828CC14-1437-45bc-9B07-AD6F015E5F28; bf967a86-0de6-11d0-a285-00aa003049e2; bf967aba-0de6-11d0-a285-00aa003049e2;
    1> objectCategory: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com;
    1> localizationDisplayId: 4;
    1> validAccesses: 256;

Dump of the ms-Exch-Dynamic-Distribution-List class using ldp:

    CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com
    2> objectClass: top; classSchema;
    1> cn: ms-Exch-Dynamic-Distribution-List;
    1> distinguishedName: CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com;
    1> instanceType: 4;
    1> whenCreated: 8/14/2006 11:59:28 Pacific Standard Time Pacific Daylight Time;
    1> whenChanged: 8/14/2006 11:59:28 Pacific Standard Time Pacific Daylight Time;
    4> possSuperiors: organizationalUnit; domainDNS; builtinDomain; container;
    1> uSNCreated: 19607;
    1> subClassOf: top;
    1> governsID: 1.2.840.113556.1.5.7000.62.12006;
    13> mayContain: msExchQueryFilterMetadata; msExchQueryFilter; msExchPurportedSearchUI; msExchDynamicDLFilter; msExchDynamicDLBaseDN; managedBy; reportToOwner; reportToOriginator; oOFReplyToOriginator; msExchMemberFilter; msExchMemberBaseDN; hideDLMembership; mail;
    1> rDNAttID: cn;
    1> uSNChanged: 19607;
    1> showInAdvancedViewOnly: TRUE;
    1> adminDisplayName: ms-Exch-Dynamic-Distribution-List;
    1> adminDescription: ms-Exch-Dynamic-Distribution-List;
    3> auxiliaryClass: msExchCustomAttributes; msExchBaseClass; mailRecipient;
    1> objectClassCategory: 1;
    1> lDAPDisplayName: msExchDynamicDistributionList;
    1> name: ms-Exch-Dynamic-Distribution-List;
    1> objectGUID: 81a3a843-dd78-4cb9-8088-a953e16bcb52;
    1> schemaIDGUID: 018849b0-a981-11d2-a9ff-00c04f8eedd8;
    1> systemOnly: FALSE;
    1> defaultSecurityDescriptor: D:(A;;RP;;;AU);
    1> defaultHidingValue: FALSE;
    1> objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com;
    1> defaultObjectCategory: CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=CASANDARTDOM,DC=extest,DC=microsoft,DC=com;
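The Get-ADPermission, Add-ADPermission and Remove-ADPermission sections above show the individual calls; the following PowerShell script is an added example (not code from the original post) that strings them together the way an administrator reviewing mailbox permissions would: it audits which principals hold Send-As directly on mailboxes, grants a Send-As entry with an explicit -InheritanceType and reads the ACL back to confirm the write, revokes it with the same check, and copies only the non-inherited ACEs between two objects after a -WhatIf preview. It assumes an Exchange Management Shell session (Get-Mailbox is assumed to be available alongside the ADPermission cmdlets); the names "foo", "bar", "server1" and "server2" are placeholders, and the $expectedPrincipals list is an assumption to adjust for your own forest.

```powershell
# Added example, not code from the original post. Assumes an Exchange
# Management Shell session where Get-Mailbox, Get-ADPermission,
# Add-ADPermission and Remove-ADPermission are available. The names used
# in the usage lines at the bottom are placeholders, and $expectedPrincipals
# is an assumption to adjust for your own forest.

# Principals that legitimately hold Send-As on every mailbox; an audit is
# only interested in direct grants that are NOT in this list.
$expectedPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

function Test-HasExtendedRight {
    # $true when one of the ACE's extended rights is named $Name.
    # ExtendedRights is a collection, so compare each element's string form.
    param($Ace, [string]$Name)
    return @($Ace.ExtendedRights | Where-Object { "$_" -eq $Name }).Count -gt 0
}

function Get-ExplicitSendAs {
    # Lists Send-As ACEs set directly on mailboxes: not inherited from a
    # parent container, not a Deny entry, and not one of the expected
    # principals. These are the grants a reviewer should be able to explain.
    Get-Mailbox -ResultSize Unlimited |
        Get-ADPermission |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            (Test-HasExtendedRight -Ace $_ -Name 'Send-As') -and
            ($expectedPrincipals -notcontains $_.User.ToString())
        } |
        Select-Object Identity, User, InheritanceType, ExtendedRights
}

function Grant-SendAsWithCheck {
    # Grants Send-As to $Trustee on $Target with an explicit InheritanceType
    # of None (this object only) instead of the cmdlet's default of All, then
    # reads the ACL back so the change is verified rather than assumed.
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [Parameter(Mandatory = $true)][string]$Trustee
    )
    Add-ADPermission -Identity $Target -User $Trustee `
        -ExtendedRights 'Send-As' -InheritanceType None | Out-Null

    $written = Get-ADPermission -Identity $Target -User $Trustee |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       (Test-HasExtendedRight -Ace $_ -Name 'Send-As') }
    if (-not $written) {
        throw "Send-As for '$Trustee' on '$Target' is not present after Add-ADPermission"
    }
    return $written
}

function Revoke-SendAsWithCheck {
    # Removes the ACE added above and confirms it is gone. -Confirm:$false
    # suppresses the interactive prompt Remove-ADPermission raises by default.
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [Parameter(Mandatory = $true)][string]$Trustee
    )
    Remove-ADPermission -Identity $Target -User $Trustee `
        -ExtendedRights 'Send-As' -InheritanceType None -Confirm:$false | Out-Null

    $remaining = Get-ADPermission -Identity $Target -User $Trustee |
        Where-Object { -not $_.IsInherited -and
                       (Test-HasExtendedRight -Ace $_ -Name 'Send-As') }
    if ($remaining) {
        throw "Send-As for '$Trustee' on '$Target' is still present after Remove-ADPermission"
    }
}

function Copy-ExplicitAces {
    # The post's "get-adpermission server1 | add-adpermission server2" copies
    # every ACE, inherited ones included. This variant copies only the ACEs
    # set directly on the source, and previews with -WhatIf unless -Apply is given.
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination,
        [switch]$Apply
    )
    $explicit = Get-ADPermission -Identity $Source | Where-Object { -not $_.IsInherited }
    if ($Apply) {
        $explicit | Add-ADPermission -Identity $Destination
    } else {
        $explicit | Add-ADPermission -Identity $Destination -WhatIf
    }
}

# Usage with placeholder names:
# Get-ExplicitSendAs | Format-Table -AutoSize
# Grant-SendAsWithCheck  -Target 'foo' -Trustee 'bar'
# Revoke-SendAsWithCheck -Target 'foo' -Trustee 'bar'
# Copy-ExplicitAces -Source 'server1' -Destination 'server2'          # preview only
# Copy-ExplicitAces -Source 'server1' -Destination 'server2' -Apply   # write the ACEs
```

The audit filters on IsInherited and Deny because an entry inherited from a parent container is explained by that container's ACL, not by the mailbox, and a Deny entry grants nothing; what remains is the set of direct grants that should correspond to an approved request. Grant and revoke both read the ACL back through Get-ADPermission because Add-ADPermission and Remove-ADPermission returning without error is not the same as the expected ACE being present or absent, and the -InheritanceType passed to Remove-ADPermission matches the one used on Add-ADPermission so the same ACE is targeted.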