Adaxes

Error adding Extended Rights to a Security Role (PowerShell)

0 votes

I'm using the example from the following SDK page:

http://www.adaxes.com/sdk/ManagingSecurityRoles.html

# Allow: Reset Password -> User
$entry = $role.Permissions.Create()

$userClassGuid = # the GUID of the User object class
    "{bf967aba-0de6-11d0-a285-00aa003049e2}"

$entry.AccessType = "ADM_PERMISSION_TYPE_ALLOW"
$entry.AccessMask = "ADS_RIGHT_DS_CONTROL_ACCESS"
$entry.ObjectType =
    [Softerra.Adaxes.Ldap.ExtendedRights]::UserForceChangePassword
$entry.InheritedObjectType = $userClassGuid

$entry.SetInfo() # save the permission entry
$role.Permissions.Add($entry) # add the permission to the role

I'm adding a couple other rights that are not Extended Rights above this in the script but I'm getting an error: 

Unable to find type [Softerra.Adaxes.Ldap.ExtendedRights]. Make sure that the assembly that contains this type is loaded.
At line:76 char:1
+ $entry.ObjectType =
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Softerra.Adaxes.Ldap.ExtendedRights:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Which is referring to this line: 

$entry.ObjectType = [Softerra.Adaxes.Ldap.ExtendedRights]::UserForceChangePassword

Which I pulled right from the example. What am I missing here?

Thanks for any help you can provide

by (810 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The thing is that currently the ExtendedRights class is internal and cannot be used in scripts. By the next version, we'll make it public so that it can be called from external code. To workaround the issue for now, you need to specify the GUID of the necessary extended right explicitly. The GUID of the UserForceChangePassword right is {00299570-246d-11d0-a768-00aa006e0529}. The code will look like this:

# Allow: Reset Password -> User
$entry = $role.Permissions.Create()

$userClassGuid = # the GUID of the User object class
      "{bf967aba-0de6-11d0-a285-00aa003049e2}"
$extendedRightGuid = "{00299570-246d-11d0-a768-00aa006e0529}" # reset password

$entry.AccessType = "ADM_PERMISSION_TYPE_ALLOW"
$entry.AccessMask = "ADS_RIGHT_DS_CONTROL_ACCESS"
$entry.ObjectType = $extendedRightGuid
$entry.InheritedObjectType = $userClassGuid

$entry.SetInfo() # save the permission entry
$role.Permissions.Add($entry) # add the permission to the role
0

Thanks! That works perfect.

by (810 points)

Related questions

0 votes
1 answer
Create a Security Role with Read over OUs (PowerShell)

Hello again! I've built a script to make a few Security Roles. I need to set the read permission to OUs in the script and I think I'm having an issue. I went into ... . Did I get the wrong GUID or am I doing something wrong in the script? Thanks again!

asked Nov 18, 2015 by drew.tittle (810 points)
0 votes
1 answer
PowerShell: Copy Security Role Assignments/Scope to New Role

Hello, We have a complex multi-domain environment where the Help Desk (and other groups) is assigned variety of rights over certain OUs within a given per-customer OU ... Role for the new AD group. Any assistance with this would be greatly appreciated. Thanks

asked May 28, 2015 by SomeUser (90 points)
0 votes
1 answer
What specific permission is needed in a security role to grant access to enable a user account?

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer
Is it better to grant access via multiple OU and group assignments in the security role or use a business unit?

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (100 points)
0 votes
1 answer
Assign permission other than 'Account Options' to a security role

I only want to allow a security role to write 'user must change password at next logon' and not all options they have under 'Account Options'. The only permission I can see in ... ". I'd rather not assign permissions to all these settings if I don't have to.

asked Apr 6, 2021 by cfrazier (20 points)
3,538 questions
3,229 answers
8,224 comments
547,747 users