Adaxes

Create a Security Role with Read over OUs (PowerShell)

0 votes

Hello again!

I've built a script to make a few Security Roles. I need to set the read permission to OUs in the script and I think I'm having an issue.

I went into the Adaxes Admin console to find the GUID of an OU.

I found an OU Under the AD section and selected it, then I found the Object GUID in the result pane and right clicked it and went to properties. The GUID I found under the Advanced button is: GUID: {bf9679e7-0de6-11d0-a285-00aa003049e2}

When I use that GUID in the script like this:

# Allow: Read Group and User OUs
$entry = $role.Permissions.Create()

$ouClassGuid = # the GUID of the OU object class
    "{bf9679e7-0de6-11d0-a285-00aa003049e2}"

$entry.AccessType = "ADM_PERMISSION_TYPE_ALLOW"
$entry.AccessMask = "ADS_RIGHT_GENERIC_READ"
$entry.ObjectType = [System.Guid]::Empty.ToString()
$entry.InheritedObjectType = $ouClassGuid

$entry.SetInfo() # save the permission entry
$role.Permissions.Add($entry) # add the permission to the role

It works without errors but when I check the Security Role in the Admin console it shows the GUID I entered under "apply to" rather than "Organizational-Unit" like it does when I create it in the interface.

Did I get the wrong GUID or am I doing something wrong in the script?

Thanks again!

by (810 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Yes, you've got a wrong GUID :)

The thing is that each object in Active Directory has its own object GUID that is used to distinguish it from other objects. You copied the GUID of that specific Organizational Unit that you've selected. However, to set a permission, you need the GUID of the Organizational-Unit object class. You can get the GUID of any class from descriptions of AD object classes provided by Microsoft. In particular, here's a description of the Organizational-Unit class: https://msdn.microsoft.com/en-us/librar ... 85%29.aspx. The GUID you need is the one available in the Schema-Id-Guid section. For example, for OUs the GUID is {bf967aa5-0de6-11d0-a285-00aa003049e2}.

0

Perfect! I was wondering where I could find those GUIDs in the Microsoft documentation!

I tested it out with that GUID and it works perfect. Thanks again!

by (810 points)

Related questions

0 votes
1 answer
Copy Security Role Permission with Powershell

Hello Forum, in our Adaxes environment we have a lot of security roles (one Security Role per Department). This allows the management of the Department to modify their Users / ... copy it to my newly created Role in powershell? Thanks a lot for your help.

asked Apr 30, 2015 by esoAdxAdmin (650 points)
0 votes
1 answer
Error adding Extended Rights to a Security Role (PowerShell)

I'm using the example from the following SDK page: http://www.adaxes.com/sdk/ManagingSecurityRoles.html # Allow: Reset Password -> User $entry = $role.Permissions.Create() ... from the example. What am I missing here? Thanks for any help you can provide

asked Nov 16, 2015 by drew.tittle (810 points)
0 votes
1 answer
Security Role to allow moving computer objects between OUs?

Hello all, I'm sure this is possible, but I'm confused on a few points. I'm trying to set up the security role and matching homepage action that will allow a user ... I'd like to use the least amount of permissions possible, just for security's sake. Thanks!

asked Jan 18, 2017 by ctdhelpdesk (190 points)
0 votes
1 answer
Security Role for Read Only Configuration Items

How can I grant read only rights for Configuration items in the Adaxes Admin Console?

asked Jan 26 by mark.it.admin (2.3k points)
0 votes
1 answer
PowerShell: Copy Security Role Assignments/Scope to New Role

Hello, We have a complex multi-domain environment where the Help Desk (and other groups) is assigned variety of rights over certain OUs within a given per-customer OU ... Role for the new AD group. Any assistance with this would be greatly appreciated. Thanks

asked May 28, 2015 by SomeUser (90 points)
3,541 questions
3,232 answers
8,225 comments
547,805 users