0 votes

I need to replace one Active Directory security group that has been given rights over many OUs within several Security Roles. There are likely ~300 entries that need to be updated.

I am looking for some advice on how to handle the following task via PowerShell:

On a Security Role, enumerate each assignment of a Trustee over an object, if the Trustee is a specific group then delete the entry and add a new entry for a different Trustee over the same object.

My primary problem is that I cannot seem to enumerate the values for Trustee and objects.

Any advice would be appreciated.

Thank you.

EDIT: FYI the link to the script repository that is referenced in the SDK documentation appears to be broken - http://adaxes.com/scriptrepository

by (90 points)

1 Answer

0 votes
by (18.0k points)

Hello,

  1. To get a list of role assignments, you need to use the Assignments property of the role object. You can use the IAdmCollection interface to enumerate all assignments.

  2. Each assignment object implements the IAdmRoleAssignment and IADs interfaces. To get the SID of the trustee, you can use the IADs::Get method:

     # $i is a zero-based index into the IAdmCollection; adm-TrusteeSid is returned as a byte array
     $trusteeSidBytes = $role.Assignments.GetObject($i).Get("adm-TrusteeSid")
     $sid = New-Object System.Security.Principal.SecurityIdentifier($trusteeSidBytes, 0)

    Then you can compare the SID of the trustee with the SID of your group. Or you can bind to the trustee, get its distinguished name (DN), and then compare DNs.

     # Bind to the trustee by SID and read its DN for comparison
     $trustee = $Context.BindToObject("Adaxes://<SID=$sid>")
     $trusteeDN = $trustee.Get("distinguishedName")

For more details, please see Managing Security Roles.
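Putting the two steps above together for the task in the question, here is an added example (not the answer's code and not from the Adaxes SDK) that walks one role's assignments, matches the trustee by SID, and re-points matching entries at the new group while keeping their scope. It assumes $Context is the Adaxes script context, that the three DNs are placeholders, that IAdmCollection exposes Count, and that adm-TrusteeSid accepts IADs Put/SetInfo; verify the last point against the SDK before turning off the dry run.

```powershell
# Added example (not from the answer above or the Adaxes SDK): re-point every assignment
# in one Security Role from the old trustee group to the new one, keeping the same scope.
# Assumptions: $Context is the Adaxes script context, the three DNs are placeholders,
# IAdmCollection exposes Count, and adm-TrusteeSid accepts IADs Put/SetInfo
# (confirm the last point against the SDK before setting $dryRun to $false).
$roleDN     = "CN=Help Desk,CN=Security Roles,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"  # placeholder
$oldGroupDN = "CN=Old Group,OU=Groups,DC=example,DC=com"  # placeholder
$newGroupDN = "CN=New Group,OU=Groups,DC=example,DC=com"  # placeholder
$dryRun     = $true   # report matches only; nothing is written while this is $true

# Bind to a directory object and return its SID as a SecurityIdentifier.
function Get-AdaxesSid([string]$dn) {
    $obj = $Context.BindToObject("Adaxes://$dn")
    New-Object System.Security.Principal.SecurityIdentifier($obj.Get("objectSid"), 0)
}

$oldSid = Get-AdaxesSid $oldGroupDN
$newSid = Get-AdaxesSid $newGroupDN
# Binary form of the new SID, the same format adm-TrusteeSid is read back in.
$newSidBytes = New-Object byte[] $newSid.BinaryLength
$newSid.GetBinaryForm($newSidBytes, 0)

$role        = $Context.BindToObject("Adaxes://$roleDN")
$assignments = $role.Assignments
$matched     = 0
for ($i = 0; $i -lt $assignments.Count; $i++) {
    $assignment = $assignments.GetObject($i)
    $trusteeSid = New-Object System.Security.Principal.SecurityIdentifier(
        $assignment.Get("adm-TrusteeSid"), 0)
    # Compare by SID value: DNs vary in case and are renamed far more often than SIDs.
    if ($trusteeSid.Value -ne $oldSid.Value) { continue }
    $matched++
    Write-Host "Match: $($assignment.ADsPath) -> trustee $($trusteeSid.Value)"
    if ($dryRun) { continue }
    # Rewrite the trustee in place so the assignment's objects and inheritance stay as they were.
    $assignment.Put("adm-TrusteeSid", $newSidBytes)
    $assignment.SetInfo()
    Write-Host "  re-pointed to $newGroupDN"
}
Write-Host "$matched assignment(s) granted to $oldGroupDN in role $roleDN"
```

Run it once with $dryRun left at $true and check the reported count against what the Adaxes console shows for the role before writing anything.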
