PowerShell: Copy Security Role Assignments/Scope to New Role

Question

Hello,

We have a complex multi-domain environment where the Help Desk (and other groups) is assigned variety of rights over certain OUs within a given per-customer OU structure. We have implemented this by using multiple Security Roles to assign Trustees over various OUs that contain groups or users.

We now have a need to introduce a new group with a lesser level of rights. To do this we have created new security roles with the appropriate rights. Given the size and complexity of the environment it would be time consuming and unreliable to create the assignments by hand. We would like to use PowerShell to copy every Scope (Assigned Over) in a given Security Role for our original Help Desk group into a NEW role with the NEW group as the Trustee.

I've made a few passes at the code but I cannot seem to pull the assignments for a role in a way that will let me loop over them and to filter for the appropriate group and then create the new assignment in the new Role for the new AD group.

Any assistance with this would be greatly appreciated.

Thanks

Comments

Hello,

If the new Security Roles for the group with lesser permissions are somehow linked to the Security Roles assigned to the Help Desk group (for example, they have the same name, but have a certain suffix / prefix or they have the Help Desk's Roles as Parent Roles), it will be possible to automatically find the roles that the restricted group needs to be assigned to and assign them with the same Assignment Scopes. This will need a PowerShell script to accomplish.

If you can extend in more detail on how we can establish the relationship between the Security Roles of the help desk group and those of the restricted group programmatically, we can come up with a script that would allow you to assign the roles automatically.

---

Thanks for the response.

Ideally the script would be run against a given role and Trustee combination. This would provide flexibility further down the road and let me copy specific Trustee/Assignment combinations to certain roles. Here is an example of where I was headed.

# My 'TEMPLATE'  role and group
$sourceRole    = "Help Desk - User Control"
$sourceGroupDN = "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"

# My destination role ( already created and rights provisioned ) and group
$destRole      = "Help Desk - Limited - Unlock/Reset"
$destGroupDN   = "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"

Function GrantRights { $targetGroup, $targetRole, $targetOU, ... }   # I already have this

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to the user
$user = $admService.OpenObject("Adaxes://$sourceGroupDN", $NULL, $NULL, 0)

# Get DNs of the role assigmnents for the user
$roleAssignmentDNs = $user.Get("adm-AssignedRoleAssignments")

foreach($roleAssignmentDN in $roleAssignmentDNs) {

  # Bind to the assignment object
  $assignment = $admService.OpenObject("Adaxes://$roleAssignmentDN", $NULL, $NULL, 0)

  # Pseudocode-ish - Trustee isn't right here
  If $assignment.Trustee =  $sourceGroupDN {

    Get assignment BaseObject
    Get assignment Exclude
    Get assignment Inheriticance
    Get assignment Type

    GrantRights { appropriate data }

  }
}

Thanks

Answer 1

Hello,

Our script guys have come up with the following script. It is based upon 3 functions:

1. GetRolePath - resolves a Security Role name into the ADS path of the directory object that represents the role;
2. GetGroupSid - resolves a Distinguished Name (DN) of a group into the group SID;
3. CopyRoleAssignment - the core function that Copies the Assignment Scope of an AD group specified by $sourceGroupDN over Security Role $sourceRoleName and assigns the Security Role specified by $destinationRoleName to a security group specified by $destinationGroupDN within the copied Assignment Scope.

At the very end you can find an example of how to use the function.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

function GetRolePath($name, $securityRolesPath)
{
    # Search Security Roles
    $searcher = $admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("name", $name)
    $searcher.SearchFilter = "(&(objectCategory=adm-Role)$filterPart)"
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        if ($objects.Count -eq 0)
        {
            Write-Warning "Role $name could not be found"
            return $NULL
        }
        elseif($objects.Count -gt 1)
        {
            Write-Warning "Found more than one Security Role with name '$name'."
            return $NULL
        }

        return $objects[0].AdsPath
    }
    finally
    {
        $searchResult.Dispose()
    }
}

function GetGroupSid ($dn)
{
    $group = $admService.OpenObject("Adaxes://$dn", $NULL, $NULL, 0)
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($group.Get("objectSID"), 0)

    return $sid
}

function CopyRoleAssignment($sourceRoleName, $sourceGroupDN, $destinationRoleName, $destinationGroupDN)
{
    # Connect to Adaxes service
    $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    $admService = $admNS.GetServiceDirectly("localhost")

    # Get source role and destination role paths
    $securityRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
    $sourceRolePath = GetRolePath $sourceRoleName $securityRolesPath
    $destinationRolePath = GetRolePath $destinationRoleName $securityRolesPath
    if (($sourceRolePath -eq $NULL) -or ($destinationRolePath -eq $NULL))
    {
        return
    }

    # Copy source Security Role Assignment

    # Bind to the source Security Role
    $sourceRole = $admService.OpenObject($sourceRolePath, $NULL, $NULL, 0)
    # Bind to the destination Security Role
    $destinationRole = $admService.OpenObject($destinationRolePath, $NULL, $NULL, 0)

    # Get the source and destination group SIDs
    $sourceGroupSid = GetGroupSid $sourceGroupDN
    $destinationGroupSid = GetGroupSid $destinationGroupDN

    foreach ($sourceAssignment in $sourceRole.Assignments)
    {
        if ($sourceAssignment.Trustee -ne $sourceGroupSid)
        {
            continue
        }

        $assignment = $destinationRole.Assignments.Create()
        $assignment.Trustee = $destinationGroupSid
        $assignment.SetInfo()
        $destinationRole.Assignments.Add($assignment)

        foreach ($item in $sourceAssignment.ActivityScopeItems)
        {
            $scopeItem = $assignment.ActivityScopeItems.Create()
            $scopeItem.BaseObject = $item.BaseObject
            $scopeItem.Type = $item.Type
            $scopeItem.Inheritance = $item.Inheritance

            $scopeItem.Exclude = $item.Exclude
            $scopeItem.SetInfo()

            $assignment.ActivityScopeItems.Add($scopeItem)
        }
    }
}

CopyRoleAssignment "Help Desk - User Control" "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com" "Help Desk - Limited - Unlock/Reset" "CN=Help Desk,OU=Groups,OU=Something,DC=domain,DC=com"

Comments

The code worked perfectly. Thank you very much for your help.