We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script repository

Remove non-existing objects from Security Role Assignments

October 05, 2023 Views: 2130

The script removes non-existing objects from Assignments of all security roles. Both role Trustees and objects comprising Assignment Scopes of security roles are checked. It can be used, for example, to clean up security role Assignments of objects that have been deleted.

To clean up invalid security role Assignments on a regular basis, you can configure a scheduled task for the Domain object type that executes the script.

Edit Remove
PowerShell
function FixRoleAssignments
{
    Param($rolePath)

    $role = $Context.BindToObject($rolePath)

    # Get security role assignments
    $assignments = $role.Assignments
    for ($i = $assignments.Count - 1; $i -ge 0; $i--)
    {
        $assignment = $assignments.GetObject($i)
        
        # Check whether the Trustee exists
        $trusteeSid = $assignment.Trustee
        if (-not([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid)) -and
            ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -ne $trusteeSid))
        {
            try
            {
                $object = $Context.BindToObject("Adaxes://<SID=$trusteeSid>")
            }
            catch
            {
                $assignments.Remove($assignment)
                continue
            }
        }
        
        # Check Activity Scope Items
        $activityScopeItems = $assignment.ActivityScopeItems

        for ($j = $activityScopeItems.Count - 1; $j -ge 0; $j--)
        {
            $item = $activityScopeItems.GetObject($j)
            if (($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") -and
                ($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION") -and 
                ($item.BaseObject -eq $NULL))
            {
                $assignment.ActivityScopeItems.Remove($item)
            }
        }

        if ($activityScopeItems.Count -eq 0)
        {
            # Remove assignment
            $assignments.Remove($assignment)
        }
    }
}

# Search all security roles
$configurationContainerPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$configurationContainer = $Context.BindToObject($configurationContainerPath)
$configurationContainer.SearchFilter =  "(objectCategory=adm-Role)"
$configurationContainer.PageSize = 500
$configurationContainer.SearchScope = "ADS_SCOPE_SUBTREE"
$configurationContainer.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    $searcherResultIterator = $configurationContainer.ExecuteSearch()
    $roles = $searcherResultIterator.FetchAll()
    
    foreach ($rolesID in $roles)
    {
        # Check assignments and trustees
        FixRoleAssignments $rolesID.AdsPath
    }
}
finally
{
    # Release resources
    $searcherResultIterator.Dispose()
}
Comments 2
avatar
Mark Monaco Oct 04, 2023
I am unable to locate the "Domain-DNS" object type even when "Show all object types" is selected. I would like to get this script implemented under our Adaxes 2023.2 install.
avatar
Support Oct 05, 2023
Hello Mark,

Sorry for the confusion, the Domain-DNS object type is no longer present. You need to use the Domain object type. We updated the script description accordingly.
Leave a comment
Loading...

Got questions?

Support Questions & Answers