June 8, 2017 at 12:15 pm #13920
June 8, 2017 at 1:56 pm #13922
Are you looking to set more granular permissions than the standard permissions exposed in the Set-GPPermission cmdlet?
Darren
June 9, 2017 at 5:58 am #13923
Yes, I am attempting to set the “special” permissions that are exposed when you look at the GPO advanced security options.
So far I have tried the below:
Method 1 – XML Report
$xmlReport = $gpo.GenerateReport('xml')
This command only returns the name of the trustee. It also includes some properties that I am uncertain are pertinent.
Method 2 – ADSI/LDAP object
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
This method returns the group and the permissions but not in a granular fashion. “FileSystemRights” returned are “FullControl” for ACLs that I know are considered custom/special with granular permissions.
Method 3 – Get-GPPermission
Get-GPPermission $gpoWithAppSpec -all | select -ExpandProperty permission
Returns permissions similar to those available to Set-GPPermission such as “GpoApply”, “GpoEditDeleteModifySecurity”, “GpoRead”. Again, these are not granular permissions.
June 9, 2017 at 10:20 am #13924
OK. Yeah, that’s not altogether straightforward. You can get the actual SecurityDescriptor using the GPMC COM objects (https://msdn.microsoft.com/en-us/library/aa814216(v=vs.85).aspx). That method returns a COM object of type IADsSecurityDescriptor, which will likely give you the granularity you’re after. The only problem is that it’s not altogether getting access to this from PowerShell.
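An added example, not part of either post above and not the GPMC COM route suggested in the reply: it reads the DACL of the GPO's groupPolicyContainer object in AD through System.DirectoryServices and lists each ACE with its granular ActiveDirectoryRights, marking the ones that let a trustee modify the GPO. The GPO GUID and domain DN are placeholders, and it assumes a domain-joined machine and an account that can read the object's security descriptor.

```powershell
# Added example. Placeholder values (assumptions): replace before running.
$gpoGuid  = '{00000000-0000-0000-0000-000000000000}'  # placeholder GPO GUID
$domainDn = 'DC=example,DC=com'                       # placeholder domain DN

# The AD half of a GPO is a groupPolicyContainer under CN=Policies,CN=System.
$path  = "LDAP://CN=$gpoGuid,CN=Policies,CN=System,$domainDn"
$entry = New-Object System.DirectoryServices.DirectoryEntry($path)

# Ask for SIDs so unresolvable trustees do not abort the enumeration.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

# Atomic rights that let a trustee change the GPO object or its security.
# Built from single-bit flags only: GenericWrite/GenericAll also carry read bits.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree'

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference
    # Orphaned or foreign SIDs cannot be translated: keep the raw SID string.
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = $sid.Value }

    [pscustomobject]@{
        Trustee     = $name
        Type        = $rule.AccessControlType        # Allow or Deny
        Rights      = $rule.ActiveDirectoryRights    # granular ActiveDirectoryRights flags
        ObjectType  = $rule.ObjectType               # property / extended-right GUID, or all zeros
        Inheritance = $rule.InheritanceType
        Inherited   = $rule.IsInherited
        CanModify   = ($rule.AccessControlType -eq 'Allow') -and
                      (([int]$rule.ActiveDirectoryRights -band $writeMask) -ne 0)
    }
}

# Rows with CanModify = True are the ones to review first.
$report | Sort-Object CanModify -Descending | Format-Table -AutoSize
```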