Add-QADPermission
From PowerGUI Wiki
Add access control entries (ACEs) to the discretionary access control list (DACL) of a certain directory object or objects.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Add-QADPermission -InputPermission <ArsPermission> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Proxy] [-Service <string>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]
Add-QADPermission [-Identity] <IdentityParameter> -Account <IdentityParameter[]> [-ApplyTo <ArsSecurityInheritance>] [-ApplyToType <string[]>] [-ChildType <string[]>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Deny] [-ExtendedRight <string[]>] [-Property <string[]>] [-PropertySet <string[]>] [-Proxy] [-Rights {CreateChild | DeleteChild | ListChildren | Self | ReadProperty | WriteProperty | DeleteTree | ListObject | ExtendedRight | Delete | ReadControl | GenericExecute | GenericWrite | GenericRead | WriteDacl | WriteOwner | GenericAll | Synchronize | AccessSystemSecurity}] [-Service <string>] [-UseGlobalCatalog] [-ValidatedWrite <string[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
Use this cmdlet to add access control entries (ACEs) to the discretionary access control list (DACL) of a given object or objects in the directory (directory objects).
The directory objects can be specified using the Identity parameter. Another option is to use pipelining: pass the output of the appropriate Get-QAD cmdlet to this cmdlet, with the -SecurityMask Dacl parameter supplied for the Get- cmdlet (see examples).
The objects representing ACEs to add can be either passed to this cmdlet through the pipeline or created by the cmdlet itself. In the latter case you use cmdlet parameters to configure the ACEs that you want the cmdlet to add. If you opt to use pipelining, you can have Get-QADPermission retrieve ACEs and then pass the output of that cmdlet to the Add-QADPermission cmdlet so as to copy certain ACEs from one directory object to another directory object (see examples).
The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters can be omitted because a connection to a server is normally established before this cmdlet is used. In that case, the server and the security context are those established by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Account | Supply the identity (such as name, distinguished name, domain\name, SID, etc.) of a security principal (user, group, computer account, etc.). The cmdlet will add ACEs that determine the access rights of that account on the directory objects specified. You can supply identities of multiple accounts. | true | false | |
| ApplyTo | Supply this parameter if you want the cmdlet to add ACEs that have a certain inheritance type set (other than 'All', which is the default setting). Valid parameter values are: 'ThisObjectOnly' - no inheritance; the ACE applies only to the object on which it is set and is not inherited by any descendants of the object. 'All' - inheritance that includes the object on which the ACE is set, the object's immediate children, and the descendants of the object's children. 'ChildObjects' - inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself. 'ThisObjectAndImmediateChildObjects' - inheritance that includes the object itself and its immediate children, but not the descendants of its children. 'ImmediateChildObjectsOnly' - inheritance that includes the object's immediate children only, not the object itself or the descendants of its children. If you do not supply this parameter, the cmdlet configures ACEs with the inheritance type set to 'All'. | false | false | |
| ApplyToType | Supply this parameter if you want the cmdlet to add ACEs that can be inherited by objects of specific classes (rather than all classes). Parameter value is a string array of LDAP display names, each of which identifies the classSchema object for the object class you want. If you do not supply this parameter, the cmdlet configures ACEs that can be inherited by objects of any class. (This parameter causes the cmdlet to configure the InheritedObjectType setting on the ACEs.) | false | false | |
| ChildType | Supply this parameter if you want the cmdlet to add ACEs that control the right to create or delete child objects of specific classes (rather than all classes). Parameter value is a string array of LDAP display names, each of which identifies the classSchema object for a child object's class you want. If you do not supply this parameter, the cmdlet configures ACEs to control the right to create or delete child objects of any class. (This parameter causes the cmdlet to configure the ObjectType setting on the ACEs). | false | false | |
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Deny | Supply this parameter if you want the cmdlet to add ACEs that deny (rather than allow) access. If you do not supply this parameter, the cmdlet configures ACEs to allow access. | false | false | |
| ExtendedRight | Supply this parameter if you want the cmdlet to add ACEs that determine specific extended rights on the directory objects. Parameter value is a string array of the names of the extended rights you want. For a list of possible extended rights, see the topic "Extended Rights" in the MSDN Library at http://msdn.microsoft.com. For more information about extended rights, see the topic "Control Access Rights" in the MSDN Library. | false | false | |
| Identity | Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet will add access control entries (ACEs) to the discretionary access control list (DACL) in the security descriptor of that object. You can use pipelining to identify a directory object: pass the output of the appropriate Get- cmdlet to this cmdlet. If you do so, the Identity parameter should not be supplied on the command line. See examples. | true | true (ByValue) | |
| InputPermission | This parameter is used to identify the object or objects representing ACEs to add. The parameter accepts parameter values from the pipeline. Thus, when you use pipelining to pass to this cmdlet the objects returned by the Get-QADPermission cmdlet, you should not supply this parameter on the command line. Another option is to save the object in a variable and then supply that variable as a parameter value. | true | true (ByValue) | |
| Property | Supply this parameter if you want the cmdlet to add ACEs that determine access to specific properties of the directory objects (rather than all properties). Parameter value is a string array of the LDAP display names of the properties you want. If you supply neither this parameter nor the PropertySet parameter, the cmdlet configures ACEs to determine access to all properties. | false | false | |
| PropertySet | Supply this parameter if you want the cmdlet to add ACEs that determine access to specific property sets of the directory objects (rather than all properties). Parameter value is a string array of the names of the property sets you want. For a list of possible property sets, see the topic "Property Sets" in the MSDN Library at http://msdn.microsoft.com. If you supply neither this parameter nor the Property parameter, the cmdlet configures ACEs to determine access to all properties. | false | false | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Rights | Add ACEs with certain access rights set. Valid parameter values are 'ReadProperty', 'WriteProperty', 'GenericRead', 'GenericWrite', 'GenericExecute', 'GenericAll', 'CreateChild', 'Delete', 'DeleteChild', 'DeleteTree', 'ReadControl', 'WriteDacl', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', 'ListChildren', 'ListObject', 'ExtendedRight' and 'Self' (for descriptions of these access rights see the topic "ActiveDirectoryRights Enumeration" in the MSDN Library at http://msdn.microsoft.com). Parameter value can be any combination of the listed values, separated by commas. For example, the parameter value 'ReadProperty,WriteProperty' causes the cmdlet to add ACEs that have both the ReadProperty and WriteProperty access rights set. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ValidatedWrite | Supply this parameter if you want the cmdlet to add ACEs that determine specific validated writes on the directory objects. Parameter value is a string array of the names of the validated writes you want. For a list of possible validated writes, see the topic "Validated Writes" in the MSDN Library at http://msdn.microsoft.com. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false | |
| WhatIf | Describes what would happen if you executed the command without actually executing the command. | false | false | |
Examples
EXAMPLE 1
```powershell
Add-QADPermission 'DistinguishedNameOfTheOU' -Account 'domainName\groupName' -Rights 'GenericAll'
```
Description
Give a certain group full access to a certain organizational unit (OU) and all objects in that OU.
EXAMPLE 2
```powershell
Add-QADPermission 'domainName\userName' -Deny -Account 'domainName\groupName' -Rights 'WriteProperty' -PropertySet ('General-Information','Web-Information') -Property 'sAMAccountName' -ApplyTo 'ThisObjectOnly'
```
Description
Deny a certain group permission to modify the sAMAccountName property as well as the properties that are part of the General Information or Web Information property set on a certain user account.
EXAMPLE 3
```powershell
Add-QADPermission 'DistinguishedNameOfTheOU' -Account 'domainName\groupName' -Rights 'CreateChild' -ChildType 'user' -ApplyTo 'ThisObjectAndImmediateChildObjects' -ApplyToType 'organizationalUnit'
```
Description
Authorize a given group to create user accounts in a given organizational unit (OU) or in organizational units that are immediate children of that OU.
EXAMPLE 4
```powershell
Add-QADPermission 'DistinguishedNameOfTheOU' -Account 'domainName\groupName' -Rights 'ReadProperty,WriteProperty' -Property 'member' -ApplyToType 'group'
```
Description
Authorize a given group to view or modify the group membership list of any group in a given organizational unit (OU).
EXAMPLE 5
```powershell
Get-QADGroup -SearchRoot 'DistinguishedNameOfTheOU' -SecurityMask 'Dacl' | Add-QADPermission -Account 'domainName\UserName' -Deny -Rights 'WriteProperty' -Property 'member'
```
Description
Deny a given user account permission to modify the group membership list of any group in a given organizational unit (OU).
EXAMPLE 6
```powershell
Add-QADPermission 'DistinguishedNameOfTheOU' -Account 'domainName\groupName' -Rights 'ReadProperty,WriteProperty' -PropertySet 'Personal-Information' -ApplyTo 'ChildObjects' -ApplyToType 'user'
```
Description
Authorize a given group to view or modify any property that is part of the Personal Information property set on any user account in a given organizational unit (OU).
EXAMPLE 7
```powershell
Get-QADPermission 'DistinguishedNameOfSourceObject' | Add-QADPermission 'DistinguishedNameOfDestinationObject'
```
Description
Copy the ACEs that are configured on a given directory object (not including the inherited ACEs or the schema default ACEs) to another directory object.
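The following script is an added example, not one of the wiki's or Quest's own; it ties the Detailed Description and the examples above into a least-privilege delegation with a dry run and a read-back check. It assumes a connection already made with Connect-QADService, placeholder OU and group names, and that Get-QADPermission accepts -Account to filter ACEs by trustee (an assumption; the output object's property names are not given on this page, so the result is shown with Format-List rather than by named columns).

```powershell
# Added example (not from the PowerGUI wiki or Quest's documentation).
# Delegate a help-desk group the right to edit only the 'member' attribute of
# group objects beneath one OU: preview with -WhatIf, apply with narrow scope,
# then read the DACL back and confirm exactly one explicit ACE was added.
# Assumes Connect-QADService has already been run in this session.

$ou        = 'OU=Groups,DC=example,DC=com'   # placeholder OU distinguished name
$delegate  = 'EXAMPLE\HelpDesk-GroupAdmins'  # placeholder group (domain\name)
$rights    = 'ReadProperty,WriteProperty'
$attribute = 'member'

# Snapshot the explicit ACEs the delegate already holds on the OU.
# (Assumption: Get-QADPermission -Account filters ACEs by trustee; Get-QADPermission
# returns explicit ACEs only, not inherited or schema-default ones, as EXAMPLE 7 states.)
$before = @(Get-QADPermission $ou -Account $delegate)

# Dry run: -WhatIf reports what would be added without changing the DACL.
Add-QADPermission $ou -Account $delegate -Rights $rights -Property $attribute `
    -ApplyTo 'ChildObjects' -ApplyToType 'group' -WhatIf

# Real change. -ApplyTo 'ChildObjects' keeps the OU itself out of scope,
# -ApplyToType 'group' limits inheritance to group objects, and -Property
# limits the write to the one attribute instead of every property.
Add-QADPermission $ou -Account $delegate -Rights $rights -Property $attribute `
    -ApplyTo 'ChildObjects' -ApplyToType 'group' -Confirm:$false

# Verify: the delegate should now have exactly one more explicit ACE on the OU.
$after = @(Get-QADPermission $ou -Account $delegate)
$added = $after.Count - $before.Count
if ($added -ne 1) {
    throw "Expected 1 new ACE for $delegate on $ou, found $added; review the DACL."
}

# Show the resulting ACEs so the scope (rights, property, inheritance) can be eyeballed.
$after | Format-List
```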
