Set-QADObjectSecurity

From PowerGUI Wiki


Update security information on a directory object or objects. You can change the owner of an object or change the option that governs protection of an object from the effects of inherited rights.


Syntax

Set-QADObjectSecurity [-Identity] <IdentityParameter> -Owner <IdentityParameter> [-Proxy] [-Service <String>] [-ConnectionAccount <String>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Connection <ArsConnection>] [-UseGlobalCatalog] [-WhatIf] [-Confirm] [<CommonParameters>]

Set-QADObjectSecurity [-Identity] <IdentityParameter> -LockInheritance [-Remove] [-Proxy] [-Service <String>] [-ConnectionAccount <String>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Connection <ArsConnection>] [-UseGlobalCatalog] [-WhatIf] [-Confirm] [<CommonParameters>]

Set-QADObjectSecurity [-Identity] <IdentityParameter> -UnlockInheritance [-Proxy] [-Service <String>] [-ConnectionAccount <String>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Connection <ArsConnection>] [-UseGlobalCatalog] [-WhatIf] [-Confirm] [<CommonParameters>]

Detailed Description

You can use this cmdlet to perform any of the following tasks on a given directory object (each of these tasks implies certain changes to the security descriptor of the directory object):

-  Set a given security principal to be the owner of that object.
-  Specify whether access control entries (ACEs) that are set on the discretionary access control list (DACL) of the parent container, and any objects above the parent container in the directory hierarchy, are applied to the object's DACL.

With the latter task, consider that ACEs can be set on a container object, such as an organizationalUnit, domainDNS, container, and so on, and propagated to child objects based on the inheritance flags set on those ACEs. If you want to explicitly control the ACEs on a certain sensitive object, such as a private OU or a special user, you can prevent ACEs from being propagated to the object by its parent container or its parent container's predecessors.

The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters could be omitted since a connection to a server is normally established prior to using this cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.

If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.



Related Commands

Parameters

Each parameter is listed below with its description, whether it is required, and whether it accepts pipeline input. No default values are defined.

Identity (Required: true; Pipeline input: true (ByValue))
   Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet will update security information on that object.
   You can use pipelining to identify a directory object: pass the output of the appropriate Get- cmdlet to this cmdlet. If you do so, the Identity parameter is not to be supplied on the command line. See examples.

Owner (Required: true; Pipeline input: false)
   Specify the identity (name, distinguished name, domain\name, etc.) of the security principal that you want the cmdlet to set as the owner of the given directory object. Another option is to get an object representing the owner you want, save the object in a variable, and supply that variable as a value for this parameter.

Proxy (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

Service (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

ConnectionAccount (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

ConnectionPassword (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

Credential (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

Connection (Required: false; Pipeline input: true (ByValue))
   For parameter description, see help on the Connect-QADService cmdlet.

UseGlobalCatalog (Required: false; Pipeline input: false)
   For parameter description, see help on the Connect-QADService cmdlet.

WhatIf (Required: false; Pipeline input: false)
   Describes what would happen if you executed the command, without actually executing the command.

Confirm (Required: false; Pipeline input: false)
   Prompts you for confirmation before executing the command.

LockInheritance (Required: true; Pipeline input: false)
   Supply this parameter for the cmdlet to configure the security descriptor on the given directory object so that access control entries (ACEs) that are set on the discretionary access control list (DACL) of the parent container, and any objects above the parent container in the directory hierarchy, are not applied to the DACL of that directory object.

Remove (Required: false; Pipeline input: false)
   This parameter can be used in conjunction with the LockInheritance parameter to remove the inherited ACEs from the directory object.
   If you supply this parameter on the command line, the cmdlet removes the ACEs that were previously applied (inherited) from the parent and keeps only those ACEs that are explicitly defined on the directory object.
   If you do not supply this parameter, the cmdlet copies the ACEs that were previously applied from the parent, merging them with the ACEs that are explicitly defined on the directory object.

UnlockInheritance (Required: true; Pipeline input: false)
   Supply this parameter for the cmdlet to configure the security descriptor on the given directory object so that access control entries (ACEs) originating from the parent container are applied to the DACL of that directory object in accord with the inheritance flags set on those ACEs.

Examples

Example 1

Set-QADObjectSecurity 'DistinguishedNameOfTheObject' -Owner 'domainName\userName'

For a given directory object, set a certain group as the owner of the object.

Example 2

Set-QADObjectSecurity 'domainName\userName' -LockInheritance -Remove

Prevent a certain user account from inheriting ACEs from the parent object and remove the ACEs that were previously applied from the parent object or its ancestors. As a result, access to the user account is controlled by only those ACEs that are explicitly set on the account.

Example 3

Set-QADObjectSecurity 'domain\user' -UnlockInheritance

Configure security settings on a given user account to allow inheritable ACEs from the parent container to propagate to that user account, merging them with those ACEs that are explicitly set on the user account.

Example 4

Get-QADComputer -SearchRoot 'DistinguishedNameOfTheOU' -SecurityMask 'Owner' | Set-QADObjectSecurity -Owner 'domainName\administrators'

For every computer object held in a given organizational unit (OU), set the owner of the computer object to the Administrators domain local group.
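The following added script (not from the PowerGUI wiki) shows the difference between -LockInheritance with and without -Remove, and verifies the resulting DACL state rather than trusting the call. It assumes Connect-QADService has already been run, that Get-QADObject accepts -SecurityMask 'Dacl', and that the returned object exposes .DirectoryEntry.ObjectSecurity (a .NET ActiveDirectorySecurity); both OU distinguished names are constructed placeholders.

```powershell
# Added example, not the wiki's or the product's own code. Assumes an existing
# Connect-QADService session, Get-QADObject -SecurityMask 'Dacl', and the
# .DirectoryEntry.ObjectSecurity property. The two DNs are constructed placeholders.
$keepOu   = 'OU=Finance,DC=example,DC=com'   # lock, keeping copies of inherited ACEs
$removeOu = 'OU=Tier0,DC=example,DC=com'     # lock and drop inherited ACEs

function Get-DaclSummary {
    param([string]$Identity)
    $sd   = (Get-QADObject -Identity $Identity -SecurityMask 'Dacl').DirectoryEntry.ObjectSecurity
    $type = [System.Security.Principal.NTAccount]
    [pscustomobject]@{
        Identity  = $Identity
        Protected = $sd.AreAccessRulesProtected                  # $true once inheritance is locked
        Explicit  = @($sd.GetAccessRules($true,  $false, $type)).Count
        Inherited = @($sd.GetAccessRules($false, $true,  $type)).Count
    }
}

# 1. Record the baseline so the change can be reviewed and reverted.
$before = @{}
foreach ($dn in $keepOu, $removeOu) { $before[$dn] = Get-DaclSummary $dn }

# 2. Preview; -WhatIf writes nothing to the directory.
Set-QADObjectSecurity $keepOu   -LockInheritance -WhatIf
Set-QADObjectSecurity $removeOu -LockInheritance -Remove -WhatIf

# 3. Apply. Without -Remove the inherited ACEs are copied onto the object as
#    explicit ACEs; with -Remove only the ACEs already explicit on it survive.
Set-QADObjectSecurity $keepOu   -LockInheritance
Set-QADObjectSecurity $removeOu -LockInheritance -Remove

# 4. Verify the outcome: protected, and no inherited ACEs left on either object.
foreach ($dn in $keepOu, $removeOu) {
    $after = Get-DaclSummary $dn
    if (-not $after.Protected -or $after.Inherited -ne 0) {
        throw "Inheritance is still active on $dn"
    }
    if ($after.Explicit -eq 0) {
        # An empty DACL grants nobody access; only the owner can repair it.
        Write-Warning "$dn has no ACEs left; only the owner can restore access"
    }
    '{0}: explicit {1} -> {2}, inherited {3} -> 0' -f $dn,
        $before[$dn].Explicit, $after.Explicit, $before[$dn].Inherited
}
```

For the locked-with-copies OU the explicit count should grow by roughly the former inherited count, while for the -Remove OU it stays unchanged. Note that for accounts covered by AdminSDHolder (members of protected groups), the SDProp process periodically rewrites the security descriptor, so an inheritance lock set on such an account does not persist.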
