Open jiuka opened 1 year ago
jborean93
commented
1 year ago This is something that I was interesting in adding and while it might be nice to have it part of each module using a common set of rules it might potentially overload an already overloaded set of options. The other complications come from how to deal with the object type guids and inherited object type rules. It is certainly doable but it might take some time to come up with a sane solution here.
guyomog78
commented
10 months ago I have done that with powershell previously
New-PSDrive -Name ADNEW -PSProvider ActiveDirectory -Root "" -Server $server
#Chargement Extended Rights
$global:erights = Invoke-Command -ScriptBlock {
$rootDSE = Get-ADRootDSE
$context = $rootDSE.ConfigurationNamingContext
$container = "CN=Extended-Rights"
New-PSDrive -Name ROOT -PSProvider ActiveDirectory -Root $context -Server $server | Out-Null
$path = Join-Path -Path "ROOT:" -ChildPath $container
Get-ChildItem -Path $path -Properties Displayname, RightsGUID, AppliesTo |
Select-Object Name, RightsGUID
}
$global:dicNameToSchemaIDGUIDs = @{"user"="BF967ABA-0DE6-11D0-A285-00AA003049E2";`
"computer" = "BF967A86-0DE6-11D0-A285-00AA003049E2";`
"group" = "BF967A9C-0DE6-11D0-A285-00AA003049E2";`
"volume" = "BF967ABB-0DE6-11D0-A285-00AA003049E2";`
"gPLink" = "F30E3BBE-9FF0-11D1-B603-0000F80367C1";`
"gPOptions" = "F30E3BBF-9FF0-11D1-B603-0000F80367C1";`
"printQueue" = "BF967AA8-0DE6-11D0-A285-00AA003049E2";`
"inetOrgPerson" = "4828CC14-1437-45BC-9B07-AD6F015E5F28";`
"contact" = "5CB41ED0-0E4C-11D0-A286-00AA003049E2";`
"organizationalUnit" = "BF967AA5-0DE6-11D0-A285-00AA003049E2";`
"Null" = "00000000-0000-0000-0000-000000000000";`
"pwdLastSet" = "BF967A0A-0DE6-11D0-A285-00AA003049E2"}
$erights |%{$dicNameToSchemaIDGUIDs.add($_.Name,$_.RightsGUID)}
and another part of the script:
foreach ($Delegation in $Delegations) {
#récupération des ACL
$OURightPath = $Delegation.ObjectToApply + $domainDN
$OUPath=join-path -Path "ADNEW:\" -ChildPath $OURightPath
$acl = Get-ACL -Path $OUPath
#Loop pour toutes les délegations à injecter
foreach ($DelegatedRight in $Delegation.DelegatedRights){
$RightSID = get-SID $DelegatedRight.IdentityReference
$ActiveDirectoryRights = $DelegatedRight.ActiveDirectoryRights
$AccessControlType = $DelegatedRight.AccessControlType
$objectType = $dicNameToSchemaIDGUIDs[$DelegatedRight.ObjectType]
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType = $DelegatedRight.InheritanceType
$InheritedObjectType = $dicNameToSchemaIDGUIDs[$DelegatedRight.InheritedObjectType]
try{
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$RightSID,$ActiveDirectoryRights,$AccessControlType,$objectType,$InheritanceType,$InheritedObjectType))
}
catch{
Write-Host "Unable to apply $($DelegatedRight.OuterXml)`n$_"
}
}
Set-Acl -AclObject $acl -Path $OUPath
}It was not reviewed from years, so I guess it's possible to improve this code that permit to discover all GUID for rights and then loop on acl list to set them.
here is example for how passed information
{
"DelegatedRights": {
"ActiveDirectoryRights": "ExtendedRight",
"InheritanceType": "All",
"ObjectType": "DS-Replication-Get-Changes",
"InheritedObjectType": "Null",
"AccessControlType": "Allow",
"IdentityReference": "groupnam@domain.name"
}
}
Also, I suggest to do a module for rights, because all rights are managed with the path first. I have no time for now to help, but maybe next year!
guyomog78
commented
10 months ago Well I just seen the #72 that in a good progress!
SUMMARY
We need to set/modify permissions on OUs and sometimes Groups. It would be nice to do this with ansible too. This includes enabling and disabling permission inheritance as well as add/set/remove of permisions. I am not sure if this should be a new module
microsoft.ad.aclor should be integrated into ADObject.ISSUE TYPE
COMPONENT NAME
microsoft.ad.ou,microsoft.ad.group,microsoft.ad.user,microsoft.ad.object,microsoft.ad.computerADDITIONAL INFORMATION