ADObjectPermissionEntry: Allow Permission updates without using a Domain Admin account

[JasonN3]

Pull Request (PR) description

This pull request is to fix an issue where the DSC module must be run as a Domain Admin in order to update an objects permissions.

This Pull Request (PR) fixes the following issues

• Fixes #575
• Fixes #314

Task list

• [x] Added an entry to the change log under the Unreleased section of the file CHANGELOG.md. Entry should say what was changed and how that affects users (if applicable), and reference the issue being resolved (if applicable).
• [x] Resource documentation added/updated in README.md.
• [x] Resource parameter descriptions added/updated in README.md, schema.mof and comment-based help.
• [x] Comment-based help added/updated.
• [x] Localization strings added/updated in all localization files as appropriate.
• [x] Examples appropriately added/updated.
• [ ] Unit tests added/updated. See DSC Community Testing Guidelines.
• [ ] Integration tests added/updated (where possible). See DSC Community Testing Guidelines.
• [x] New/changed code adheres to DSC Community Style Guidelines.

---

This change is 

[JasonN3]

Tests run using a non-DA account:

Add Access (Result = Access granted)

Set-TargetResource -Ensure Present -ObjectType '00000000-0000-0000-0000-000000000000' -InheritedObjectType '00000000-0000-0000-0000-000000000000' -Path $ObjectDN -IdentityReference "${DOMAIN}\${ACCOUNT}" -ActiveDirectoryRights GenericAll -AccessControlType Allow -ActiveDirectorySecurityInheritance None

Add Access a second time (Result = No action taken)

Set-TargetResource -Ensure Present -ObjectType '00000000-0000-0000-0000-000000000000' -InheritedObjectType '00000000-0000-0000-0000-000000000000' -Path $ObjectDN -IdentityReference "${DOMAIN}\${ACCOUNT}" -ActiveDirectoryRights GenericAll -AccessControlType Allow -ActiveDirectorySecurityInheritance None

$Update Permissions (Result = Access replaced) Set-TargetResource -Ensure Present -ObjectType '00000000-0000-0000-0000-000000000000' -InheritedObjectType '00000000-0000-0000-0000-000000000000' -Path $ObjectDN -IdentityReference "${DOMAIN}\${ACCOUNT}" -ActiveDirectoryRights GenericRead -AccessControlType Allow -ActiveDirectorySecurityInheritance None

Remove Access (Result = Access revoked)

Set-TargetResource -Ensure Absent -ObjectType '00000000-0000-0000-0000-000000000000' -InheritedObjectType '00000000-0000-0000-0000-000000000000' -Path $ObjectDN -IdentityReference "${DOMAIN}\${ACCOUNT}" -ActiveDirectoryRights GenericRead -AccessControlType Allow -ActiveDirectorySecurityInheritance None

Remove Access a second time (Result = No action taken)

Set-TargetResource -Ensure Absent -ObjectType '00000000-0000-0000-0000-000000000000' -InheritedObjectType '00000000-0000-0000-0000-000000000000' -Path $ObjectDN -IdentityReference "${DOMAIN}\${ACCOUNT}" -ActiveDirectoryRights GenericRead -AccessControlType Allow -ActiveDirectorySecurityInheritance None

[JasonN3]

This fix breaks down when you use Invoke-DscResource and it goes through WinRM. I'm looking for another solution.

[X-Guardian]

Hi @J4yD4n, please look at the issue and complete the discussion on that before you end up spending your time on a PR that may not be needed.

[JasonN3]

Apparently DSC gets around Set-Acl trying to rewrite all permissions and failing. I did a test with PsDscCredential and it somehow worked even though it shouldn't have. Sorry for the waste of time. If someone else comes across this problem, make sure PsDscCredential is set.