Question
Thursday, May 12, 2016 3:52 PM
I've seen a number of examples on the net on adding ace's but I can't get any of them to work.
$Sid = (Get-ADgroup dnsadmins -Properties ObjectSID).ObjectSID.Value
$AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid,'Modify','Allow')
I can't get past this error and frankly don't understand how any of the examples are working as I've copied them word for word.
New-Object : Cannot find an overload for "ActiveDirectoryAccessRule" and the argument count: "3".
At line:1 char:15
What is it expecting for the arguments?
Dan
All replies (8)
Friday, May 13, 2016 2:39 PM ✅Answered
For three arguments we need an NTPrincipal:
$identity=[System.Security.Principal.NTAccount]'domain\ntaccount'
This should work with three arguments. The type of the argument decides which constructor is being used.
\(ツ)_/
Thursday, May 12, 2016 4:22 PM
Look it up in the docs or look at the definition:
PS D:\scripts> [System.DirectoryServices.ActiveDirectoryAccessRule]::new
OverloadDefinitions
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type)
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, guid
objectType)
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type,
System.DirectoryServices.ActiveDirectorySecurityInheritance inheritanceType)
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, guid
objectType, System.DirectoryServices.ActiveDirectorySecurityInheritance inheritanceType)
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type,
System.DirectoryServices.ActiveDirectorySecurityInheritance inheritanceType, guid inheritedObjectType)
System.DirectoryServices.ActiveDirectoryAccessRule new(System.Security.Principal.IdentityReference identity,
System.DirectoryServices.ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, guid
objectType, System.DirectoryServices.ActiveDirectorySecurityInheritance inheritanceType, guid inheritedObjectType)
\(ツ)_/
Thursday, May 12, 2016 4:46 PM
I got it with this.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$sourceacl.IdentityReference,
$sourceacl.ActiveDirectoryRights,
$sourceacl.AccessControlType,
$sourceacl.ObjectType,
"All",
$sourceacl.InheritedObjectType
)
Just utterly confused how any of the internet examples could have worked without the required arguments.
Dan
Thursday, May 12, 2016 4:56 PM
But everyone knows that the Internet is never wrong.
Siddaway has a blog. It is dated but will help you to understand how this works:
https://richardspowershellblog.wordpress.com/2011/06/29/setting-security-permissions-on-an-ad-group/
\(ツ)_/
Friday, May 13, 2016 2:07 PM
Even in that link it only shows three arguments.
Dan
Friday, May 13, 2016 2:36 PM
Even in that link it only shows three arguments.
Dan
Yes but they are the correct three arguments.
\(ツ)_/
Wednesday, August 28, 2019 8:15 AM
For anyone else coming across this issue, it seems like the problem is that you can no longer define the arguments for a System.DirectoryServices.ActiveDirectoryAccessRule with simple strings. You need to specify the object classes for each of the overload definitions.
Previously, you could construct your ACE as follows (this is for granting Full Control on an object):
$sid = [System.Security.Principal.IdentityReference] (get-aduser JoeB).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "All"
Now it seems you have to qualify the overload definition classes.
$sid = [System.Security.Principal.IdentityReference] (get-aduser JoeB).SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,$adRights,$type,$inherit
Obviously, if you have additional arguments to the access rule, such as ObjectType, you'll need to do some testing and probably get the correct class for that as well, per the doco that @jrv linked.
I don't know when or how this changed - .NET version >4.5, OS version (I've found it on Server 2012 R2 and Server 2016), security policy on the box...? But it's a pain in the butt.
Wednesday, August 28, 2019 8:31 AM
It works if you do it correctly:
[System.DirectoryServices.ActiveDirectoryAccessRule]::New($sid, 'GenericAll', 'Allow')
Please do not add new questions to other users topics. You must start your own question.
\(ツ)_/
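Added example (not code from the thread or from any of its posters) pulling together the accepted answer and the August 2019 post: every constructor argument is cast to the type the overload expects, the identity is a SecurityIdentifier rather than a bare SID string, and the six-argument overload is used so the grant is scoped to one attribute on one object class instead of GenericAll on everything. The ActiveDirectory module and the AD: drive are assumed to be available; the group name, target OU, the description attribute and the computer class are placeholder choices for illustration. Note that "Modify" from the original question is a FileSystemRights name, not a member of ActiveDirectoryRights, which is one reason string-only calls fail to bind.

```powershell
# Added example: build an ActiveDirectoryAccessRule with typed arguments, apply it
# to an OU's DACL, and verify the ACE landed. Names below are assumptions.
Import-Module ActiveDirectory

$GroupName = 'DnsAdmins'                          # principal to grant (placeholder)
$TargetDN  = 'OU=Workstations,DC=example,DC=com'  # object whose DACL is edited (placeholder)

# Identity must be an IdentityReference. A SecurityIdentifier survives renames
# and needs no name translation; an NTAccount ('DOMAIN\name') also works.
$group    = Get-ADGroup -Identity $GroupName
$identity = [System.Security.Principal.SecurityIdentifier] $group.SID

# Cast each argument to the enum the overload expects (flags may be comma-separated).
$rights  = [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty'
$type    = [System.Security.AccessControl.AccessControlType] 'Allow'
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'Descendents'

# Scope the right to a single attribute via its schemaIDGUID (here: description)
# and limit inheritance to computer objects, instead of granting GenericAll.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=description)' -Properties schemaIDGUID
$objectType = [guid] $attr.schemaIDGUID
$cls  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$inheritedObjectType = [guid] $cls.schemaIDGUID

# Six-argument overload: identity, rights, type, objectType, inheritance, inheritedObjectType.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity, $rights, $type, $objectType, $inherit, $inheritedObjectType)

# Read-modify-write the DACL through the AD: drive.
$aclPath = "AD:\$TargetDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: re-read the ACL and confirm an ACE with the expected principal and scope exists.
# Get-Acl reports identities as NTAccount, so translate the SID for the comparison.
$ntAccount = $identity.Translate([System.Security.Principal.NTAccount])
$applied = (Get-Acl -Path $aclPath).Access | Where-Object {
    $_.IdentityReference -eq $ntAccount -and
    $_.ObjectType -eq $objectType -and
    $_.InheritedObjectType -eq $inheritedObjectType
}
if (-not $applied) { throw "ACE for $GroupName not found on $TargetDN" }
$applied | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

The `::new` syntax needs PowerShell 5 or later; on older hosts use `New-Object` with the same typed arguments. Resolving the schemaIDGUID values from the schema partition at run time avoids hard-coding GUIDs that differ between forests only in edge cases but are easy to mistype.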