| Author | Messages | |
aansari
Posts:28
 | | 05/26/2010 3:28 PM |
| Hi AD Gurus,
Is there a tool that can take a template DACL from an OU and copy it to other OU?
Adeel
| | | |
| RickSheikh
Posts:296
 | | 05/26/2010 3:42 PM |
| Oops..here it is. http://blogs.msdn.com/b/powershell/archive/2009/05/11/copy-acl.aspx
On Wed, May 26, 2010 at 9:39 AM, Rick Sheikh <ricksheikh@gmail.com> wrote:
> See this COPY-ACL PoSH script from Jeff Snover. I haven't tested it, but
> someone from comments confirms that it works on AD objects as well.
| | | |
| aansari
Posts:28
 | | 05/26/2010 5:53 PM |
| Rick,
This works great for files but not for OUs, since the PS script is leveraging the Get-Acl cmdlet, which only works on the file system and registry.

PS D:\Scripts\Delegation> help get-acl

NAME
    Get-Acl

SYNOPSIS
    Gets the security descriptor for a resource, such as a file or registry key

DESCRIPTION
    The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.

There is another way to get the AD ACL: http://bsonposh.com/archives/289 . Perhaps that can be combined with this to make a copyACL for AD.
-- Adeel Ansari
| | | |
| aansari
Posts:28
 | | 05/26/2010 7:04 PM |
| Resolved
1. Copy both getacl.ps1 and setacl.ps1 from http://bsonposh.com/archives/289#comment-32125
2. Create a new PowerShell file called copyadacls.ps1 with the following contents:

    Param ($SrcOUDN, $TargetOUDN)
    $SrcAcl = .\getacl.ps1 $SrcOUDN
    # calls the setacl.ps1 copied in step 1 (the line as posted read .\setacls.ps1)
    .\setacl.ps1 $TargetOUDN $SrcAcl

3. Call the file, ./getacl.ps1 "<Source OU DN>" "<Target OU DN>"
Regards, Adeel
-- Adeel Ansari
| | | |
| RickSheikh
Posts:296
 | | 05/26/2010 7:06 PM |
| Great.
| | | |
| decrosby
Posts:66
 | | 05/26/2010 7:10 PM |
| How would you do this for every object, say, in an OU?
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Adeel Ansari Sent: 26 May 2010 19:02 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Automated Delegation
-------------------------------------------------------------------------- NOTICE: If received in error, please destroy, and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error. We may monitor and store emails to the extent permitted by applicable law.
| | | |
| aansari
Posts:28
 | | 05/26/2010 7:30 PM |
| I haven't tested the inheritance on the objects within an OU, but I would think that if the original ACL applies to "This object and all the child objects" then it will be copied with this flag still active. Something to test.
-AA
-- Adeel Ansari
| | | |
| decrosby
Posts:66
 | | 05/26/2010 7:41 PM |
| But it's what happens when you create a new object that inherits the defaultSecurityDescriptor that's the challenge. If you wish to overwrite that for N objects, how would you pipe or control get and set then?
| | | |
| aansari
Posts:28
 | | 06/15/2010 9:42 PM |
| You could use Quest's AD Powershell cmdlets, and do something like this:
$myacl = Get-Acl <source OU>
# Get-QADUser is the Quest cmdlet's name (the line as posted read QAD-GetUser)
Get-QADUser -SearchRoot <OU where users are> | Set-Acl -AclObject $myacl
I haven't tested it, but it's something to test and verify.
-- Adeel Ansari
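As an added example (not code from this thread, from the bsonposh getacl/setacl scripts, or from Jeff Snover's Copy-Acl), here is one way to do what the "Resolved" post, the inheritance question and the "every object in an OU" question are all after, using Microsoft's ActiveDirectory module instead of the Quest cmdlets: with that module loaded, Get-Acl and Set-Acl work against the AD: drive, so the file-only limitation noted earlier no longer applies. The script copies only the template OU's explicit (non-inherited) ACEs, rebuilds each ACE so its inheritance flags travel unchanged, skips entries the target already has (so it can be re-run after new objects appear), and honours -WhatIf. The script name, parameter names and every DN are assumptions.

```powershell
# Copy-ADOuDacl.ps1: added example, not the thread's getacl/setacl scripts nor Copy-Acl.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), whose AD:
# drive lets Get-Acl/Set-Acl read and write directory security descriptors.
# Script name, parameter names and all DNs below are assumptions/placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $SourceDN,   # template OU, e.g. "OU=Template,DC=example,DC=com"
    [Parameter(Mandatory = $true)] [string] $TargetDN,   # OU that receives the template's explicit ACEs
    [switch] $Recurse,                                    # also stamp every object below $TargetDN
    [switch] $ReplaceExplicit                             # drop the target's own explicit ACEs first
)

Import-Module ActiveDirectory -ErrorAction Stop

# SIDs rather than NTAccount names: no name translation, so orphaned SIDs do not abort the run
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-ExplicitAce {
    # Only non-inherited ACEs are copied: inherited ones are re-derived from each object's
    # parent by AD, so copying them would turn them into explicit entries on the target.
    param([string] $DN)
    (Get-Acl -Path "AD:\$DN").GetAccessRules($true, $false, $sidType)
}

function ConvertTo-AceKey {
    # Canonical string for an ACE so two entries compare field by field,
    # including the inheritance flags the thread asked about.
    param([System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Copy-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Template,
        [string] $DN,
        [switch] $Replace
    )
    $sd = Get-Acl -Path "AD:\$DN"
    if ($Replace) {
        # The "overwrite" case: remove what the object already carries explicitly
        foreach ($old in $sd.GetAccessRules($true, $false, $sidType)) {
            [void] $sd.RemoveAccessRule($old)
        }
    }
    $present = @{}
    foreach ($existing in $sd.GetAccessRules($true, $false, $sidType)) {
        $present[(ConvertTo-AceKey -Ace $existing)] = $true
    }
    $added = 0
    foreach ($ace in $Template) {
        if ($present.ContainsKey((ConvertTo-AceKey -Ace $ace))) { continue }   # already there: idempotent
        # Rebuild the ACE so ObjectType, InheritanceType and InheritedObjectType are carried over unchanged
        $copy = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        $sd.AddAccessRule($copy)
        $added++
    }
    if (($added -gt 0 -or $Replace) -and $PSCmdlet.ShouldProcess($DN, "write DACL (+$added explicit ACE(s))")) {
        Set-Acl -Path "AD:\$DN" -AclObject $sd
    }
    New-Object PSObject -Property @{ DistinguishedName = $DN; AcesAdded = $added }
}

$template = @(Get-ExplicitAce -DN $SourceDN)
Write-Verbose ("Template {0} carries {1} explicit ACE(s)" -f $SourceDN, $template.Count)

$targets = @($TargetDN)
if ($Recurse) {
    # Every object under the target OU (users, groups, computers, child OUs); the OU itself is already listed
    $targets += Get-ADObject -SearchBase $TargetDN -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $TargetDN } |
        ForEach-Object { $_.DistinguishedName }
}

foreach ($dn in $targets) {
    Copy-ExplicitAce -Template $template -DN $dn -Replace:$ReplaceExplicit
}
```

Run it first as `.\Copy-ADOuDacl.ps1 -SourceDN "OU=Template,DC=example,DC=com" -TargetDN "OU=Sales,DC=example,DC=com" -Recurse -WhatIf` and read the "What if" lines before dropping -WhatIf; each object comes back as a row with the number of ACEs added, which doubles as a drift report when the run is repeated. Two caveats: ACEs whose InheritanceType is Descendents or All are stored on leaf objects (users, computers) but have no effect there, and new objects still receive their class's defaultSecurityDescriptor at creation, so either re-run the script (the key comparison keeps it idempotent) or change the schema default rather than chasing individual objects.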
| | | |