Set explicit LDAP SecurityMask settings
Changed the LDAP SecurityMasks settings so that you can change the Owner/DACL if you only have WriteOwner/WriteDacl permissions on the object (Default SecurityMasks is "Owner, Group, Dacl")
parent
bd6fe64316
commit
834a80fef3
|
|
@ -6588,6 +6588,7 @@ Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate cr
|
||||||
try {
|
try {
|
||||||
Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
|
Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
|
||||||
$Entry = $RawObject.GetDirectoryEntry()
|
$Entry = $RawObject.GetDirectoryEntry()
|
||||||
|
$Entry.PsBase.Options.SecurityMasks = 'Owner'
|
||||||
$Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
|
$Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
|
||||||
$Entry.PsBase.CommitChanges()
|
$Entry.PsBase.CommitChanges()
|
||||||
}
|
}
|
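Review bot: The added `$Entry.PsBase.Options.SecurityMasks = 'Owner'` carries no comment, so the reason for narrowing the mask lives only in the commit message. Its position also looks load-bearing: presumably it has to run before the first `ObjectSecurity` access so that only the owner part of the security descriptor is read and written back, and a later reorder would silently restore the default mask. I would put `# Write back only the Owner part of the security descriptor; the default mask (Owner, Group, Dacl) commits all three` directly above it. The `try` block's `catch` and the rest of Set-DomainObjectOwner are outside this hunk, so how a failed `CommitChanges()` is reported cannot be checked from here.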
||||||
|
|
@ -7206,6 +7207,7 @@ https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a
|
||||||
ForEach ($ACE in $ACEs) {
|
ForEach ($ACE in $ACEs) {
|
||||||
Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
|
Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
|
||||||
$TargetEntry = $TargetObject.GetDirectoryEntry()
|
$TargetEntry = $TargetObject.GetDirectoryEntry()
|
||||||
|
$TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'
|
||||||
$TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
|
$TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
|
||||||
$TargetEntry.PsBase.CommitChanges()
|
$TargetEntry.PsBase.CommitChanges()
|
||||||
}
|
}
|
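Review bot: The new `$TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'` sits inside `ForEach ($ACE in $ACEs)`, next to a `GetDirectoryEntry()` and a `CommitChanges()` that also run once per ACE, so each ACE costs a fresh entry and a separate directory write. If the surrounding error handling allows it, fetching the entry and setting the mask once before the loop, calling `AddAccessRule($ACE)` for every ACE, and committing once afterwards would make the update a single write and avoid a half-applied ACE set when a commit fails midway. The line also wants a short comment, e.g. `# Commit only the DACL; the default mask (Owner, Group, Dacl) writes owner and group as well`. Any sibling function in this file that removes ACEs through the same `ObjectSecurity`/`CommitChanges()` pattern is not touched by this commit and would presumably need the same mask to behave consistently. The block enclosing the loop starts and ends outside the hunk.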
||||||
|
|
|
||||||