Rights guid (#32)

jcwalker · regedit32 · commit c5f10d2e88df · 2018-02-09T14:15:02.000-05:00
* Updated ActiveDirectoryAccessEntry example with a valid ADRights value
Refactored Get-SchemaGuidId helper function to
Get-DelegationRightsGuid so it returns schemaGuids and rightsGuids

* typo corrections

* Update Get-SchemaObjectName to resolve SchemaGuids and RightsGuids

* Added $guidmap to Get-SchemaObjectName

* Added $rootDse to Get-SchemaObjectName
diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -124,7 +124,8 @@ function Assert-Module
     [CmdletBinding()]
     param
     (
-        [Parameter()] [ValidateNotNullOrEmpty()]
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
         [System.String]
         $ModuleName
     )
@@ -137,7 +138,7 @@ function Assert-Module
     }
 } 
 
-Function Get-SchemaIdGuid
+function Get-DelegationRightsGuid
 {
     Param 
     (
@@ -148,31 +149,48 @@ Function Get-SchemaIdGuid
 
     if($ObjectName)
     {
-        $value = Get-ADObject -filter {name -eq $ObjectName} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
-        return [system.guid]$value.schemaIDGUID 
+        # Create a hashtable to store the GUID value of each schemaGuids and rightsGuids
+        $guidmap = @{}
+        $rootdse = Get-ADRootDSE
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+        return [system.guid]$guidmap[$ObjectName]
     }
     else
     {
         return [system.guid]"00000000-0000-0000-0000-000000000000"
     }
 }
 
-Function Get-SchemaObjectName
+function Get-SchemaObjectName
 {
-    Param 
+    Param
     (
         [Parameter()]
         [guid]
         $SchemaIdGuid
     )
 
-    If($SchemaIdGuid)
+    if($SchemaIdGuid)
     {
-        $value = Get-ADObject -filter {schemaIDGUID  -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
-        return $value.name
+        $guidmap = @{}
+        $rootdse = Get-ADRootDSE
+        Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+        Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid | 
+            Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+        # This is to address the edge case where one guid resolves to multiple names ex. f3a64788-5306-11d1-a9c5-0000f80367c1 resolves to Service-Principal-Name,Validated-SPN
+        $names = ( $guidmap.GetEnumerator() | Where-Object -FilterScript { $_.Value -eq $SchemaIdGuid } ).Name
+        return $names -join ','
     }
     else
     {
         return "none"
-    } 
+    }
 }
diff --git a/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1 b/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1
@@ -361,8 +361,8 @@ Function ConvertTo-ActiveDirectoryAccessRule
 
     foreach($ace in $AccessControlList.AccessControlEntry)
     {
-        $inheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
-        $objectType = Get-SchemaIdGuid -ObjectName $ace.ObjectType
+        $inheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
+        $objectType = Get-DelegationRightsGuid -ObjectName $ace.ObjectType
         $rule = [PSCustomObject]@{
             Rules = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AccessControlType, $objectType, $ace.InheritanceType, $inheritedObjectType)
             Ensure = $ace.Ensure
diff --git a/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1 b/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1
@@ -406,7 +406,7 @@ Function ConvertTo-ActiveDirectoryAuditRule
 
     foreach($ace in $AccessControlList.AccessControlEntry)
     {
-        $InheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
+        $InheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
         $rule = [PSCustomObject]@{
             Rules = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AuditFlags, $ace.InheritanceType, $InheritedObjectType)
             Ensure = $ace.Ensure
diff --git a/Examples/ActiveDirectoryAccessEntry_example.ps1 b/Examples/ActiveDirectoryAccessEntry_example.ps1
@@ -15,11 +15,11 @@ configuration Sample_ADAccessControl
                         ActiveDirectoryAccessRule
                         {
                             AccessControlType = 'Allow'
-                            ActiveDirectoryRights = 'FullControl'
+                            ActiveDirectoryRights = 'GenericAll'
                             InheritanceType = 'Descendents'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
             )
         }
@@ -40,7 +40,7 @@ configuration Sample_ADAccessControl
                             InheritedObjectType = 'organizational-unit'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
                 ActiveDirectoryAccessControlList
                 {
@@ -55,7 +55,7 @@ configuration Sample_ADAccessControl
                             ObjectType = 'computer'
                             Ensure = 'Present'
                         }
-                    )               
+                    )
                 }
             )
         }
diff --git a/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1 b/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1
@@ -111,7 +111,7 @@ InModuleScope ActiveDirectoryAccessEntry {
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName 
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         Mock -CommandName Get-Acl -MockWith {
@@ -218,7 +218,7 @@ InModuleScope ActiveDirectoryAccessEntry {
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         $identity = Resolve-Identity -Identity "Everyone"
diff --git a/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1 b/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1
@@ -111,7 +111,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName 
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         Mock -CommandName Get-Acl -MockWith {
@@ -261,7 +261,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
         Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
         Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
         Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
-        Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+        Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
         Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 
         $Identity = Resolve-Identity -Identity "Everyone"

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,8 @@ function Assert-Module`
`124`	`124`	`[CmdletBinding()]`
`125`	`125`	`param`
`126`	`126`	`(`
`127`		`- [Parameter()] [ValidateNotNullOrEmpty()]`
	`127`	`+ [Parameter()]`
	`128`	`+ [ValidateNotNullOrEmpty()]`
`128`	`129`	`[System.String]`
`129`	`130`	`$ModuleName`
`130`	`131`	`)`
`@@ -137,7 +138,7 @@ function Assert-Module`
`137`	`138`	`}`
`138`	`139`	`}`
`139`	`140`
`140`		`-Function Get-SchemaIdGuid`
	`141`	`+function Get-DelegationRightsGuid`
`141`	`142`	`{`
`142`	`143`	`Param`
`143`	`144`	`(`
`@@ -148,31 +149,48 @@ Function Get-SchemaIdGuid`
`148`	`149`
`149`	`150`	`if($ObjectName)`
`150`	`151`	`{`
`151`		`- $value = Get-ADObject -filter {name -eq $ObjectName} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID`
`152`		`- return [system.guid]$value.schemaIDGUID`
	`152`	`+ # Create a hashtable to store the GUID value of each schemaGuids and rightsGuids`
	`153`	`+ $guidmap = @{}`
	`154`	`+ $rootdse = Get-ADRootDSE`
	`155`	`+ Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID \|`
	`156`	`+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }`
	`157`	`+`
	`158`	`+ Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid \|`
	`159`	`+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }`
	`160`	`+`
	`161`	`+ return [system.guid]$guidmap[$ObjectName]`
`153`	`162`	`}`
`154`	`163`	`else`
`155`	`164`	`{`
`156`	`165`	`return [system.guid]"00000000-0000-0000-0000-000000000000"`
`157`	`166`	`}`
`158`	`167`	`}`
`159`	`168`
`160`		`-Function Get-SchemaObjectName`
	`169`	`+function Get-SchemaObjectName`
`161`	`170`	`{`
`162`		`- Param`
	`171`	`+ Param`
`163`	`172`	`(`
`164`	`173`	`[Parameter()]`
`165`	`174`	`[guid]`
`166`	`175`	`$SchemaIdGuid`
`167`	`176`	`)`
`168`	`177`
`169`		`- If($SchemaIdGuid)`
	`178`	`+ if($SchemaIdGuid)`
`170`	`179`	`{`
`171`		`- $value = Get-ADObject -filter {schemaIDGUID -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID`
`172`		`- return $value.name`
	`180`	`+ $guidmap = @{}`
	`181`	`+ $rootdse = Get-ADRootDSE`
	`182`	`+ Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID \|`
	`183`	`+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }`
	`184`	`+`
	`185`	`+ Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid \|`
	`186`	`+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }`
	`187`	`+`
	`188`	`+ # This is to address the edge case where one guid resolves to multiple names ex. f3a64788-5306-11d1-a9c5-0000f80367c1 resolves to Service-Principal-Name,Validated-SPN`
	`189`	`+ $names = ( $guidmap.GetEnumerator() \| Where-Object -FilterScript { $_.Value -eq $SchemaIdGuid } ).Name`
	`190`	`+ return $names -join ','`
`173`	`191`	`}`
`174`	`192`	`else`
`175`	`193`	`{`
`176`	`194`	`return "none"`
`177`		`- }`
	`195`	`+ }`
`178`	`196`	`}`
Original file line number	Diff line number	Diff line change
`@@ -406,7 +406,7 @@ Function ConvertTo-ActiveDirectoryAuditRule`
`406`	`406`
`407`	`407`	`foreach($ace in $AccessControlList.AccessControlEntry)`
`408`	`408`	`{`
`409`		`- $InheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType`
	`409`	`+ $InheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType`
`410`	`410`	`$rule = [PSCustomObject]@{`
`411`	`411`	`Rules = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AuditFlags, $ace.InheritanceType, $InheritedObjectType)`
`412`	`412`	`Ensure = $ace.Ensure`
Original file line number	Diff line number	Diff line change
`@@ -15,11 +15,11 @@ configuration Sample_ADAccessControl`
`15`	`15`	`ActiveDirectoryAccessRule`
`16`	`16`	`{`
`17`	`17`	`AccessControlType = 'Allow'`
`18`		`- ActiveDirectoryRights = 'FullControl'`
	`18`	`+ ActiveDirectoryRights = 'GenericAll'`
`19`	`19`	`InheritanceType = 'Descendents'`
`20`	`20`	`Ensure = 'Present'`
`21`	`21`	`}`
`22`		`- )`
	`22`	`+ )`
`23`	`23`	`}`
`24`	`24`	`)`
`25`	`25`	`}`
`@@ -40,7 +40,7 @@ configuration Sample_ADAccessControl`
`40`	`40`	`InheritedObjectType = 'organizational-unit'`
`41`	`41`	`Ensure = 'Present'`
`42`	`42`	`}`
`43`		`- )`
	`43`	`+ )`
`44`	`44`	`}`
`45`	`45`	`ActiveDirectoryAccessControlList`
`46`	`46`	`{`
`@@ -55,7 +55,7 @@ configuration Sample_ADAccessControl`
`55`	`55`	`ObjectType = 'computer'`
`56`	`56`	`Ensure = 'Present'`
`57`	`57`	`}`
`58`		`- )`
	`58`	`+ )`
`59`	`59`	`}`
`60`	`60`	`)`
`61`	`61`	`}`