From e7c2c5faa92d6ec15574aba8049ea6ecc7716c03 Mon Sep 17 00:00:00 2001
From: Jason Walker
Date: Thu, 8 Feb 2018 16:38:12 -0500
Subject: [PATCH 1/5] Updated ActiveDirectoryAccessEntry example with a valid ADRights value

Refactored Get-SchemaGuidId helper function to Get-DelegationRightsGuid so it returns schemaGuids and rightsGuids
---
 .../AccessControlResourceHelper.psm1 | 20 +++++++++++++------
 .../ActiveDirectoryAccessEntry.psm1 | 4 ++--
 .../ActiveDirectoryAuditRuleEntry.psm1 | 2 +-
 .../ActiveDirectoryAccessEntry_example.ps1 | 2 +-
 .../Unit/ActiveDirectoryAccessEntry.Tests.ps1 | 4 ++--
 .../ActiveDirectoryAuditRuleEntry.Tests.ps1 | 4 ++--
 6 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
index df95535..b64ebe4 100644
--- a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
+++ b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -137,7 +137,7 @@ function Assert-Module
 }
 }
-Function Get-SchemaIdGuid
+function Get-DelegationRightsGuid
 {
 Param
 (
@@ -148,8 +148,16 @@ Function Get-SchemaIdGuid
 if($ObjectName)
 {
- $value = Get-ADObject -filter {name -eq $ObjectName} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
- return [system.guid]$value.schemaIDGUID
+ # Create a hashtable to store the GUID value of each schemaGuids and rightsGuids
+ $guidmap = @{}
+ $rootdse = Get-ADRootDSE
+ Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+ Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid |
+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+ return $guidmap[$ObjectName]
 }
 else
 {
@@ -157,7 +165,7 @@ Function Get-SchemaIdGuid
 }
 }
-Function Get-SchemaObjectName
+function Get-SchemaObjectName
 {
 Param
 (
@@ -168,11 +176,11 @@ Function Get-SchemaObjectName
 If($SchemaIdGuid)
 {
- $value = Get-ADObject -filter {schemaIDGUID -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID
+ $value = Get-ADObject -filter {schemaIDGUID -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -Property schemaIDGUID
 return $value.name
 }
 else
 {
 return "none"
- }
+ }
 }
diff --git a/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1 b/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1
index 4827222..fd2dfba 100644
--- a/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1
+++ b/DscResources/ActiveDirectoryAccessEntry/ActiveDirectoryAccessEntry.psm1
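Review bot: Both pipelines in the new body write into the same `$guidmap` keyed by `Name`, so if a controlAccessRight name ever coincides with a schema class or attribute name the configuration-partition query (which runs second) silently overwrites the schema GUID and the caller receives the extended right's GUID for what it meant as an object type. Guarding the second assignment with `if ($guidmap.ContainsKey($_.Name)) { Write-Warning "Duplicate delegation name '$($_.Name)'" }` or keeping the two sources in separate maps would make the resolution deterministic and visible. ConvertTo-ActiveDirectoryAccessRule calls this helper twice per ACE, and each call now re-enumerates the entire schema and configuration partitions; building the map once per conversion (or caching it at module scope) would avoid repeating that round-trip for every entry. The function's else branch and the end of the function are outside the hunk.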
@@ -361,8 +361,8 @@ Function ConvertTo-ActiveDirectoryAccessRule
 foreach($ace in $AccessControlList.AccessControlEntry)
 {
- $inheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
- $objectType = Get-SchemaIdGuid -ObjectName $ace.ObjectType
+ $inheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
+ $objectType = Get-DelegationRightsGuid -ObjectName $ace.ObjectType
 $rule = [PSCustomObject]@{
 Rules = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AccessControlType, $objectType, $ace.InheritanceType, $inheritedObjectType)
 Ensure = $ace.Ensure
diff --git a/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1 b/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1
index 33727ae..93c5de3 100644
--- a/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1
+++ b/DscResources/ActiveDirectoryAuditRuleEntry/ActiveDirectoryAuditRuleEntry.psm1
@@ -406,7 +406,7 @@ Function ConvertTo-ActiveDirectoryAuditRule
 foreach($ace in $AccessControlList.AccessControlEntry)
 {
- $InheritedObjectType = Get-SchemaIdGuid -ObjectName $ace.InheritedObjectType
+ $InheritedObjectType = Get-DelegationRightsGuid -ObjectName $ace.InheritedObjectType
 $rule = [PSCustomObject]@{
 Rules = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityRef, $ace.ActiveDirectoryRights, $ace.AuditFlags, $ace.InheritanceType, $InheritedObjectType)
 Ensure = $ace.Ensure
diff --git a/Examples/ActiveDirectoryAccessEntry_example.ps1 b/Examples/ActiveDirectoryAccessEntry_example.ps1
index 032b6ec..afdf579 100644
--- a/Examples/ActiveDirectoryAccessEntry_example.ps1
+++ b/Examples/ActiveDirectoryAccessEntry_example.ps1
@@ -15,7 +15,7 @@ configuration Sample_ADAccessControl
 ActiveDirectoryAccessRule
 {
 AccessControlType = 'Allow'
- ActiveDirectoryRights = 'FullControl'
+ ActiveDirectoryRights = 'GenericAll'
 InheritanceType = 'Descendents'
 Ensure = 'Present'
 }
diff --git a/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1 b/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1
index b538efb..e1c0e7b 100644
--- a/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1
+++ b/Tests/Unit/ActiveDirectoryAccessEntry.Tests.ps1
@@ -111,7 +111,7 @@ InModuleScope ActiveDirectoryAccessEntry {
 Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
 Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
 Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName
- Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+ Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
 Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 Mock -CommandName Get-Acl -MockWith {
@@ -218,7 +218,7 @@ InModuleScope ActiveDirectoryAccessEntry {
 Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
 Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
 Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
- Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+ Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
 Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 $identity = Resolve-Identity -Identity "Everyone"
diff --git a/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1 b/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1
index f9a30c6..dcc5b1a 100644
--- a/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1
+++ b/Tests/Unit/ActiveDirectoryAuditRuleEntry.Tests.ps1
@@ -111,7 +111,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
 Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
 Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
 Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'}-ModuleName $DSCResourceName
- Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+ Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
 Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 Mock -CommandName Get-Acl -MockWith {
@@ -261,7 +261,7 @@ Import-Module "$($PSScriptRoot)\..\TestHelper.psm1" -Force
 Mock -CommandName Test-Path -MockWith { return $true } -ModuleName $DSCResourceName
 Mock -CommandName Assert-Module -MockWith {} -ModuleName $DSCResourceName
 Mock -CommandName Import-Module -MockWith {} -ParameterFilter {$Name -eq 'ActiveDirectory'} -ModuleName $DSCResourceName
- Mock -CommandName Get-SchemaIdGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
+ Mock -CommandName Get-DelegationRightsGuid -MockWith { return [guid]"52ea1a9a-be7e-4213-9e69-5f28cb89b56a" } -ModuleName $DSCResourceName
 Mock -CommandName Get-SchemaObjectName -MockWith { return "Pwd-Last-Set" } -ModuleName $DSCResourceName
 $Identity = Resolve-Identity -Identity "Everyone"

From 88ceb3ae4913c60b2f41d9835b1d8c4d7327c4c8 Mon Sep 17 00:00:00 2001
From: Jason Walker
Date: Thu, 8 Feb 2018 17:13:26 -0500
Subject: [PATCH 2/5] typo corrections
---
 .../AccessControlResourceHelper.psm1 | 2 +-
 Examples/ActiveDirectoryAccessEntry_example.ps1 | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
index b64ebe4..3c1e18f 100644
--- a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
+++ b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -157,7 +157,7 @@ function Get-DelegationRightsGuid
 Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid |
 Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
- return $guidmap[$ObjectName]
+ return [system.guid]$guidmap[$ObjectName]
 }
 else
 {
diff --git a/Examples/ActiveDirectoryAccessEntry_example.ps1 b/Examples/ActiveDirectoryAccessEntry_example.ps1
index afdf579..f1d172a 100644
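Review bot: The `[system.guid]` cast added on the return line converts the `$null` that `$guidmap[$ObjectName]` yields for a name matched by neither query into the all-zero GUID instead of raising an error, as far as I can tell from PowerShell's value-type conversion rules. An all-zero ObjectType or InheritedObjectType passed to ActiveDirectoryAccessRule means "any object type", so a mistyped name in a configuration would silently produce a broader grant than the author intended, and the original code had the same weakness through `[system.guid]$value.schemaIDGUID`. Failing closed is the safer contract here: `if (-not $guidmap.ContainsKey($ObjectName)) { throw "Unable to resolve '$ObjectName' to a schema or rights GUID" }` ahead of the return, with a Pester case for the unknown-name path so the behaviour is pinned. The function's else branch is outside the hunk.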
--- a/Examples/ActiveDirectoryAccessEntry_example.ps1
+++ b/Examples/ActiveDirectoryAccessEntry_example.ps1
@@ -19,7 +19,7 @@ configuration Sample_ADAccessControl
 InheritanceType = 'Descendents'
 Ensure = 'Present'
 }
- )
+ )
 }
 )
 }
@@ -40,7 +40,7 @@ configuration Sample_ADAccessControl
 InheritedObjectType = 'organizational-unit'
 Ensure = 'Present'
 }
- )
+ )
 }
 ActiveDirectoryAccessControlList
 {
@@ -55,7 +55,7 @@ configuration Sample_ADAccessControl
 ObjectType = 'computer'
 Ensure = 'Present'
 }
- )
+ )
 }
 )
 }

From 00b845259daa58c46b17eb33db8efe4400394f61 Mon Sep 17 00:00:00 2001
From: Jason Walker
Date: Fri, 9 Feb 2018 10:42:29 -0500
Subject: [PATCH 3/5] Update Get-SchemaObjectName to resolve SchemaGuids and RightsGuids
---
 .../AccessControlResourceHelper.psm1 | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
index 3c1e18f..253a961 100644
--- a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
+++ b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -124,7 +124,8 @@ function Assert-Module
 [CmdletBinding()]
 param
 (
- [Parameter()] [ValidateNotNullOrEmpty()]
+ [Parameter()]
+ [ValidateNotNullOrEmpty()]
 [System.String]
 $ModuleName
 )
@@ -167,17 +168,24 @@ function Get-DelegationRightsGuid
 function Get-SchemaObjectName
 {
- Param
+ Param
 (
 [Parameter()]
 [guid]
 $SchemaIdGuid
 )
- If($SchemaIdGuid)
+ if($SchemaIdGuid)
 {
- $value = Get-ADObject -filter {schemaIDGUID -eq $SchemaIdGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -Property schemaIDGUID
- return $value.name
+ Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }
+
+ Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties Name,rightsGuid |
+ Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.rightsGuid }
+
+ # This is to address the edge case where one guid resolves to multiple names ex. f3a64788-5306-11d1-a9c5-0000f80367c1 resolves to Service-Principal-Name,Validated-SPN
+ $names = ( $guidmap.GetEnumerator() | Where-Object -FilterScript { $_.Value -eq $SchemaIdGuid } ).Name
+ return $names -join ','
 }
 else
 {

From 0113c19cca2e1caba1aa27eb186e92f4cd266cc9 Mon Sep 17 00:00:00 2001
From: Jason Walker
Date: Fri, 9 Feb 2018 10:45:27 -0500
Subject: [PATCH 4/5] Added $guidmap to Get-SchemaObjectName
---
 .../AccessControlResourceHelper/AccessControlResourceHelper.psm1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
index 253a961..3257965 100644
--- a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
+++ b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
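Review bot: A GUID that matches no entry now leaves the new `return $names -join ','` line as an empty string, while the else branch just below still returns "none" for the no-GUID case, so any caller keying on "none" (not visible in this patch) sees two different sentinels for "no name". Returning "none" when `$names` is empty, or throwing on an unresolved GUID, keeps the contract consistent; neither the empty case nor the multi-name case the new comment describes is exercised by the unit tests in this series, which mock Get-SchemaObjectName outright. The two Get-ADObject pipelines are copied verbatim from Get-DelegationRightsGuid; a private helper that builds the map once (e.g. `Get-DelegationRightsGuidMap`) would remove the duplication and let both resolvers share a single directory round-trip. The function's else branch runs past the end of the hunk.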
@@ -177,6 +177,7 @@ function Get-SchemaObjectName
 if($SchemaIdGuid)
 {
+ $guidmap = @{}
 Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
 Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }

From 0271211a1dc3e39dbf5dff2e42542ddffc53e9e4 Mon Sep 17 00:00:00 2001
From: Jason Walker
Date: Fri, 9 Feb 2018 10:48:12 -0500
Subject: [PATCH 5/5] Added $rootDse to Get-SchemaObjectName
---
 .../AccessControlResourceHelper/AccessControlResourceHelper.psm1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1 b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
index 3257965..a5d7349 100644
--- a/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
+++ b/DscResources/AccessControlResourceHelper/AccessControlResourceHelper.psm1
@@ -178,6 +178,7 @@ function Get-SchemaObjectName
 if($SchemaIdGuid)
 {
 $guidmap = @{}
+ $rootdse = Get-ADRootDSE
 Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties Name,schemaIDGUID |
 Foreach-Object -Process { $guidmap[$_.Name] = [System.GUID]$_.schemaIDGUID }