====== ACL AccessRule entfernen ======
===== 1. Entwurf - Die gewünschte Funktionalität =====
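function Remove-ACLAccessRule
{
    <#
    .SYNOPSIS
    Removes every access rule (ACE) from an in-memory ActiveDirectorySecurity object that matches the
    given AccessControlType, IdentityReference, ActiveDirectoryRights and ObjectType.

    .DESCRIPTION
    Only the ACL object passed in is modified; nothing is written back to the directory here, the caller
    has to do that (e.g. with Set-Acl). All matching rules are removed, not just the last one found.
    The match does not look at InheritanceType / InheritedObjectType, so rules that differ only in their
    inheritance scope all count as matches. The result of RemoveAccessRule is checked: when it reports
    no change (for example an inherited ACE, which is not part of this object's explicit DACL) a warning
    is written instead of being ignored.

    .PARAMETER ACL
    The ActiveDirectorySecurity object to modify in place.
    .PARAMETER AccessControlType
    "Allow" or "Deny"; compared case-insensitively with the rule's AccessControlType.
    .PARAMETER IdentityReference
    Trustee exactly as the rule's IdentityReference.ToString() renders it (e.g. DOMAIN\Name).
    .PARAMETER ActiveDirectoryRights
    Integer value of the ActiveDirectoryRights flags; must equal the rule's value exactly (no subset match).
    .PARAMETER ObjectGuid
    ObjectType GUID as a string in Guid.ToString() format (no braces); case does not matter.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)][System.DirectoryServices.ActiveDirectorySecurity]$ACL,
        [Parameter(Mandatory=$true)][String]$AccessControlType,
        [Parameter(Mandatory=$true)][String]$IdentityReference,
        [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
        [Parameter(Mandatory=$true)][String]$ObjectGuid
    )
    begin
    {
        # Matches are collected first so that every one of them is removed, not only the last one seen.
        $RulesToRemove = @()
    }
    process
    {
        foreach ($Rule in $ACL.Access)
        {
            if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and
                $Rule.IdentityReference.ToString() -eq $IdentityReference -and
                $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and
                $Rule.ObjectType.ToString() -eq $ObjectGuid)
            {
                $RulesToRemove += $Rule
            }
        }
    }
    end
    {
        if ($RulesToRemove.Count -eq 0)
        {
            Write-Verbose "Keine passende Regel gefunden."
            return
        }
        foreach ($Rule in $RulesToRemove)
        {
            # RemoveAccessRule returns $false when the ACL was not changed; do not swallow that.
            if (-not $ACL.RemoveAccessRule($Rule))
            {
                Write-Warning "Regel konnte nicht entfernt werden (IsInherited=$($Rule.IsInherited)): $($Rule.IdentityReference) $($Rule.ActiveDirectoryRights)"
            }
        }
    }
}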
===== 2. Entwurf: Funktionalität ausgebaut + Verbose =====
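function Remove-ACLAccessRule
{
    <#
    .SYNOPSIS
    Removes matching access rules (ACEs) from the ACL of an AD group, locally or on a remote computer.

    .DESCRIPTION
    Looks the group up with Get-ADGroup, reads its ACL through the AD: drive, removes every rule whose
    AccessControlType, IdentityReference, ActiveDirectoryRights and ObjectType match, and writes the ACL
    back with Set-Acl only when something was actually removed. With -DC the work runs inside a PSSession
    on that computer (the ActiveDirectory module is imported there); without it everything runs locally.
    Inheritance scope (InheritanceType / InheritedObjectType) is not part of the match. Rules that
    RemoveAccessRule cannot remove (it returns $false, e.g. for inherited ACEs) produce a warning.
    The remote session is removed on both the normal and the error path.

    .PARAMETER ADGroup
    Identity of the group, anything Get-ADGroup -Identity accepts.
    .PARAMETER AccessControlType
    "Allow" or "Deny"; compared case-insensitively.
    .PARAMETER IdentityReference
    Trustee exactly as the rule's IdentityReference.ToString() renders it (e.g. DOMAIN\Name).
    .PARAMETER ActiveDirectoryRights
    Integer value of the ActiveDirectoryRights flags; must equal the rule's value exactly.
    .PARAMETER ObjectGuid
    ObjectType GUID as a string in Guid.ToString() format (no braces).
    .PARAMETER DC
    Computer to run on through PSRemoting; empty means local execution.
    .PARAMETER Credential
    Credential for the remote session. Preferred over -AdminAccount/-Password.
    .PARAMETER AdminAccount
    Account name for the legacy plain-text credential form; ignored when -Credential is given.
    .PARAMETER Password
    Plain-text password for -AdminAccount, kept only for callers of the old signature. A password on the
    command line shows up in shell history, transcripts and process listings; use -Credential instead.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)][String]$ADGroup,
        [Parameter(Mandatory=$true)][String]$AccessControlType,
        [Parameter(Mandatory=$true)][String]$IdentityReference,
        [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
        [Parameter(Mandatory=$true)][String]$ObjectGuid,
        [Parameter()][string]$DC,
        [Parameter()][string]$AdminAccount,
        [Parameter()][string]$Password,
        [Parameter()][System.Management.Automation.PSCredential]$Credential
    )
    begin
    {
        Write-Verbose "*************begin*************"
        $Session = $null
        $isRemote = $false

        # Only build a credential from the plain-text pair when none was passed directly.
        if ($null -eq $Credential -and $AdminAccount -ne "" -and $Password -ne "")
        {
            $PW = ConvertTo-SecureString $Password -AsPlainText -Force
            $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount, $PW)
        }

        if ($DC -eq "")
        {
            Import-Module ActiveDirectory -Verbose:$false
            Write-Verbose "Lokale Ausführung"
        }
        else
        {
            # -ErrorAction Stop: a failed session must abort here instead of surfacing later as an
            # Invoke-Command error on a $null session.
            if ($null -ne $Credential)
            {
                $Session = New-PSSession -ComputerName $DC -Credential $Credential -ErrorAction Stop
            }
            else
            {
                $Session = New-PSSession -ComputerName $DC -ErrorAction Stop
            }
            try
            {
                Invoke-Command -Session $Session -ScriptBlock { Import-Module ActiveDirectory } -ErrorAction Stop
            }
            catch
            {
                # Do not leak the session when the module is missing on the remote side.
                Remove-PSSession -Session $Session
                $Session = $null
                throw
            }
            Write-Verbose "Remote-Anmeldung auf $DC"
            $isRemote = $true
        }
    }
    process
    {
        Write-Verbose "*************process*************"
        # Runs locally or inside the remote session. $VerbosePreference is passed as an argument because
        # the remote runspace does not inherit the caller's preference variables.
        $ScriptBlock =
        {
            param
            (
                $ADGroup,
                $AccessControlType,
                $IdentityReference,
                $ActiveDirectoryRights,
                $ObjectGuid,
                [System.Management.Automation.ActionPreference]$VerbosePreference
            )
            $ADObject = Get-ADGroup -Identity $ADGroup
            $ADObjectName = $ADObject.SamAccountName
            Write-Verbose "Zu prüfende Gruppe: $ADObjectName"
            $LDAPPath = "AD:\" + $ADObject.DistinguishedName.ToString()
            $ACL = Get-Acl -Path $LDAPPath
            Write-Verbose "ACL abgerufen"

            # Collect every match first so that all of them are removed, not only the last one seen.
            $RulesToRemove = @()
            foreach ($Rule in $ACL.Access)
            {
                if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and
                    $Rule.IdentityReference.ToString() -eq $IdentityReference -and
                    $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and
                    $Rule.ObjectType.ToString() -eq $ObjectGuid)
                {
                    $RulesToRemove += $Rule
                    Write-Verbose "Regel gefunden!"
                }
            }

            if ($RulesToRemove.Count -eq 0)
            {
                Write-Verbose "Regel nicht gefunden!"
                return
            }

            $removed = 0
            foreach ($Rule in $RulesToRemove)
            {
                # RemoveAccessRule returns $false when the ACL was not changed; report it instead of
                # writing an unchanged ACL back and claiming success.
                if ($ACL.RemoveAccessRule($Rule))
                {
                    $removed++
                }
                else
                {
                    Write-Warning "Regel konnte nicht entfernt werden (IsInherited=$($Rule.IsInherited)): $($Rule.IdentityReference) $($Rule.ActiveDirectoryRights)"
                }
            }
            if ($removed -gt 0)
            {
                Set-Acl -Path $LDAPPath -AclObject $ACL
                Write-Verbose "Regel entfernt: $removed"
            }
        }

        # One argument list for both branches; the original local branch passed $VerbosePreference twice.
        $ArgList = @($ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference)
        try
        {
            if ($isRemote)
            {
                Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ArgList
            }
            else
            {
                Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ArgList
            }
        }
        catch
        {
            # 'end' is not reached after a terminating error, so clean the session up here.
            if ($isRemote -and $null -ne $Session)
            {
                Remove-PSSession -Session $Session
                $Session = $null
            }
            throw
        }
    }
    end
    {
        if ($isRemote -and $null -ne $Session) { Remove-PSSession -Session $Session }
    }
}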
{{tag>[Powershell ACL AccessRule Remove]}}