
ACL AccessRule entfernen

1. Entwurf - Die gewünschte Funktionalität

function Remove-ACLAccessRule
{
	<#
	.SYNOPSIS
	Removes one access rule from an in-memory Active Directory ACL object.

	.DESCRIPTION
	Walks $ACL.Access and looks for a rule whose AccessControlType, IdentityReference,
	ActiveDirectoryRights (numeric value) and ObjectType all equal the arguments.
	When a rule matches, it is handed to $ACL.RemoveAccessRule().

	Only these four properties are compared. Inheritance settings and any other
	rule properties are not part of the match, so callers should check that the
	four values identify exactly the rule they intend to drop. If several rules
	match, the last one in enumeration order is the one that is removed.

	The function changes the passed-in object only. It does not call Set-Acl, so
	nothing is written back to the directory here, and it emits no output.

	.PARAMETER ACL
	The ActiveDirectorySecurity object to modify.

	.PARAMETER AccessControlType
	String form of the rule's AccessControlType to match.

	.PARAMETER IdentityReference
	String form of the rule's IdentityReference to match.

	.PARAMETER ActiveDirectoryRights
	Integer value of the rule's ActiveDirectoryRights to match.

	.PARAMETER ObjectGuid
	String form of the rule's ObjectType GUID to match.
	#>
	[CmdletBinding()]
	param
	(
		[Parameter(Mandatory=$true)]
		[System.DirectoryServices.ActiveDirectorySecurity]
		$ACL,

		[Parameter(Mandatory=$true)]
		[String]
		$AccessControlType,

		[Parameter(Mandatory=$true)]
		[String]
		$IdentityReference,

		[Parameter(Mandatory=$true)]
		[Int]
		$ActiveDirectoryRights,

		[Parameter(Mandatory=$true)]
		[String]
		$ObjectGuid
	)
	begin
	{
		# Stays $null until a rule satisfies all four comparisons.
		$MatchedRule = $null
	}
	process
	{
		foreach ($Ace in $ACL.Access)
		{
			# Guard clauses in the same order as a short-circuiting -and chain.
			if ($Ace.AccessControlType.ToString() -ne $AccessControlType) { continue }
			if ($Ace.IdentityReference.ToString() -ne $IdentityReference) { continue }
			if ($Ace.ActiveDirectoryRights.value__ -ne $ActiveDirectoryRights) { continue }
			if ($Ace.ObjectType.ToString() -ne $ObjectGuid) { continue }

			# No break: a later match replaces an earlier one.
			$MatchedRule = $Ace
		}
	}
	end
	{
		if ($null -ne $MatchedRule)
		{
			# RemoveAccessRule returns a value; discard it so the function stays silent.
			$null = $ACL.RemoveAccessRule($MatchedRule)
		}
	}
}

2. Entwurf: Funktionalität ausgebaut + Verbose

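function Remove-ACLAccessRule
{
	<#
	.SYNOPSIS
	Removes one access rule from the ACL of an Active Directory group and writes the ACL back.

	.DESCRIPTION
	Resolves the group with Get-ADGroup, reads its ACL through the AD: drive and looks for a
	rule whose AccessControlType, IdentityReference, ActiveDirectoryRights (numeric value) and
	ObjectType all equal the arguments. A matching rule is passed to RemoveAccessRule() and the
	ACL is persisted with Set-Acl. Without -DC the work runs locally; with -DC it runs inside a
	PSSession on that computer.

	Only these four properties are compared. Inheritance settings and other rule properties are
	not part of the match, and if several rules match, the last one enumerated is removed, so
	callers should check that the four values identify exactly the intended rule.

	Credentials are used only to open the remote session. In local mode they are ignored and
	the change is made as the calling user.

	Progress is reported through Write-Verbose only; the function writes no other record of
	the permission change.

	.PARAMETER ADGroup
	Identity of the group, as accepted by Get-ADGroup -Identity.

	.PARAMETER AccessControlType
	String form of the rule's AccessControlType to match.

	.PARAMETER IdentityReference
	String form of the rule's IdentityReference to match.

	.PARAMETER ActiveDirectoryRights
	Integer value of the rule's ActiveDirectoryRights to match.

	.PARAMETER ObjectGuid
	String form of the rule's ObjectType GUID to match.

	.PARAMETER DC
	Computer to open the PSSession on. Empty means local execution.

	.PARAMETER AdminAccount
	Account name for the remote session. Used only together with -Password.

	.PARAMETER Password
	Plain-text password for -AdminAccount. Kept for compatibility; a plain-text argument can
	end up in command history, transcripts and logs. Prefer -Credential.

	.PARAMETER Credential
	PSCredential for the remote session (for example from Get-Credential). Takes precedence
	over -AdminAccount / -Password.
	#>
	[CmdletBinding()]
	param
	(
		[Parameter(Mandatory=$true)][String]$ADGroup,
		[Parameter(Mandatory=$true)][String]$AccessControlType,
		[Parameter(Mandatory=$true)][String]$IdentityReference,
		[Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
		[Parameter(Mandatory=$true)][String]$ObjectGuid,
		[Parameter()][string]$DC,
		[Parameter()][string]$AdminAccount,
		[Parameter()][string]$Password,
		[Parameter()][System.Management.Automation.PSCredential]$Credential
	)
	begin 
	{
		Write-Verbose "*************begin*************"
		if ($null -ne $Credential)
		{
			# Preferred path: the secret never exists as a plain string in this function.
			$isCredential = $true
		} elseif ($AdminAccount -ne "" -and $Password -ne "")
		{
			# NOTE(security): legacy path. -AsPlainText -Force wraps a password that was
			# already passed in clear text, so it gives no protection for the argument itself.
			$isCredential = $true
			$PW = ConvertTo-Securestring $Password -AsPlainText -force
			$Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,$PW)
		} else
		{
			$isCredential = $false
		}
		If ($DC -eq "")
		{
			$isRemote = $false
			Import-Module ActiveDirectory -Verbose:$false
			Write-Verbose "Lokale Ausführung"
 
		} else
		{
			if ($isCredential)
			{
				$Session = New-PSSession -ComputerName $DC -Credential $Credential
			} else
			{
				$Session = New-PSSession -ComputerName $DC
			}
			Invoke-Command -Session $Session -Command {Import-Module ActiveDirectory}
			Write-Verbose "Remote-Anmeldung auf $DC"
			$isRemote = $true
		}
	}
	process 
	{
		Write-Verbose "*************process*************"
		# The same script block is used for local and remote execution, so everything it
		# needs is passed in as arguments.
		$ScriptBlock =
		{
			param
			(
				$ADGroup, 
				$AccessControlType, 
				$IdentityReference, 
				$ActiveDirectoryRights, 
				$ObjectGuid,
				# Declared under this name so the caller's verbose preference applies to the
				# Write-Verbose calls inside the script block.
				[System.Management.Automation.ActionPreference]$VerbosePreference
			) 
			$ADObject = Get-ADGroup -Identity $ADGroup 
			$ADObjectName = $ADObject.SamAccountName
			Write-Verbose "Zu prüfende Gruppe: $ADObjectName"
			$LDAPPath = "AD:\" + $ADObject.DistinguishedName.toString();
			$ACL = Get-Acl -Path $LDAPPath
			Write-Verbose "ACL abgerufen"		
			$RuleToRemove = $null;
			$RuleFound = $false;
			foreach($Rule in $ACL.Access)
			{
				# All four properties must match. No break: a later match replaces an earlier one.
				if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and `
					$Rule.IdentityReference.ToString() -eq $IdentityReference -and `
					$Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and `
					$Rule.ObjectType.ToString() -eq $ObjectGuid) `
				{
					$RuleToRemove = $Rule
					$RuleFound = $true;
					Write-Verbose "Regel gefunden!"
				}
			}
			if ($RuleFound)	
			{
				$erg = $ACL.RemoveAccessRule($RuleToRemove)
				# Set-Acl is the step that changes the directory object.
				Set-Acl -Path $LDAPPath -AclObject $ACL
				Write-Verbose "Regel entfernt: $erg"
			} else
			{
				Write-Verbose "Regel nicht gefunden!"
			}
		}
		try
		{
			if ($isRemote)
			{
				Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference
			} else
			{
				# Six arguments for six parameters; the script block declares no seventh.
				Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference
			}
		}
		catch
		{
			# A terminating error here would skip the end block and leave the session open.
			if ($isRemote)
			{
				Remove-PSSession -Session $Session
				$isRemote = $false
			}
			throw
		}
	}
	end 
	{
		if ($isRemote) {Remove-PSSession -Session $Session}
	}
}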

powershell/accessruleentfernen.txt · Zuletzt geändert: 2016/08/18 14:23 von ronny
