powershell:accessruleentfernen
ACL AccessRule entfernen
1. Entwurf - Die gewünschte Funktionalität
function Remove-ACLAccessRule { [CmdletBinding()] param ( [Parameter(Mandatory=$true)][System.DirectoryServices.ActiveDirectorySecurity]$ACL, [Parameter(Mandatory=$true)][String]$AccessControlType, [Parameter(Mandatory=$true)][String]$IdentityReference, [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights, [Parameter(Mandatory=$true)][String]$ObjectGuid ) begin { $RuleToRemove = $null; $RuleFound = $false; } process { foreach($Rule in $ACL.Access) { if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` $Rule.ObjectType.ToString() -eq $ObjectGuid) ` { $RuleToRemove = $Rule $RuleFound = $true; } } } end { if ($RuleFound) {$erg = $ACL.RemoveAccessRule($RuleToRemove)} } }
2. Entwurf: Funktionalität ausgebaut + Verbose
function Remove-ACLAccessRule { [CmdletBinding()] param ( [Parameter(Mandatory=$true)][String]$ADGroup, [Parameter(Mandatory=$true)][String]$AccessControlType, [Parameter(Mandatory=$true)][String]$IdentityReference, [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights, [Parameter(Mandatory=$true)][String]$ObjectGuid, [Parameter()][string]$DC, [Parameter()][string]$AdminAccount, [Parameter()][string]$Password ) begin { Write-Verbose "*************begin*************" if ($AdminAccount -ne "" -and $Password -ne "") { $isCredential = $true $PW = ConvertTo-Securestring $Password -AsPlainText -force $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,$PW) } else { $isCredential = $false } If ($DC -eq "") { $isRemote = $false Import-Module ActiveDirectory -Verbose:$false Write-Verbose "Lokale Ausführung" } else { if ($isCredential) { $Session = New-PSSession -ComputerName $DC -Credential $Credential } else { $Session = New-PSSession -ComputerName $DC } Invoke-Command -Session $Session -Command {Import-Module ActiveDirectory} Write-Verbose "Remote-Anmeldung auf $DC" $isRemote = $true } } process { Write-Verbose "*************process*************" $ScriptBlock = { param ( $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, [System.Management.Automation.ActionPreference]$VerbosePreference ) $ADObject = Get-ADGroup -Identity $ADGroup $ADObjectName = $ADObject.SamAccountName Write-Verbose "Zu prüfende Gruppe: $ADObjectName" $LDAPPath = "AD:\" + $ADObject.DistinguishedName.toString(); $ACL = Get-Acl -Path $LDAPPath Write-Verbose "ACL abgerufen" $RuleToRemove = $null; $RuleFound = $false; foreach($Rule in $ACL.Access) { if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` $Rule.ObjectType.ToString() -eq $ObjectGuid) ` { $RuleToRemove = $Rule $RuleFound = $true; Write-Verbose "Regel gefunden!" } } if ($RuleFound) { $erg = $ACL.RemoveAccessRule($RuleToRemove) Set-Acl -Path $LDAPPath -AclObject $ACL Write-Verbose "Regel entfernt: $erg" } else { Write-Verbose "Regel nicht gefunden!" } } if ($isRemote) { Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference } else { Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference, $VerbosePreference } } end { if ($isRemote) {Remove-PSSession -Session $Session} } }
powershell/accessruleentfernen.txt · Zuletzt geändert: 2016/08/18 14:23 von ronny