powershell:accessruleentfernen
powershell:accessruleentfernen [2016/08/18 12:06] – ronny | powershell:accessruleentfernen [2016/08/18 14:23] (aktuell) – [2. Entwurf: Funktionalität ausgebaut + Verbose] ronny | ||
Zeile 55: | Zeile 55: | ||
[Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights, | [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights, | ||
[Parameter(Mandatory=$true)][String]$ObjectGuid, | [Parameter(Mandatory=$true)][String]$ObjectGuid, | ||
- | [Parameter()][string]$DC | + | [Parameter()][string]$DC, |
- | [Parameter()][string]$AdminAccount | + | [Parameter()][string]$AdminAccount, |
- | [Parameter()][string]$Password | + | [Parameter()][string]$Password |
) | ) | ||
begin | begin | ||
{ | { | ||
Write-Verbose " | Write-Verbose " | ||
- | Import-Module ActiveDirectory -Verbose: | + | if ($AdminAccount -ne "" |
- | If ($DC -ne $null -and ` | + | |
- | $AdminAccount -ne $null -and ` | + | |
- | $Password -ne $null) | + | |
{ | { | ||
+ | $isCredential = $true | ||
$PW = ConvertTo-Securestring $Password -AsPlainText -force | $PW = ConvertTo-Securestring $Password -AsPlainText -force | ||
$Credential = New-Object System.Management.Automation.PSCredential($AdminAccount, | $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount, | ||
- | $Session = New-PSSession -ComputerName $DC -Credential $Credential | ||
- | Write-Verbose " | ||
- | $isRemote = $true | ||
} else | } else | ||
+ | { | ||
+ | $isCredential = $false | ||
+ | } | ||
+ | If ($DC -eq "" | ||
{ | { | ||
$isRemote = $false | $isRemote = $false | ||
+ | Import-Module ActiveDirectory -Verbose: | ||
Write-Verbose " | Write-Verbose " | ||
+ | |||
+ | } else | ||
+ | { | ||
+ | if ($isCredential) | ||
+ | { | ||
+ | $Session = New-PSSession -ComputerName $DC -Credential $Credential | ||
+ | } else | ||
+ | { | ||
+ | $Session = New-PSSession -ComputerName $DC | ||
+ | } | ||
+ | Invoke-Command -Session $Session -Command {Import-Module ActiveDirectory} | ||
+ | Write-Verbose " | ||
+ | $isRemote = $true | ||
} | } | ||
} | } | ||
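Review bot: `$Password` is still a plain `[string]` parameter (L12) that is converted with `ConvertTo-Securestring $Password -AsPlainText -force` (L23), so the admin password travels on the caller's command line, ends up in PSReadLine history and in any transcript or job log, and, when the script is launched from a shell one-liner, in the process command line. Take the credential as `[Parameter()][System.Management.Automation.PSCredential]$Credential` instead of the `$AdminAccount`/`$Password` pair and drop the conversion; `Get-Credential` produces the object interactively and `New-PSSession -Credential $Credential` already takes it unchanged, so only the `$isCredential` test needs to become `$null -ne $Credential`. The remote branch also sets `$isRemote = $true` (L49) even when `New-PSSession` (L42/L45) failed, since neither call uses `-ErrorAction Stop`, so the following `Invoke-Command -Session $Session` and the `Remove-PSSession` in `end` would run against `$null`; add `-ErrorAction Stop` to both `New-PSSession` calls. The enclosing function header and the start of its `param(` block lie before the hunk.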
Zeile 81: | Zeile 94: | ||
{ | { | ||
Write-Verbose " | Write-Verbose " | ||
- | if ($isRemote) | + | $ScriptBlock |
- | { | + | |
- | $ADObject | + | |
- | } else | + | |
- | { | + | |
- | $ADObject = Get-ADGroup -Identity $ADGroup | + | |
- | } | + | |
- | $ADObjectName = $ADObject.SamAccountName | + | |
- | Write-Verbose "Zu prüfende Gruppe: $ADObjectName" | + | |
- | $LDAPPath = " | + | |
- | if ($isRemote) | + | |
- | { | + | |
- | $ACL = Invoke-Command -Session $Session -Commane {param ($a1) Get-Acl -Path $a1} -ArgumentList $LDAPPath | + | |
- | } else | + | |
{ | { | ||
+ | param | ||
+ | ( | ||
+ | $ADGroup, | ||
+ | $AccessControlType, | ||
+ | $IdentityReference, | ||
+ | $ActiveDirectoryRights, | ||
+ | $ObjectGuid, | ||
+ | [System.Management.Automation.ActionPreference]$VerbosePreference | ||
+ | ) | ||
+ | $ADObject = Get-ADGroup -Identity $ADGroup | ||
+ | $ADObjectName = $ADObject.SamAccountName | ||
+ | Write-Verbose "Zu prüfende Gruppe: $ADObjectName" | ||
+ | $LDAPPath = " | ||
$ACL = Get-Acl -Path $LDAPPath | $ACL = Get-Acl -Path $LDAPPath | ||
- | } | + | Write-Verbose "ACL abgerufen" |
- | Write-Verbose "ACL abgerufen" | + | $RuleToRemove = $null; |
- | $RuleToRemove = $null; | + | $RuleFound = $false; |
- | $RuleFound = $false; | + | foreach($Rule in $ACL.Access) |
- | foreach($Rule in $ACL.Access) | + | |
- | { | + | |
- | if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` | + | |
- | $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` | + | |
- | $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` | + | |
- | $Rule.ObjectType.ToString() -eq $ObjectGuid) ` | + | |
{ | { | ||
- | $RuleToRemove = $Rule | + | if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` |
- | $RuleFound = $true; | + | $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` |
- | Write-Verbose "Regel gefunden!" | + | $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` |
+ | $Rule.ObjectType.ToString() -eq $ObjectGuid) ` | ||
+ | { | ||
+ | $RuleToRemove = $Rule | ||
+ | $RuleFound = $true; | ||
+ | Write-Verbose "Regel gefunden!" | ||
+ | } | ||
} | } | ||
- | } | + | if ($RuleFound) |
- | if ($RuleFound) | + | |
- | { | + | |
- | $erg = $ACL.RemoveAccessRule($RuleToRemove) | + | |
- | if ($isRemote) | + | |
- | { | + | |
- | Invoke-Command -Session $Session -Command {param ($a1, $a2) Set-Acl -Path $a1 -AclObject $a2} -ArgumentList $LDAPPath, | + | |
- | } else | + | |
{ | { | ||
+ | $erg = $ACL.RemoveAccessRule($RuleToRemove) | ||
Set-Acl -Path $LDAPPath -AclObject $ACL | Set-Acl -Path $LDAPPath -AclObject $ACL | ||
+ | Write-Verbose "Regel entfernt: $erg" | ||
+ | } else | ||
+ | { | ||
+ | Write-Verbose "Regel nicht gefunden!" | ||
} | } | ||
- | Write-Verbose "Regel entfernt: | + | } |
+ | if ($isRemote) | ||
+ | { | ||
+ | Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, | ||
} else | } else | ||
{ | { | ||
- | Write-Verbose "Regel nicht gefunden!" | + | Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, |
- | } | + | } |
+ | } | ||
+ | end | ||
+ | { | ||
+ | if ($isRemote) {Remove-PSSession -Session $Session} | ||
} | } | ||
- | end {} | ||
} | } | ||
</ | </ |
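Review bot: The return value of `$ACL.RemoveAccessRule($RuleToRemove)` (L114) is only written to the verbose stream, and `Set-Acl` on the next line rewrites the security descriptor regardless, so an ACE the method cannot drop (as far as I can tell, inherited ACEs are skipped and the call returns `$false`) still results in a descriptor write and a "Regel entfernt" message. Gate the write on the result: `if ($ACL.RemoveAccessRule($RuleToRemove)) { Set-Acl -Path $LDAPPath -AclObject $ACL } else { Write-Warning "Regel nicht entfernbar (geerbt?): $ADObjectName" }`. The `foreach` (L87–L104) keeps only the last match in `$RuleToRemove` and never compares `IsInherited`, so when an explicit and an inherited ACE share identity, rights, type and object GUID the explicit one may be the one left behind; adding `-and -not $Rule.IsInherited` to the condition, or collecting all matches in a list, makes the intent explicit. Because this function modifies AD security descriptors, `SupportsShouldProcess` with a `$PSCmdlet.ShouldProcess($LDAPPath, 'Remove access rule')` guard before `Set-Acl` would give callers `-WhatIf`; the `CmdletBinding` attribute sits before the hunk and the preference would have to be passed into `$ScriptBlock` the way `$VerbosePreference` is (L77), since `$PSCmdlet` is not available inside the invoked block.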