

powershell:accessruleentfernen

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.


powershell:accessruleentfernen [2016/08/18 12:06] ronnypowershell:accessruleentfernen [2016/08/18 14:23] (aktuell) – [2. Entwurf: Funktionalität ausgebaut + Verbose] ronny
Zeile 55: Zeile 55:
  [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,  [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
  [Parameter(Mandatory=$true)][String]$ObjectGuid,  [Parameter(Mandatory=$true)][String]$ObjectGuid,
- [Parameter()][string]$DC = $null+ [Parameter()][string]$DC, 
- [Parameter()][string]$AdminAccount = $null+ [Parameter()][string]$AdminAccount, 
- [Parameter()][string]$Password = $null+ [Parameter()][string]$Password
  )  )
  begin   begin 
  {  {
  Write-Verbose "*************begin*************"  Write-Verbose "*************begin*************"
- Import-Module ActiveDirectory -Verbose:$false + if ($AdminAccount -ne "" -and $Password -ne "")
- If ($DC -ne $null -and ` +
- $AdminAccount -ne $null -and +
- $Password -ne $null)+
  {  {
 + $isCredential = $true
  $PW = ConvertTo-Securestring $Password -AsPlainText -force  $PW = ConvertTo-Securestring $Password -AsPlainText -force
  $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,$PW)  $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,$PW)
- $Session = New-PSSession -ComputerName $DC -Credential $Credential 
- Write-Verbose "Remote-Anmeldung auf $DC" 
- $isRemote = $true 
  } else  } else
 + {
 + $isCredential = $false
 + }
 + If ($DC -eq "")
  {  {
  $isRemote = $false  $isRemote = $false
 + Import-Module ActiveDirectory -Verbose:$false
  Write-Verbose "Lokale Ausführung"  Write-Verbose "Lokale Ausführung"
 +
 + } else
 + {
 + if ($isCredential)
 + {
 + $Session = New-PSSession -ComputerName $DC -Credential $Credential
 + } else
 + {
 + $Session = New-PSSession -ComputerName $DC
 + }
 + Invoke-Command -Session $Session -Command {Import-Module ActiveDirectory}
 + Write-Verbose "Remote-Anmeldung auf $DC"
 + $isRemote = $true
  }  }
  }  }
Zeile 81: Zeile 94:
  {  {
  Write-Verbose "*************process*************"  Write-Verbose "*************process*************"
- if ($isRemote) + $ScriptBlock =
-+
- $ADObject Invoke-Command -Session $Session -Command {param ($a1) Get-ADGroup -Identity $a1} -ArgumentList $ADObject +
- } else +
-+
- $ADObject = Get-ADGroup -Identity $ADGroup +
- }  +
- $ADObjectName = $ADObject.SamAccountName +
- Write-Verbose "Zu prüfende Gruppe: $ADObjectName" +
- $LDAPPath = "AD:\" + $ADObject.DistinguishedName.toString(); +
- if ($isRemote) +
-+
- $ACL = Invoke-Command -Session $Session -Commane {param ($a1) Get-Acl -Path $a1} -ArgumentList $LDAPPath  +
- } else +
  {  {
 + param
 + (
 + $ADGroup, 
 + $AccessControlType, 
 + $IdentityReference, 
 + $ActiveDirectoryRights, 
 + $ObjectGuid,
 + [System.Management.Automation.ActionPreference]$VerbosePreference
 +
 + $ADObject = Get-ADGroup -Identity $ADGroup 
 + $ADObjectName = $ADObject.SamAccountName
 + Write-Verbose "Zu prüfende Gruppe: $ADObjectName"
 + $LDAPPath = "AD:\" + $ADObject.DistinguishedName.toString();
  $ACL = Get-Acl -Path $LDAPPath  $ACL = Get-Acl -Path $LDAPPath
-+ Write-Verbose "ACL abgerufen"  
- Write-Verbose "ACL abgerufen"  + $RuleToRemove = $null; 
- $RuleToRemove = $null; + $RuleFound = $false; 
- $RuleFound = $false; + foreach($Rule in $ACL.Access)
- foreach($Rule in $ACL.Access) +
-+
- if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` +
- $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` +
- $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` +
- $Rule.ObjectType.ToString() -eq $ObjectGuid) `+
  {  {
- $RuleToRemove = $Rule + if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` 
- $RuleFound = $true; + $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` 
- Write-Verbose "Regel gefunden!"+ $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` 
 + $Rule.ObjectType.ToString() -eq $ObjectGuid) ` 
 +
 + $RuleToRemove = $Rule 
 + $RuleFound = $true; 
 + Write-Verbose "Regel gefunden!" 
 + }
  }  }
-+ if ($RuleFound)
- if ($RuleFound)  +
-+
- $erg = $ACL.RemoveAccessRule($RuleToRemove) +
- if ($isRemote) +
-+
- Invoke-Command -Session $Session -Command {param ($a1, $a2) Set-Acl -Path $a1 -AclObject $a2} -ArgumentList $LDAPPath,$ACL  +
- } else +
  {  {
 + $erg = $ACL.RemoveAccessRule($RuleToRemove)
  Set-Acl -Path $LDAPPath -AclObject $ACL  Set-Acl -Path $LDAPPath -AclObject $ACL
 + Write-Verbose "Regel entfernt: $erg"
 + } else
 + {
 + Write-Verbose "Regel nicht gefunden!"
  }  }
- Write-Verbose "Regel entfernt: $erg"+
 + if ($isRemote) 
 +
 + Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference
  } else  } else
  {  {
- Write-Verbose "Regel nicht gefunden!" + Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid, $VerbosePreference, $VerbosePreference 
- }+ }  
 +
 + end  
 +
 + if ($isRemote) {Remove-PSSession -Session $Session}
  }  }
- end {} 
 } }
 </code> </code>
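Review bot: The new parameter block still takes the remote account's password as a plain `[string]$Password` and only afterwards wraps it with `ConvertTo-Securestring $Password -AsPlainText -force`, so the clear-text value can end up wherever the invocation is recorded (console history, transcripts, script-block logging) before it ever becomes a SecureString. Accepting the credential object avoids that: replace the `$AdminAccount`/`$Password` pair with `[Parameter()][System.Management.Automation.PSCredential]$Credential` and set `$isCredential = ($null -ne $Credential)`. Separately, the local branch of the process block passes `$VerbosePreference` twice in `-ArgumentList`, while the script block's `param` declares it once and the remote branch passes it once; the duplicate should be dropped so both calls match. The function header lies above the first hunk, so whether existing callers depend on the two string parameters cannot be seen from here.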
powershell/accessruleentfernen.txt · Zuletzt geändert: 2016/08/18 14:23 von ronny
