



ACL AccessRule entfernen

1. Entwurf - Die gewünschte Funktionalität

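function Remove-ACLAccessRule
{
	<#
	.SYNOPSIS
		Removes one explicit access rule from an Active Directory security descriptor.
	.DESCRIPTION
		Walks $ACL.Access and remembers the rule whose AccessControlType,
		IdentityReference, ActiveDirectoryRights and ObjectType all equal the
		given values (when several rules match, the last one wins). That rule is
		then removed from $ACL in place. Nothing is written back to the directory:
		the caller still has to persist $ACL, e.g. with Set-Acl.
	.PARAMETER ACL
		The security descriptor to modify, as returned by Get-Acl on an "AD:\" path.
	.PARAMETER AccessControlType
		"Allow" or "Deny", compared as text against the rule's AccessControlType.
	.PARAMETER IdentityReference
		The trustee as text (e.g. "DOMAIN\Group"), compared against the rule's
		IdentityReference.ToString().
	.PARAMETER ActiveDirectoryRights
		Numeric value of the ActiveDirectoryRights flags the rule must carry.
	.PARAMETER ObjectGuid
		The rule's ObjectType GUID as text (attribute, class or extended right).
	.OUTPUTS
		None. $ACL is modified in place; the bool returned by RemoveAccessRule is discarded.
	#>
	[CmdletBinding()]
	param
	(
		[Parameter(Mandatory=$true)][System.DirectoryServices.ActiveDirectorySecurity]$ACL,
		[Parameter(Mandatory=$true)][String]$AccessControlType,
		[Parameter(Mandatory=$true)][String]$IdentityReference,
		[Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
		[Parameter(Mandatory=$true)][String]$ObjectGuid
	)
	begin
	{
		$RuleToRemove = $null
		$RuleFound = $false
	}
	process
	{
		# A line ending in -and continues on the next line, so no trailing
		# backticks are needed; -eq on strings is case-insensitive, which lets
		# the GUID and the trustee name be passed in any casing.
		foreach ($Rule in $ACL.Access)
		{
			if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and
				$Rule.IdentityReference.ToString() -eq $IdentityReference -and
				$Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and
				$Rule.ObjectType.ToString() -eq $ObjectGuid)
			{
				$RuleToRemove = $Rule
				$RuleFound = $true
			}
		}
	}
	end
	{
		# RemoveAccessRule returns a bool; cast to void so the function emits nothing.
		if ($RuleFound) { [void]$ACL.RemoveAccessRule($RuleToRemove) }
	}
}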

2. Entwurf: Funktionalität ausgebaut + Verbose

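function Remove-ACLAccessRule
{
	<#
	.SYNOPSIS
		Removes one explicit access rule from the ACL of an AD group, locally or on a DC.
	.DESCRIPTION
		Resolves the group with Get-ADGroup, reads its ACL from the "AD:\" drive,
		removes the rule whose AccessControlType, IdentityReference,
		ActiveDirectoryRights and ObjectType match, and writes the ACL back with
		Set-Acl. When -DC and credentials are supplied the whole lookup-and-edit
		runs inside a PSSession on that DC; otherwise it runs in the current
		session. Progress is reported through the Verbose stream only.
	.PARAMETER ADGroup
		Identity of the group (SamAccountName, DN, GUID or SID) passed to Get-ADGroup.
	.PARAMETER AccessControlType
		"Allow" or "Deny", compared as text against the rule's AccessControlType.
	.PARAMETER IdentityReference
		The trustee as text (e.g. "DOMAIN\Group").
	.PARAMETER ActiveDirectoryRights
		Numeric value of the ActiveDirectoryRights flags the rule must carry.
	.PARAMETER ObjectGuid
		The rule's ObjectType GUID as text.
	.PARAMETER DC
		Domain controller to run on. Remote execution is used only when -DC and
		either -Credential or both -AdminAccount and -Password are given.
	.PARAMETER AdminAccount
		Account for the remote session (legacy; prefer -Credential).
	.PARAMETER Password
		Plain-text password for -AdminAccount (legacy; prefer -Credential). A
		plain-text password on the command line ends up in transcripts, history
		and process listings.
	.PARAMETER Credential
		PSCredential for the remote session; takes precedence over -AdminAccount/-Password.
	.OUTPUTS
		None.
	#>
	[CmdletBinding()]
	param
	(
		[Parameter(Mandatory=$true)][String]$ADGroup,
		[Parameter(Mandatory=$true)][String]$AccessControlType,
		[Parameter(Mandatory=$true)][String]$IdentityReference,
		[Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,
		[Parameter(Mandatory=$true)][String]$ObjectGuid,
		[Parameter()][string]$DC = $null,
		[Parameter()][string]$AdminAccount = $null,
		[Parameter()][string]$Password = $null,
		[Parameter()][System.Management.Automation.PSCredential]$Credential = $null
	)
	begin
	{
		Write-Verbose "*************begin*************"
		$Session = $null
		$isRemote = $false
		# A [string] parameter never holds $null - PowerShell coerces it to "" - so
		# "$DC -ne $null" was always true and the remote branch was always taken.
		# Test for emptiness instead.
		$haveLegacyCreds = -not [string]::IsNullOrEmpty($AdminAccount) -and -not [string]::IsNullOrEmpty($Password)
		if (-not [string]::IsNullOrEmpty($DC) -and ($null -ne $Credential -or $haveLegacyCreds))
		{
			if ($null -eq $Credential)
			{
				$PW = ConvertTo-SecureString $Password -AsPlainText -Force
				$Credential = New-Object System.Management.Automation.PSCredential($AdminAccount, $PW)
			}
			$Session = New-PSSession -ComputerName $DC -Credential $Credential -ErrorAction Stop
			Write-Verbose "Remote-Anmeldung auf $DC"
			$isRemote = $true
		}
		else
		{
			Write-Verbose "Lokale Ausführung"
		}

		# All directory work happens inside this script block, run either with "&"
		# in the current session or via Invoke-Command on the DC. Reading the ACL
		# remotely and editing it here does not work: an object that crosses a
		# remoting boundary is deserialized and no longer has RemoveAccessRule().
		# The block returns a small summary object so the caller can report.
		$Worker = {
			param ($GroupName, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid)
			Import-Module ActiveDirectory -Verbose:$false
			$ADObject = Get-ADGroup -Identity $GroupName
			$LDAPPath = "AD:\" + $ADObject.DistinguishedName.ToString()
			$ACL = Get-Acl -Path $LDAPPath
			$RuleToRemove = $null
			foreach ($Rule in $ACL.Access)
			{
				if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and
					$Rule.IdentityReference.ToString() -eq $IdentityReference -and
					$Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and
					$Rule.ObjectType.ToString() -eq $ObjectGuid)
				{
					$RuleToRemove = $Rule
				}
			}
			$Removed = $null
			if ($null -ne $RuleToRemove)
			{
				$Removed = $ACL.RemoveAccessRule($RuleToRemove)
				Set-Acl -Path $LDAPPath -AclObject $ACL
			}
			New-Object PSObject -Property @{
				GroupName = $ADObject.SamAccountName
				RuleFound = ($null -ne $RuleToRemove)
				Removed   = $Removed
			}
		}
	}
	process
	{
		Write-Verbose "*************process*************"
		# The group identity is passed explicitly; the original handed the
		# not-yet-defined $ADObject to the remote Get-ADGroup instead of $ADGroup.
		$WorkerArgs = @($ADGroup, $AccessControlType, $IdentityReference, $ActiveDirectoryRights, $ObjectGuid)
		if ($isRemote)
		{
			$Result = Invoke-Command -Session $Session -ScriptBlock $Worker -ArgumentList $WorkerArgs
		}
		else
		{
			$Result = & $Worker @WorkerArgs
		}
		Write-Verbose "Zu prüfende Gruppe: $($Result.GroupName)"
		Write-Verbose "ACL abgerufen"
		if ($Result.RuleFound)
		{
			Write-Verbose "Regel gefunden!"
			Write-Verbose "Regel entfernt: $($Result.Removed)"
		}
		else
		{
			Write-Verbose "Regel nicht gefunden!"
		}
	}
	end
	{
		# The original never closed the session, leaking one PSSession per call.
		if ($null -ne $Session) { Remove-PSSession -Session $Session }
	}
}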
