

powershell:accessruleentfernen

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen gezeigt.

powershell:accessruleentfernen [2016/08/18 12:06]
ronny
powershell:accessruleentfernen [2016/08/18 14:23] (aktuell)
ronny [2. Entwurf: Funktionalität ausgebaut + Verbose]
Zeile 55: Zeile 55:
  [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,​  [Parameter(Mandatory=$true)][Int]$ActiveDirectoryRights,​
  [Parameter(Mandatory=$true)][String]$ObjectGuid,​  [Parameter(Mandatory=$true)][String]$ObjectGuid,​
- [Parameter()][string]$DC ​= $null+ [Parameter()][string]$DC,​ 
- [Parameter()][string]$AdminAccount ​= $null+ [Parameter()][string]$AdminAccount,​ 
- [Parameter()][string]$Password ​= $null+ [Parameter()][string]$Password
  )  )
  begin ​  begin ​
  {  {
  Write-Verbose "​*************begin*************"​  Write-Verbose "​*************begin*************"​
- Import-Module ActiveDirectory -Verbose:​$false + if ($AdminAccount -ne "" ​-and $Password -ne ""​)
- If ($DC -ne $null -and ` +
- $AdminAccount -ne $null -and +
- $Password -ne $null)+
  {  {
 + $isCredential = $true
  $PW = ConvertTo-Securestring $Password -AsPlainText -force  $PW = ConvertTo-Securestring $Password -AsPlainText -force
  $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,​$PW)  $Credential = New-Object System.Management.Automation.PSCredential($AdminAccount,​$PW)
- $Session = New-PSSession -ComputerName $DC -Credential $Credential 
- Write-Verbose "​Remote-Anmeldung auf $DC" 
- $isRemote = $true 
  } else  } else
 + {
 + $isCredential = $false
 + }
 + If ($DC -eq ""​)
  {  {
  $isRemote = $false  $isRemote = $false
 + Import-Module ActiveDirectory -Verbose:​$false
  Write-Verbose "​Lokale Ausführung"​  Write-Verbose "​Lokale Ausführung"​
 +
 + } else
 + {
 + if ($isCredential)
 + {
 + $Session = New-PSSession -ComputerName $DC -Credential $Credential
 + } else
 + {
 + $Session = New-PSSession -ComputerName $DC
 + }
 + Invoke-Command -Session $Session -Command {Import-Module ActiveDirectory}
 + Write-Verbose "​Remote-Anmeldung auf $DC"
 + $isRemote = $true
  }  }
  }  }
Zeile 81: Zeile 94:
  {  {
  Write-Verbose "​*************process*************"​  Write-Verbose "​*************process*************"​
- if ($isRemote) + $ScriptBlock ​=
-+
- $ADObject ​Invoke-Command -Session $Session -Command {param ($a1) Get-ADGroup -Identity $a1} -ArgumentList $ADObject +
- } else +
-+
- $ADObject = Get-ADGroup -Identity $ADGroup +
- }  +
- $ADObjectName = $ADObject.SamAccountName +
- Write-Verbose "Zu prüfende Gruppe: $ADObjectName"​ +
- $LDAPPath = "​AD:​\"​ + $ADObject.DistinguishedName.toString();​ +
- if ($isRemote) +
-+
- $ACL = Invoke-Command -Session $Session -Commane {param ($a1) Get-Acl -Path $a1} -ArgumentList $LDAPPath  +
- } else +
  {  {
 + param
 + (
 + $ADGroup, ​
 + $AccessControlType, ​
 + $IdentityReference, ​
 + $ActiveDirectoryRights, ​
 + $ObjectGuid,​
 + [System.Management.Automation.ActionPreference]$VerbosePreference
 +
 + $ADObject = Get-ADGroup -Identity $ADGroup ​
 + $ADObjectName = $ADObject.SamAccountName
 + Write-Verbose "Zu prüfende Gruppe: $ADObjectName"​
 + $LDAPPath = "​AD:​\"​ + $ADObject.DistinguishedName.toString();​
  $ACL = Get-Acl -Path $LDAPPath  $ACL = Get-Acl -Path $LDAPPath
-+ Write-Verbose "ACL abgerufen"​  
- Write-Verbose "ACL abgerufen"​  + $RuleToRemove = $null; 
- $RuleToRemove = $null; + $RuleFound = $false; 
- $RuleFound = $false; + foreach($Rule in $ACL.Access)
- foreach($Rule in $ACL.Access) +
-+
- if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` +
- $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` +
- $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` +
- $Rule.ObjectType.ToString() -eq $ObjectGuid) `+
  {  {
- $RuleToRemove = $Rule + if ($Rule.AccessControlType.ToString() -eq $AccessControlType -and ` 
- $RuleFound = $true; + $Rule.IdentityReference.ToString() -eq $IdentityReference -and ` 
- Write-Verbose "Regel gefunden!"​+ $Rule.ActiveDirectoryRights.value__ -eq $ActiveDirectoryRights -and ` 
 + $Rule.ObjectType.ToString() -eq $ObjectGuid) ` 
 +
 + $RuleToRemove = $Rule 
 + $RuleFound = $true; 
 + Write-Verbose "Regel gefunden!"​ 
 + }
  }  }
-+ if ($RuleFound)
- if ($RuleFound)  +
-+
- $erg = $ACL.RemoveAccessRule($RuleToRemove) +
- if ($isRemote) +
-+
- Invoke-Command -Session $Session -Command {param ($a1, $a2) Set-Acl -Path $a1 -AclObject $a2} -ArgumentList $LDAPPath,​$ACL  +
- } else +
  {  {
 + $erg = $ACL.RemoveAccessRule($RuleToRemove)
  Set-Acl -Path $LDAPPath -AclObject $ACL  Set-Acl -Path $LDAPPath -AclObject $ACL
 + Write-Verbose "Regel entfernt: $erg"
 + } else
 + {
 + Write-Verbose "Regel nicht gefunden!"​
  }  }
- Write-Verbose "Regel entfernt: ​$erg"+
 + if ($isRemote) 
 +
 + Invoke-Command -Session $Session -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType,​ $IdentityReference,​ $ActiveDirectoryRights,​ $ObjectGuid, ​$VerbosePreference
  } else  } else
  {  {
- Write-Verbose "Regel nicht gefunden!"​ + Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ADGroup, $AccessControlType,​ $IdentityReference,​ $ActiveDirectoryRights,​ $ObjectGuid,​ $VerbosePreference,​ $VerbosePreference 
- }+ }  
 +
 + end  
 +
 + if ($isRemote) {Remove-PSSession -Session $Session}
  }  }
- end {} 
 } }
 </​code>​ </​code>​
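Review bot: The begin block still takes `$Password` as a plain `[String]` and runs it through `ConvertTo-Securestring $Password -AsPlainText -force`, so the admin password is typed on the command line and can end up in console history, transcripts and script-block logging on the calling host. Accepting a credential object instead, e.g. `[Parameter()][System.Management.Automation.PSCredential]$Credential` filled from `Get-Credential`, and passing it straight to `New-PSSession -Credential`, removes the plaintext step. The new test `$AdminAccount -ne "" -and $Password -ne ""` also falls back silently to the caller's own identity when only one of the two values is given; an explicit error for that case would make the identity used for the ACL change unambiguous. In the local branch of the process block, `$VerbosePreference` appears twice in `-ArgumentList`. The param block and function header begin above the first hunk, so whether the function declares `SupportsShouldProcess` for the `Set-Acl` call cannot be seen from here.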
powershell/accessruleentfernen.txt · Zuletzt geändert: 2016/08/18 14:23 von ronny