I’m attempting to automate delegated permissions on an Active Directory (AD) Organizational Unit (OU) using Access Control Entries (ACEs).

However, I don’t fully understand the Active Directory schema, and I’m facing an issue where my PowerShell results do not match the manually configured OU permissions set via dsa.msc (Active Directory Users and Computers).

There is one setting that the UI sets, InheritedObjectType bf967a86-0de6-11d0-a285-00aa003049e2 (which corresponds to “Application-Version”), that I can’t get to set via PowerShell or dsacls.exe.

Does anyone know why, when I set the settings via the UI, I receive this extra ActiveDirectoryRight CreateChild with the Application-Version InheritedObjectType, and how I would replicate that setting via PowerShell?

I’m using win_ad_dacls.ps1 by Jordan Borean so as not to reinvent the wheel (and so I can run this idempotently and natively via Ansible).

End Goal

Give a user/group the following rights on all Computer objects in all children of an OU:

  • Read
  • Write
  • Create All Child Objects
  • Read All Properties
  • Write All Properties
  • Reset Password

Testing/Validation Method

Get-Acl 'AD:\OU=TestOU,OU=Servers,OU=TestADACE,DC=domain,DC=local' | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'domain\\testuser'}

UI Settings That Actually Get Set

These are the settings I see when I run the PowerShell command under Testing/Validation Method after setting the six permissions listed under End Goal in Active Directory Users and Computers (dsa.msc), using the Delegation Wizard on Computer objects.

ActiveDirectoryRights : CreateChild, ListChildren, ReadProperty, GenericWrite
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : CreateChild
InheritanceType       : Descendents
ObjectType            : ddc790ac-af4d-442a-8f0f-a1d4caa7dd92
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

Item That I Can’t Figure Out

Of the settings set via the UI (dsa.msc), this is the one I can’t figure out how to automate. My concern is that skipping it will break something.

ActiveDirectoryRights : CreateChild
InheritanceType       : Descendents
ObjectType            : ddc790ac-af4d-442a-8f0f-a1d4caa7dd92
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

PowerShell Settings That I Can Set Using the Ansible Playbook Below and This Ansible Module

These are the settings I see when I run the PowerShell command under Testing/Validation Method after applying the permissions listed under Ansible Tasks below.

ActiveDirectoryRights : CreateChild, ListChildren, ReadProperty, GenericWrite
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : domain\testuser
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

Ansible Tasks

  - name: Broad access on Computer Objects in App OU
    win_ad_dacls:
      state: present
      path: "OU=TestOU,OU=Servers,OU=TestADACE,DC=domain,DC=local"
      rights: CreateChild, ListChildren, ReadProperty, GenericWrite
      inheritance_type: Descendents
      inherited_object_type: Computer
      object_type: 00000000-0000-0000-0000-000000000000
      access: allow
      account: domain\testuser
  - name: Reset Password Permission on Computer Objects in App OU
    win_ad_dacls:
      state: present
      path: "OU=TestOU,OU=Servers,OU=TestADACE,DC=domain,DC=local"
      rights: ExtendedRight
      inheritance_type: Descendents
      inherited_object_type: Computer
      object_type: 00299570-246d-11d0-a768-00aa006e0529 # the rightsGuid of the extended right User-Force-Change-Password (“Reset Password”)
      access: allow
      account: domain\testuser

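The following is an added example, not code from the original post and not part of win_ad_dacls.ps1. It builds the three explicit ACEs shown in the post with System.DirectoryServices.ActiveDirectoryAccessRule and applies only those not already present, so it can be re-run safely. Rather than hard-coding GUIDs it resolves them from the schema and configuration partitions by name, which also lets you check which class each GUID in the post belongs to: on a default schema, bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the computer class, ddc790ac-af4d-442a-8f0f-a1d4caa7dd92 is the schemaIDGUID of applicationVersion, and 00299570-246d-11d0-a768-00aa006e0529 is the rightsGuid of User-Force-Change-Password. The ACE the post could not reproduce needs both an ObjectType (the child class) and an InheritedObjectType (computer), which is the six-argument constructor. The OU DN and account are taken from the post; the ActiveDirectory module and rights to modify the OU’s security descriptor are assumed.

```powershell
# Added example (not from the original post or from win_ad_dacls.ps1).
# Creates the three ACEs that the Delegation Wizard produces for computer
# objects under an OU, including the CreateChild ACE scoped to a single
# child object class, and applies only those that are missing.
# Assumptions: ActiveDirectory module available; caller can modify the OU's
# security descriptor; $OuDn and $Account taken from the post.
Import-Module ActiveDirectory

$OuDn    = 'OU=TestOU,OU=Servers,OU=TestADACE,DC=domain,DC=local'
$Account = 'domain\testuser'
$OuPath  = "AD:\$OuDn"

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName so the
# script does not rely on memorised GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right, looked up by cn under CN=Extended-Rights.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$Cn)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$Cn' not found" }
    [guid]$obj.rightsGuid
}

# True when an explicit (non-inherited) ACE identical to $Rule already exists.
function Test-AcePresent {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.IsInherited) { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned SID that no longer resolves; cannot be ours
        if ($aceSid -ne $Rule.IdentityReference) { continue }
        if ($ace.ActiveDirectoryRights -eq $Rule.ActiveDirectoryRights -and
            $ace.AccessControlType     -eq $Rule.AccessControlType     -and
            $ace.InheritanceType       -eq $Rule.InheritanceType       -and
            $ace.ObjectType            -eq $Rule.ObjectType            -and
            $ace.InheritedObjectType   -eq $Rule.InheritedObjectType) {
            return $true
        }
    }
    return $false
}

$computerGuid   = Get-SchemaGuid 'computer'
$appVersionGuid = Get-SchemaGuid 'applicationVersion'
$resetPwGuid    = Get-ExtendedRightGuid 'User-Force-Change-Password'

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$desired = @(
    # Rights on computer objects below the OU; ObjectType left as the null GUID.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, ListChildren, ReadProperty, GenericWrite',
        $allow, $inherit, $computerGuid)
    # The ACE the post could not reproduce: CreateChild restricted to one child
    # class (ObjectType) and inherited to computer objects only
    # (InheritedObjectType). The six-argument constructor sets both GUIDs.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        $allow, $appVersionGuid, $inherit, $computerGuid)
    # Reset Password extended right on computer objects.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwGuid, $inherit, $computerGuid)
)

$acl = Get-Acl -Path $OuPath
$changed = $false
foreach ($rule in $desired) {
    if (Test-AcePresent -Acl $acl -Rule $rule) { continue }
    $acl.AddAccessRule($rule)
    $changed = $true
}
if ($changed) { Set-Acl -Path $OuPath -AclObject $acl }

# Verify with the same query as the post's Testing/Validation Method.
Get-Acl -Path $OuPath | Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -match 'domain\\testuser' } |
    Format-List ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Running it twice should change nothing on the second pass, because Test-AcePresent compares all five fields that distinguish an ACE (rights, type, inheritance, ObjectType, InheritedObjectType) and not just the trustee. The same fields map onto the parameters the post passes to the Ansible module (rights, access, inheritance_type, object_type, inherited_object_type); whether that module accepts a class GUID in object_type together with inherited_object_type: Computer is something to confirm against the module itself, not assumed here.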