How to manage NTFS Conditional Access (DAC) based on group membership via Powershell?

0

1

I need to manage NTFS Access Conditions based on group membership through PowerShell. Digging through the MS documentation about DAC, I've found a bunch of cmdlets [Get/New/Set/Remove]-[ADClaimType/ADCentralAccessPolicy/ADCentralAccessRule], but the condition I've created using the GUI (Settings screenshot) is not popping up there, even though it functions correctly, restricting access to members of the specified group only.

I have a feeling that I am missing something here... It has nothing to do with the claims (since group membership is not an AD user record attribute), so I expected the condition I created to be shown in the rule/policy list, but both seem to be empty.

The end goal is a way of managing this type of condition via PS for the sake of automation. It would be very helpful if somebody could point me in the right direction.

Alexey Panov - Dresden

Programmierus

Posted 2019-06-05T09:48:13.877

Reputation: 1

Answers

0

Answering my own question in case somebody needs it... The access rule in the screenshot is not a central one (so it's not showing in AD DAC) but seems to be a kind of extension to the regular ACL.

The only way to modify it I found is through the SDDL.

  1. Get the ACL object: $acl = Get-Acl -Path $FolderPath
  2. Get the current SDDL string: $acl.Sddl
  3. Expand an existing entry with the conditional rule like this (note the X, 0x1301bf and ;(Member_of_any {SID(S-1-5-21-XXX-XXX-XXX-1619)}) parts):
(A;OICI;FA;;;S-1-5-21-XXX-XXX-XXX-1113)
(XA;OICI;0x1301bf;;;S-1-5-21-XXX-XXX-XXX-1113;(Member_of_any {SID(S-1-5-21-XXX-XXX-XXX-1619)}))

More examples can be learned by examining different SDDLs from GUI-made objects.

  4. Modify the $acl object: $acl.SetSecurityDescriptorSddlForm($NewSddl)
  5. Re-apply it to the folder: Set-Acl -Path $FolderPath -AclObject $acl

If somebody knows the better handy way - please reply :)

Alexey Panov - Dresden

Programmierus

Posted 2019-06-05T09:48:13.877

Reputation: 1
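The five SDDL steps in the answer above, wrapped into a reusable PowerShell function, plus a small reader that lists the conditional ACEs already on a folder. This is an added example, not code from the original answer; the function names, the parameter names, the folder path and the SIDs are placeholders/constructed values, and the SDDL syntax used is the one shown in the answer (an XA access-allowed callback ACE with a Member_of_any condition).

```powershell
# Added example (not part of the original answer). Function names, the folder
# path and all SIDs below are placeholders; replace them with your own values.

function Get-ConditionalAce {
    # Returns the conditional (XA/XD) ACEs in a folder's DACL as raw SDDL fragments,
    # so you can inspect what the GUI or a previous run has already written.
    param([Parameter(Mandatory)][string]$FolderPath)
    $sddl = (Get-Acl -Path $FolderPath).Sddl
    # Conditional ACE: type XA or XD, five ';'-separated fields, then a parenthesised
    # condition that may contain one level of nested parentheses, e.g. SID(...).
    $pattern = '\(X[AD];[^;]*;[^;]*;[^;]*;[^;]*;[^;]*;\((?:[^()]|\([^()]*\))*\)\)'
    [regex]::Matches($sddl, $pattern) | ForEach-Object { $_.Value }
}

function Add-MemberOfConditionalAce {
    # Appends an ACE that grants $TrusteeSid the rights in $AccessMask only when the
    # caller is also a member of $RequiredGroupSid, by editing the SDDL string.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        # Trustee the ACE applies to (the SID in the plain 'A;' entry in the answer)
        [Parameter(Mandatory)][string]$TrusteeSid,
        # Group the caller must additionally belong to for the ACE to apply
        [Parameter(Mandatory)][string]$RequiredGroupSid,
        # Access mask as hex; 0x1301bf (from the answer) is the 'Modify' right set
        [string]$AccessMask = '0x1301bf',
        # OICI = inherit to files (OI) and subfolders (CI), as in the answer's example
        [string]$AceFlags = 'OICI',
        # Also drop the unconditional 'A;' ACE for the same trustee; without this the
        # plain ACE keeps granting access regardless of the condition
        [switch]$ReplaceUnconditional
    )
    $acl  = Get-Acl -Path $FolderPath
    $sddl = $acl.Sddl
    if ($sddl -notmatch 'D:') { throw "No DACL section found in SDDL for $FolderPath" }

    $ace = "(XA;$AceFlags;$AccessMask;;;$TrusteeSid;(Member_of_any {SID($RequiredGroupSid)}))"
    if ($sddl.Contains($ace)) {
        Write-Verbose 'Conditional ACE already present; nothing to do.'
        return $sddl
    }

    if ($ReplaceUnconditional) {
        # Remove any (A;<flags>;<mask>;;;<trustee>) entry for this trustee.
        $plain = "\(A;[^;]*;[^;]*;;;$([regex]::Escape($TrusteeSid))\)"
        $sddl = [regex]::Replace($sddl, $plain, '')
    }

    # Append the ACE at the end of the DACL. If a SACL ('S:' section) follows, the
    # DACL ends at the ')' just before it; otherwise the DACL runs to the end.
    $saclStart = $sddl.IndexOf(')S:')
    $newSddl = if ($saclStart -ge 0) {
        $sddl.Substring(0, $saclStart + 1) + $ace + $sddl.Substring($saclStart + 1)
    } else {
        $sddl + $ace
    }

    # With -WhatIf nothing is written; the new SDDL is still returned for review.
    if ($PSCmdlet.ShouldProcess($FolderPath, "Apply SDDL with conditional ACE $ace")) {
        $acl.SetSecurityDescriptorSddlForm($newSddl)
        Set-Acl -Path $FolderPath -AclObject $acl
    }
    return $newSddl
}

# Usage with placeholder values (constructed; replace with real SIDs and a real path):
# Add-MemberOfConditionalAce -FolderPath 'D:\Shares\Projects' `
#     -TrusteeSid 'S-1-5-21-XXX-XXX-XXX-1113' `
#     -RequiredGroupSid 'S-1-5-21-XXX-XXX-XXX-1619' -ReplaceUnconditional -WhatIf
# Get-ConditionalAce -FolderPath 'D:\Shares\Projects'
```

Run it first with -WhatIf and compare the returned SDDL against Get-ConditionalAce output before applying it for real; since the whole descriptor is rewritten from a string, a typo in the condition is rejected by SetSecurityDescriptorSddlForm, but a valid-but-wrong ACE (for example, leaving the unconditional 'A;' entry in place) is applied silently and the condition then has no restricting effect.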