Every now and then I run across something that feels like I’m the only human on Earth who has to run across it. I Google and Google and Bing and Bing and the answers just seem to miss the mark for what I’m trying to accomplish.
Case in point: Setting permissions on a container object in Active Directory. The f-ing “ActiveDirectoryAccessRule” class and its overloads have pushed me to the point of sticking my foot through my monitor and screaming multi-syllabic expletives at it while throwing desk objects across the room. But I’m too poor to buy more monitors and I don’t feel like painting the walls again.
Example 1 – The PowerShell Wrench
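```powershell
# The AD: drive used below is provided by the ActiveDirectory module
Import-Module ActiveDirectory

$Container = "ad:CN=System Management,CN=System,DC=contoso,DC=com"
$oACL = Get-Acl $Container
# Trustee: the P01 computer account, identified by SID
$SID = (Get-ADComputer "P01").SID
# Arguments: identity, rights, access type, inheritance (this object and all descendants)
$oACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow", "All"
$oACL.AddAccessRule($oACE)
Set-Acl -AclObject $oACL $Container
```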
Example 2 – The “Old” Hammer
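```powershell
$Container = "CN=System Management,CN=System,DC=contoso,DC=com"
# Builds: "<container DN>" /I:T /G "CONTOSO\P01$:GA"
# /I:T = this object and sub-objects, /G = grant, GA = generic all
$x = "`"$Container`"" + " /I:T /G " + "`"CONTOSO\P01`$"+":GA`""
Start-Process dsacls.exe -ArgumentList $x -Wait
```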
I’ve tried about six variations on Example 1, using various overloaded options for the AddAccessRule() method, and the ActiveDirectoryAccessRule property. This includes TechNet script goodies, blog articles, and so on. Obviously, this example is focused on the familiar System Center Configuration Manager AD container “System Management”, and delegating permissions on that container to the appropriate site server(s).
It’s made me doubt the validity of trying to remain sober in a world gone crazy. First off, all the folks who used to crack jokes about how verbose COBOL was can suck it. PowerShell and C++ have long surpassed COBOL’s infamous wordiness. For example: “Add-ADDomainControllerPasswordReplicationPolicy”. Really?
I’m NOT picking on PowerShell. I’ve seen this exact same issue with everything from KiXtart to Batch to Perl to VBScript. Coders rush in to make a tool, without stopping to check if there’s a tool sitting on the bench right next to them which is PERFECT for the job.
Also, if you know of a more concise, less convoluted way to delegate the container permissions from within PowerShell (or command line), let me know? I could very well be using the wrong wrong wrench, rather than the wrong wrench. 🙂
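Whichever tool does the granting, it is worth reading the ACL back afterwards. The following is an added example, not code from the original post: it checks that the explicit full-control ACE for the site server exists on the container and lists any other trustees holding explicit full control there. It assumes the RSAT ActiveDirectory module is installed; the function name `Test-ContainerDelegation` is hypothetical.

```powershell
# Added example: verify the delegation made by Example 1 or Example 2.
# Assumes the RSAT ActiveDirectory module; Test-ContainerDelegation is a hypothetical name.
Import-Module ActiveDirectory

function Test-ContainerDelegation {
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $sid = (Get-ADComputer $ComputerName).SID
    $acl = Get-Acl -Path "AD:$ContainerDN"

    # Explicit ACEs only (no inherited ones), with identities returned as SIDs
    # so the comparison does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    # Keep only Allow ACEs whose rights include every bit of GenericAll.
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights.HasFlag($genericAll)
    })

    $mine   = @($fullControl | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    $others = @($fullControl | Where-Object { $_.IdentityReference.Value -ne $sid.Value })

    [pscustomobject]@{
        Container        = $ContainerDN
        Trustee          = $ComputerName
        TrusteeSid       = $sid.Value
        # True only if the ACE exists AND applies to the container and all descendants
        Delegated        = [bool]($mine | Where-Object { $_.InheritanceType -eq 'All' })
        InheritanceTypes = @($mine | ForEach-Object { $_.InheritanceType.ToString() })
        # Other SIDs with explicit full control on the same container, for review
        OtherFullControl = @($others | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
}

# Container DN and computer name are the ones used in the examples above.
Test-ContainerDelegation -ContainerDN "CN=System Management,CN=System,DC=contoso,DC=com" -ComputerName "P01"
```

A `Delegated` value of `False` with a non-empty `InheritanceTypes` means the ACE was written but does not flow to child objects.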