Every now and then I run across something that feels like I’m the only human on Earth who has to run across it.  I Google and Google and Bing and Bing and the answers just seem to miss the mark for what I’m trying to accomplish.

Case in point:  Setting permissions on a container object in Active Directory.  The f-ing “ActiveDirectoryAccessRule” class and its overloads have pushed me to the point of sticking my foot through my monitor and screaming multi-syllabic expletives at it while throwing desk objects across the room.  But I’m too poor to buy more monitors and I don’t feel like painting the walls again.

Example 1 – The PowerShell Wrench

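Import-Module ActiveDirectory   # provides the AD: drive and Get-ADComputer
$Container = "ad:CN=System Management,CN=System,DC=contoso,DC=com"
$oACL = Get-Acl $Container
$SID = (Get-ADComputer "P01").SID
# Full control (GenericAll) for the site server, inherited by all child objects
$oACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow", "All"
$oACL.AddAccessRule($oACE)   # the rule has to be added to the ACL before the ACL is written back
Set-Acl -AclObject $oACL $Container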

Example 2 – The “Old” Hammer

$Container = "CN=System Management,CN=System,DC=contoso,DC=com"
# dsacls: /I:T applies the ACE to this object and its sub-objects; GA = generic all (full control)
$x = "`"$Container`"" + " /I:T /G " + "`"CONTOSO\P01`$"+":GA`""
Start-Process dsacls.exe -ArgumentList $x -Wait

I’ve tried about six variations on Example 1, using various overloaded options for the AddAccessRule() method, and the ActiveDirectoryAccessRule property.  This includes TechNet script goodies, blog articles, and so on.  Obviously, this example is focused on the familiar System Center Configuration Manager AD container “System Management”, and delegating permissions on that container to the appropriate site server(s).

It’s made me doubt the validity of trying to remain sober in a world gone crazy.  First off, all the folks who used to crack jokes about how verbose COBOL was, can suck it.  PowerShell and C++ have long surpassed COBOL’s infamous wordiness.  For example:  “Add-ADDomainControllerPasswordReplicationPolicy”.  Really?


I’m NOT picking on PowerShell.  I’ve seen this exact same issue with everything from KiXtart to Batch to Perl to VBScript.  Coders rush in to make a tool, without stopping to check if there’s a tool sitting on the bench right next to them which is PERFECT for the job.

Also, if you know of a more concise, less convoluted way to delegate the container permissions from within PowerShell (or command line), let me know?  I could very well be using the wrong wrong wrench, rather than the wrong wrench. 🙂
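
As an added example (not the author's code): the steps of Example 1 wrapped in a reusable function that skips the write when an identical explicit ACE is already present, supports -WhatIf, and re-reads the ACL afterwards. The name Grant-ContainerFullControl and its parameters are hypothetical; it assumes the ActiveDirectory module is installed.

```powershell
# Added example; function and parameter names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory   # provides the AD: drive and Get-ADComputer

function Grant-ContainerFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ContainerDN,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $path = "AD:\$ContainerDN"
    $sid  = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).SID
    $acl  = Get-Acl -Path $path -ErrorAction Stop

    # Explicit (non-inherited) ACEs only, with identities returned as SIDs.
    $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.InheritanceType -eq 'All'
    }
    if ($existing) {
        Write-Verbose "$ComputerName already has GenericAll on $ContainerDN"
        return $existing
    }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($ace)

    if ($PSCmdlet.ShouldProcess($ContainerDN, "Grant GenericAll to $ComputerName")) {
        Set-Acl -Path $path -AclObject $acl -ErrorAction Stop
    }
    # Re-read so the caller sees what is actually stored (unchanged under -WhatIf).
    (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

# Usage, with the container and computer name from the post:
# Grant-ContainerFullControl -ContainerDN "CN=System Management,CN=System,DC=contoso,DC=com" -ComputerName "P01" -WhatIf
```

Running it with -WhatIf first shows the intended change without writing to the directory; the returned rules make it easy to review which explicit ACEs the computer account holds on the container.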



One thought on “PowerShell and Sticks and Mud”

  1. Unfortunately, managing any sort of permissions in the world of Windows is downright ugly. PowerShell doesn’t make it any easier than VBScript, or maybe a little easier. It is a multi-step process and what you are going through looks like the right way. You could combine a few commands but that wouldn’t necessarily make it any less complicated.

    The only way you could make this better would be to create your own tooling around the process, although the function would be just as gnarly. But then when you wanted to use it in a script, that code could be easier. If you can get your hands on the old Quest AD cmdlets I seem to recall that they had cmdlets specific to working with permissions.

    And yes, some cmdlet names are long. I think some in SharePoint are even worse. But that’s why we have aliases and tab completion.
