Configuration driven Active Directory management.
Registers a new access rule as a desired state.
Register-DMAccessRule -Path <String> -Identity <String> -ActiveDirectoryRights <String>
[-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
[-ObjectType <String>] [-InheritedObjectType <String>] [-Optional <Boolean>] [<CommonParameters>]
Register-DMAccessRule -ObjectCategory <String> -Identity <String> -ActiveDirectoryRights <String>
[-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
[-ObjectType <String>] [-InheritedObjectType <String>] [-Optional <Boolean>] [<CommonParameters>]
Registers a new access rule as a desired state. These are then compared with a domain’s configuration when executing Test-DMAccessRule. See that command for more details on this procedure.
Register-DMAccessRule -ObjectCategory DomainControllers -Identity '%DomainName%\Domain Admins' -ActiveDirectoryRights GenericAll
Grants the domain admins of the target domain FullControl over all domain controllers, without any inheritance.
The path to the AD object to govern. This should be a distinguishedname. This path uses name resolution. For example %DomainDN% will be replaced with the DN of the target domain itself (and should probably be part of everyy single path).
Type: String
Parameter Sets: Path
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Instead of a path, define a category to apply the rule to. Categories are defined using Register-DMObjectCategory. This allows you to apply rules to a category of objects, rather than a specific path. With this you could apply a rule to all domain controller objects, for example.
Type: String
Parameter Sets: Category
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The identity to apply the rule to. Use the string ‘<Parent>’ to apply the rule to the parent object of the object affected by this rule.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The actual rights to grant. This is a [string] type to allow some invalid values that happen in the field and are still applied by AD.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Whether this is an Allow or Deny rule.
Type: AccessControlType
Parameter Sets: (All)
Aliases:
Accepted values: Allow, Deny
Required: False
Position: Named
Default value: Allow
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
How the Access Rule is being inherited.
Type: ActiveDirectorySecurityInheritance
Parameter Sets: (All)
Aliases:
Accepted values: None, All, Descendents, SelfAndChildren, Children
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Name or Guid of property or right affected by this rule. Access Rules are governed by ObjectType and InheritedObjectType to affect what objects to affect (e.g. Computer, User, …), what properties to affect (e.g.: User-Account-Control) or what extended rights to grant. Which in what combination applies depends on the ActiveDirectoryRights set.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: <All>
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
Name or Guid of property or right affected by this rule. Access Rules are governed by ObjectType and InheritedObjectType to affect what objects to affect (e.g. Computer, User, …), what properties to affect (e.g.: User-Account-Control) or what extended rights to grant. Which in what combination applies depends on the ActiveDirectoryRights set.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: <All>
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
The path this access rule object is assigned to is optional and need not exist. This makes the rule apply only if the object exists, without triggering errors if it doesn’t. It will also ignore access errors on the object. Note: Only if all access rules assigned to an object are set to $true, will the object be considered optional.
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.