Active Directory Management Framework

Configuration driven Active Directory management.

Register-FMAccessRule

SYNOPSIS

Registers a new access rule as a desired state.

SYNTAX

Path (Default)

Register-FMAccessRule -Path <String> -Identity <String> -ActiveDirectoryRights <String>
 [-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
 [-ObjectType <String>] [-InheritedObjectType <String>] [-Optional <Boolean>] [-Present <TriBool>]
 [-NoFixConfig <Boolean>] [-ContextName <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

Category

Register-FMAccessRule -ObjectCategory <String> -Identity <String> -ActiveDirectoryRights <String>
 [-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
 [-ObjectType <String>] [-InheritedObjectType <String>] [-Optional <Boolean>] [-Present <TriBool>]
 [-NoFixConfig <Boolean>] [-ContextName <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Registers a new access rule as a desired state. These are then compared with a domain’s configuration when executing Test-FMAccessRule. See that command for more details on this procedure.

EXAMPLES

EXAMPLE 1

Register-FMAccessRule -ObjectCategory DomainControllers -Identity '%DomainName%\Domain Admins' -ActiveDirectoryRights GenericAll

Grants the domain admins of the target domain FullControl over all domain controllers, without any inheritance.

PARAMETERS

-Path

The path to the AD object to govern. This should be a distinguished name. This path uses name resolution. For example, %DomainDN% will be replaced with the DN of the target domain itself (and should probably be part of every single path).

Type: String
Parameter Sets: Path
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ObjectCategory

Instead of a path, define a category to apply the rule to. Categories are defined using Register-AdcObjectCategory. This allows you to apply rules to a category of objects, rather than a specific path. With this you could apply a rule to all domain controller objects, for example.

Type: String
Parameter Sets: Category
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Identity

The identity to apply the rule to.

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ActiveDirectoryRights

The actual rights to grant. This is a [string] rather than the ActiveDirectoryRights enum, so that some technically invalid values that occur in the field, and that AD still applies, can be expressed.

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AccessControlType

Whether this is an Allow or Deny rule.

Type: AccessControlType
Parameter Sets: (All)
Aliases:
Accepted values: Allow, Deny

Required: False
Position: Named
Default value: Allow
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-InheritanceType

How the Access Rule is being inherited.

None: Indicates no inheritance. The ACE information is only used on the object on which the ACE is set. ACE information is not inherited by any descendents of the object.
All: Indicates inheritance that includes the object to which the ACE is applied, the object’s immediate children, and the descendents of the object’s children.
Descendents: Indicates inheritance that includes the object’s immediate children and the descendants of the object’s children, but not the object itself.
SelfAndChildren: Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children.
Children: Indicates inheritance that includes the object’s immediate children only, not the object itself or the descendents of its children.

Type: ActiveDirectorySecurityInheritance
Parameter Sets: (All)
Aliases:
Accepted values: None, All, Descendents, SelfAndChildren, Children

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ObjectType

Name or Guid of the property or right affected by this rule. Access Rules are scoped by ObjectType and InheritedObjectType, which determine what object classes the rule affects (e.g. Computer, User, …), what properties it affects (e.g. User-Account-Control) or what extended rights it grants. Which of these applies, and in what combination, depends on the ActiveDirectoryRights set.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: <All>
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-InheritedObjectType

Name or Guid of the object class, property or right affected by this rule. Access Rules are scoped by ObjectType and InheritedObjectType, which determine what object classes the rule affects (e.g. Computer, User, …), what properties it affects (e.g. User-Account-Control) or what extended rights it grants. Which of these applies, and in what combination, depends on the ActiveDirectoryRights set.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: <All>
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Optional

The path this access rule object is assigned to is optional and need not exist. This makes the rule apply only if the object exists, without triggering errors if it doesn’t. It will also ignore access errors on the object. Note: The object is only considered optional if all access rules assigned to it have Optional set to $true.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Present

Whether the access rule should exist or not. By default, it should. Set this to $false in order to explicitly delete an existing access rule. Set this to ‘Undefined’ to neither create nor delete it, in which case it will simply be accepted if it exists.

Type: TriBool
Parameter Sets: (All)
Aliases:
Accepted values: False, True, Undefined

Required: False
Position: Named
Default value: True
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
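The following script is an added example and is not part of the ForestManagement/ADMF documentation. It shows how the Path, ObjectCategory, ObjectType/InheritedObjectType, Optional and Present parameters described above combine into one desired-state configuration, and then compares that configuration against a domain with Test-FMAccessRule. It assumes the module providing Register-FMAccessRule is loaded and a target domain connection is already established; the OUs 'OU=Tier0,%DomainDN%' and 'OU=Staging,%DomainDN%' and the groups 'Tier0-ACL-Admins' and 'Legacy-Helpdesk' are constructed sample values.

```powershell
# Added example (not the project's own code). Assumed: Register-FMAccessRule and
# Test-FMAccessRule are available and a domain connection exists.
# 'OU=Tier0,%DomainDN%', 'OU=Staging,%DomainDN%', 'Tier0-ACL-Admins' and
# 'Legacy-Helpdesk' are constructed sample values.

# 1. Path-based rule. %DomainDN% and %DomainName% are resolved against the target
#    domain at test time, so one configuration can be applied to several domains.
Register-FMAccessRule -Path 'OU=Tier0,%DomainDN%' `
    -Identity '%DomainName%\Tier0-ACL-Admins' `
    -ActiveDirectoryRights 'GenericAll' `
    -InheritanceType All

# 2. Category-based rule, mirroring EXAMPLE 1: applies to every object the
#    'DomainControllers' category (defined via Register-AdcObjectCategory) resolves to.
Register-FMAccessRule -ObjectCategory DomainControllers `
    -Identity '%DomainName%\Domain Admins' `
    -ActiveDirectoryRights 'GenericAll'

# 3. Property-scoped rule: ObjectType narrows WriteProperty to a single attribute
#    (User-Account-Control); InheritedObjectType limits it to Computer objects below the OU.
Register-FMAccessRule -Path 'OU=Tier0,%DomainDN%' `
    -Identity '%DomainName%\Tier0-ACL-Admins' `
    -ActiveDirectoryRights 'WriteProperty' `
    -ObjectType 'User-Account-Control' `
    -InheritedObjectType 'Computer' `
    -InheritanceType Descendents

# 4. Optional rule: the Staging OU does not exist in every domain this configuration
#    is tested against. Since it is the only rule on that path, the object counts as
#    optional and a missing OU produces no error.
Register-FMAccessRule -Path 'OU=Staging,%DomainDN%' `
    -Identity '%DomainName%\Tier0-ACL-Admins' `
    -ActiveDirectoryRights 'GenericAll' `
    -Optional $true

# 5. Explicit removal: -Present $false means "this ACE must not exist", so a
#    leftover grant to a retired helpdesk group is reported for deletion.
Register-FMAccessRule -Path 'OU=Tier0,%DomainDN%' `
    -Identity '%DomainName%\Legacy-Helpdesk' `
    -ActiveDirectoryRights 'GenericAll' `
    -Present $false

# Compare the registered desired state with the live domain. Test-FMAccessRule
# only reports deviations; it does not change anything.
$findings = Test-FMAccessRule
$findings | Format-Table
```

Rules 1 and 5 share a path and an identity but differ in Present, which is how a configuration both grants the intended access and documents the access that must be gone; running only the Test step first gives a reviewable list of deviations before any change is applied.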

-NoFixConfig

By default, Test-FMAccessRule will generate a “FixConfig” result for access rules that have been explicitly defined but are also part of the Schema Default permissions. If this setting is enabled, this result object is suppressed.

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ContextName

The name of the context defining the setting. This allows determining the configuration set that provided this setting. Used by the ADMF, available to any other configuration management solution.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: <Undefined>
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES