Active Directory Management Framework

Configuration driven Active Directory management.

AccessRule Processing Mode


When processing AccessRules, by default all undesired rules on a configured object will be removed. This is great for objects fully under your control. But what about scenarios where you just want to enable another process to self-manage an environment? At that point, where other servies may interfere with your deployed configuration, you may want to instead define your settings as a minimum while disregarding/ignoring other rules defined.

This is what the AccessRule Processing Mode controls.

With that you can define which objects to fully control and where to just add to. You can target by:


With the various targeting modes, several rules may apply to the same AD object. When that happens, the settings are applied in the following, descending precedence:

This allows to define multiple SubTree tiers, where only the most specific one will apply to a given object.

Overriding settings

Each Processing Mode can be overridden by a different Context. A Processing Mode is identified by: PathMode & Path or ObjectCategory.

This means an Explicit Path rule can only be overriden by a matching Explicit Path rule (which may have a different Processing Mode).

Example Configurations

Configuration entries can be defined by adding them to the domain/accessrulemodes folder as json files. The specific filename is not important and any number of configuration files can be defined.

Explicit Path Rule

	"Path":  "CN=MyGroup3,OU=Groups,OU=DomainContent,%DomainDN%",
	"Mode":  "Additive"

SubTree Path Rule

	"Path":  "OU=Groups,OU=DomainContent,%DomainDN%",
	"PathMode":  "SubTree",
	"Mode":  "Additive"

ObjectCategory Rule

	"ObjectCategory":  "DomainControllers",
	"Mode":  "Constrained"



Supports string replacement

The path in Active Directory to the targeted item. Whether this is an Explicit or SubTree Path-rule is determined by the PathMode rule.


Optional: true Options: SingleItem, SubTree Default: SingleItem

Determines whether a Path-rule is either Explicit or SubTree:


Instead of targeting by path, target a specific ObjectCategory.


Options: ‘Constrained’, ‘Additive’, ‘Defined’

The AccessRule Processing Mode to apply: