Active Directory Management Framework

Configuration driven Active Directory management.

Access Control Lists


Access Control Lists allow you to define owner and inheritance on any object desired. While this resource is managed by the DomainManagement module, it is possible to also define rules that apply to the configuration Naming Context.

Note that a warning is shown on objects under management that do not have an ACL definition.

Example Configuration

A reasonably simple configuration entry:

    {
        "Path":  "OU=Tiering,%DomainDN%",
        "Owner":  "Administrators",
        "NoInheritance":  true,
        "Optional":  true
    }

This rule will verify, and if necessary set, Administrators as owner and disable inheritance on the custom Tiering organizational unit.


    # Read the ACL of every object under the search base and emit one
    # definition per object, with the domain parts replaced by placeholders
    Get-ADObject -SearchBase 'OU=Contoso,DC=contoso,DC=com' -Filter * |
        Get-AdsAcl |
            ForEach-Object {
                [PSCustomObject]@{
                    Owner = $_.Owner -as [String] -replace '^.+\\','%DomainName%\'
                    Path  = $_.DistinguishedName -replace 'DC=.+$','%DomainDN%'
                }
            } | ConvertTo-Json

This will return the ACL definitions of every object under a specific

Path

This parameter uses name resolution.

The distinguished name of the object on which the access rules are applied.

Owner

This parameter uses name resolution.

The owner of the AD object. Subject to string insertion (for example %DomainName%). Used to verify, and if necessary set, the correct owner of the AD object.

NoInheritance

Optional: Yes Default: false

Whether inheritance should be disabled on the AD object, e.g. for objects that carry special permissions.

Optional

Optional: Yes Default: false

A boolean value, accepting either true or false (note: no quotes in JSON!). By default, the DomainManagement module will complain about an object not existing when defining an ACL for an object that … well, doesn’t exist. Setting Optional to true will make it ignore the missing object instead.