andreaskrovel
Copper Contributor
Sep 29, 2022

Restore defaults ACL permissions using PowerShell


I'm doing an Active Directory Domain Services (ADDS) cleanup where I try to correct the ACL of every Computer/Group/User. I'm using the following script to correct the owner of each object.

I would also like to correct the explicit permissions set on each object by resetting the permissions to default (equivalent to hitting the Restore defaults button). How can I do that?


# Requires the RSAT ActiveDirectory module (auto-loaded on current systems, imported explicitly here).
Import-Module ActiveDirectory

$ADDomainDistName = (Get-ADDomain).DistinguishedName
$ADDomainName = (Get-ADDomain).Name
$ADForestName = (Get-ADDomain).Forest

# The owner every object should end up with.
$SecurityPrincipalDomainAdmins = New-Object System.Security.Principal.NTAccount("$ADForestName", "Domain Admins")

function ADUsers () {
    # Adjust the SearchBase to the OU being cleaned up.
    $ADUsers = Get-ADUser -Filter * -Properties CanonicalName -SearchBase "OU=OU,$ADDomainDistName" | Sort-Object CanonicalName

    foreach ($ADUser in $ADUsers) {
        $ACL = Get-Acl -Path ("AD:" + $ADUser.DistinguishedName)
        Write-Host $ADUser.Name -NoNewline

        if ($ACL.Owner -eq "$ADDomainName\Domain Admins") {
            # Already owned by Domain Admins: nothing to do.
            Write-Host ' OK' -ForegroundColor Green
        } elseif ($ACL.Owner -match "$ADDomainName") {
            # Owned by another principal from this domain: reassign, prompting per object.
            Write-Host '' $ACL.Owner -ForegroundColor Yellow
            $ACL.SetOwner($SecurityPrincipalDomainAdmins)
            Set-Acl -Path ("AD:" + $ADUser.DistinguishedName) -AclObject $ACL -Confirm
        } else {
            # Owner is not a principal from this domain: reassign, prompting per object.
            Write-Host '' ($ACL.Owner).Substring(2) -ForegroundColor Red
            $ACL.SetOwner($SecurityPrincipalDomainAdmins)
            Set-Acl -Path ("AD:" + $ADUser.DistinguishedName) -AclObject $ACL -Confirm
        }
    }
}

# Run the check (and, with confirmation, the fix) over the selected OU.
ADUsers


1 Reply

  • LainRobertson
    Silver Contributor

    andreaskrovel

    Hi, Andreas.

    Speaking to your question around "reset to default permissions", you need to obtain the default DACL from the Active Directory schema for the specific object class you're interested in. So, if you want to reset the permissions for users, groups and computers, you'd need to fetch three DACLs: one for each object class type.


    I'm not going to write a full script, but here's an example of how you can retrieve the DACL and convert it from the native SDDL format into something usable by your script.


    Basic steps for retrieving and converting the default DACL for the "user" object class

    # RootDSE gives us the schema naming context without hard-coding the domain.
    $RootDSE = [adsi]"LDAP://RootDSE";
    # An empty descriptor that will be populated from the SDDL string.
    $Descriptor = [System.DirectoryServices.ActiveDirectorySecurity]::new();
    # Fetch the classSchema object for "user" and read its defaultSecurityDescriptor (stored as SDDL).
    $SddlString = (Get-ADObject -Filter { (lDAPDisplayName -eq "user") } -SearchBase ($RootDSE.schemaNamingContext[0]) -Properties defaultSecurityDescriptor).defaultSecurityDescriptor;
    # Parse the SDDL; the ACEs are then available as ActiveDirectoryAccessRule objects via $Descriptor.Access.
    $Descriptor.SetSecurityDescriptorSddlForm($SddlString);


    Sample output

    Here, we can see that in my environment, there are 24 default ACEs in the DACL (accessed via the "Access" property), with a few examples of ACEs below that.


    Cheers,

    Lain
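Picking up where Lain's snippet stops, the following is an added example (my own code, not from either post in this thread) that turns the retrieved schema default into the two operations the original question needs: an audit that reports how an object's explicit ACEs differ from the class default, and a restore that replaces them, which is what the "Restore defaults" button does. It goes a little beyond the reply by handling the user, group and computer classes. It assumes the RSAT ActiveDirectory module and an account allowed to write nTSecurityDescriptor on the target; the function names Get-SchemaDefaultAcl, ConvertTo-AceKey, Compare-ExplicitAcl and Restore-DefaultAcl are this example's own, not a Microsoft API, and the distinguished names in the usage lines are made up.

```powershell
# Added example, not code from either post in this thread. Assumes the RSAT
# ActiveDirectory module and rights to modify nTSecurityDescriptor on the target.
# Function names below are this example's own, not a Microsoft API.
Import-Module ActiveDirectory

function Get-SchemaDefaultAcl {
    param([Parameter(Mandatory)][ValidateSet('user', 'group', 'computer')][string]$ObjectClass)

    # The defaultSecurityDescriptor lives on the classSchema object, stored as SDDL.
    $schemaNc = ([adsi]"LDAP://RootDSE").schemaNamingContext[0]
    $sddl = (Get-ADObject -Filter "lDAPDisplayName -eq '$ObjectClass'" -SearchBase $schemaNc `
                 -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
    if (-not $sddl) { throw "No defaultSecurityDescriptor for class '$ObjectClass'" }

    # Parse the SDDL so the ACEs become ActiveDirectoryAccessRule objects.
    $descriptor = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    $descriptor.SetSecurityDescriptorSddlForm($sddl)
    return $descriptor
}

# A stable string key for one ACE, so two rule collections can be compared.
function ConvertTo-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Rule.IdentityReference, $Rule.AccessControlType,
        $Rule.ActiveDirectoryRights, $Rule.ObjectType, $Rule.InheritedObjectType, $Rule.InheritanceType
}

function Compare-ExplicitAcl {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$ObjectClass)

    $current = Get-Acl -Path "AD:$DistinguishedName"
    $default = Get-SchemaDefaultAcl -ObjectClass $ObjectClass

    # Only explicit ACEs are compared; inherited ones come from the parent OU, not the schema.
    $currentKeys = @($current.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { ConvertTo-AceKey $_ })
    $defaultKeys = @($default.Access | ForEach-Object { ConvertTo-AceKey $_ })

    [pscustomobject]@{
        DistinguishedName  = $DistinguishedName
        Extra              = @($currentKeys | Where-Object { $defaultKeys -notcontains $_ })  # on the object, not in the default
        Missing            = @($defaultKeys | Where-Object { $currentKeys -notcontains $_ })  # in the default, absent on the object
        InheritanceBlocked = $current.AreAccessRulesProtected
    }
}

function Restore-DefaultAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$ObjectClass)

    $path = "AD:$DistinguishedName"
    $acl = Get-Acl -Path $path
    $default = Get-SchemaDefaultAcl -ObjectClass $ObjectClass

    # Drop every explicit ACE, then add the schema defaults. Inherited ACEs are left alone.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicit) { $acl.RemoveAccessRuleSpecific($ace) }
    foreach ($ace in $default.Access) { $acl.AddAccessRule($ace) }

    # "Restore defaults" also re-enables inheritance from the parent container.
    $acl.SetAccessRuleProtection($false, $true)

    if ($PSCmdlet.ShouldProcess($DistinguishedName,
            "Replace $($explicit.Count) explicit ACEs with $($default.Access.Count) schema defaults")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage (constructed DNs): audit first, then dry-run the restore with -WhatIf before applying it.
# Compare-ExplicitAcl -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=example,DC=com' -ObjectClass user
# Restore-DefaultAcl  -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=example,DC=com' -ObjectClass user -WhatIf
```

Two things are worth checking before running the restore across an OU. First, anything listed under Extra by Compare-ExplicitAcl is a permission somebody granted directly on that object rather than on its OU (a helpdesk delegation, for instance), and the restore removes it; review that list rather than assuming every extra ACE is a mistake. Second, objects with adminCount set to 1 get their explicit ACEs re-stamped from AdminSDHolder by the SDProp process, so a restore on those accounts is undone within the hour; fix the AdminSDHolder object itself, or clear adminCount where the account is no longer protected, instead.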
