Forum Discussion
andreaskrovel
Sep 29, 2022, Copper Contributor
Restore defaults ACL permissions using PowerShell
I'm doing an Active Directory Domain Services (ADDS) cleanup where I try to correct the ACL of every Computer/Group/User. I'm using the following script below to correct the owner of each object. I...
LainRobertson
Sep 30, 2022, Silver Contributor
Hi, Andreas.
Speaking to your question around "reset to default permissions", you need to obtain the default DACL from the Active Directory schema for the specific object class you're interested in. So, if you want to reset the permissions for users, groups and computers, you'd need to fetch three DACLs: one for each object class type.
I'm not going to write a full script but here's an example on how you can retrieve the DACL and convert it from the native SDDL format into something usable by your script.
Basic steps for retrieving and converting the default DACL for the "user" object class
# Bind to RootDSE to find the schema naming context of the current forest
$RootDSE = [adsi]"LDAP://RootDSE";
# Empty security descriptor that the SDDL string will be parsed into
$Descriptor = [System.DirectoryServices.ActiveDirectorySecurity]::new();
# Read the defaultSecurityDescriptor (SDDL) from the "user" classSchema object
$SddlString = (Get-ADObject -Filter { (lDAPDisplayName -eq "user") } -SearchBase ($RootDSE.schemaNamingContext[0]) -Properties defaultSecurityDescriptor).defaultSecurityDescriptor;
# Convert SDDL into an ActiveDirectorySecurity object; the ACEs are then available via $Descriptor.Access
$Descriptor.SetSecurityDescriptorSddlForm($SddlString);
Sample output
Here, we can see that in my environment, there are 24 default ACEs in the DACL (accessed via the "Access" property), with a few examples of ACEs below that.
Cheers,
Lain
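The steps Lain outlines, carried through to a function that restores an object's explicit DACL and owner from the schema default for its class; this is an added example, not the OP's script or Lain's code. It assumes the ActiveDirectory module (which provides the AD: drive), a directory that resolves the domain-relative SDDL aliases such as DA, and rights to write the target's security descriptor; the DN in the usage line is constructed.

```powershell
# Added example (not the OP's script or Lain's code). Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$RootDSE  = [adsi]"LDAP://RootDSE"
$SchemaNC = $RootDSE.schemaNamingContext[0]

# Fetch the schema defaultSecurityDescriptor for one class and parse its SDDL.
function Get-DefaultDescriptor {
    param([Parameter(Mandatory)][string]$ClassName)   # e.g. user, group or computer
    $SchemaObj = Get-ADObject -Filter "lDAPDisplayName -eq '$ClassName'" -SearchBase $SchemaNC -Properties defaultSecurityDescriptor
    if (-not $SchemaObj) { throw "No schema class named '$ClassName'" }
    $Descriptor = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    $Descriptor.SetSecurityDescriptorSddlForm($SchemaObj.defaultSecurityDescriptor)
    return $Descriptor
}

# Replace an object's explicit ACEs and owner with the schema defaults for its class.
# Inherited ACEs are left alone: they come from the parent OU, not from the schema.
function Restore-DefaultDacl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $Target = Get-ADObject -Identity $DistinguishedName -Properties objectClass, adminCount
    if ($Target.adminCount -eq 1) {
        # SDProp re-stamps these objects from AdminSDHolder, so the schema default is not their "default"
        Write-Warning "$DistinguishedName is protected by AdminSDHolder; SDProp will overwrite this change."
    }
    $Default = Get-DefaultDescriptor -ClassName $Target.ObjectClass
    $Acl     = Get-Acl -Path "AD:\$DistinguishedName"

    $Explicit = @($Acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($Ace in $Explicit)       { $Acl.RemoveAccessRuleSpecific($Ace) }   # drop current explicit ACEs
    foreach ($Ace in $Default.Access) { $Acl.AddAccessRule($Ace) }              # add the schema defaults
    $Acl.SetOwner($Default.GetOwner([System.Security.Principal.SecurityIdentifier]))
    $Acl.SetAccessRuleProtection($false, $true)   # ensure inheritance from the parent container is enabled

    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Restore schema default DACL for class '$($Target.ObjectClass)'")) {
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $Acl
    }
    [pscustomobject]@{ Object = $DistinguishedName; RemovedExplicit = $Explicit.Count; AppliedDefault = $Default.Access.Count }
}

# Usage (constructed DN); -WhatIf reports what would change without writing it:
# Restore-DefaultDacl -DistinguishedName 'CN=jdoe,OU=Staff,DC=example,DC=com' -WhatIf
```

Because the function only touches explicit ACEs and re-enables inheritance, the resulting effective permissions are the schema default plus whatever the parent OU inherits down, which is the state a freshly created object of that class would have.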