WriteDACL
WriteDACL allows us to write any ACL we want over the object. We can, for example, write all properties, granting us GenericAll. I haven't tested this one, so please correct me if I'm wrong. I also haven't figured out how to set it through ADSI Edit, but it should work through PowerShell.
```powershell
Import-Module ActiveDirectory   # provides the AD cmdlets and the AD: drive

# Principal that receives the right, and the object it is granted on
$MyAdmin = (Get-ADGroup "Infrastructure Managers").SID
$MyUser = Get-ADUser target
$MyDistinguishedName = $MyUser.DistinguishedName
$MyDistinguishedNameAD = "AD:$MyDistinguishedName"

# Read the current ACL, build the new ACE and append it
$MyACL = Get-Acl $MyDistinguishedNameAD
$MyADRights = [System.DirectoryServices.ActiveDirectoryRights] "WriteDACL" # change to the preferred ACE
$MyType = [System.Security.AccessControl.AccessControlType] "Allow"
$MyInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$MyACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $MyAdmin,$MyADRights,$MyType,$MyInheritanceType
$MyACL.AddAccessRule($MyACE)

# Write the modified ACL back to the object
Set-Acl -AclObject $MyACL -Path $MyDistinguishedNameAD
```
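```powershell
# -band also matches ACEs where WriteDacl is combined with other rights (for example GenericAll)
(Get-Acl "AD:$((Get-ADUser -Identity 'target').DistinguishedName)").Access |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```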
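To audit for the kind of grant configured above, the following added example (not the author's code) sweeps every object under a search base and reports Allow ACEs that carry the WriteDacl bit for principals outside an expected list. The function name `Find-WriteDaclAce`, the `$ExpectedPattern` allow-list and the `OU=Staff,DC=example,DC=local` search base are assumptions to adapt to your domain.

```powershell
# Added example: defensive audit sketch, not part of the original page.
Import-Module ActiveDirectory   # provides Get-ADObject and the AD: drive

function Find-WriteDaclAce {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # Assumption: principals expected to control DACLs; tune this per domain.
        [string] $ExpectedPattern = '\\(Domain Admins|Enterprise Admins|Administrators)$|^NT AUTHORITY\\SYSTEM$'
    )

    # WriteDacl is a single bit; GenericAll and other combined masks include it.
    $writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($ace in (Get-Acl -Path "AD:$dn").Access) {
            $grantsWriteDacl = ([int]$ace.ActiveDirectoryRights -band $writeDacl) -ne 0
            $unexpected      = "$($ace.IdentityReference)" -notmatch $ExpectedPattern

            if ($ace.AccessControlType -eq 'Allow' -and $grantsWriteDacl -and $unexpected) {
                [pscustomobject]@{
                    Object      = $dn
                    Principal   = "$($ace.IdentityReference)"
                    Rights      = $ace.ActiveDirectoryRights
                    IsInherited = $ace.IsInherited   # inherited ACEs point to a parent container to fix
                }
            }
        }
    }
}

# Placeholder search base (constructed); replace with a real OU or the domain root.
Find-WriteDaclAce -SearchBase 'OU=Staff,DC=example,DC=local' |
    Sort-Object Principal, Object |
    Format-Table -AutoSize
```

After the setup on this page, the sweep should list the "Infrastructure Managers" group against the `target` user, provided that user sits under the chosen search base.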
Written by ruycr4ft