2
votes

I need to create some new Access Control Entries (ACEs) to be delegated to specific Active Directory OUs using PowerShell.

These rules need to grant/deny access of specific Attributes to the "NT AUTHORITY\SELF" user account on the "Computer" object.

I am creating the ACE using the System.DirectoryServices.ActiveDirectoryAccessRule .NET class. The constructor that I require to create this object needs the GUID of both the desired Attribute and Class.

I am able to create this rule just fine right now using the below PowerShell code that I wrote:

# The AD: drive used below is provided by the RSAT ActiveDirectory module
Import-Module ActiveDirectory

# Get the security descriptor for the desired OU
$ouPath = "AD:\OU=TestOU,DC=example,DC=com"
$acl = Get-Acl $ouPath

# Get the SID of the "NT AUTHORITY\SELF" user account
$account = [System.Security.Principal.NTAccount]::New("NT AUTHORITY", "SELF")
$accountSID = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Property values for ActiveDirectoryAccessRule
$identity = [System.Security.Principal.IdentityReference]$accountSID
$adRights = [System.DirectoryServices.ActiveDirectoryRights]("ReadProperty, WriteProperty")
$type = [System.Security.AccessControl.AccessControlType]("Allow")
# schemaIDGUID of the attribute the ACE applies to (Network-Address)
$objectType = [System.Guid]::New("bf9679d9-0de6-11d0-a285-00aa003049e2")
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]("Descendents")
# schemaIDGUID of the object class the ACE is inherited by (Computer)
$inheritedObjectType = [System.Guid]::New("bf967a86-0de6-11d0-a285-00aa003049e2")

# Create the new rule object
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($identity, $adRights, $type, $objectType, $inheritanceType, $inheritedObjectType)

# Add the rule to the ACL
$acl.AddAccessRule($ace)

# Change the security descriptor
Set-Acl -AclObject $acl $ouPath

The above code example allows read and write for the Network-Address attribute on the Computer class. The referenced GUIDs are as follows:

Network-Address: System-Id-Guid bf9679d9-0de6-11d0-a285-00aa003049e2

Computer: Schema-Id-Guid bf967a86-0de6-11d0-a285-00aa003049e2

The only problem I am having is that I have to manually look up the GUID for both the desired Attribute and Class.

So my question is:

Does anyone know of a way to look up these GUIDs using only the CN or Ldap-Display-Name?

Maybe this answer can help you out? Get Property guid - Theo

You could create a hashtable (lookup table) with either the CN or Ldap-Display-Name as key and the corresponding GUIDs as value. For the details this page might help. - Theo

Thanks Theo. The first link you provided was the answer. - jmjohnson85

1 Answer

1
votes

Link to the answer was provided by Theo.

Get Property guid

I'll copy/paste the answer from Mathias R. Jessen:

You can retrieve the GUID of an attribute from the Schema:

  1. Query the schemaNamingContext for an attributeSchema object
  2. Filter on ldapDisplayName, the attribute name shown by the GUI
  3. Grab the schemaIDGUID attribute value and use that in the ACE

I'll use the RSAT ActiveDirectory module for simplicity here, but you can do this with any LDAP client:

# Search the schema partition for the attributeSchema object whose
# ldapDisplayName matches the attribute name shown in the GUI
$attrSchemaParams = @{
    SearchBase = (Get-ADRootDSE).schemaNamingContext
    Filter = "ldapDisplayName -eq 'pwmEventLog' -and objectClass -eq 'attributeSchema'"
    Properties = 'schemaIDGUID'
}
$pwmEventLogSchema = Get-ADObject @attrSchemaParams

# schemaIDGUID comes back as a 16-byte array; convert it to a [guid] for the ACE
$pwmEventLogGUID = $pwmEventLogSchema.schemaIDGuid -as [guid]
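The following is an added example, not code from the question, from Theo or from Mathias R. Jessen's answer. It generalizes the lookup above into a reusable function that resolves either an attributeSchema or a classSchema object by lDAPDisplayName or CN, then uses it to build the same SELF-on-Computer ACE from the question without hard-coded GUIDs, and finally reads the ACL back to confirm the ACE landed. It assumes the RSAT ActiveDirectory module and an AD: drive; the OU path and the function names Get-SchemaGuid and New-SelfAttributeAce are placeholders chosen for this example.

```powershell
# Added example (not from the original question or answer): resolve schema GUIDs
# by lDAPDisplayName or CN and build the ACE from names instead of hard-coded GUIDs.
# Assumes the RSAT ActiveDirectory module; $ouPath is a placeholder OU.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    [CmdletBinding()]
    param(
        # lDAPDisplayName or CN, e.g. 'networkAddress' / 'Network-Address', 'computer' / 'Computer'
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('attributeSchema', 'classSchema')]
        [string] $ObjectClass = 'attributeSchema'
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Escape LDAP filter metacharacters (RFC 4515) so a caller-supplied name
    # cannot change the shape of the query. Backslash must be escaped first.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $ldapFilter = "(&(objectClass=$ObjectClass)(|(lDAPDisplayName=$escaped)(cn=$escaped)))"

    $obj = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $ldapFilter -Properties schemaIDGUID, lDAPDisplayName)
    if ($obj.Count -eq 0) { throw "No $ObjectClass named '$Name' found under $schemaNC" }
    if ($obj.Count -gt 1) { throw "Name '$Name' matched $($obj.Count) $ObjectClass objects; use the lDAPDisplayName" }

    # schemaIDGUID is stored as a 16-byte octet string in the same layout that
    # Guid.ToByteArray() produces, so the byte[] constructor yields the documented GUID.
    return [guid]::new([byte[]]$obj[0].schemaIDGUID)
}

function New-SelfAttributeAce {
    param(
        [Parameter(Mandatory)] [string] $AttributeName,
        [Parameter(Mandatory)] [string] $ClassName,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow'
    )
    # NT AUTHORITY\SELF is the well-known SID S-1-5-10; no NTAccount translation needed
    $self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')

    $attrGuid  = Get-SchemaGuid -Name $AttributeName -ObjectClass attributeSchema   # ObjectType
    $classGuid = Get-SchemaGuid -Name $ClassName     -ObjectClass classSchema       # InheritedObjectType

    return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self, $Rights, $Type, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
}

# Usage: the same delegation as in the question, resolved by name.
$ouPath = 'AD:\OU=TestOU,DC=example,DC=com'   # placeholder OU for this example
$ace = New-SelfAttributeAce -AttributeName 'networkAddress' -ClassName 'computer'

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# Verify by reading the ACL back: an ACE for SELF with exactly these
# ObjectType / InheritedObjectType GUIDs must now be present.
$sidType = [System.Security.Principal.SecurityIdentifier]
$applied = (Get-Acl -Path $ouPath).Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -eq 'S-1-5-10' -and
    $_.ObjectType -eq $ace.ObjectType -and
    $_.InheritedObjectType -eq $ace.InheritedObjectType -and
    $_.AccessControlType -eq $ace.AccessControlType
}
if (-not $applied) { throw "ACE for networkAddress on computer objects was not applied to $ouPath" }
$applied | Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Two caveats worth keeping in mind. Both lDAPDisplayName and CN are unique within the schema partition, so an exact-match filter is sufficient, but the function still rejects zero or multiple hits rather than silently taking the first. The schema only covers attributes and classes; property sets and extended rights such as "Reset Password" are controlAccessRight objects under the Configuration partition, identified by their rightsGuid attribute, and need a separate lookup if you delegate those.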