Tags: windows, powershell, active-directory

Get Property guid


This is the context: I'm trying to set a bunch of properties to the group "Authenticated Users". For that, I've written the following script:

# The AD: drive below is provided by the RSAT ActiveDirectory module
Import-Module ActiveDirectory

# GETTING AUTHENTICATED USERS SID
$sid1 = "S-1-5-11"
$objSID1 = New-Object System.Security.Principal.SecurityIdentifier($sid1)

# GETTING AUTHENTICATED ACL
$acl = Get-Acl -Path "AD:DC=*****,DC=*****"

# CREATING RULE ATTRIBUTES
# GUID of the property (attribute) the rule applies to; quoted so it is passed as a string
$objectGuid = New-Object Guid "5f332e20-9eaa-48e7-b8c4-f4431fef859a"
$identity = [System.Security.Principal.IdentityReference] $objSID1
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty,WriteProperty"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
# GUID of the object class the rule is inherited by
$inheritedobjectguid = New-Object Guid "bf967aba-0de6-11d0-a285-00aa003049e2"

# CREATING THE NEW RULE
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectGuid, $inheritanceType, $inheritedobjectguid

# SETTING THE NEW RULE
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path "AD:DC=*****,DC=*****"

And the final result should be this:

[Image: Part One]

[Image: Part Two]

One important thing is that what I'm trying to set, as can be seen in the second image, is a property and not a permission. And that property doesn't have the same GUID on all computers, because I create it with another script before this one.

The question is the following:

In the code where I set the $objectGuid variable, I've hardcoded the GUID I need. What I need to know is whether there is any way to get the GUID of the property using PowerShell.


Solution

  • You can retrieve the GUID of an attribute from the Schema:

    1. Query the schemaNamingContext for an attributeSchema object
    2. Filter on ldapDisplayName, the attribute name shown by the GUI
    3. Grab the schemaIDGUID attribute value and use that in the ACE

    I'll use the RSAT ActiveDirectory module for simplicity here, but you can do this with any LDAP client:

    $attrSchemaParams = @{
        # Search the schema partition only
        SearchBase = (Get-ADRootDSE).schemaNamingContext
        # Match the attribute by the name the GUI shows
        Filter = "ldapDisplayName -eq 'pwmEventLog' -and objectClass -eq 'attributeSchema'"
        Properties = 'schemaIDGUID'
    }
    $pwmEventLogSchema = Get-ADObject @attrSchemaParams

    # schemaIDGUID is returned as a 16-byte array; convert it to a Guid
    $pwmEventLogGUID = $pwmEventLogSchema.schemaIDGuid -as [guid]
    

    Now use $pwmEventLogGUID in place of $objectGuid.
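The following is an added example that ties the question's script and the answer's schema lookup together; it is not code from the question or the answer. It resolves both GUIDs the ACE needs (the attribute's schemaIDGUID and the schemaIDGUID of the object class the rule is inherited by) from the schema by ldapDisplayName, skips the change when an equivalent rule is already present, and only writes the ACL when -Commit is given. It assumes the RSAT ActiveDirectory module, PowerShell 5 or later (for the ::new() constructor syntax), and rights to read the schema and modify the domain head. The function names, the 'user' default for the inherited class, and the domain DN placeholder are assumptions; 'pwmEventLog' is the attribute name used in the answer.

```powershell
# Added example, not the question's or the answer's code.
Import-Module ActiveDirectory

function Get-SchemaObjectGuid {
    # Return the schemaIDGUID of an attributeSchema or classSchema object,
    # looked up by its ldapDisplayName (the name the GUI shows).
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [ValidateSet('attributeSchema', 'classSchema')][string]$ObjectClass = 'attributeSchema'
    )
    $params = @{
        SearchBase = (Get-ADRootDSE).schemaNamingContext
        LDAPFilter = "(&(objectClass=$ObjectClass)(lDAPDisplayName=$LdapDisplayName))"
        Properties = 'schemaIDGUID'
    }
    $obj = Get-ADObject @params
    if (-not $obj) { throw "No $ObjectClass named '$LdapDisplayName' found in the schema" }
    # schemaIDGUID is stored as a 16-byte octet string; the Guid(byte[]) constructor decodes it
    [guid]$obj.schemaIDGUID
}

function New-PropertyAce {
    # Build the same kind of ACE the question constructs, with both GUIDs
    # resolved from the schema instead of hardcoded.
    param(
        [Parameter(Mandatory)][string]$AttributeName,
        [string]$InheritedClassName = 'user',   # assumption: scope inheritance to user objects
        [string]$Sid = 'S-1-5-11'               # Authenticated Users, as in the question
    )
    $identity  = [System.Security.Principal.SecurityIdentifier]$Sid
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty,WriteProperty'
    $type      = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $attrGuid  = Get-SchemaObjectGuid -LdapDisplayName $AttributeName
    $classGuid = Get-SchemaObjectGuid -LdapDisplayName $InheritedClassName -ObjectClass classSchema
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, $rights, $type, $attrGuid, $inherit, $classGuid)
}

function Add-PropertyAce {
    # Add the ACE to the domain head ACL. Without -Commit the rule is only
    # returned, so the change can be reviewed before it is written.
    param(
        [Parameter(Mandatory)][string]$DomainDn,     # e.g. 'DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$AttributeName,
        [switch]$Commit
    )
    $path = "AD:$DomainDn"
    $acl  = Get-Acl -Path $path
    $ace  = New-PropertyAce -AttributeName $AttributeName

    # Get-Acl reports identities as NTAccount names; translate the SID for comparison
    $aceName = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    $existing = $acl.Access | Where-Object {
        $_.ObjectType -eq $ace.ObjectType -and
        $_.IdentityReference.Value -eq $aceName -and
        $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
        $_.AccessControlType -eq $ace.AccessControlType
    }
    if ($existing) {
        Write-Verbose "Equivalent rule already present on $path; nothing to do"
        return $existing
    }
    if ($Commit) {
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
    }
    return $ace
}

# Usage (placeholder DN): review first, then commit.
# Add-PropertyAce -DomainDn 'DC=example,DC=com' -AttributeName 'pwmEventLog' | Format-List
# Add-PropertyAce -DomainDn 'DC=example,DC=com' -AttributeName 'pwmEventLog' -Commit
```

The lookup uses an LDAP filter rather than the PowerShell-style -Filter so the same expression can be pasted into any other LDAP client, as the answer notes. The duplicate check matters because AddAccessRule does not reject an identical entry, so a script run more than once silently accumulates copies of the same ACE.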