Remove Active Directory ACL PowerShell

Hello,

We previously saw how to add ACLs to Active Directory, and how to use the PowerShell Active Directory module. Today, we’ll see how to remove Access Control Entries (ACEs) from an Active Directory Access Control List (ACL). Let’s first look at some Active Directory ACLs:

# Import the module explicitly: the AD: drive does not trigger module autoload by itself.
Import-Module -Name ActiveDirectory
Get-Acl -Path "AD:\OU=Test,DC=D2K12R2,DC=local" | Select-Object -ExpandProperty Access
[Image: Remove Active Directory ACL PowerShell – Get ACL]

This list makes up your Active Directory Role Based Access Control (RBAC). It is full of GUIDs, which is not very readable in that format. Let’s try to make it more readable with a quick & dirty function:

function Get-ADAcl{
    # Quick & dirty: dump an object's ACL with schema and extended-right GUIDs replaced by their names.
    Param(
        [Parameter(Mandatory)]
        [String[]]$DistinguishedName
    )
    
    Begin{
        Import-Module -Name ActiveDirectory
        $RootDSE = Get-ADRootDSE
        # Build the GUID -> name map once: schema classes/attributes first, then extended rights.
        $GuidMap = @{}
        Get-ADObject -SearchBase ($RootDSE.SchemaNamingContext) -LDAPFilter '(schemaidguid=*)' -Properties lDAPDisplayName,schemaIDGUID | ForEach-Object {
            # schemaIDGUID is stored as a byte array; [System.GUID] accepts it directly.
            $GuidMap[[System.GUID]$_.schemaIDGUID]=$_.lDAPDisplayName
        }
        Get-ADObject -SearchBase ($RootDSE.ConfigurationNamingContext) -LDAPFilter '(&(objectclass=controlAccessRight)(rightsguid=*))' -Properties displayName,rightsGuid | ForEach-Object {
            $GuidMap[[System.GUID]$_.rightsGuid]=$_.displayName
        }
    }
    Process{
        # The parameter is an array, so handle one DN at a time instead of interpolating the whole array into the path.
        foreach ($DN in $DistinguishedName) {
            # Unknown GUIDs (including the all-zero GUID, which means "any object type") are left as-is.
            Get-Acl -Path "AD:\$DN" | Select-Object -ExpandProperty Access | Select-Object -Property ActiveDirectoryRights,InheritanceType,@{l='ObjectType';e={if($GuidMap.ContainsKey($_.ObjectType)){$GuidMap[$_.ObjectType]}else{$_.ObjectType}}},@{l='InheritedObjectType';e={if($GuidMap.ContainsKey($_.InheritedObjectType)){$GuidMap[$_.InheritedObjectType]}else{$_.InheritedObjectType}}},ObjectFlags,AccessControlType,IdentityReference,IsInherited,InheritanceFlags,PropagationFlags
        }
    }
    End{}
}
Get-ADAcl -DistinguishedName 'DC=D2K12R2,DC=local'
[Image: Remove Active Directory ACL PowerShell – Get AD ACL]

Now it’s a bit more readable! You can search for the ACE you want to remove from the ACL. Let’s remove those two unusual permissions now:

[Image: Remove Active Directory ACL PowerShell – Bad ACE to Remove]

You need to identify them with a plain Get-Acl, without GUID translation. We can’t use the translated version because the new objects lack the method we want to use to remove the ACE from the ACL. To remove them, we can use the following code:

# Work on the raw ACL object: it is the one that carries RemoveAccessRule().
$CurrentACL = Get-Acl -Path "AD:\DC=D2K12R2,DC=local"
# Pick the ACE(s) in the grid view; each selected entry is removed from the in-memory ACL,
# then the modified ACL is written back to the object once.
$CurrentACL | Select-Object -ExpandProperty Access | Out-GridView -PassThru | ForEach-Object -Process {
    [void]$CurrentACL.RemoveAccessRule($_)
} -End {
    Set-Acl -Path "AD:\DC=D2K12R2,DC=local" -AclObject $CurrentACL
}
[Image: Remove Active Directory ACL PowerShell – Bad ACE to Remove with GUID]

As soon as you press “Ok”, the ACE will be removed from the ACL and then the modification will be applied to your AD.
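As an added example that is not part of the original post, here is the same removal done non-interactively: the ACE is picked by a filter on trustee and rights instead of Out-GridView (the search step described above), the DACL is saved as SDDL before anything is changed, and -WhatIf lets you preview the change. It assumes the ActiveDirectory module and the AD: drive, and an account that may write the target's DACL; the DN is the one used above, and the trustee name in the usage lines is a placeholder.

```powershell
# Added example; this is not code from the original post.
# Removes explicit Allow ACEs for one trustee that carry control-type rights, with a
# DACL backup and ShouldProcess support. Assumptions: ActiveDirectory module and AD: drive
# are available; the trustee name used in the usage lines below is a placeholder.
Import-Module -Name ActiveDirectory

function Remove-ADAceByMatch {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    Param(
        [Parameter(Mandatory)]
        [String]$DistinguishedName,

        # Trustee whose explicit Allow ACEs are candidates, as shown by Get-Acl (DOMAIN\name).
        [Parameter(Mandatory)]
        [String]$IdentityReference,

        # An ACE is removed only if it carries every bit of at least one of these rights.
        [System.DirectoryServices.ActiveDirectoryRights[]]$Rights = @('GenericAll', 'WriteDacl', 'WriteOwner'),

        # The pre-change DACL is written here in SDDL form so the change can be undone.
        [String]$BackupPath = (Join-Path $env:TEMP ('dacl-backup-{0:yyyyMMdd-HHmmss}.sddl' -f (Get-Date)))
    )

    $Path = "AD:\$DistinguishedName"
    # Use the untranslated ACL object: it is the one that has RemoveAccessRule().
    $Acl = Get-Acl -Path $Path

    # Select candidate ACEs. Inherited entries are skipped: they have to be fixed on the parent.
    $ToRemove = @(foreach ($Ace in $Acl.Access) {
        if ($Ace.IsInherited) { continue }
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        if ($Ace.IdentityReference.Value -ne $IdentityReference) { continue }
        foreach ($Right in $Rights) {
            # -band keeps the common bits; equal to $Right means the ACE holds all of them.
            if (($Ace.ActiveDirectoryRights -band $Right) -eq $Right) { $Ace; break }
        }
    })

    if ($ToRemove.Count -eq 0) {
        Write-Warning "No explicit Allow ACE for '$IdentityReference' with the requested rights on $DistinguishedName"
        return
    }

    # Keep a copy of the DACL before modifying it. To restore it later:
    #   $Acl.SetSecurityDescriptorSddlForm((Get-Content $BackupPath -Raw), 'Access'); Set-Acl -Path $Path -AclObject $Acl
    $Acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -Path $BackupPath
    Write-Verbose "DACL of $DistinguishedName saved to $BackupPath"

    $Removed = 0
    foreach ($Ace in $ToRemove) {
        $Description = 'Remove ACE: {0} {1} {2} {3}' -f $Ace.IdentityReference, $Ace.AccessControlType, $Ace.ActiveDirectoryRights, $Ace.ObjectType
        if ($PSCmdlet.ShouldProcess($DistinguishedName, $Description)) {
            # RemoveAccessRule returns $true when a matching entry was actually taken out.
            if ($Acl.RemoveAccessRule($Ace)) { $Removed++ }
        }
    }

    # Write the modified DACL back once, and only if something actually changed.
    if ($Removed -gt 0 -and $PSCmdlet.ShouldProcess($DistinguishedName, "Write DACL ($Removed ACE(s) removed)")) {
        Set-Acl -Path $Path -AclObject $Acl
    }
    $ToRemove
}

# Preview first (nothing is changed), then apply.
# Remove-ADAceByMatch -DistinguishedName 'DC=D2K12R2,DC=local' -IdentityReference 'D2K12R2\PLACEHOLDER-GROUP' -WhatIf
# Remove-ADAceByMatch -DistinguishedName 'DC=D2K12R2,DC=local' -IdentityReference 'D2K12R2\PLACEHOLDER-GROUP' -Verbose
```

Run it with -WhatIf once to see exactly which entries would go, then without. Inherited ACEs are deliberately left alone: removing them from the child has no effect, they must be changed on the object they are inherited from. The SDDL backup only covers the DACL section, which is the only part this function modifies.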

Note: This kind of modification requires you to run PowerShell as an admin.

2 thoughts on “Remove Active Directory ACL PowerShell”

    • The Get-Acl won’t work if you don’t import the module first, the AD PSDrive call won’t trigger module autoload
