PowerShell Scripts, Tips, Expert Advices, Forums, and Resources

Welcome to PowerShell.com, the educational and community site for Windows PowerShell People.

PowerTip of the Day

Setting Permissions in AD or Windows Registry

ActiveDirectory Module

We previously showed how you can use Get-Acl and Set-Acl to read and write permissions on files and folders.

Both cmdlets work with any PowerShell path whose provider supports security descriptors, not just the file system. So you can use them in exactly the same way to read, clone, and write permissions in the Windows Registry.

This example reads existing security information from a Registry key, and applies it to another:

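# both Registry keys must exist (writing under HKLM requires an elevated session)
$KeyToCopySecurityFrom = 'HKLM:\Software\Key1'
$KeyToCopySecurityTo = 'HKLM:\Software\Key2'

# read the security descriptor of the source key...
$securityDescriptor = Get-Acl -Path $KeyToCopySecurityFrom
# ...and write it to the target key, replacing the target's current permissions
Set-Acl -Path $KeyToCopySecurityTo -AclObject $securityDescriptor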

Likewise, if you have installed the RSAT tools from Microsoft and enabled the ActiveDirectory PowerShell module, you can use its PowerShell drive AD: to do the very same with AD objects and, for example, clone delegation privileges from one OU to another.

Active Directory features such as delegation of control or protection from accidental deletion are really just security settings that you can now read, change, and re-apply as needed.

Import-Module ActiveDirectory

# both OUs must exist
$OUtoCopyFrom = 'AD:\OU=Employees,DC=TRAINING,DC=POWERSHELL'
$OUtoCopyTo = 'AD:\OU=TestEmployees,DC=TRAINING,DC=POWERSHELL'

$securityDescriptor = Get-Acl -Path $OUtoCopyFrom
Set-Acl -Path $OUtoCopyTo -AclObject $securityDescriptor  

You can read and write security to any AD object that way, including DNS information. All you need is the LDAP path to the particular object you want to read or change.
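
A more cautious variant of the Registry example above, added here as an illustration and not part of the original tip: it saves the target's current security descriptor as SDDL before changing it, copies only the access rules (DACL) so the target keeps its own owner, and supports -WhatIf. The function names Copy-Dacl and Restore-Dacl, the key paths and the backup file are assumptions made for this example.

```powershell
# Added example; function names, key paths and backup file are hypothetical.
function Copy-Dacl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$TargetPath,
        [Parameter(Mandatory)][string]$BackupFile
    )
    $access = [System.Security.AccessControl.AccessControlSections]::Access
    $source = Get-Acl -Path $SourcePath -ErrorAction Stop
    $target = Get-Acl -Path $TargetPath -ErrorAction Stop
    $before = $target.Sddl

    # Keep the target's current descriptor so the change can be undone.
    Set-Content -Path $BackupFile -Value $before -Encoding Ascii

    # Take only the DACL from the source; the target keeps its own owner and group.
    $target.SetSecurityDescriptorSddlForm($source.Sddl, $access)

    if ($PSCmdlet.ShouldProcess($TargetPath, "Replace DACL with the DACL of $SourcePath")) {
        Set-Acl -Path $TargetPath -AclObject $target -ErrorAction Stop
    }
    # Return both descriptors so the change can be reviewed or logged.
    [pscustomobject]@{
        Target     = $TargetPath
        BackupFile = $BackupFile
        Before     = $before
        After      = (Get-Acl -Path $TargetPath).Sddl
    }
}

function Restore-Dacl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetPath,
        [Parameter(Mandatory)][string]$BackupFile
    )
    $access = [System.Security.AccessControl.AccessControlSections]::Access
    $acl    = Get-Acl -Path $TargetPath -ErrorAction Stop
    # Re-apply only the DACL stored in the backup file.
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $BackupFile -TotalCount 1), $access)
    if ($PSCmdlet.ShouldProcess($TargetPath, "Restore DACL from $BackupFile")) {
        Set-Acl -Path $TargetPath -AclObject $acl -ErrorAction Stop
    }
}

# Preview first; remove -WhatIf to apply (constructed sample keys, both must exist).
Copy-Dacl -SourcePath 'HKLM:\Software\Key1' -TargetPath 'HKLM:\Software\Key2' -BackupFile "$env:TEMP\Key2-acl.sddl" -WhatIf
```

Inherited entries are recomputed from the target's parent key, so the After value can differ from the source's SDDL even when the copy succeeded.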

Copyright 2012 PowerShell.com. All rights reserved.