|
Replies:
8
-
Pages:
1
-
Last Post:
Nov 12, 2008 6:22 AM
by: JanuszR
|
|
|
Posts:
1
Registered:
8/20/08
|
|
|
|
Add-QADPermission: -applytotype don't work
Posted:
Aug 25, 2008 3:18 AM
|
|
|
Parameter ""-applytotype" don't work.
I run command:
Add-QADPermission $DN -Account $Users_Full -Rights 'GenericAll' -ApplyToType 'user'
And i see :
get-QADPermission $DN -Account $Users_Full
| fl
Permissions for: my.domain.ru/The-Test/Department
...
AccessControlType : Allow
Rights : GenericAll
RightsDisplay : Full control
Source : NotInherited
ExtendedRight :
ValidatedWrite :
Property :
PropertySet :
ApplyTo : All
ApplyToDisplay : This object and all child objects
ApplyToType :
ChildType :
WARNING: Only explicit permissions were displayed. To display inherited and AD
default permissions use -Inherited and -SchemaDefault switches respectively.
If I set in dsa.msc correct rights "by hand", it seems like this:
get-QADPermission $DN -Account $Users_Full
| fl
Permissions for: my.domain.ru/The-Test/Department
...
AccessControlType : Allow
Rights : GenericAll
RightsDisplay : Full control
Source : NotInherited
ExtendedRight :
ValidatedWrite :
Property :
PropertySet :
ApplyTo : ChildObjects
ApplyToDisplay : Child user objects
ApplyToType : CN=User,CN=Schema,CN=Configuration,DC=domain,DC=ru
ChildType :
WARNING: Only explicit permissions were displayed. To display inherited and AD
default permissions use -Inherited and -SchemaDefault switches respectively.
"Get-QADPermission .... | Add-QADPermission" also transmit all parameters, except "applytotype"
|
|
|
Posts:
415
Registered:
9/4/07
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Aug 25, 2008 8:29 AM
in response to: DrNight
|
|
|
It's a bug in present version of AD cmdlets. Unfortunately, no easy workaround exist. Will be fixed in next version.
|
|
|
Posts:
1,151
Registered:
12/1/06
|
|
|
Posts:
1,151
Registered:
12/1/06
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Oct 1, 2008 7:37 AM
in response to: DrNight
|
|
|
Assuming the question as answered - the issue is fixed in the current release
|
|
|
Posts:
6
Registered:
11/7/08
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Nov 7, 2008 1:14 PM
in response to: Dmitry Sotnikov
|
|
|
I installed the 1.1.2 version of Qwest AD Management Shell, which was supposed to fix the -ApplyToType switch. After running the following command
add-qadpermission $Service -Account $ctradmins -Rights ‘GenericAll’ -ApplyToType ‘user’
it now shows Full Control but in the "Apply onto" field it is listing “Special” instead of “User objects”. Is this another bug in the -ApplyToType switch?
|
|
|
Posts:
415
Registered:
9/4/07
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Nov 10, 2008 1:03 AM
in response to: JanuszR
|
|
|
Can you write here full otput from your command?
|
|
|
Posts:
6
Registered:
11/7/08
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Nov 10, 2008 5:54 AM
in response to: Andrey Moiseev ...
|
|
|
Hi Andrey,
here is the output. It does show that it applies to user objects only but the GUI just says Special which is confusing from a support standpoint.
Ctrl Account Rights Source AppliesTo
---- ------- ------ ------ ---------
RDEVDFS\SEC-EN-Service Account Admins Create/Delete Child objects Not inherited All user objects
RDEVDFS\SEC-EN-Service Account Admins Read/Write all properties Not inherited All user objects
RDEVDFS\SEC-EN-Service Account Admins All extended rights Not inherited All user objects
RDEVDFS\SEC-EN-Service Account Admins All validated writes Not inherited All user objects
RDEVDFS\SEC-EN-Service Account Admins Special Not inherited All user objects
RDEVDFS\SEC-NA-Center Admins Create/Delete Child objects Not inherited All user objects
RDEVDFS\SEC-NA-Center Admins Read/Write all properties Not inherited All user objects
RDEVDFS\SEC-NA-Center Admins All extended rights Not inherited All user objects
RDEVDFS\SEC-NA-Center Admins All validated writes Not inherited All user objects
RDEVDFS\SEC-NA-Center Admins Special Not inherited All user object
|
|
|
Posts:
415
Registered:
9/4/07
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Nov 12, 2008 3:52 AM
in response to: JanuszR
|
|
|
Use -ApplyTo ChildObjects parameter:
Add-QADPermission <object identity> -Account <Trustee identity> -Right GenericAll -ApplyTo ChildObjects -ApplyToType user
Thus, ADUC will show right string in ApplyTo.
|
|
|
Posts:
6
Registered:
11/7/08
|
|
|
|
Re: Add-QADPermission: -applytotype don't work
Posted:
Nov 12, 2008 6:22 AM
in response to: Andrey Moiseev ...
|
|
|
Thank you very much Andrey, that works.
|
|
|
|
Legend
|
|
MVP: 2501
+
pts
|
|
Guru: 2001
- 2500
pts
|
|
Expert: 751
- 2000
pts
|
|
Enthusiast: 31
- 750
pts
|
|
Novice: 0
- 30
pts
|
|
Moderators
|
|
Helpful answer
(5 pts)
|
|
Answered
(10 pts)
|
|
