private/Add-OUPermissions.ps1
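function Add-OUPermissions {
    <#
    .SYNOPSIS
        Adds (or rebuilds) DACL entries on an Active Directory organizational unit.
    .DESCRIPTION
        In the default ('Normal') mode the current ACL of the OU at -Path is read with
        Get-Acl, every rule in -ACEList is added to it and the result is written back
        with Set-Acl. In 'Rebuild' mode the OU's existing DACL is discarded: -DefaultACL
        is used as the base instead, so any explicit ACE that is in neither -DefaultACL
        nor -ACEList is removed from the OU.

        The write is guarded by ShouldProcess, so -WhatIf / -Confirm are honoured, and
        the ACEs about to be applied are printed (via Get-OUACLs) before Set-Acl runs.
    .PARAMETER Path
        Distinguished name of the OU; it is addressed as "AD:$Path".
    .PARAMETER ACEList
        Access rules to add to the base ACL.
    .PARAMETER Rebuild
        Replace the OU's DACL with -DefaultACL plus -ACEList instead of appending.
    .PARAMETER DefaultACL
        Base security descriptor for Rebuild mode. It is copied before use, so the
        caller's object is not modified.
    .OUTPUTS
        None. Failures are reported with Write-Warning and Write-LogHandler; the
        function does not throw, so callers must watch the warning stream / log.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Normal', SupportsShouldProcess = $true)]
    Param (
        [Parameter(ValueFromPipelineByPropertyName, ValueFromPipeline)]
        #[ValidateScript( {get-adorganizationalUnit -identity $_ })]
        [String]$Path,

        [Parameter(ValueFromPipelineByPropertyName, ValueFromPipeline)]
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$ACEList,

        # Rebuild from a Base ACL
        [Parameter(ParameterSetName = "Rebuild", Mandatory)]
        [switch] $Rebuild,

        [Parameter(ParameterSetName = "Rebuild", Mandatory)]
        [System.Security.AccessControl.DirectoryObjectSecurity] $DefaultACL
    )

    Begin {
        # $DefaultOU_SDDL = (get-adobject -filter { (ldapDisplayName -eq "organizationalUnit") } -searchBase ($(get-adrootdse).SchemaNamingContext) -properties defaultSecurityDescriptor).defaultSecurityDescriptor
        # $defaultOU_ACL = [System.DirectoryServices.ActiveDirectorySecurity]::new()
        # $defaultOU_ACL.SetSecurityDescriptorSddlForm($defaultOU_SDDL)
    }

    Process {
        try {
            $CurrentACL = Get-Acl -Path "AD:$Path"

            if ($Rebuild) {
                # Work on a copy: AddAccessRule mutates the object, and the same
                # -DefaultACL instance is reused for every Path coming down the pipeline,
                # so adding rules to it directly would leak ACEs from one OU to the next.
                $BaseACL = [System.DirectoryServices.ActiveDirectorySecurity]::new()
                $BaseACL.SetSecurityDescriptorBinaryForm($DefaultACL.GetSecurityDescriptorBinaryForm())
                $Action = "{0,-20}: {1}" -f "Rebuilding DACLs on", $Path
            } else {
                # Normal mode appends to whatever is already on the OU.
                $BaseACL = $CurrentACL
                $Action = "{0,-20}: {1}" -f "Adding DACLs on", $Path
            }

            Write-LogHandler -Level "Debug" -Message "Current ACL: $($CurrentACL.count); default: $($DefaultACL.count); adding: $($ACEList.count)"

            foreach ($ACE in $ACEList) {
                $BaseACL.AddAccessRule($ACE)
            }

            # -PassThru returns the formatted message so it can double as the ShouldProcess target.
            $message = Write-LogHandler -Level Info -Message $Action -Target $Path -PassThru

            if ($PSCmdlet.ShouldProcess($message)) {
                # NOTE(review): $objectGUIDs is not defined in this function - presumably a
                # script/module-scope lookup used by Get-OUACLs; confirm it is set by the caller.
                Write-Host ($(Get-OUACLs -ACLList $ACEList -ShowDefaults -ObjectGUIDs $objectGUIDs) | Format-Table | Out-String)
                Set-Acl -Path "AD:$Path" -AclObject $BaseACL | Out-Null
            }
        } catch {
            # Non-terminating by design: keep processing the remaining pipeline items,
            # but report which OU failed and why instead of a generic message, and keep
            # the diagnostic dump out of the output stream.
            Write-Warning ("{0} on '{1}': {2}" -f $_.Exception.GetType().FullName, $Path, $_.Exception.Message)
            Write-Warning ($_ | Format-List * -Force | Out-String)
            Write-LogHandler -Level "Warning" -Message ("Failed to update DACL on {0}: {1}" -f $Path, $_.Exception.Message)
        }
    }
}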