Register-DMAccessRule
SYNOPSIS
Registers a new access rule as a desired state.
SYNTAX
Path (Default)
Register-DMAccessRule -Path <string> -Identity <string> -ActiveDirectoryRights <string>
[-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
[-ObjectType <string>] [-InheritedObjectType <string>] [-Optional <bool>] [-Present <TriBool>]
[-NoFixConfig <bool>] [-ContextName <string>] [<CommonParameters>]
Category
Register-DMAccessRule -ObjectCategory <string> -Identity <string> -ActiveDirectoryRights <string>
[-AccessControlType <AccessControlType>] [-InheritanceType <ActiveDirectorySecurityInheritance>]
[-ObjectType <string>] [-InheritedObjectType <string>] [-Optional <bool>] [-Present <TriBool>]
[-NoFixConfig <bool>] [-ContextName <string>] [<CommonParameters>]
DESCRIPTION
Registers a new access rule as a desired state. These are then compared with a domain's configuration when executing Test-DMAccessRule. See that command for more details on this procedure.
EXAMPLES
EXAMPLE 1
Register-DMAccessRule -ObjectCategory DomainControllers -Identity '%DomainName%\Domain Admins' -ActiveDirectoryRights GenericAll
Grants the domain admins of the target domain FullControl over all domain controllers, without any inheritance.
PARAMETERS
-AccessControlType
Whether this is an Allow or Deny rule.
Type: System.Security.AccessControl.AccessControlType
DefaultValue: Allow
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-ActiveDirectoryRights
The actual rights to grant. This is a [string] type to allow some invalid values that happen in the field and are still applied by AD.
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-ContextName
The name of the context defining the setting. This allows determining the configuration set that provided this setting. Used by the ADMF, available to any other configuration management solution.
Type: System.String
DefaultValue: <Undefined>
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Identity
The identity to apply the rule to.
Use the string '<Parent>' to apply the rule to the parent object of the object affected by this rule.
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-InheritanceType
How the Access Rule is being inherited. None: Indicates no inheritance. The ACE information is only used on the object on which the ACE is set. ACE information is not inherited by any descendents of the object. All: Indicates inheritance that includes the object to which the ACE is applied, the object's immediate children, and the descendents of the object's children. Descendents: Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself. SelfAndChildren: Indicates inheritance that includes the object itself and its immediate children. It does not include the descendents of its children. Children: Indicates inheritance that includes the object's immediate children only, not the object itself or the descendents of its children.
Type: System.DirectoryServices.ActiveDirectorySecurityInheritance
DefaultValue: None
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-InheritedObjectType
Name or Guid of property or right affected by this rule. Access Rules are governed by ObjectType and InheritedObjectType to affect what objects to affect (e.g. Computer, User, ...), what properties to affect (e.g.: User-Account-Control) or what extended rights to grant. Which in what combination applies depends on the ActiveDirectoryRights set.
Type: System.String
DefaultValue: <All>
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-NoFixConfig
By default, Test-DMAccessRule will generate a "FixConfig" result for accessrules that have been explicitly defined but are also part of the Schema Default permissions. If this setting is enabled, this result object is suppressed.
Type: System.Boolean
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: false
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-ObjectCategory
Instead of a path, define a category to apply the rule to. Categories are defined using Register-DMObjectCategory. This allows you to apply rules to a category of objects, rather than a specific path. With this you could apply a rule to all domain controller objects, for example.
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: Category
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-ObjectType
Name or Guid of property or right affected by this rule. Access Rules are governed by ObjectType and InheritedObjectType to affect what objects to affect (e.g. Computer, User, ...), what properties to affect (e.g.: User-Account-Control) or what extended rights to grant. Which in what combination applies depends on the ActiveDirectoryRights set.
Type: System.String
DefaultValue: <All>
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Optional
The path this access rule object is assigned to is optional and need not exist. This makes the rule apply only if the object exists, without triggering errors if it doesn't. It will also ignore access errors on the object. Note: Only if all access rules assigned to an object are set to $true, will the object be considered optional.
Type: System.Boolean
DefaultValue: False
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Path
The path to the AD object to govern. This should be a distinguishedname. This path uses name resolution. For example %DomainDN% will be replaced with the DN of the target domain itself (and should probably be part of everyy single path).
Type: System.String
DefaultValue: ''
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: Path
Position: Named
IsRequired: true
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
-Present
Whether the access rule should exist or not. By default, it should. Set this to $false in order to explicitly delete an existing access rule. Set this to 'Undefined' to neither create nor delete it, in which case it will simply be accepted if it exists.
Type: DomainManagement.TriBool
DefaultValue: true
SupportsWildcards: false
Aliases: []
ParameterSets:
- Name: (All)
Position: Named
IsRequired: false
ValueFromPipeline: false
ValueFromPipelineByPropertyName: true
ValueFromRemainingArguments: false
DontShow: false
AcceptedValues: []
HelpMessage: ''
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.