Skip to main content

Access Control Lists

Synopsis

Define the owner and inheritance settings for objects within the forest's Configuration and Schema naming contexts.

Description

Forest-level Access Control Lists (ACLs) allow you to declare the desired owner and inheritance behaviour for any object in the forest's Configuration or Schema naming contexts — the areas of Active Directory managed by the ForestManagement module.

This component mirrors the Domain Access Control Lists component in design, but operates at the forest scope.

You can define ACL settings in three ways:

  • Path — targets a single object by its distinguished name.
  • Object Category — targets all objects belonging to a specific category.
  • Default Owner — a catch-all default that sets the owner for objects not covered by a path or category rule.

A warning is shown for objects under management that have no ACL definition.

Example Configuration

Set the owner and disable inheritance on a specific object:

[
{
"Path": "CN=Sites,%ConfigurationDN%",
"Owner": "%RootDomainSID%-519",
"NoInheritance": true
}
]

The same rule in psd1 format:

@(
@{
Path = 'CN=Sites,%ConfigurationDN%'
Owner = '%RootDomainSID%-519' # Enterprise Admins
NoInheritance = $true
}
)

Define a default owner that applies to all forest objects not otherwise specified:

[
{
"DefaultOwner": true,
"Owner": "%RootDomainSID%-519"
}
]

Apply an ownership rule to all objects of a particular category:

[
{
"ObjectCategory": "SchemaObjects",
"Owner": "%RootDomainSID%-518",
"NoInheritance": false
}
]

Tools

Export the current ACL settings from a subtree of the Configuration partition:

Get-ADObject -SearchBase 'CN=Sites,CN=Configuration,DC=contoso,DC=com' -Filter * |
Get-ADSAcl |
ForEach-Object {
[PSCustomObject]@{
Owner = $_.Owner -as [string] -replace '^.+\\', '%DomainName%\'
Path = $_.DistinguishedName -replace 'CN=Configuration,DC=.+$', '%ConfigurationDN%'
}
} | ConvertTo-Json

Properties

Path

Optional: No | Default: None | ParameterSet: path

This parameter uses name resolution.

The distinguished name of the AD object whose ACL should be managed.

ObjectCategory

Optional: No | Default: None | ParameterSet: category

Instead of a specific path, specify an object category. The ACL setting is applied to all objects belonging to that category.

Owner

Optional: No | Default: None

This parameter uses name resolution.

The identity that should be the owner of the targeted object(s). Accepts different kinds of input:

  • NT Account: The name-based notation for ease of reading. E.g.: %RootDomainName%\Enterprise Admins
  • SID: Maximum precision for reduced readability. E.g.: %RootDomainSID%-519
  • Privileged Group Set: To allow multiple different owners and only intercede if none of allowed owners is actual owner. E.g.: __DomainAdminsEx__

NoInheritance

Optional: Yes | Default: $false

Whether permission inheritance should be disabled on the targeted object. Set to true to block inheritance; false (default) leaves inheritance enabled.

warning

When possible, it is recommended to not disable inheritance.

Optional

Optional: Yes | Default: $false

When true, the object targeted by this rule does not need to exist. The ACL setting is applied only when the object is present; a missing object is silently ignored. Access errors on the object are also suppressed.

DefaultOwner

Optional: Yes | Default: $false | ParameterSet: DefaultOwner

Switch that marks this entry as the global default owner. This owner is applied to any forest object not covered by a path or object category rule. Only one default owner can be active at a time; registering a new one replaces the previous.