@2XXE-SRA
Last active June 29, 2022 19:51
Example removal of an ACE via PowerShell ADSI
# get SID for the "Everyone" principal (well-known SID S-1-1-0, so it resolves on any domain regardless of display language)
$sid = [System.Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$everyone = $sid.Translate([System.Security.Principal.NTAccount])
# change user password permissions
$adRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$pguid = New-Object Guid "ab721a53-1e2f-11d0-9819-00aa0040529b" # User-Change-Password control access right, refer to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
# craft an ACE that grants "Everyone" "Allow" for changing user password
$accessRuleArgs = $everyone, $adRight, "Allow", $pguid, "None"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
# for each user, remove the ACE from its DACL (Get-ADUser needs the ActiveDirectory module)
$users = Get-ADUser -Filter *
foreach ($user in $users) {
    $path = "LDAP://" + $user.DistinguishedName
    $obj = [adsi]$path
    [void]$obj.psbase.ObjectSecurity.RemoveAccessRule($ace)
    $obj.psbase.CommitChanges()
}
# the easy way: read the existing ACE off the object instead of crafting it
$users = Get-ADUser -Filter *
foreach ($user in $users) {
    $path = "LDAP://" + $user.DistinguishedName
    $obj = [adsi]$path
    # filter the object's own DACL ($obj carries ObjectSecurity; the Get-ADUser result does not);
    # the ObjectType GUID is User-Change-Password, the same GUID as above. Add whatever conditions you need.
    $ace = $obj.psbase.ObjectSecurity.Access |
        Where-Object IdentityReference -eq "Everyone" |
        Where-Object ObjectType -eq "ab721a53-1e2f-11d0-9819-00aa0040529b"
    # skip users without a matching ACE, and handle more than one match
    if ($ace) {
        foreach ($rule in @($ace)) { [void]$obj.psbase.ObjectSecurity.RemoveAccessRule($rule) }
        $obj.psbase.CommitChanges()
    }
}
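The snippet above removes the ACE blindly on every user. The following is an added example, not part of the gist, that wraps the same ADSI calls in an audit-first form: it reports which users carry the explicit "Everyone : Allow : User-Change-Password" ACE, separates it from inherited copies (which cannot be removed on the child object and must be fixed on the parent container), supports -WhatIf for a dry run, re-reads the DACL after CommitChanges to confirm the removal landed, and flags adminCount=1 accounts whose DACL SDProp will rewrite from AdminSDHolder. The function name and its -SearchBase/-Filter parameters are assumptions for illustration; the GUID is the one the gist uses.

```powershell
# Added example (not the gist's code): audit and optionally remove the explicit
# "Everyone : Allow : User-Change-Password" ACE from user objects via ADSI.
# Function and parameter names are assumptions; requires the ActiveDirectory module.
function Remove-EveryoneChangePasswordAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default search base is the current domain; pass an OU DN to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Filter = '*'
    )

    # User-Change-Password control access right (MS-ADTS), same GUID the gist uses.
    $changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

    # Match on the SID (S-1-1-0) rather than the name, so the check also works on
    # localized domains where "Everyone" has a different display name.
    $everyoneSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Predicate for the ACE we care about: Everyone / Allow / ExtendedRight / this GUID.
    $isTarget = {
        param($rule)
        $rule.IdentityReference.Value -eq $everyoneSid.Value -and
        $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $rule.ObjectType -eq $changePasswordGuid -and
        $rule.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }

    foreach ($user in Get-ADUser -Filter $Filter -SearchBase $SearchBase -Properties adminCount) {
        $obj = [adsi]("LDAP://" + $user.DistinguishedName)
        $acl = $obj.psbase.ObjectSecurity

        # Explicit ACEs can be removed on the object itself ...
        $explicit  = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object { & $isTarget $_ })
        # ... inherited ones cannot; report them so the parent container gets fixed instead.
        $inherited = @($acl.GetAccessRules($false, $true, $sidType) | Where-Object { & $isTarget $_ })

        $removed = 0
        if ($explicit.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove $($explicit.Count) Everyone/User-Change-Password ACE(s)")) {
            foreach ($rule in $explicit) {
                # RemoveAccessRuleSpecific removes exactly this rule instead of
                # stripping the right from every ACE held by the same identity.
                $acl.RemoveAccessRuleSpecific($rule)
            }
            $obj.psbase.CommitChanges()

            # Re-read the DACL from the directory to confirm the change actually landed.
            $check = [adsi]("LDAP://" + $user.DistinguishedName)
            $left = @($check.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType) |
                Where-Object { & $isTarget $_ })
            $removed = $explicit.Count - $left.Count
        }

        [pscustomobject]@{
            User              = $user.SamAccountName
            ExplicitAceFound  = $explicit.Count
            InheritedAceFound = $inherited.Count
            Removed           = $removed
            # adminCount=1 objects get their DACL rewritten from AdminSDHolder by SDProp,
            # so a removal here is reverted unless AdminSDHolder is changed as well.
            ProtectedBySDProp = ($user.adminCount -eq 1)
        }
    }
}

# Dry run first (nothing is written), then apply:
# Remove-EveryoneChangePasswordAce -WhatIf | Format-Table
# Remove-EveryoneChangePasswordAce -Confirm:$false | Format-Table
```

Run it with -WhatIf first and review the InheritedAceFound and ProtectedBySDProp columns: an inherited hit means the ACE lives on an OU or container above the user, and a protected account will have the ACE restored by SDProp within the hour unless AdminSDHolder is changed too.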