
Primary language: PowerShell. License: MIT.

AccessControlDsc


The AccessControlDsc module allows you to configure and manage access control on NTFS and Registry objects. It also allows management of audit access for Active Directory object SACL.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributing

Please check out common DSC Resources contributing guidelines.

Resources

ActiveDirectoryAccessEntryRule

  • [String] DistinguishedName (Key): Indicates the Distinguished Name value for the target Active Directory Object.

  • [String] AccessControlList: Indicates the access control information in the form of an array of instances of the ActiveDirectoryAccessControlList CIM class. Includes the following properties:

    • [String] Principal: Indicates the identity of the principal.

    • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

      • [String] AccessControlType: Specifies whether an AccessRule object is used to allow or deny access. { Allow | Deny }

      • [String] ActiveDirectoryRights: Specifies the access rights that are assigned to an Active Directory Domain Services object. { AccessSystemSecurity | CreateChild | Delete | DeleteChild | DeleteTree | ExtendedRight | GenericAll | GenericExecute | GenericRead | GenericWrite | ListChildren | ListObject | ReadControl | ReadProperty | Self | WriteDacl | WriteOwner | WriteProperty }

      • [String] Ensure: Whether the rights should be present or absent. { Absent | Present }

      • [String] InheritanceType: Specifies if, and how, ACE information is applied to an object and its descendants. { All | Children | Descendents | None | SelfAndChildren }

      • [String] InheritedObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.

      • [String] ObjectType: Specifies the object type name that identifies the object type (for example a property, property set or extended right) to which this access rule applies.

    • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

ActiveDirectoryAccessRule Examples

ActiveDirectoryAuditRule

  • [String] DistinguishedName (Key): Indicates the Distinguished Name value for the target Active Directory Object.

  • [String] AccessControlList: Indicates the access control information in the form of an array of instances of the ActiveDirectoryAuditRuleList CIM class. Includes the following properties:

    • [String] Principal: Indicates the identity of the principal.

    • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

      • [String] AuditFlags: Specifies the conditions for auditing attempts to access a securable object. { Success | Failure }

      • [String] ActiveDirectoryRights: Specifies the access rights that are assigned to an Active Directory Domain Services object. { AccessSystemSecurity | CreateChild | Delete | DeleteChild | DeleteTree | ExtendedRight | GenericAll | GenericExecute | GenericRead | GenericWrite | ListChildren | ListObject | ReadControl | ReadProperty | Self | WriteDacl | WriteOwner | WriteProperty }

      • [String] Ensure: Whether the rights should be present or absent. { Absent | Present }

      • [String] InheritanceType: Specifies if, and how, ACE information is applied to an object and its descendants. { All | Children | Descendents | None | SelfAndChildren }

      • [String] InheritedObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.

    • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

  • [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

ActiveDirectoryAuditRule Examples

NtfsAccessEntry

  • [String] Path (Key): Indicates the path to the target item.

  • [String] AccessControlList: Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class. Includes the following properties:

    • [String] Principal: Indicates the identity of the principal.

    • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

      • [String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }

      • [String] FileSystemRights: Indicates the access rights to be granted to the principal. { AppendData | ChangePermissions | CreateDirectories | CreateFiles | Delete | DeleteSubdirectoriesAndFiles | ExecuteFile | FullControl | ListDirectory | Modify | Read | ReadAndExecute | ReadAttributes | ReadData | ReadExtendedAttributes | ReadPermissions | Synchronize | TakeOwnership | Traverse | Write | WriteAttributes | WriteData | WriteExtendedAttributes }

      • [String] Ensure: Whether the rights should be present or absent. { Absent | Present }

      • [String] Inheritance: Indicates the inheritance type of the permission entry. { This folder only | This folder subfolders and files | This folder and subfolders | This folder and files | Subfolders and files only | Subfolders only | Files only }

    • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

  • [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

NtfsAccessEntry Examples
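The following configuration is an added example (not one of the module's own examples) showing how the nested AccessControlList, ForcePrincipal and Force properties fit together: it declares the complete DACL for a folder, and Force = $true strips every ACE that is not declared. The folder path is a constructed sample value, and the NTFSAccessControlEntry CIM class name for the entry instances is assumed.

```powershell
Configuration HardenAppConfigFolder
{
    Import-DscResource -ModuleName AccessControlDsc

    Node localhost
    {
        NtfsAccessEntry AppConfigDacl
        {
            Path  = 'C:\App\Config'   # constructed sample path
            # Force = $true removes any ACE on the path that is not declared below,
            # so inherited or leftover grants (e.g. to Everyone) do not survive.
            Force = $true
            AccessControlList = @(
                NTFSAccessControlList
                {
                    Principal      = 'BUILTIN\Administrators'
                    ForcePrincipal = $true   # only the entries listed here remain for this principal
                    AccessControlEntry = @(
                        NTFSAccessControlEntry   # assumed CIM class name for the entry
                        {
                            AccessControlType = 'Allow'
                            FileSystemRights  = 'FullControl'
                            Inheritance       = 'This folder subfolders and files'
                            Ensure            = 'Present'
                        }
                    )
                }
                NTFSAccessControlList
                {
                    Principal      = 'BUILTIN\Users'
                    ForcePrincipal = $true
                    AccessControlEntry = @(
                        NTFSAccessControlEntry
                        {
                            # read-only: no Write, Modify or ChangePermissions for ordinary users
                            AccessControlType = 'Allow'
                            FileSystemRights  = 'ReadAndExecute'
                            Inheritance       = 'This folder subfolders and files'
                            Ensure            = 'Present'
                        }
                    )
                }
            )
        }
    }
}

# Compile the MOF, apply it, then confirm the node reports compliant.
HardenAppConfigFolder -OutputPath 'C:\DscOutput'
Start-DscConfiguration -Path 'C:\DscOutput' -Wait -Verbose
Test-DscConfiguration -Detailed
```

Test-DscConfiguration reports drift whenever an undeclared ACE reappears on the path, which makes the compiled MOF a convenient baseline for detecting permission changes.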

RegistryAccessEntry

  • [String] Path (Key): Indicates the path to the target item.

  • [String] AccessControlList: Indicates the access control information in the form of an array of instances of the RegistryRule CIM class. Includes the following properties:

    • [String] Principal: Indicates the identity of the principal.

    • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

      • [String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }

      • [String] Rights: Indicates the access rights to be granted to the principal. { ChangePermissions | CreateLink | CreateSubKey | Delete | EnumerateSubKeys | ExecuteKey | FullControl | Notify | QueryValues | ReadKey | ReadPermissions | SetValue | TakeOwnership | WriteKey }

      • [String] Ensure: Whether the rights should be present or absent. { Absent | Present }

      • [String] Inheritance: Indicates the inheritance type of the permission entry. { This Key Only | This Key and Subkeys | SubKeys Only }

    • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

  • [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

RegistryAccessEntry Examples

FileSystemAuditRuleEntry

  • [String] Path (Key): Indicates the path to the target item.

  • [String] AuditRuleList: Indicates the audit rule information in the form of an array of instances of the FileSystemAuditRuleList CIM class. Includes the following properties:

    • [String] Principal: Indicates the identity of the principal.

    • [String] AuditRuleEntry: Indicates the audit rule entry in the form of an array of instances of the FileSystemAuditRule CIM class. Includes the following properties:

      • [String] AuditFlags: Specifies the conditions for auditing attempts to access a securable object. { None | Success | Failure }

      • [String] FileSystemRights: Indicates the access rights to be granted to the principal. { AppendData | ChangePermissions | CreateDirectories | CreateFiles | Delete | DeleteSubdirectoriesAndFiles | ExecuteFile | FullControl | ListDirectory | Modify | Read | ReadAndExecute | ReadAttributes | ReadData | ReadExtendedAttributes | ReadPermissions | Synchronize | TakeOwnership | Traverse | Write | WriteAttributes | WriteData | WriteExtendedAttributes }

      • [String] Inheritance: Indicates the inheritance type of the permission entry. { This folder only | This folder subfolders and files | This folder and subfolders | This folder and files | Subfolders and files only | Subfolders only | Files only }

      • [String] Ensure: Whether the rights should be present or absent. { Absent | Present }

    • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

  • [String] Force: Indicates whether the audit rules defined should be enforced. Will remove any audit rules not explicitly defined in the configuration for the path.

FileSystemAuditRuleEntry Examples
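An added example (not from the module's own examples) that uses FileSystemAuditRuleEntry to manage the SACL rather than the DACL: it records both successful and failed write attempts on a folder by any principal, using the FileSystemAuditRuleList and FileSystemAuditRule CIM classes named above. The folder path is a constructed sample value.

```powershell
Configuration AuditAppConfigWrites
{
    Import-DscResource -ModuleName AccessControlDsc

    Node localhost
    {
        FileSystemAuditRuleEntry AppConfigSacl
        {
            Path  = 'C:\App\Config'   # constructed sample path
            Force = $true             # audit rules not declared below are removed from the SACL
            AuditRuleList = @(
                FileSystemAuditRuleList
                {
                    Principal      = 'Everyone'
                    ForcePrincipal = $true
                    AuditRuleEntry = @(
                        FileSystemAuditRule
                        {
                            # successful writes and deletes: who changed the configuration
                            AuditFlags       = 'Success'
                            FileSystemRights = 'Write'
                            Inheritance      = 'This folder subfolders and files'
                            Ensure           = 'Present'
                        }
                        FileSystemAuditRule
                        {
                            # failed writes: attempts blocked by the DACL
                            AuditFlags       = 'Failure'
                            FileSystemRights = 'Write'
                            Inheritance      = 'This folder subfolders and files'
                            Ensure           = 'Present'
                        }
                    )
                }
            )
        }
    }
}

AuditAppConfigWrites -OutputPath 'C:\DscOutput'
Start-DscConfiguration -Path 'C:\DscOutput' -Wait -Verbose
```

A SACL entry only produces events when the "Audit File System" subcategory of object access auditing is enabled in the local or group audit policy; the resource sets the SACL but does not turn on that policy.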

Versions

1.3.0.0

1.2.0.0

1.1.0.0

1.0.0.0

  • Initial release with the following resources:

    • ActiveDirectoryAuditRule
    • NtfsAccessEntry
    • RegistryAccessEntry