TestimoX

API Reference

Command

Add-ADXAclGovernedPermission

Namespace ADPlayground.PowerShell
Inputs
System.DirectoryServices.ActiveDirectorySecurity System.DirectoryServices.DirectoryEntry System.String
Outputs
ADPlayground.Acl.AdxAclGovernedOperationResult

Runs a governance-aware ACL add-permission operation with dry-run/apply semantics.

Examples

Authored help example

Example 1: Run a governance dry run before granting Helpdesk read access


Add-ADXAclGovernedPermission -ADObject 'OU=Workstations,OU=Managed,DC=contoso,DC=com' -Identity 'CONTOSO\Helpdesk Tier1' -Rights ReadProperty -Inheritance Descendents -Intent read_only

Example 2: Apply a governed ACL grant with audit metadata


Add-ADXAclGovernedPermission -ADObject 'OU=Servers,OU=Managed,DC=contoso,DC=com' -Identity 'CONTOSO\Tier1 Server Admins' -Rights WriteProperty -Inheritance Children -Intent read_write -AllowWrite -Apply -WriteExecutionId 'chg-cab-4127' -WriteActorId 'ops-pipeline\delegation-refresh' -WriteChangeReason 'CAB-4127 approved server OU delegation refresh' -WriteRollbackPlanId 'rbp-cab-4127'

Common Parameters

This command supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.

For more information, see about_CommonParameters.

Syntax

Add-ADXAclGovernedPermission -Security <ActiveDirectorySecurity> -Identity <string> -Rights <CreateChild> [-AccessControlType <Allow|Deny>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-Inheritance <All|Descendents|Children|SelfAndChildren>] [-Intent <string>] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
#
Parameter set: By Security

Parameters

Security ActiveDirectorySecurity requiredposition: 0pipeline: true (ByValue, ByPropertyName)
ActiveDirectorySecurity instance to modify.
Identity string requiredposition: 1pipeline: false
Identity to add (SID, DOMAIN\name, UPN, DN).
Rights AclRights requiredposition: 2pipeline: falsevalues: 16
Rights to add. Possible values: None, CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
Possible values: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
AccessControlType AccessControlType optionalposition: namedpipeline: falsealiases: access_control_typevalues: 2
Access type for the added ACE. Default: Allow. Possible values: Allow, Deny
Possible values: Allow, Deny
AllowWrite SwitchParameter optionalposition: namedpipeline: falsealiases: allow_write
Explicit write confirmation flag for mutating operations.
Apply SwitchParameter optionalposition: namedpipeline: false
Applies changes. Without this switch, the cmdlet runs in dry-run mode.
DryRun bool optionalposition: namedpipeline: falsealiases: dry_run
Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes. If both switches are provided, -Apply takes precedence.
Inheritance AclInheritance optionalposition: namedpipeline: falsevalues: 4
Inheritance mode for the added ACE. Default: None. Possible values: None, All, Descendents, Children, SelfAndChildren
Possible values: All, Descendents, Children, SelfAndChildren
Intent string optionalposition: namedpipeline: false
Execution intent (read_only or read_write). Default: read_only.
WriteActorId string optionalposition: namedpipeline: falsealiases: write_actor_id
Write actor identifier.
WriteAuditCorrelationId string optionalposition: namedpipeline: falsealiases: write_audit_correlation_id
Optional write audit correlation identifier.
WriteChangeReason string optionalposition: namedpipeline: falsealiases: write_change_reason
Write change reason, ticket, or approval reference.
WriteExecutionId string optionalposition: namedpipeline: falsealiases: write_execution_id
Write execution identifier for governance/audit correlation.
WriteRollbackPlanId string optionalposition: namedpipeline: falsealiases: write_rollback_plan_id
Write rollback plan identifier.
WriteRollbackProviderId string optionalposition: namedpipeline: falsealiases: write_rollback_provider_id
Optional write rollback provider identifier.

Outputs

ADPlayground.Acl.AdxAclGovernedOperationResult

Add-ADXAclGovernedPermission -Entry <DirectoryEntry> -Identity <string> -Rights <CreateChild> [-AccessControlType <Allow|Deny>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-Inheritance <All|Descendents|Children|SelfAndChildren>] [-Intent <string>] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
#
Parameter set: By Entry

Parameters

Entry DirectoryEntry requiredposition: 0pipeline: true (ByValue, ByPropertyName)
DirectoryEntry object to modify.
Identity string requiredposition: 1pipeline: false
Identity to add (SID, DOMAIN\name, UPN, DN).
Rights AclRights requiredposition: 2pipeline: falsevalues: 16
Rights to add. Possible values: None, CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
Possible values: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
AccessControlType AccessControlType optionalposition: namedpipeline: falsealiases: access_control_typevalues: 2
Access type for the added ACE. Default: Allow. Possible values: Allow, Deny
Possible values: Allow, Deny
AllowWrite SwitchParameter optionalposition: namedpipeline: falsealiases: allow_write
Explicit write confirmation flag for mutating operations.
Apply SwitchParameter optionalposition: namedpipeline: false
Applies changes. Without this switch, the cmdlet runs in dry-run mode.
DryRun bool optionalposition: namedpipeline: falsealiases: dry_run
Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes. If both switches are provided, -Apply takes precedence.
Inheritance AclInheritance optionalposition: namedpipeline: falsevalues: 4
Inheritance mode for the added ACE. Default: None. Possible values: None, All, Descendents, Children, SelfAndChildren
Possible values: All, Descendents, Children, SelfAndChildren
Intent string optionalposition: namedpipeline: false
Execution intent (read_only or read_write). Default: read_only.
WriteActorId string optionalposition: namedpipeline: falsealiases: write_actor_id
Write actor identifier.
WriteAuditCorrelationId string optionalposition: namedpipeline: falsealiases: write_audit_correlation_id
Optional write audit correlation identifier.
WriteChangeReason string optionalposition: namedpipeline: falsealiases: write_change_reason
Write change reason, ticket, or approval reference.
WriteExecutionId string optionalposition: namedpipeline: falsealiases: write_execution_id
Write execution identifier for governance/audit correlation.
WriteRollbackPlanId string optionalposition: namedpipeline: falsealiases: write_rollback_plan_id
Write rollback plan identifier.
WriteRollbackProviderId string optionalposition: namedpipeline: falsealiases: write_rollback_provider_id
Optional write rollback provider identifier.

Outputs

ADPlayground.Acl.AdxAclGovernedOperationResult

Add-ADXAclGovernedPermission -ADObject <string> -Identity <string> -Rights <CreateChild> [-AccessControlType <Allow|Deny>] [-AllowWrite] [-Apply] [-DryRun <bool>] [-Inheritance <All|Descendents|Children|SelfAndChildren>] [-Intent <string>] [-WriteActorId <string>] [-WriteAuditCorrelationId <string>] [-WriteChangeReason <string>] [-WriteExecutionId <string>] [-WriteRollbackPlanId <string>] [-WriteRollbackProviderId <string>] [<CommonParameters>]
#
Parameter set: By ADObject

Parameters

ADObject string requiredposition: 0pipeline: true (ByValue, ByPropertyName)aliases: ad_object
Distinguished name/path of the object to modify.
Identity string requiredposition: 1pipeline: false
Identity to add (SID, DOMAIN\name, UPN, DN).
Rights AclRights requiredposition: 2pipeline: falsevalues: 16
Rights to add. Possible values: None, CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
Possible values: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, GenericRead, GenericWrite, GenericExecute, ListChildren, DeleteChild, DeleteTree, ReadProperty, WriteProperty, ExtendedRight, Self, GenericAll
AccessControlType AccessControlType optionalposition: namedpipeline: falsealiases: access_control_typevalues: 2
Access type for the added ACE. Default: Allow. Possible values: Allow, Deny
Possible values: Allow, Deny
AllowWrite SwitchParameter optionalposition: namedpipeline: falsealiases: allow_write
Explicit write confirmation flag for mutating operations.
Apply SwitchParameter optionalposition: namedpipeline: false
Applies changes. Without this switch, the cmdlet runs in dry-run mode.
DryRun bool optionalposition: namedpipeline: falsealiases: dry_run
Dry-run mode flag. Defaults to true; set to false (or use -Apply) to execute writes. If both switches are provided, -Apply takes precedence.
Inheritance AclInheritance optionalposition: namedpipeline: falsevalues: 4
Inheritance mode for the added ACE. Default: None. Possible values: None, All, Descendents, Children, SelfAndChildren
Possible values: All, Descendents, Children, SelfAndChildren
Intent string optionalposition: namedpipeline: false
Execution intent (read_only or read_write). Default: read_only.
WriteActorId string optionalposition: namedpipeline: falsealiases: write_actor_id
Write actor identifier.
WriteAuditCorrelationId string optionalposition: namedpipeline: falsealiases: write_audit_correlation_id
Optional write audit correlation identifier.
WriteChangeReason string optionalposition: namedpipeline: falsealiases: write_change_reason
Write change reason, ticket, or approval reference.
WriteExecutionId string optionalposition: namedpipeline: falsealiases: write_execution_id
Write execution identifier for governance/audit correlation.
WriteRollbackPlanId string optionalposition: namedpipeline: falsealiases: write_rollback_plan_id
Write rollback plan identifier.
WriteRollbackProviderId string optionalposition: namedpipeline: falsealiases: write_rollback_provider_id
Optional write rollback provider identifier.

Outputs

ADPlayground.Acl.AdxAclGovernedOperationResult