The AccessControlDsc module allows you to configure and manage access control on NTFS and Registry objects. It also allows management of audit access for Active Directory object SACL.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Please check out common DSC Resources contributing guidelines.
-
ActiveDirectoryAccessEntry: Provides the ability to manage access entries for Active Directory objects.
-
ActiveDirectoryAuditRule: Provides the ability to manage audit access for Active Directory object SACL.
-
NtfsAccessEntry: Provides the ability to manage access entries for NTFS files and directories.
-
RegistryAccessEntry: Provides the ability to manage access entries for Registry objects.
-
[String] DistinguishedName (Key): Indicates the Distinguished Name value for the target Active Directory Object.
-
[String] AccessControlList: Indicates the access control information in the form of an array of instances of the ActiveDirectoryAccessControlList CIM class. Includes the following properties:
-
[String] Principal: Indicates the identity of the principal.
-
[String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:
-
[String] AccessControlType: Specifies whether an AccessRule object is used to allow or deny access. { Allow | Deny }
-
[String] ActiveDirectoryRights: Specifies the access rights that are assigned to an Active Directory Domain Services object. { AccessSystemSecurity | CreateChild | Delete | DeleteChild | DeleteTree | ExtendedRight | GenericAll | GenericExecute | GenericRead | GenericWrite | ListChildren | ListObject | ReadControl | ReadProperty | Self | WriteDacl | WriteOwner | WriteProperty }
-
[String] Ensure: Whether the rights should be present or absent. { Ensure | Present }
-
[String] InheritanceType: Specifies if, and how, ACE information is applied to an object and its descendents. { All | Children | Descendents | None | SelfAndChildren }
-
[String] InheritedObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.
-
[String] ObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.
-
-
[String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.
-
-
[String] DistinguishedName (Key): Indicates the Distinguished Name value for the target Active Directory Object.
-
[String] AccessControlList: Indicates the access control information in the form of an array of instances of the ActiveDirectoryAuditRuleList CIM class. Includes the following properties:
-
[String] Principal: Indicates the identity of the principal.
-
[String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:
-
[String] AuditFlags: Specifies the conditions for auditing attempts to access a securable object. { Success | Failure }
-
[String] ActiveDirectoryRights: Specifies the access rights that are assigned to an Active Directory Domain Services object. { AccessSystemSecurity | CreateChild | Delete | DeleteChild | DeleteTree | ExtendedRight | GenericAll | GenericExecute | GenericRead | GenericWrite | ListChildren | ListObject | ReadControl | ReadProperty | Self | WriteDacl | WriteOwner | WriteProperty }
-
[String] Ensure: Whether the rights should be present or absent. { Ensure | Present }
-
[String] InheritanceType: Specifies if, and how, ACE information is applied to an object and its descendents. { All | Children | Descendents | None | SelfAndChildren }
-
[String] InheritedObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.
-
-
[String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.
-
-
[Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.
-
[String] Path (Key): Indicates the path to the target item.
-
[String] AccessControlList: Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class. Includes the following properties:
-
[String] Principal: Indicates the identity of the principal.
-
[String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:
-
[String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }
-
[String] FileSystemRights: Indicates the access rights to be granted to the principal. { AppendData | ChangePermissions | CreateDirectories | CreateFiles | Delete | DeleteSubdirectoriesAndFiles | ExecuteFile | FullControl | ListDirectory | Modify | Read | ReadAndExecute | ReadAttributes | ReadData | ReadExtendedAttributes | ReadPermissions | Synchronize | TakeOwnership | Traverse | Write | WriteAttributes | WriteData | WriteExtendedAttributes }
-
[String] Ensure: Whether the rights should be present or absent. { Ensure | Present }
-
[String] Inheritance: Indicates the inheritance type of the permission entry.
-
-
[String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.
-
-
[Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.
-
[String] Path (Key): Indicates the path to the target item.
-
[String] AccessControlList: Indicates the access control information in the form of an array of instances of the RegistryRule CIM class. Includes the following properties:
-
[String] Principal: Indicates the identity of the principal.
-
[String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:
-
[String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }
-
[String] Rights: Indicates the access rights to be granted to the principal. { ChangePermissions | CreateLink | CreateSubKey | Delete | EnumerateSubKeys | ExecuteKey | FullControl | Notify | QueryValues | ReadKey | ReadPermissions | SetValue | TakeOwnership | WriteKey }
-
[String] Ensure: Whether the rights should be present or absent. { Ensure | Present }
-
[String] Inheritance: Indicates the inheritance type of the permission entry. { This Key Only | This Key and Subkeys | SubKeys Only }
-
-
[String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.
-
-
[Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.
- Added ActiveDirectoryAccessEntry resource
- Breaking Change: Modified ActiveDirectoryAuditRuleEntry ActiveDirectoryRights parameter values to match System.DirectoryServices.ActiveDirectoryRights members
-
Initial release with the following resources:
- ActiveDirectoryAuditRule
- NtfsAccessEntry
- RegistryAccessEntry