How can I lookup an Active Directory Class's “Schema-Id-Guid” and an Attribute's “System-Id-Guid”...

I need to create some new Access Control Entries (ACEs) to be delegated to specific Active Directory OUs using PowerShell.

These rules need to grant/deny access to specific Attributes for the "NT AUTHORITY\SELF" user account on the "Computer" object.

I am creating the ACE using the System.DirectoryServices.ActiveDirectoryAccessRule .NET class. The constructor that I require to create this object needs the GUID of both the desired Attribute and Class.

I am able to create this rule just fine right now using the below PowerShell code that I wrote:



# Get the security descriptor for the desired OU
$ouPath = "AD:\OU=TestOU,DC=example,DC=com"
$acl = Get-Acl $ouPath

# Get the SID of the "NT AUTHORITY\SELF" user account
$account = [System.Security.Principal.NTAccount]::New("NT AUTHORITY", "SELF")
$accountSID = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Property values for ActiveDirectoryAccessRule
$identity = [System.Security.Principal.IdentityReference]$accountSID
$adRights = [System.DirectoryServices.ActiveDirectoryRights]("ReadProperty, WriteProperty")
$type = [System.Security.AccessControl.AccessControlType]("Allow")
$objectType = [System.Guid]::New("bf9679d9-0de6-11d0-a285-00aa003049e2")
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]("Descendents")
$inheritedObjectType = [System.Guid]::New("bf967a86-0de6-11d0-a285-00aa003049e2")

# Create the new rule object
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($identity, $adRights, $type, $objectType, $inheritanceType, $inheritedObjectType)

# Add the rule to the ACL
$acl.AddAccessRule($ace)

# Change the security descriptor
Set-Acl -AclObject $acl $ouPath


The above code example allows read and write for the Network-Address attribute on the Computer class. The referenced GUIDs are as follows:

Network-Address: System-Id-Guid bf9679d9-0de6-11d0-a285-00aa003049e2

Computer: Schema-Id-Guid bf967a86-0de6-11d0-a285-00aa003049e2

The only problem I am having is that I have to manually look up the GUID for both the desired Attribute and Class.

So my question is:

Does anyone know of a way to look up these GUIDs using only the CN or Ldap-Display-Name?

  • Maybe this answer can help you out? Get Property guid
    – Theo, Dec 29 '18 at 11:05

  • You could create a hashtable (lookup table) with either the CN or Ldap-Display-Name as key and the corresponding GUIDs as value. For the details this page might help.
    – Theo, Dec 30 '18 at 12:49

  • Thanks Theo. The first link you provided was the answer.
    – jmjohnson85, Dec 31 '18 at 14:24

.net powershell ldap

edited Dec 28 '18 at 23:02
asked Dec 28 '18 at 21:23
jmjohnson85





1 Answer
Link to the answer was provided by Theo.

Get Property guid

I'll copy/paste the answer from Mathias R. Jessen:

You can retrieve the GUID of an attribute from the Schema:

  1. Query the schemaNamingContext for an attributeSchema object
  2. Filter on ldapDisplayName, the attribute name shown by the GUI
  3. Grab the schemaIDGUID attribute value and use that in the ACE

I'll use the RSAT ActiveDirectory module for simplicity here, but you can do this with any ldap client:

$attrSchemaParams = @{
    SearchBase = (Get-ADRootDSE).schemaNamingContext
    Filter     = "ldapDisplayName -eq 'pwmEventLog' -and objectClass -eq 'attributeSchema'"
    Properties = 'schemaIDGUID'
}
$pwmEventLogSchema = Get-ADObject @attrSchemaParams

$pwmEventLogGUID = $pwmEventLogSchema.schemaIDGuid -as [guid]
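An added example (not the question's or the linked answer's code) that generalises the answer's lookup to both attributeSchema and classSchema objects, matched on either lDAPDisplayName or cn as the question asks, caches the results in a hashtable as Theo's comment suggests, and feeds the resolved GUIDs into the same ActiveDirectoryAccessRule constructor the question uses. It assumes the RSAT ActiveDirectory module and a reachable domain controller; Get-SchemaIdGuid and Grant-SelfPropertyAccess are names chosen for this example.

```powershell
# Added example (not code from the question or the linked answer). Assumes the RSAT
# ActiveDirectory module and read access to the schema partition; Get-SchemaIdGuid and
# Grant-SelfPropertyAccess are names chosen here.
Import-Module ActiveDirectory

$script:SchemaGuidCache = @{}   # "<objectClass>|<matchOn>|<name>" -> [guid]

function Get-SchemaIdGuid {
    [CmdletBinding()]
    param(
        # Schema names are letters, digits and hyphens; rejecting anything else keeps
        # the value from altering the LDAP filter built below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')][string]$Name,
        [ValidateSet('attributeSchema', 'classSchema')][string]$ObjectClass = 'attributeSchema',
        [ValidateSet('lDAPDisplayName', 'cn')][string]$MatchOn = 'lDAPDisplayName'
    )
    $key = "$ObjectClass|$MatchOn|$Name"
    if ($script:SchemaGuidCache.ContainsKey($key)) { return $script:SchemaGuidCache[$key] }

    $found = @(Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(&(objectClass=$ObjectClass)($MatchOn=$Name))" `
        -Properties schemaIDGUID -ErrorAction Stop)
    if ($found.Count -ne 1) {
        throw "Expected exactly one $ObjectClass with $MatchOn '$Name', found $($found.Count)"
    }
    # schemaIDGUID is stored as a 16-byte octet string; Guid has a byte[] constructor
    $guid = [guid]::new([byte[]]$found[0].schemaIDGUID)
    $script:SchemaGuidCache[$key] = $guid
    return $guid
}

function Grant-SelfPropertyAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=TestOU,DC=example,DC=com'
        [Parameter(Mandatory)][string]$AttributeName,         # lDAPDisplayName, e.g. 'networkAddress'
        [Parameter(Mandatory)][string]$ClassName,             # lDAPDisplayName, e.g. 'computer'
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $attrGuid  = Get-SchemaIdGuid -Name $AttributeName -ObjectClass attributeSchema
    $classGuid = Get-SchemaIdGuid -Name $ClassName     -ObjectClass classSchema

    # NT AUTHORITY\SELF is the well-known SID S-1-5-10, so no name translation is needed
    $self = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

    # Property-specific ACE, inherited only by descendant objects of the given class
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Type, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return $ace
}

# The same ACE as the question's hard-coded GUIDs, resolved by name instead:
# Grant-SelfPropertyAccess -OuDistinguishedName 'OU=TestOU,DC=example,DC=com' `
#     -AttributeName networkAddress -ClassName computer
```

The filter is built only from values that passed ValidateSet and ValidatePattern, and the Count check fails closed rather than silently granting rights against an unintended schema object.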





        answered Dec 31 '18 at 14:23









jmjohnson85