
@ericjaystevens
Created December 31, 2018 03:21
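function set-UserExtendRightRule{
    <#
    .SYNOPSIS
    Adds an extended-right access rule for a user to the ACL of an Active Directory object.

    .DESCRIPTION
    Resolves the control access right whose displayName equals -extendedright in the
    configuration naming context, builds an ActiveDirectoryAccessRule for the SID of
    -userName, adds it to the ACL read from "ad:\<adPath>" and writes the ACL back.
    The inherited object type of the rule is fixed to the schema class "computer",
    so with an inheriting -Inheritance value the rule is inherited by computer objects.

    The function stops before touching the ACL if the target path is empty, or if the
    extended right or the schema class cannot be resolved to exactly one object.

    .PARAMETER userName
    Identity of the user (passed to Get-ADUser -Identity) that becomes the trustee.

    .PARAMETER extendedright
    Display name of the extended right. It is matched literally; LDAP filter
    metacharacters are escaped, so wildcards are not supported.

    .PARAMETER AccessControlType
    "Allow" or "Deny".

    .PARAMETER Inheritance
    ActiveDirectorySecurityInheritance value for the rule.

    .PARAMETER adPath
    Distinguished name of the object whose ACL is modified (appended to the "ad:\" drive).
    #>
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)]
        [string]
        $userName,
        [parameter(Mandatory=$true)]
        [string]
        $extendedright,
        [parameter(Mandatory=$true)]
        [ValidateSet("Allow", "Deny")]
        $AccessControlType,
        [parameter(Mandatory=$true)]
        [ValidateSet("All", "Children", "Descendents", "None", "SelfAndChildren" )]
        $Inheritance,
        $adPath
    )

    # Without a target the path collapses to "ad:\"; refuse instead of guessing.
    if ([string]::IsNullOrWhiteSpace([string]$adPath)) {
        throw "adPath must be the distinguished name of the object whose ACL is to be changed."
    }

    $rootDse = Get-ADRootDSE

    # Class whose instances may inherit the rule (hard-coded to "computer").
    $computerSchemaObject = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(ldapdisplayname=computer)" -Properties schemaIDGUID
    if (@($computerSchemaObject).Count -ne 1) {
        throw "Could not resolve the 'computer' class in the schema naming context."
    }

    # Escape RFC 4515 metacharacters so the display name cannot alter the filter.
    # The backslash must be replaced first, otherwise later escapes get re-escaped.
    $escapedRight = $extendedright.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
    $extendedrightObject = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayname=$escapedRight))" -Properties rightsGuid

    # Zero matches would leave the object-type GUID empty and several matches would be
    # ambiguous; neither may reach the ACL.
    if (@($extendedrightObject).Count -ne 1) {
        throw "Expected exactly one extended right named '$extendedright', found $(@($extendedrightObject).Count)."
    }

    $sid = Get-ADUser -Identity $userName -ErrorAction Stop | Select-Object -ExpandProperty SID
    if ($null -eq $sid) {
        throw "Could not resolve a SID for user '$userName'."
    }

    $acl = Get-Acl -Path "ad:\$adPath" -ErrorAction Stop

    $rightGuid = [guid]$extendedrightObject.rightsGuid
    $inheritedObjectTypeGuid = [guid]$computerSchemaObject.schemaIDGUID

    $AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
        $sid,                       # Trustee of the access rule.
        "ExtendedRight",            # ActiveDirectoryRights: the rule controls an extended right.
        $AccessControlType,         # Allow or Deny.
        $rightGuid,                 # rightsGuid of the extended right the rule applies to.
        $Inheritance,               # How the rule propagates to child objects.
        $inheritedObjectTypeGuid    # schemaIDGUID of the child object class that can inherit the rule.
    )

    $acl.AddAccessRule($AccessRule)
    $acl | Set-Acl -Path "ad:\$adPath"
}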