
Hello again!

I've built a script to make a few Security Roles. I need to set the read permission to OUs in the script and I think I'm having an issue.

I went into the Adaxes Admin console to find the GUID of an OU.

I found an OU Under the AD section and selected it, then I found the Object GUID in the result pane and right clicked it and went to properties. The GUID I found under the Advanced button is: GUID: {bf9679e7-0de6-11d0-a285-00aa003049e2}

When I use that GUID in the script like this:

# Allow: Read Group and User OUs
$entry = $role.Permissions.Create()

$ouClassGuid = # the GUID of the OU object class
    "{bf9679e7-0de6-11d0-a285-00aa003049e2}"

$entry.AccessType = "ADM_PERMISSION_TYPE_ALLOW"
$entry.AccessMask = "ADS_RIGHT_GENERIC_READ"
$entry.ObjectType = [System.Guid]::Empty.ToString()
$entry.InheritedObjectType = $ouClassGuid

$entry.SetInfo() # save the permission entry
$role.Permissions.Add($entry) # add the permission to the role

It works without errors but when I check the Security Role in the Admin console it shows the GUID I entered under "apply to" rather than "Organizational-Unit" like it does when I create it in the interface.

Did I get the wrong GUID or am I doing something wrong in the script?

Thanks again!

by (810 points)

1 Answer

by (215k points)
Best answer

Hello,

Yes, you've got the wrong GUID :)

The thing is that each object in Active Directory has its own object GUID that is used to distinguish it from other objects. You copied the GUID of that specific Organizational Unit that you've selected. However, to set a permission, you need the GUID of the Organizational-Unit object class. You can get the GUID of any class from descriptions of AD object classes provided by Microsoft. In particular, here's a description of the Organizational-Unit class: https://msdn.microsoft.com/en-us/librar ... 85%29.aspx. The GUID you need is the one available in the Schema-Id-Guid section. For example, for OUs the GUID is {bf967aa5-0de6-11d0-a285-00aa003049e2}.


Perfect! I was wondering where I could find those GUIDs in the Microsoft documentation!

I tested it out with that GUID and it works perfect. Thanks again!
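An added example (not from the original question or answer, and not Adaxes' own code) that avoids the copy-the-wrong-GUID problem altogether: it resolves the class name to its schemaIDGUID by querying the AD schema container, and it has a second helper that tells you what any GUID you have copied actually names in the schema (a class, an attribute, or nothing). The function names are mine; it assumes the account running it can read the schema partition and that $role is already bound to an Adaxes security role, as in the question's script.

```powershell
# Added example: look up class GUIDs from the AD schema instead of hand-copying them.
# Assumes: read access to the schema NC, and $role already bound (as in the question).

function Get-SchemaNamingContext {
    # The schema partition DN, e.g. CN=Schema,CN=Configuration,DC=example,DC=com
    ([ADSI]"LDAP://RootDSE").schemaNamingContext.Value
}

function New-SchemaSearcher {
    param([Parameter(Mandatory)][string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + (Get-SchemaNamingContext))
    $searcher.Filter = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher
}

function Get-SchemaClassGuid {
    # Returns the schemaIDGUID of a class (by lDAPDisplayName) in {xxxxxxxx-...} form,
    # which is the value a permission entry's InheritedObjectType expects.
    param([Parameter(Mandatory)][string]$ClassName)
    $searcher = New-SchemaSearcher -Filter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
                                   -Properties @("schemaIDGUID")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No class named '$ClassName' in the schema" }
    $bytes = [byte[]]$hit.Properties["schemaidguid"][0]   # stored as a 16-byte octet string
    ([guid]$bytes).ToString("B")
}

function Resolve-SchemaGuid {
    # Reports whether a GUID is a class GUID, an attribute GUID, or not a schema GUID at all
    # (an object's own objectGUID will not be found here).
    param([Parameter(Mandatory)][guid]$Guid)
    # schemaIDGUID is binary, so the filter value must be the raw bytes escaped as \xx
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $searcher = New-SchemaSearcher -Filter "(schemaIDGUID=$escaped)" `
                                   -Properties @("objectClass", "lDAPDisplayName")
    $hit = $searcher.FindOne()
    if (-not $hit) { return "not a schema GUID (it does not name a class or attribute)" }
    $kind = if ($hit.Properties["objectclass"] -contains "classSchema") { "class" } else { "attribute" }
    "$kind $($hit.Properties['ldapdisplayname'][0])"
}

# Check what the GUID copied in the question actually refers to, then get the one we need.
Resolve-SchemaGuid -Guid "bf9679e7-0de6-11d0-a285-00aa003049e2"

$ouClassGuid = Get-SchemaClassGuid -ClassName "organizationalUnit"
# Base schema class GUIDs are the same in every forest; this must match the value in the answer.
if ($ouClassGuid -ne "{bf967aa5-0de6-11d0-a285-00aa003049e2}") {
    Write-Warning "Unexpected organizationalUnit GUID: $ouClassGuid"
}

# Allow: Read, applied to Organizational-Unit objects (same entry as the question, correct GUID)
$entry = $role.Permissions.Create()
$entry.AccessType = "ADM_PERMISSION_TYPE_ALLOW"
$entry.AccessMask = "ADS_RIGHT_GENERIC_READ"
$entry.ObjectType = [System.Guid]::Empty.ToString()
$entry.InheritedObjectType = $ouClassGuid
$entry.SetInfo()                  # save the permission entry
$role.Permissions.Add($entry)     # add the permission to the role
```

Because the lookup goes by lDAPDisplayName, the same Get-SchemaClassGuid call works for any class the role needs (user, group, computer, and so on), and the Resolve-SchemaGuid check is a quick way to confirm, before saving, that the GUID you are about to put in "apply to" names a class rather than something you picked up from an object's property sheet.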
