Script Repository

Assign Security Role

March 17, 2021

The following function can be used in PowerShell scripts to assign a security role to a user or group with a certain Assignment Scope.

To avoid creating duplicates when assigning a security role, you need to check whether the security role is already assigned to the user within the scope that you want to assign. The function below performs that check itself, so the caller does not need to inspect existing assignments: if the trustee is already assigned with the same scope item, nothing is changed; if the same scope item exists with the opposite Include / Exclude flag, it is replaced; otherwise the scope item is added.


  • $trusteeSid - Specifies the SID of the user or group that you want to assign the security role to (in the SDDL form).
  • $baseObjectDN - Specifies the distinguished name (DN) of the base directory object that defines the scope of activity.
  • $scopeItemType - Specifies the type of the base object. For a list of possible values, see ADM_SCOPEBASEOBJECTTYPE_ENUM.
  • $inheritance - Specifies whether all descendants or only immediate children of the base directory object should be included in or excluded from the scope of activity. For a list of values, see ADS_SCOPEENUM.
  • $exclude - Specifies whether the scope item will be excluded from or included in the scope of activity.
  • $rolePath - Specifies the ADS path of the security role that you want to assign to the user.
    How to get the ADS path of a role:
    1. Launch Adaxes Administration Console.
    2. In the Console Tree, locate the security role you need.
    3. Right-click the role and click Properties.
    4. On the General tab, click Advanced.
    5. The ADS path is displayed in the ADS path field.

Sample Usage:

UpdateRoleAssignments -TrusteeSid "S-1-5-21-573937-2149998-410785" `
                      -BaseObjectDN "OU=Sales,DC=example,DC=com" `
                      -ScopeItemType "ADM_SCOPEBASEOBJECTTYPE_CONTAINER" `
                      -Inheritance "ADS_SCOPE_SUBTREE" `
                      -Exclude $False `
                      -RolePath "Adaxes:// Role,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes"


function UpdateRoleAssignments($trusteeSid, $baseObjectDN, $scopeItemType, $inheritance, $exclude, $rolePath)
{
    # Bind to the security role that will be assigned
    $role = $Context.BindToObject($rolePath)

    # Get assignments
    $assignments = $role.Assignments
    $scopeItems = $NULL

    foreach ($assignment in $assignments)
    {
        # Check whether the Trustee is already assigned to the role
        if ($assignment.Trustee -ine $trusteeSid)
        {
            continue
        }

        # Get the Assignment Scope for the Trustee
        $scopeItems = $assignment.ActivityScopeItems
        break
    }

    if ($scopeItems -eq $NULL)
    {
        # Trustee is not yet assigned to the role, add new Trustee
        $assignment = $role.Assignments.Create()
        $assignment.Trustee = $trusteeSid
        $assignment.SetInfo()
        $scopeItems = $assignment.ActivityScopeItems
    }

    # Define the Assignment Scope
    # Get the base object GUID
    if ([System.String]::IsNullOrEmpty($baseObjectDN))
    {
        # All objects
        $baseObject = $NULL
        $baseObjectGuid = [Guid]::Empty
    }
    else
    {
        $baseObject = $Context.BindToObjectByDN($baseObjectDN)
        $baseObjectGuid = [Guid]$baseObject.Get("objectGuid")
    }

    # Check whether the scope item already exists in the Assignment Scope
    $removeExistingItem = $False
    $existingItem = $NULL
    foreach ($item in $scopeItems)
    {
        # Compare base object GUID, Inheritance, Include / Exclude
        $scopeBaseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")

        if ($scopeBaseObjectGuid -ine $baseObjectGuid)
        {
            continue
        }

        if ($item.Type -ne $scopeItemType)
        {
            continue
        }

        if ($item.Inheritance -ne $inheritance)
        {
            continue
        }

        if ($item.Exclude -eq $exclude)
        {
            # The scope item already exists in the Assignment Scope of the Trustee, exit
            return
        }

        # Same base object, type and inheritance but the opposite Include / Exclude flag:
        # remove the item so that it is replaced below
        $removeExistingItem = $True
        $existingItem = $item
        break
    }

    if ($removeExistingItem)
    {
        $existingItem.Remove()
    }

    # Add a new item to the Assignment Scope
    $scopeItem = $scopeItems.Create()
    $scopeItem.BaseObject = $baseObject
    $scopeItem.Type = $scopeItemType
    $scopeItem.Inheritance = $inheritance
    $scopeItem.Exclude = $exclude
    $scopeItem.SetInfo()
}
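After running the function, an administrator usually wants to confirm what the role now grants and to whom. The helper below is an added example, not part of the original script or of Adaxes itself: it lists every assignment of a role with the trustee SID resolved to an account name and each scope item spelled out, so unexpected trustees, unresolvable (stale) SIDs, and overly broad or missing scope items are easy to spot. The function name Get-RoleAssignmentReport is hypothetical; it assumes it runs inside an Adaxes script where $Context is available (as the function above does), that a scope item's BaseObject exposes the ADSI Get("distinguishedName") method, and the role path in the usage line is a placeholder to be replaced with the real one from the role's Advanced properties.

```powershell
# Added verification helper (not part of the original script): reports the current
# assignments of a security role so the effect of UpdateRoleAssignments can be reviewed.
# Assumes $Context is available, as in any Adaxes script.
function Get-RoleAssignmentReport($rolePath)
{
    $role = $Context.BindToObject($rolePath)
    $report = @()

    foreach ($assignment in $role.Assignments)
    {
        # Resolve the SID to DOMAIN\account for readability. A SID that no longer
        # resolves usually belongs to a deleted principal and deserves a follow-up.
        $trusteeName = $assignment.Trustee
        try
        {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($assignment.Trustee)
            $trusteeName = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch
        {
            $trusteeName = "$($assignment.Trustee) (unresolved)"
        }

        $hasScopeItems = $False
        foreach ($item in $assignment.ActivityScopeItems)
        {
            $hasScopeItems = $True

            # A null BaseObject means the scope item covers all objects
            $baseDN = "All objects"
            if ($item.BaseObject -ne $NULL)
            {
                # Assumption: BaseObject is an ADSI object supporting Get()
                $baseDN = $item.BaseObject.Get("distinguishedName")
            }

            $report += New-Object PSObject -Property @{
                Trustee     = $trusteeName
                BaseObject  = $baseDN
                Type        = $item.Type
                Inheritance = $item.Inheritance
                Exclude     = $item.Exclude
            }
        }

        # An assignment without scope items grants nothing; report it so it can be cleaned up
        if (-not $hasScopeItems)
        {
            $report += New-Object PSObject -Property @{
                Trustee     = $trusteeName
                BaseObject  = "(no scope items)"
                Type        = ""
                Inheritance = ""
                Exclude     = ""
            }
        }
    }

    return $report
}

# Sample usage; the role path is a placeholder, take the real value from the role's Advanced properties
Get-RoleAssignmentReport -RolePath "Adaxes://CN=<ROLE NAME>,CN=Security Roles,CN=Access Control,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" |
    Format-Table Trustee, BaseObject, Type, Inheritance, Exclude -AutoSize
```

Run it once before and once after UpdateRoleAssignments and compare the two tables; the only difference should be the single scope item you intended to add or replace for the intended trustee.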
