Script repository

Remove non-existing objects from Security Role Assignments

October 05, 2023 Views: 2262
Security

The script removes non-existing objects from Assignments of all security roles. Both role Trustees and objects comprising Assignment Scopes of security roles are checked. It can be used, for example, to clean up security role Assignments of objects that have been deleted.

To clean up invalid security role Assignments on a regular basis, you can configure a scheduled task for the Domain object type that executes the script.

Edit Remove
PowerShell
function FixRoleAssignments
{
    Param($rolePath)

    $role = $Context.BindToObject($rolePath)

    # Get security role assignments
    $assignments = $role.Assignments
    for ($i = $assignments.Count - 1; $i -ge 0; $i--)
    {
        $assignment = $assignments.GetObject($i)
        
        # Check whether the Trustee exists
        $trusteeSid = $assignment.Trustee
        if (-not([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid)) -and
            ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -ne $trusteeSid))
        {
            try
            {
                $object = $Context.BindToObject("Adaxes://<SID=$trusteeSid>")
            }
            catch
            {
                $assignments.Remove($assignment)
                continue
            }
        }
        
        # Check Activity Scope Items
        $activityScopeItems = $assignment.ActivityScopeItems

        for ($j = $activityScopeItems.Count - 1; $j -ge 0; $j--)
        {
            $item = $activityScopeItems.GetObject($j)
            if (($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") -and
                ($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION") -and 
                ($item.BaseObject -eq $NULL))
            {
                $assignment.ActivityScopeItems.Remove($item)
            }
        }

        if ($activityScopeItems.Count -eq 0)
        {
            # Remove assignment
            $assignments.Remove($assignment)
        }
    }
}

# Search all security roles
$configurationContainerPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$configurationContainer = $Context.BindToObject($configurationContainerPath)
$configurationContainer.SearchFilter =  "(objectCategory=adm-Role)"
$configurationContainer.PageSize = 500
$configurationContainer.SearchScope = "ADS_SCOPE_SUBTREE"
$configurationContainer.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    $searcherResultIterator = $configurationContainer.ExecuteSearch()
    $roles = $searcherResultIterator.FetchAll()
    
    foreach ($rolesID in $roles)
    {
        # Check assignments and trustees
        FixRoleAssignments $rolesID.AdsPath
    }
}
finally
{
    # Release resources
    $searcherResultIterator.Dispose()
}
Comments 2
avatar
Mark Monaco Oct 04, 2023
I am unable to locate the "Domain-DNS" object type even when "Show all object types" is selected. I would like to get this script implemented under our Adaxes 2023.2 install.
Reply
avatar
Support Oct 05, 2023
Hello Mark,

Sorry for the confusion, the Domain-DNS object type is no longer present. You need to use the Domain object type. We updated the script description accordingly.
Reply
Leave a comment
Related Scripts

Got questions?

Support Questions & Answers