
Remove non-existing objects from Security Role Assignments

March 17, 2021

The script removes references to objects that no longer exist from the Assignments of all security roles. Both the Trustee of each assignment and the objects that make up its Assignment Scope are checked. It can be used, for example, to clean up security role Assignments that still refer to deleted objects.

To clean up invalid security role Assignments on a regular basis, you can configure a scheduled task for the Domain-DNS object type that executes the script.

PowerShell
function FixRoleAssignments
{
    Param($rolePath)

    $role = $Context.BindToObject($rolePath)

    # Get security role assignments
    $assignments = $role.Assignments
    for ($i = $assignments.Count - 1; $i -ge 0; $i--)
    {
        $assignment = $assignments.GetObject($i)
        
        # Check whether the Trustee exists
        $trusteeSid = $assignment.Trustee
        if (-not([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid)) -and
            ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -ne $trusteeSid))
        {
            try
            {
                # Binding by SID fails if the trustee has been deleted
                $object = $Context.BindToObject("Adaxes://<SID=$trusteeSid>")
            }
            catch
            {
                # Trustee not found, remove the whole assignment
                $assignments.Remove($assignment)
                continue
            }
        }
        
        # Check Activity Scope Items
        $activityScopeItems = $assignment.ActivityScopeItems

        for ($j = $activityScopeItems.Count - 1; $j -ge 0; $j--)
        {
            $item = $activityScopeItems.GetObject($j)
            if (($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") -and
                ($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION") -and 
                ($item.BaseObject -eq $NULL))
            {
                # Scope item refers to an object that no longer exists
                $activityScopeItems.Remove($item)
            }
        }

        if ($activityScopeItems.Count -eq 0)
        {
            # Remove assignment
            $assignments.Remove($assignment)
        }
    }
}

# Search all security roles
$configurationContainerPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$configurationContainer = $Context.BindToObject($configurationContainerPath)
$configurationContainer.SearchFilter = "(objectCategory=adm-Role)"
$configurationContainer.PageSize = 500
$configurationContainer.SearchScope = "ADS_SCOPE_SUBTREE"
$configurationContainer.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    $searcherResultIterator = $configurationContainer.ExecuteSearch()
    $roles = $searcherResultIterator.FetchAll()
    
    foreach ($rolesID in $roles)
    {
        # Check assignments and trustees
        FixRoleAssignments $rolesID.AdsPath
    }
}
finally
{
    # Release resources (the iterator is $NULL if ExecuteSearch failed)
    if ($searcherResultIterator -ne $NULL)
    {
        $searcherResultIterator.Dispose()
    }
}