AccessControlDsc

master:

dev:

The AccessControlDsc module allows you to configure and manage access control on NTFS and Registry objects. It also allows management of audit access for Active Directory object SACL.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributing

Please check out common DSC Resources contributing guidelines.

Resources

• ActiveDirectoryAuditRule: Provides the ability to manage audit access for Active Directory object SACL.

• NtfsAccessEntry: Provides the ability to manage access entries for NTFS files and directories.

• RegistryAccessEntry: Provides the ability to manage access entries for Registry objects.

ActiveDirectoryAuditRule

• [String] DistinguishedName (Key): Indicates the Distinguished Name value for the target Active Directory Object.

• [String] AccessControlList: Indicates the access control information in the form of an array of instances of the ActiveDirectoryAuditRuleList CIM class. Includes the following properties:

  • [String] Principal: Indicates the identity of the principal.

  • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

    • [String] AuditFlags: Specifies the conditions for auditing attempts to access a securable object. { Success | Failure }

    • [String] ActiveDirectoryRights: Specifies the access rights that are assigned to an Active Directory Domain Services object. { AccessSystemSecurity | CreateAllChildObjects | Delete | DeleteAllChildObjects | DeleteSubtree | AllExtendedRights | FullControl | Execute | Read | Write | ListContents | ListObject | ReadPermissions | ReadAllProperties | AllValidatedWrites | ModifyPermissions | ModifyOwner | WriteAllProperties }

    • [String] Ensure: Whether the rights should be present or absent. { Ensure | Present }

    • [String] InheritanceType: Specifies if, and how, ACE information is applied to an object and its descendents. { All | Children | Descendents | None | SelfAndChildren }

    • [String] InheritedObjectType: Specifies the object type name that identifies the type of child object that can inherit this access rule.

  • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

• [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

ActiveDirectoryAuditRule Examples

• Set Active Directory OU audit access rules

NtfsAccessEntry

• [String] Path (Key): Indicates the path to the target item.

• [String] AccessControlList: Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class. Includes the following properties:

  • [String] Principal: Indicates the identity of the principal.

  • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

    • [String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }

    • [String] FileSystemRights: Indicates the access rights to be granted to the principal. { AppendData | ChangePermissions | CreateDirectories | CreateFiles | Delete | DeleteSubdirectoriesAndFiles | ExecuteFile | FullControl | ListDirectory | Modify | Read | ReadAndExecute | ReadAttributes | ReadData | ReadExtendedAttributes | ReadPermissions | Synchronize | TakeOwnership | Traverse | Write | WriteAttributes | WriteData | WriteExtendedAttributes }

    • [String] Ensure: Whether the rights should be present or absent. { Ensure | Present }

    • [String] Inheritance: Indicates the inheritance type of the permission entry.

  • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

• [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

NtfsAccessEntry Examples

• Set access entries for NTFS folders

RegistryAccessEntry

• [String] Path (Key): Indicates the path to the target item.

• [String] AccessControlList: Indicates the access control information in the form of an array of instances of the RegistryRule CIM class. Includes the following properties:

  • [String] Principal: Indicates the identity of the principal.

  • [String] AccessControlEntry: Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class. Includes the following properties:

    • [String] AccessControlType: Indicates whether to allow or deny access to the target item. { Allow | Deny }

    • [String] Rights: Indicates the access rights to be granted to the principal. { ChangePermissions | CreateLink | CreateSubKey | Delete | EnumerateSubKeys | ExecuteKey | FullControl | Notify | QueryValues | ReadKey | ReadPermissions | SetValue | TakeOwnership | WriteKey }

    • [String] Ensure: Whether the rights should be present or absent. { Ensure | Present }

    • [String] Inheritance: Indicates the inheritance type of the permission entry. { This Key Only | This Key and Subkeys | SubKeys Only }

  • [String] ForcePrincipal: Indicates whether the rights for this principal should be forced. Will remove any rights not explicitly defined in the configuration for the principal.

• [Boolean] Force: Indicates whether the rights defined should be enforced. Will remove any rights not explicitly defined in the configuration for the path.

RegistryAccessEntry Examples

• Configure access entries for registry key

Versions

Unreleased

1.0.0.0

• Initial release with the following resources:

  • ActiveDirectoryAuditRule
  • NtfsAccessEntry
  • RegistryAccessEntry