Since I'm just working on automating the 8.0.1 installation and adsschema
still has no command-line switches ...

Here is a bit of the script, which could be adapted — dirty, but maybe helpful for
somebody?


# needs Powershell v3/2008

# ....


# FUNCTIONS

#region AccessControl

# well-known SIDs: http://technet.microsoft.com/en-us/l.../cc962001.aspx
# construct an ACE: http://msdn.microsoft.com/en-us/library/w72e8e69.aspx

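Function Get-SchemaIDGUID ( [String] $ObjectName )
{
    <#
    .SYNOPSIS
        Looks up the schemaIDGUID of a schema class or attribute by name.
    .DESCRIPTION
        Queries the schema naming context of the current forest for the schema
        object whose "name" equals $ObjectName and returns its schemaIDGUID as a
        [System.Guid]. The GUID is used by the callers as the ObjectType /
        InheritedObjectType of an ACE, so a missing or ambiguous match must fail
        loudly instead of yielding $null (which would silently produce an ACE
        with an empty GUID, i.e. one that applies to every attribute/object).
    .PARAMETER ObjectName
        Name (CN) of the schema object, e.g. "User" or "protocom-SSO-Entries".
    .OUTPUTS
        [System.Guid]
    .NOTES
        Throws a terminating error when the name is empty, not found, or matches
        more than one schema object. The previous version called "Exit 1", which
        also terminates an interactive host; "Throw" lets a caller catch it.
        Requires the ActiveDirectory module (Get-ADRootDSE, Get-ADObject).
    #>
    If ([String]::IsNullOrEmpty($ObjectName)) {
        Throw "Function Get-SchemaIDGUID: ObjectName must not be empty"
    }

    $rootDSE    = Get-ADRootDSE
    $schemaNCDN = $rootDSE.SchemaNamingContext

    # Wrap in @() so one hit and several hits are handled the same way.
    $found = @(Get-ADObject -SearchBase $schemaNCDN -Filter { name -eq $ObjectName } -Properties SchemaIDGUID)

    If ($found.Count -eq 0) {
        #LogError ("Function Get-SchemaIDGUID: Object $ObjectName was not found in schema")
        Throw "Function Get-SchemaIDGUID: Object $ObjectName was not found in schema"
    }
    If ($found.Count -gt 1) {
        Throw "Function Get-SchemaIDGUID: Object name $ObjectName is ambiguous in schema ($($found.Count) matches)"
    }

    # schemaIDGUID is stored as a byte array; the [Guid] cast decodes it.
    Return [System.Guid] $found[0].SchemaIDGUID
} #end Get-SchemaIDGUID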

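Function Compose-ACE
{
    <#
    .SYNOPSIS
        Builds one ActiveDirectoryAccessRule (ACE).
    .DESCRIPTION
        Thin wrapper around the six-argument ActiveDirectoryAccessRule
        constructor, in this order:
            identity, adRights, type, objectType, inheritanceType, inheritedObjectType
        $Property is the schemaIDGUID of the attribute the right applies to and
        $ObjectType the schemaIDGUID of the object class that inherits the rule.
        Together they keep a GenericRead/GenericWrite ACE scoped to a single
        attribute of a single object class; an empty GUID in either position
        widens the rule to all attributes / all object classes, so that case
        is reported with a warning.
    .PARAMETER SID
        Trustee of the ACE.
    .PARAMETER DetailedAccess
        ActiveDirectoryRights value, e.g. "GenericRead"; strings are converted.
    .PARAMETER AlloworDeny
        AccessControlType, "Allow" or "Deny".
    .PARAMETER Property
        schemaIDGUID of the attribute (ObjectType of the ACE).
    .PARAMETER Axis
        ActiveDirectorySecurityInheritance, e.g. "Descendents".
    .PARAMETER ObjectType
        schemaIDGUID of the object class (InheritedObjectType of the ACE).
    .OUTPUTS
        [System.DirectoryServices.ActiveDirectoryAccessRule]
    #>
    Param (
        [System.Security.Principal.SecurityIdentifier] $SID,
        [System.DirectoryServices.ActiveDirectoryRights] $DetailedAccess,
        [System.Security.AccessControl.AccessControlType] $AlloworDeny,
        [GUID] $Property,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Axis,
        [GUID] $ObjectType
    )

    If ($Property -eq [Guid]::Empty -or $ObjectType -eq [Guid]::Empty) {
        Write-Warning "Function Compose-ACE: empty GUID given, the ACE for $SID/$DetailedAccess is not limited to one attribute/object class"
    }

    $ACEEntry = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $SID, $DetailedAccess, $AlloworDeny, $Property, $Axis, $ObjectType

    Return $ACEEntry
} #end Function Compose-ACE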

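Function Write-ACE ( [Array] $ACEArray, [String] $Base )
{
    <#
    .SYNOPSIS
        Appends ACEs to the ACL of an organizational unit.
    .DESCRIPTION
        Reads the current ACL of the OU through the AD: drive, adds every rule
        in $ACEArray and writes the ACL back. A drive-qualified path is used so
        the session's current location is never changed; the previous version
        did "cd AD:" / "cd C:" and left the session in AD: when Set-Acl threw.
        Requires the AD: drive, which Import-Module ActiveDirectory creates.
    .PARAMETER ACEArray
        ActiveDirectoryAccessRule objects (see Compose-ACE). An empty array
        leaves the ACL untouched and only emits a warning.
    .PARAMETER Base
        Distinguished name of the OU.
    #>
    #LogInfo "Writing ACE's on $Base"

    If ($null -eq $ACEArray -or $ACEArray.Count -eq 0) {
        Write-Warning "Function Write-ACE: no ACEs supplied for $Base, ACL left unchanged"
        Return
    }

    $OU   = Get-ADOrganizationalUnit -Identity $Base
    $path = "AD:\$($OU.DistinguishedName)"
    $ACL  = Get-Acl -Path $path

    ForEach ($ace in $ACEArray) {
        $ACL.AddAccessRule($ace)
    }

    Set-Acl -AclObject $ACL -Path $path
} #end Write-ACE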

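Function Update-ACL
{
    <#
    .SYNOPSIS
        Grants SELF read/write on the protocom SSO attributes of user objects
        below an OU.
    .DESCRIPTION
        For every attribute name in $Properties two ACEs are built (GenericRead
        and GenericWrite) for the well-known SID S-1-5-10 (SELF), scoped to that
        attribute's schemaIDGUID and inherited only by descendant objects of the
        User class. The ACEs are then appended to the ACL of $Base by Write-ACE.
    .PARAMETER Properties
        Schema attribute names. Defaults to the script-level $SSOProperties so
        the original argument-less call keeps working.
    .PARAMETER Base
        Distinguished name of the OU whose ACL is extended. Defaults to the
        script-level $SSOMgmtOU.
    .NOTES
        Each ACE is deliberately limited to one attribute of one object class.
        Passing an empty GUID as Property/ObjectType would give every user
        GenericWrite on all attributes of every descendant object; Get-SchemaIDGUID
        throws instead of returning $null for exactly that reason.
    #>
    Param (
        [String[]] $Properties = $SSOProperties,
        [String]   $Base       = $SSOMgmtOU
    )

    #LogSection (' Setting ACL of Bank-OU ...')

    Import-Module ActiveDirectory

    # seen some times: slow import of the module can crash script
    # (if: $ErrorActionPreference = 'Stop')
    Start-Sleep 10

    If ($null -eq $Properties -or $Properties.Count -eq 0) {
        Throw "Function Update-ACL: no properties given (is `$SSOProperties defined?)"
    }
    If ([String]::IsNullOrEmpty($Base)) {
        Throw "Function Update-ACL: no base OU given (is `$SSOMgmtOU defined?)"
    }

    # vars for Compose-ACE
    $SID         = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-10" # = SELF
    $AlloworDeny = "Allow"
    $Axis        = "Descendents"

    # schemaIDGUID of the User class: the rules are inherited by user objects only.
    # Get-SchemaIDGUID already returns a [Guid]; no further New-Object GUID needed.
    $ChildObjTypeGUID = Get-SchemaIDGUID -ObjectName "User"

    # define Array for storing ACE's
    [Array] $arrACE = @()

    ForEach ($item in $Properties) {
        $ObjectGUID = Get-SchemaIDGUID -ObjectName $item

        # one read and one write ACE per attribute, both limited to this attribute
        ForEach ($right in "GenericRead", "GenericWrite") {
            $arrACE += Compose-ACE -SID $SID -DetailedAccess $right `
                -AlloworDeny $AlloworDeny -Property $ObjectGUID -Axis $Axis -ObjectType $ChildObjTypeGUID
        }
    }

    Write-ACE -ACEArray $arrACE -Base $Base
} #end Update-ACL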

#endregion AccessControl

# MAIN


# OU whose ACL receives the SELF read/write ACEs
$SSOMgmtOU = "OU=abc,dc=xyz,dc=com"

# protocom attribute names to grant; one read + one write ACE is created per entry
[Array] $SSOProperties = @(
    "protocom-SSO-Entries",
    "protocom-SSO-Entries-Checksum",
    "protocom-SSO-Profile",
    "protocom-SSO-Security-Prefs",
    "protocom-SSO-Security-Prefs-Checksum",
    "protocom-SSO-Auth-Data"
)
# ...

Update-ACL


--
florianz