welcome back my name is Ron Edwards and we’re gonna talk about we’re gonna continue our talk about power cell access control and this this one this is going to be part two we’re going to talk about how you can manage it with desired state configuration about me again you know for the people that were already in here they they already saw this but I’m a PowerShell enthusiast a quiet one I don’t tweet or blog very much but I do help run the Mississippi PowerShell user group with Mike Robbins I’m sure everybody here has met Mike and and I happened to be lucky enough to win the advanced category the 2012 scripting games so what we’re gonna go over we’re not really going to cover you know the definition of access control or anything we did that in the last one I’m really it’s gonna be short set of slides where I talk about a couple of design considerations that I thought through before making DSC resources and you know when I will talk about what I did end up coming up with up right now there’s three resources we’ll talk about how to use them and we’ll demo so you know a couple of considerations the first thing that I thought of is you know what do you actually want to control so you know that security descriptor object has four parts the owner the group the DAC oldest Akal and you’ve also got the the inheritance of the two ackles if you think of those is different so you know do you want to do you want to control an entire security descriptor do you want to control just a specific Akal do you want to control you know do you you basically not even care what an apple looks like but you just want to make sure that a certain principal has the ability to do something they you know I know on this folder I want this user account to be able to write or to be able to delete files or I don’t want them to be able to do that or I want them to be denied that so you know sometimes you only care about you know you don’t care about the rest of it you just care that specific access is there or is not there or that it’s being audited another big problem I came up with so most of these resources were made in version 3 of my module which it’s up on the Technic gallery but actually all the resources are there but for that version I didn’t take inherited aces into account if you did something with one of the resources it was completely was gonna check to make sure that was an explicit ace and that was that it completely ignored inherited aces and that’s because you know that’s if there’s kind of the big problem with it is what do you do if you find an inherited ace that you know if you find one that that puts you in compliance great there’s not a problem there and if that inherited a sever goes away you know when it converges again and we’ll put that back but what happens if you have something that’s being inherited that breaks that compliance how do you then go in and fix it do you you know you you you basically have a resource that’s saying I want this folder or this file or something like that to look this way and then it comes back so well it doesn’t look that way and I’m gonna have to go to your parent to fix it so I mean what I’m doing right now in version 4 is you you basically opt in to that check you know so it says this on the page before you go to download this is all experimental this could change I may change it so that you don’t opt in to the inherited check you may have to opt out at some point so and I also decided to it just doesn’t fix it if it writes a warning and you know it then it’ll show you that it’s not in compliance and if somebody can go in and manually fix it later then when it converges again it will be in compliance so you know here’s a link to the module at some point I plan to have it up on github all the source code and all that good stuff but right now you can download a copy from the technic gallery and there like I said there are three DSC resources you’ve got one called access control entry one called security descriptor and one called security descriptor STD l we’ll cover those in a little bit more detail so the first one the C access control entry resource so that covers that scenario I was talking about where you you don’t care what the rest of the security descriptor looks like you just care that either the dackel or thus Akal contains or does not contain or audits a certain ace there are certain permissions so you can’t say you can’t touch the owner with this resource you can’t touch whether or not inheritance is enabled or disabled all you care about is it a specific case is there or not there’s a it actually has a bunch of parameters so that you know I didn’t take up a whole bunch of stuff I can put that last one that says you know these are parameters shared with with the new PAC access control entry command –let but there’s a path which is going to obviously identify the object that you want to secure you have an object type and right now I’m artificially limiting it to it doesn’t work with everything that the rest of the module works with Active Directory objects are definitely out on this one during the hackathon the other day it started working on and one that’s gonna be for access control entry and it’s just gonna be a separate resource and you know I’m

a duplicate I may have three separate ones for Active Directory objects right now it works with files folders services wmr namespaces registry keys I don’t know if I mentioned that and I think that’s all I’ve got working with right now there’s not really any reason that it shouldn’t or that it wouldn’t work with the other ones it’s just I you know I want to test stuff before put that back in and by the way again another disclaimer if you use any of these test them extensively in a test environment you know this is all experimental preview stuff so there’s an insurer so that’s the uu insure present or absent it’s going to default to present if you don’t find anything specific so we didn’t really get a chance to cover in the previous the previous presentation specific but the the the remove access control entry command let has this concept of you know do you want to just remove like if you have an ace and you say I want to remove delete access but do you want me to remove an ace that says just delete or do you want me to just make sure that you can have whatever you want there but the delete right is not present specific is what controls that if you say I want to make sure that this user has write access if the user has full control and specific is set to false great I’m happy you know I’m not looking for a specific base that grants delete to the folder subfolders and files I’m just looking at that delete is there somewhere if specific is true then it must match exactly and the reverse is true when you’re telling it ensure is absent it will if you say specific is false and you say remove delete then if you have full control you’re going to be you should be left with full control – delete and you know that the the applies – I’m kind of glossing over that but you know that stuff would have to match as well test inherited aces that’s the property I was talking about where you would have to opt in by default it’s going to assume that’s false if you don’t set it and any of these resources where you tell and I want something to be set there it will completely ignore inherited aces and it will do it all explicitly I will cover that in the demo and then you have the things that you know talk about what how you want to access control entry to look things like the ACE type allowed an eye on it your question instead of going up to the parent to remove what you just like copy Daisy Oh yeah so that’s a good question so he was asking if for the test and harriday says if we find an ace that’s being inherited that breaks the the compliance can’t we just instead of fixing the parent can’t we just disable a CL inheritance on that and then make everything explicit and fix it the answer is yes you could actually do that and so for the C access control entry that would work fine the other resources actually lets you define that a CL inheritance so or whether or not the a CL inheritance is set so you know you could end up with a situation where you want inherit inheritance set and then you want these for access control entries and then or you want an inheritance enabled and you want these for access control entries and then one that’s being inherited kind of breaks that well at that point you’ve said you want to a CL inheritance enable so but but yeah for the C access control entry you know that is something that could be changed for that I mean all of this stuff is open up and I’m sure a lot of you guys would actually have ideas for ways to make this better this stuff is by it I don’t use this nearly as much as I use the other stuff so you know if you guys have any suggestions or ideas I’m definitely open to hear them because there are a lot of ways this could be improved so but yeah right now it doesn’t do it that was a good question thank you so I think we’re so yeah the H type allow deny or audit the principal the access mask and for that you do have to give it something that’s kind of new married but remember we have the helper function the new PAC access mask so we’ll see that in a little bit you can use that your applies to so if you’re working with it some kind of an object it exists in a hierarchy like a folder or a registry key that’s when you control you know will this apply to the folder subfolders and files or just to the folder but you you don’t need to use those friendly names you have to use things like object child container and the audit flags if it’s for an audit ace you have to specify audit flags either success or failure so let’s let’s demo real quick this resource so if we look here let’s make sure that all this is imported so I’m going to use I’m not going to use DSC to set up the prerequisites and things like that but so we set set our environment up real quick so that we ended up and we’ll take a look at the you know the folder and stuff that we’re going to be working with here in just a second we’ll look at

it before we try to actually start this configuration but you’ll see that I have persistent iteration there’s basically there’s for access control entry definitions in here so this one is set so that it’s going to if you look we want to ensure so it’s present so we want to make sure that this ace exists in some form the path you know that’s that was to find up above we’ll take a look at that in a little bit it’s gonna be the same path for all of these resources resource definitions you have an ace type so this time we want to make sure I’ll just go through this quick we want to allow users the ability to modify so remember access mask really wants to be in like an integer or something like that this helper function is going to return an enumeration which will be coerced into an integer so you know we’re saying we want to allow users the ability to modify and the object type is going to be a directory we did not specify applies to and I’m actually starting anything applies to may eventually become a required parameter but right now it’s not so it’s defaulting to you didn’t tell you didn’t give me anything specific I’m going to default to applying to the folder subfolder and files so this next one ensures present this is a deny ace we want to make sure that there is an ace that denies users the to delete and if you notice applies to his object so that should apply only to the folder we have another ace that this one should be absent so this is one where we’re looking to make sure that us that something does not exist and this one we want to make sure that that everyone group cannot delete so yeah this is different from the deny on the last one this one we’re looking for the absence of that being allowed and finally we’re gonna do an audit ace so we want to make sure that that the everyone group is being audited for everything for all failed accesses essentially as what that is saying so let’s come in here let’s collapse that and run it we will compile the moth and this little pack SD option is kind of a shorthand way we want to look at the audit the thus Akal as well so you know this is something that we covered in the previous session but get PAC access control entry so this is the before view of this thing and inherited from this kind of making everything rap it looks a little ugly but you can see we have only inherited aces there are no explicit aces right now so that’s what it looks like let’s run that configuration and you’ll see that when we’re done so now that’s what we look like so I have I have some little reminders here so the first the first one we defined said that users needed to have modify rights well users already had modify rights they were being inherited but remember we didn’t do tests inherited aces so it just ignored that now users have modify rights right there all right so let’s change you know we’ll walk back through the other things but what happens if we take this and change that users modify rights that’s explicitly defined to full control so if we do that you’ll see that you know now users have full control rights right and we told it in the actual definition that we wanted them to have modified but we didn’t say specific so let’s test the DSC configuration you’ll see it comes back it’s still compliant and the reason it’s still compliant it’s because you know we said we wanted to make sure they have modifier rides they do they have full control modifies included in that since we didn’t specify specific its happy with that it has no problem keeping that so the second thing that we would do find was that users needed to have a deny right for delete and it needed to apply only to the folder as you can see up here we’ve got that applies only to the object only to the folder the third thing that we were checking for was that everyone did not have delete rights well when we started everyone had no access explicitly defined or inherited so yeah we met that condition just fine so what happens when you add in this command you know we’re gonna take that folder we’re gonna give an allow ace to everyone for full control right so let’s run that that’s what we end up with so you can see everyone has full control let’s test that DSC configuration again so now it’s mad we get false back you know we said you cannot have everyone cannot have delete rights so let’s run let’s start the configuration again and take a look at what we end up with so now you see

everyone still has rights on there we don’t care that they have rights we just wanted to make sure they can’t delete from just the folder so you can see this is very similar to the scenario we walk through in the previous session where everyone now has two ways instead of the one full control ways they have two aces that first one over there the first one is highlighted you know all that crap that’s listed under access masked that’s that’s full control – delete and you can see that that is set to apply to the the folder subfolders and files this this object child containers and child objects and everyone still has delete rights but you notice the O is missing under applies – that’s for the folder itself we told it we don’t want them to have the delete right for the folder so the DSC configuration fix that for us so and then the last one you know we were we were looking for an actual cycle to be set and as you can see there you know again we’re in the same boat we’re test inherited aces wasn’t set so it didn’t care that that ace that oughta days already existed it made one for us right so let’s start over this is a going to basically remove all that stuff that we just did so we’re back to only our inherited aces right let’s take a look at another configuration let me so this should be the exact same thing that we just did except for each one of them we’re gonna set specific to true and we’re gonna set and test inherited a sista true otherwise well it’s not exactly Sam I’m sorry it there’s a there’s two things so we are we’re doing we want to make sure that users can modify and right now this is kind of this having to do this modify and synchronize to make it match exactly that that will go away in a future version you will be able to just say modify but right now you do have to put the synchronize right in there but in this case we’re not look full control won’t meet this requirement you must have modify and synchronized because we’re setting specific to true but if it’s inherited that’s fine because test inherited asus is true and then this one is similar to the everyone can’t delete that was in the previous one but again we’re looking for it to be specific and if if that is being inherited this is basically the opposite of the one if we were inheriting a delete that would cause us to fail so let’s take a look let’s run that compile them off one more time before we run it let’s take a look at what it looks like so let’s run it now so if we take a look oh it’s exactly the same as it was we didn’t have to create any explicit ASIS remember we said users need to have modify synchronize they do it’s being inherited we also said you everyone cannot delete well they can’t so I this this one here is an audit ace so that’s basically saying well even if this was allowing everyone to full control that wouldn’t have matched that they specifically so or exactly so it still would have been happy with it so let’s go ahead here and add let’s give users full control like I was just saying I kind of gave the secret away though so if you look everyone now is explicitly allowed full control right and we’re filtering this time I told it to it’s not showing the actual shackles so that’s why there’s just three still but if we test the configuration it still comes back true like I said everyone can have full control we said we want to make sure everyone doesn’t have a specific ace that grants delete it that way so what happens if we go in and play with the parent folder so we’re gonna split path on that folder we’ve been looking at we’re gonna call add access control entry to give everyone the delete that we were talking about and we’re gonna have this one apply to child containers and direct children only this this is basically telling it so that the thing that inherits it it’s going to apply just to it it’s not gonna apply to any of us children so let’s run this if we take a look at that you can see that now everyone does have that express its not explicit it’s inherited but everyone does have that ace that applies just to the folder and then grants delete and synchronize rights so if we do a test it should come back as false it does let’s go ahead and tell it to fix it we got a warning so you know it can’t fix that as of now you know we could potentially make it go in and disable a CL inheritance and just preserve the existing aces that would be one option but as of right now it it you know it’s it’s just gonna write a warning it can’t fix it so that is the access can access control entry resource

they might have any questions about that before we move on to the next one sure now this actually the DSC so this works in PowerShell 3 the DSC stuff obviously doesn’t them the the DSC resources are part of a module that I’ve made so the module itself works in version 3 the these DSC resources were actually written a good you know the the early versions of them were written a long time ago so they’re not using the class-based stuff so this actually should work in version 4 just fine what’s that yes yes this module so the target machine would have a requirement for this and it’s my understanding I’m by no means a DSC expert it’s my understanding if you’re doing the push configuration it would be on you to make sure it’s there if you’re doing a pull configuration then you know the actual servers should be able to handle that dependency for you yes exactly so now when the question was I’m sorry was uh is what the module be dependent with the target machine have a dependency on the module so let’s move on then to this see security descriptor resource so this one you know this doesn’t control just access control entries this can control any part of a security descriptor the owner the group the the dackel itself thus Akal and also the inheritance for both of those accuracy when you define something in it it’s only going to care about the parts you define so if you define or a configuration that says this thing right here is owner must be this it doesn’t care what the other parts look like it only cares about what you’ve defined so it’s gonna have some parameters so the first three are going to be exactly the same you these three parameters exist on all of the resources so you know I’m not going to cover those very much same limitation on the object type and then you know the owner and group those are going to be you should be able to use string representation I should be able to put a security identifier in there if you’d like but basically I think they they technically take strings but the actual resources will take care of converting those if possible into the proper principles and then there’s an access and access inheritance property and an audit and audit inherits property so those inheritance properties are going to be true or false I’m sorry they’re enabled or disabled is or the ballot values for those and the access and audit properties are CSVs of how you want these to look and it’s very forgiving maybe a little too forgiving you kind of have to look in the help to see what’s allowed on what it allows you to put the headers we’ll cover that in just a second well right now actually I guess so if we take a look at see security descriptor demo up here let’s read all this stuff in don’t tell anybody I’m not using DSC to do this alright so our first configuration is going to do exactly what I was just saying that it only cares about what you define so this one we’re just gonna say the owner must be the administrators group so you know we’re giving it a path and we’re telling it’s the object type is directory so let’s come up here and run this compile them off and let’s go ahead I’m not sure what the owner is actually let’s see what the owner currently is so the currently the owner already is administrator so let’s go ahead and change that let’s take ownership of that take a look and of course yeah I’m actually using the administrator or account notice there’s no s there so the administrators group is not currently the owner if we run that configuration you’ll notice that it comes back there we go the owner was changed I have a little bit of code here you know where I think I play around with the dackel a little bit and show that it really doesn’t care we’ll skip over that it really this configuration only cares that the owner is administrators you can do whatever you want whatever else you want to that security descriptor so this one sorry applies to everything that you defined in your yes so well yeah the other properties we’re basically telling you how to get to it so they weren’t security descriptor sections so the other properties that I defined were path and object type I believe so this next one is going to be it’s Dan it cares about yes yes so this is a new configuration and this one we’re still putting owner must be administrators in there you’ll have to take my word I’m not going to show that anymore that it would fix that if you changed it but now

we’re putting access in there right I didn’t mean to collapse that so you can see you know this is a real simple CSV you got principal you got folder rights and there’s nothing else and so what this is doing if we were to do an import or actually this will be a convert from CSV yeah so you know we get a CSV there if you pipe that again I hope I didn’t actually plan to just putting something I decided I was gonna I just did this on the fly hopefully though you send that through the new PAC access control entry and that was a format table or mat so what this is doing the CSV just really has to work for this whatever you define there you have to be able to get a valid access control entry out of it principal and folder rights are really all that’s required for that commandment if you don’t provide an ace type and you don’t provide audit flags it’s gonna assume that you want to allow ace if you don’t specify applies to its gonna look at in this case we had folder rights so it says hey you know this is for the file system it’s for a folder so I know that it should be object child containers and child objects so this one is really short because you’re taking a lot of that stuff you know you’re letting it do the defaults so this is we’re saying we want four aces to exist we want an ace that grants all of these are allows we want an ace that allows everyone read and execute we want one that allows administrators full control and we want one that allows system full control and users read and execute so collapse that down run it compile them off let’s take a look before we run anything so you’ll see here and remember tests inherited Asus was not set there so this is going to ignore inherited a system right now we have two inherited aces that’s it we were defining four phases earlier so if we run that and take a look at what we have well now we have six phases we have the four it explicitly defined that we said we wanted and note here that you know we already had inherited administrators full control so you know this is kind of redundant here we had users modify well actually users had modified we were looking for read and execute so but we’re not looking at inherited ASIS so everything is happy let’s see what happens though when we take the exact same configuration so owner administrators if you look you have the exact same CSV there but this time test inherited aces is true so let’s compile that and run it you immediately see we just got a warning message why did we get a warning message well we got a warning because we said we wanted the dackel to have four aces we wanted everyone in users to have read and execute we wanted system and administrator to have full control we’re almost there but we’re not quite there if you look we have instead of four we have five aces one of them has inherited so this administrators notice there’s only three that are explicitly defined the administrators full control didn’t have to be explicitly defined because it’s already being inherited but this users one here that’s that’s what’s messing it up because users is only supposed to have read and execute we’re only supposed to have four aces right now we have five that’s a problem so and you know as of right now I haven’t quite decided how how it would be fixed so right now it just gives you a warning message and it’s on you to go fix it if you were to do test the SE configuration it’s mad I can’t do anything about it but what happens if we come in and we change so we’re users has modified rights right there let’s go in we’re gonna do split paths so that says take me to the parent and let’s take that users ace and you know we’re this add access control entry this over rights which means take whatever users already allowed to do because it’s an allow ace and just overwrite that so we’ll run that and you’ll see so now things are looking a little bit better we’re inheriting this read and execute pace so that should make everything happy the only thing is we remember the configuration said we needed four aces right now we have five so if you run the test you’ll see that it’s it’s still false it’s still not compliant if you were to manually delete that explicit users then the test configuration would be happy without rerunning the the start DSC configuration but we’ll go ahead and let the DSC the LCM fix it for us so if you take a look all right now we’re down we have our four aces and so you know the the big thing to note here I guess is that with tests and Harry today’s to set

the true the see security descriptor resource doesn’t care where it gets the ace it’s just at the end of the day it needs to have if you were to just remove that inherited from so select ace to type principle that should be enough access mask applies to at the end of the day if you look at what it’s supposed to be said and what it currently is as long as this part matches it’s happy and remember if Tess inherited aces is false or not present then it you know it would just ignore any inherited aces and make everything explicit so I believe oh okay apparently I did have a couple more things there’s also some stuff if you if you walk through these when you get this source material I also kind of go over some registry keys and stuff like that but let’s look at this one’s going back to the one where tests inherited aces was false so the one we had already defined it’s the same we the same thing we were just looking at the test inherited aces is false so run this again okay and yeah this is basically just showing again I I didn’t mention it it’s that hey test inherited aces is false so I went ahead and just put those four aces back there again it’s it’s as if when it’s checking it it just drops off anything that’s being inherited so that’s about it for this resource any questions or suggestions all right so we’ll move on to the last one and this one’s actually going to be pretty short only because it’s a it’s very close to being the exact same thing as the other one except you provide how you want it to look differently so anybody familiar with SD DL the security descriptor definition language it’s it’s really uh it’s hard to read it’s hard to work with but it’s really really good at representing a security descriptor in a really short form so this thing lets you control exactly the same stuff almost except the severy thing specified by this uh you know through the string that is very very very hard to interpret you know if you’re looking at it with your eyes so the one big difference is remember in the last resource it basically just it ignored the flag that said whether or not the ace was inherited SD DL when you specify an STD else training each ace that’s defined in there we’ll take a look at a strip one of those strings in a minute it it says whether or not that ace is inherited so it’s almost like if if we made the security descriptor resource that we just showed it’s almost like if in that CSV you know we had a column that said is inherited and I’m to be perfectly honest on that might not be a bad idea to do something like that to where that resource had the ability to say you know I want the dackel to look this way and know these better be inherited right now I can’t do that but this one can and that’s just because you know SD DL says whether or not each ace is inherited or not and I’ll cover what that means a little bit more in a second the parameters are really easy you have those same three that we had on the other two path object type and test inherited aces and you you provide the actual security descriptor with one input s DD l it does still share the part about if you only define certain sections and it only cares about those STD l will let you have a valid string that only defines an owner or only defines an owner and a dackel or or defines all four if you’d like so let’s go into the demo for that all right so I’m not sure everything looks good so here you know we’re kind of kind of do the same thing that we did on the previous we have one that just defines an owner this one is I think I can explain this one without having to use a little helper command lit so this is saying that o : means this is the owner ba is a shorthand way of saying built-in administrators so it’s the same exact test that we did the last time or the same configuration we did the last time just using this security restore this DSE resource here we only care that the owner is built in admins so compile them off let’s set this time it looks like we’re setting the owner to the users group so if we look at that security descriptor we should see the owner is users so if we run the DSC configuration and get the security descriptor you’ll see now the owner is administrators so this time we’re gonna do one that sets the owner and the deco now if you look at this so like I said that’s this is a really short one too that’s kind of tough to read I mean you can see this

part’s telling you the owner and then this D colon is saying this is the dackel here are some flags you know that apply to the dackel itself and then each one of these that’s an ace and that’s an ace this is really really you know obviously hard to read but it’s a good form to have something you know if you want it kind of short you know it accurately represents a security descriptor we’re gonna take a look at what that means in just a second I’m gonna briefly cover the configuration definition though like I said it’s very simple we’re defining the path and the object type which are required tests inherited aces is not being set so this is going to do the same thing where it just ignores yeah and the difference here is if you if you give it an STD L string that has inherited aces when it tries to go and look at everything it’s gonna model like when it has it’s a when it goes to compare what’s current the current configuration is with what the desired configuration is it’s in both of those streams going to just act like inherited aces did not exist so if any of those aces that are in those parentheses had the flag that said they were inherited they’re just gonna be lopped off that string when it does the comparison so let’s let’s take a look at what that actual STD L strain means so there’s a there’s a command let in the module called new pack security descriptor and you you all you really need to provide it is this STD L parameter you can also do if you have a binary form you it’ll take that and this time around so that it shows so that it properly shows the actual what the numeric access mask means we tell it it’s a file object and this also since since this is a folder you have to do the is container otherwise it treats a file a little bit differently it would so so we create that and we get this security descriptor that looks just like we call it get packed security descriptor I mean you’ll see like up here path is unknown group is unknown but if you call just the access property or if you run get PAC access control entry against it you’ll see okay so this looks familiar this is alright we have for explicit aces so that this is doing the exact same thing that our second configuration did in the previous demo we have four aces everyone in users have read and execute system an administrator have full control and they’re all explicit none of them are inherited so let’s do the before-and-after again so right now we have on this on this folder we have two inherited aces we’re gonna start the configuration and we’re going to take a look and I mean the same thing so yeah this it’s gonna be there’s not much more to show you because I mean this literally is it does the exact same thing as the last one just in a different way well almost the exact same thing so let’s see what happens with the test inherited aces though so if we set it to true so this is you’ll have to take my word for it that well I mean it’s the same variable so this stdio nerd that will test this DVL string and we are going to run that and compile them off so let’s run it now oh so we got a warning and let’s take a look at what we’re left with so it’s upset because you know we’re testing inherited aces and again we specify four four aces that must be explicitly defined those are but it’s inherited in those two access control insurance and also in this case I didn’t mention this so for this one that STD L strain to define the dackel it did also have to include whether or not it was enabled inheritance was enabled or disabled in this case the flags specified that inheritance is enabled so this would be you know another instance for this one we can’t just disable inheritance but again I think that would work for the access control entry resource so for this one we need a way pretty much to change the parent and that’s what let’s see what is this guy doing so this is going to get all of the inherited I mean all of the explicit aces for the parent and this is basically gonna wipe out everything and then it’s gonna go through later so that we still have a little bit of access and see this is going to copy access right tight looking for access so it should put all of these on the parent let’s take a look and the sc/st DL test folder like access control entry so yeah so now right now so right now we’re looking at you know we basically copied that we

have for inherited aces that are exactly the same as the for explicitly defined aces so you know obviously we would get a warning if we ran that it probably was something else I meant to kind of convey here because this looks but if we remove all that you know now we don’t have any inherited aces without rerunning the start DSC configuration we can run test and test will come back and say okay I’m good you know we didn’t have to rerun everything it was just it took somebody coming in and fixing it themselves so finally this is going to show you we’re getting short on time so we’re going to let’s see No so in this one we output it I had it out put up basis two times so this time around we did go ahead and disable a CL inheritance and remember the STD L specified that a CL inheritance had to be enabled so if you look here declan heritage is disabled currently and if we come in here and run this configuration inheritance is enabled again and you know since we weren’t inheriting anything it was happy it could fix everything it got rid of all that extra stuff so let’s do one more it looks like this is for a sac ‘l okay yeah we’re getting into a registry key anyway so i mean we can we can go ahead and walk through this unless anybody has any questions this is basically you know we can look at what this is trying to do so if we do a new pack security descriptor STD l is dr test string ignore the name of the variable the object type is a registry key and i think it would set his container automatically for that one but i’m not positive so you can see we we want to Haunted property so this one we’re basically saying that these two entries should not be inherited we want to audit all failed accesses for everyone and we want to audit successful deletes for everyone so if you look at what it’s currently set to there’s no aces right there are no audit entries currently so if we run this now we have the two audit entries any questions so if there’s no question I will I’ll show you there’s honestly and truly I have no idea if this is even gonna work but on Monday we had the DSC hackathon so I talked with Ashley Ashley mcglone and Steve Murawski and we kind of got something together that almost works with Active Directory stuff so if I I see resources I didn’t mean to open them off as well but we have this is kind of what it what it might look like if we get this working later for how to configure Active Directory objects and again this is one of those things where it’ll probably be a long time before I’m ever telling anybody I’m comfortable with them running something like this but if you got a test machine and you don’t mind what happens and then have at it and this is actually nobody’s answered yes once I get it up on github so I meant to go into I need to move these examples under the DSC folder itself but I did not mean to show the definition of them I mean to actually show something that will use it so for this you can see collapse that what we’re gonna try to do here is where is it right so you know obviously this is this the user had better exist I’m not putting any kind of like anything to make sure to create it or anything like that but we have some of the same things in sure instead of path we have a distinguished name ace allow and this time we want to for this one we’re gonna give an extended right we’re gonna actually try to give somebody the ability to reset a password so this is kind of an example of Active Directory is very very granular with what it will allow so and this should be for the limited user so let’s real quick look at a get 80 user limited user and we’re gonna get PAC access control entry we’re looking for Active Directory rights extended right and we’re looking for any object ace type it has the word password in it so this should show us I’m actually we’re gonna do this for everyone so there’s the add-on let me specifically so right now you can see that everyone has changed password and self has change

password and you know the administrators have the ability to do all that do all extended rights so they can reset password as well so if this works this is going to when we run this the next time we should see that everyone has reset rights all right like I said this might not work I probably shouldn’t run it but and it’s gonna prompt me for credentials and pretty sure y’all saw the password that was there saying go in that comment that’s fine and when we yeah so we just ran that and let’s go to this where did I do okay yeah there’s the alphabet so start DST resource or DSC configuration and wait for Bo’s cross our fingers and it does take a look what it’s gonna have to do is take those credentials and it wraps them in an in boat command so and it’s gonna have to do that twice it has to do it for the test and then again for the set so this part you’ll notice is a ton slower than the other one if the LCM was if I could just get it to run and it’s in the context of the credential that I’ve provided it would be much faster it looks like oh and it’s also and in that invoke command is also having to load the active directory module so it does that twice so yeah we’re talking about a good amount of time and with any luck it looks like it’s in the set if this doesn’t work I’ll see if Donald take this out of the video so let’s take a look there we go everyone now has that’s not a good thing by the way but everyone to reset yeah yeah just for limited user nobody cares about that guy anyway so any questions all right well if you guys have suggestions or anything you know come find me afterwards and yeah I do plan in the next couple of weeks to get this stuff up on github like the actual source code itself get a good build process I’m not actually a developer I just play one on the weekends so alright well push the button