Saturday 12 October 2013

Setting the Correct Permissions On An OU for Cluster Name Objects (CNO) Using PowerShell

I'm busy automating a lot of things at the moment so expect a few of these "snippets".

When you create a Failover Cluster, a Cluster Name Object (CNO) is created during the process to enable the use of Kerberos authentication during operation.

When you then create a role such as a Clustered File Server role, the cluster will attempt to create a Virtual Cluster Object (VCO) in the OU that the parent CNO resides in.

Unlike the CNO, which is created using the security permissions of the account forming the cluster, the VCO is created using the security rights of the parent CNO. The CNO therefore needs the right to create (and delete) computer objects in that OU, and to read and write the properties of the computer objects beneath it.

You can read more on CNOs and the changes made in Windows Server 2012 here: http://blogs.technet.com/b/askcore/archive/2012/09/25/cno-blog-series-increasing-awareness-around-the-cluster-name-object-cno.aspx

Below is a quick and dirty script/function that allows you to provide the Organisational Unit distinguished name (OU=Name of OU, DC=Domain, DC=DomainFQDN) and the CNO computer account name. It adds two access control entries to the OU for the CNO: read/write of all properties on descendant computer objects, and create/delete of computer objects in the OU.

function Set-CNOOUPermissions {
    Param (
        [Parameter(Mandatory=$true)]
        [String]$OUPath,   # distinguished name of the OU, e.g. OU=Clusters,DC=domain,DC=local
        [Parameter(Mandatory=$true)]
        [String]$CNO       # computer account name of the Cluster Name Object
    )
    # Get-ADComputer and the AD: drive both need the ActiveDirectory module
    Import-Module ActiveDirectory -ErrorAction Stop
    Set-Location AD:
    # Bind to the OU and look up the SID of the CNO's computer account
    $ADObject = [ADSI]("LDAP://" + $OUPath)
    $Computer = Get-ADComputer -Filter "name -eq `"$CNO`""
    if (-not $Computer) { throw "Computer account '$CNO' was not found in the domain" }
    $ClusterSID = [System.Security.Principal.SecurityIdentifier]$Computer.SID
    # SchemaIDGuid for the Computer class: bf967a86-0de6-11d0-a285-00aa003049e2
    $ObjectGUID = New-Object guid bf967a86-0de6-11d0-a285-00aa003049e2
    # The null GUID in an ACE means "all properties" (objectType) or "all classes" (inheritedObjectType)
    $guidNull = New-Object guid 00000000-0000-0000-0000-000000000000
    # ACE 1: read/write all properties (plus generic execute) on descendant computer objects
    # (objectType = null GUID, inheritance = All, inheritedObjectType = computer class)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ClusterSID,"ReadProperty,WriteProperty,GenericExecute","Allow",$guidNull,"All",$ObjectGUID
    $ADObject.ObjectSecurity.AddAccessRule($ace)
    # ACE 2: create and delete child objects of class computer, i.e. the VCOs
    # (objectType = computer class, inheritance = All, inheritedObjectType = null GUID)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ClusterSID,"CreateChild,DeleteChild","Allow",$ObjectGUID,"All",$guidNull
    $ADObject.ObjectSecurity.AddAccessRule($ace)
    # Write the modified DACL back to the OU
    $ADObject.CommitChanges()
}

I've also uploaded the script to my SkyDrive here: http://sdrv.ms/19FCp8K

Usage Example:

$OUTarget = (Get-ADOrganizationalUnit -Filter 'name -eq "Clusters"').DistinguishedName

Set-CNOOUPermissions -OUPath $OUTarget -CNO "PowerONCMA"
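Once the function has run, it is worth reading the DACL back rather than trusting that CommitChanges() did what you expected, and the same read-back is a useful audit of any OU that holds cluster objects. The function below is an added example and is not part of the original post or script: it enumerates the ACEs granted to the CNO on the OU, reports whether the two rules above are present, and counts any rule that is broader than those (GenericAll, WriteDacl or WriteOwner on an OU lets the CNO change every object beneath it, not just its own VCOs). The function name Test-CNOOUPermissions and its output fields are my own; it assumes the ActiveDirectory module and a domain connection, and takes the same -OUPath and -CNO arguments as the script.

```powershell
# Added example (not from the original post): audit what a CNO has been granted on an OU.
# Assumes the ActiveDirectory module; $OUPath is the OU's distinguished name.
function Test-CNOOUPermissions {
    Param (
        [Parameter(Mandatory=$true)]
        [String]$OUPath,
        [Parameter(Mandatory=$true)]
        [String]$CNO
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # SchemaIDGuid of the computer class, the same value the script above uses
    $ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
    $NullGuid          = [Guid]::Empty
    $Rights            = [System.DirectoryServices.ActiveDirectoryRights]

    $Computer = Get-ADComputer -Filter "name -eq '$CNO'"
    if (-not $Computer) { throw "Computer account '$CNO' was not found in the domain" }
    $ClusterSID = [System.Security.Principal.SecurityIdentifier]$Computer.SID
    $ADObject   = [ADSI]("LDAP://" + $OUPath)

    # Request the rules with identities as SIDs so the match does not depend on name translation;
    # inherited rules are included because a rule inherited from a parent OU still grants the right.
    $rules = @($ADObject.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $ClusterSID })
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

    # "Create computer objects": CreateChild with objectType = computer class
    # (an objectType of the null GUID means "any child class", which also satisfies the check)
    $canCreateComputers = [bool]($allow | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::CreateChild) -and
        ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq $NullGuid)
    })

    # "Write all properties on descendant computer objects": WriteProperty with objectType = null GUID
    # and inheritedObjectType = computer class (or null for "all descendant classes")
    $canWriteComputerProps = [bool]($allow | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::WriteProperty) -and
        $_.ObjectType -eq $NullGuid -and
        ($_.InheritedObjectType -eq $ComputerClassGuid -or $_.InheritedObjectType -eq $NullGuid)
    })

    # Anything broader than the two rules the script adds deserves a second look
    $overlyBroad = @($allow | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
        $_.ActiveDirectoryRights.HasFlag($Rights::WriteDacl)  -or
        $_.ActiveDirectoryRights.HasFlag($Rights::WriteOwner)
    })

    [PSCustomObject]@{
        OU                    = $OUPath
        CNO                   = $CNO
        CNOSID                = $ClusterSID.Value
        CanCreateComputers    = $canCreateComputers
        CanWriteComputerProps = $canWriteComputerProps
        OverlyBroadRules      = $overlyBroad.Count
        Rules                 = $rules | Select-Object ActiveDirectoryRights, AccessControlType,
                                    ObjectType, InheritedObjectType, InheritanceType, IsInherited
    }
}

# Usage, against the same objects as the example above:
# $OUTarget = (Get-ADOrganizationalUnit -Filter 'name -eq "Clusters"').DistinguishedName
# Test-CNOOUPermissions -OUPath $OUTarget -CNO "PowerONCMA"
```

The Rules property keeps the raw ACEs so you can see exactly which objectType and inheritedObjectType GUIDs each rule carries; a CanCreateComputers of False after running Set-CNOOUPermissions usually means the function bound to a different OU than the one the CNO actually lives in.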

1 comment:

Anonymous said...

Hi, how can I set advanced permissions?
I want to allow the CNO to create VCOs in the same OU by allowing the "Create computer objects" permission in the advanced tab, via PowerShell.