Active Directory delegation in PowerShell


I'm trying to delegate permissions 'Create all child objects' and 'Delete all child objects' on 'All descendant object'. When giving the permissions in GUI, the ACL looks like this:

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : All
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : DOMAINGROUP
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

I've been trying to replicate that ACL with System.DirectoryServices.ActiveDirectoryAccessRule.

Any help would be much appreciated

Tried:

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", "00000000-0000-0000-0000-000000000000"

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "Descendents", '00000000-0000-0000-0000-000000000000'

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", '00000000-0000-0000-0000-000000000000', "Allow", "All", '00000000-0000-0000-0000-000000000000'

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'

$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID, "CreateChild, DeleteChild", "Allow", '00000000-0000-0000-0000-000000000000', "Descendents")

Got:

New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "5".
    At line:1 char:9
    + $ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand


Mathias R. Jessen

Your 5 string arguments don't match any overload signature for the rule constructor exactly, but might match 2 of them if the arguments were converted to the correct argument type.

Providing arguments of the correct type will allow PowerShell to pick the right one:

$ace2 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
  [System.Security.Principal.SecurityIdentifier]$GroupSID, 
  [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
  [System.Security.AccessControl.AccessControlType]::Allow, 
  [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All, 
  [guid]::Empty)
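Putting the typed constructor call to work end to end, as an added example that is not part of the question or the answer: it builds the ACE, adds it to an OU only if an equivalent explicit entry is not already there, and re-reads the ACL to confirm the fields match the GUI output quoted in the question. It assumes the ActiveDirectory module (for the AD: drive and Get-ADGroup); the group name and OU distinguished name are placeholders.

```powershell
# Added example, not from the question or answer. Assumes the ActiveDirectory
# module; $groupName and $ouDn are placeholders to replace.
Import-Module ActiveDirectory

$groupName = 'DOMAINGROUP'                        # placeholder
$ouDn      = 'OU=Workstations,DC=example,DC=com'  # placeholder
$groupSid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# Typed arguments select the (SecurityIdentifier, ActiveDirectoryRights,
# AccessControlType, ActiveDirectorySecurityInheritance, Guid) overload.
# Guid.Empty as the inherited object type means "all descendant objects".
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
    [guid]::Empty)

$acl = Get-Acl -Path "AD:\$ouDn"

# Idempotency: only add the ACE if an identical explicit entry is not already set.
$existing = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
    $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceType -eq 'All' -and
    $_.InheritedObjectType -eq [guid]::Empty
}
if (-not $existing) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

# Verify: re-read the ACL and compare the fields the GUI shows for this entry.
$applied = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference -like "*\$groupName"
} | Select-Object -First 1

$expected = @{
    ActiveDirectoryRights = 'CreateChild, DeleteChild'
    InheritanceType       = 'All'
    ObjectType            = [guid]::Empty
    InheritedObjectType   = [guid]::Empty
    InheritanceFlags      = 'ContainerInherit'
    PropagationFlags      = 'None'
}
foreach ($key in $expected.Keys) {
    if ("$($applied.$key)" -ne "$($expected[$key])") {
        Write-Warning "$key is '$($applied.$key)', expected '$($expected[$key])'"
    }
}
```

The string comparison works because the enum values render exactly as the GUI-created ACL prints them (for example 'CreateChild, DeleteChild' and 'ContainerInherit'), so a silent warning-free run means the scripted ACE matches the one created by hand.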