Determine ACLs on AD object


This topic contains 2 replies, has 2 voices, and was last updated 1 year, 4 months ago.

  • #78886

    Points: 71
    Rank: Member

    I'd like to determine what kind of permissions a specific user (service account) has on a particular AD user object. I have this one-liner:

    # The AD: drive only exists once the ActiveDirectory module is loaded
    Import-Module ActiveDirectory
    (Get-Acl 'AD:\CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com').Access |
        Format-Table IdentityReference, AccessControlType -AutoSize

    ...and get this kind of output:

    IdentityReference                               AccessControlType
    -----------------                               -----------------
    NT AUTHORITY\SELF                                           Allow
    NT AUTHORITY\Authenticated Users                            Allow
    NT AUTHORITY\SYSTEM                                         Allow
    S-1-5-32-548                                                Allow

    ...but I wish for output that, e.g., shows the service account has Write permission to the attribute TargetAddress, etc., on the User object.

    Any help is certainly appreciated here.


  • #78887

    Points: 1,759
    Helping Hand, Team Member
    Rank: Community Hero

    So, most of those permissions actually inherit from the base schema objects, not the actual AD objects. You'd have to get this from the schema, somehow, I suspect. The bigger problem is that the *-Acl commands probably won't get this for you – they're not designed for the level of granularity that AD uses.

    • #78995

      Points: 71
      Rank: Member

      So PowerShell 6? 🙂

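The attribute-level detail the original poster asks for, and that the reply doubts the *-Acl cmdlets can provide, is in fact already in what Get-Acl returns for an AD: path: each entry in .Access is a System.DirectoryServices.ActiveDirectoryAccessRule whose ActiveDirectoryRights says what is permitted and whose ObjectType GUID narrows that right to one attribute, property set or extended right (an empty GUID means the whole object). The one-liner in the question only printed IdentityReference and AccessControlType, so that detail was hidden. The GUIDs are resolved by reading schemaIDGUID from the schema partition and rightsGuid from the Extended-Rights container, which is the "get this from the schema" part of the reply. The following script is an added example, not code from the thread; the target DN and the principal name 'childDomain\svc-account' are assumed placeholders.

```powershell
# Added example: list the attribute-level and extended-right permissions one
# principal holds on one AD user object, resolving ObjectType GUIDs to names.
# The DN and the principal 'childDomain\svc-account' are assumed placeholders.
Import-Module ActiveDirectory

$TargetDn  = 'CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com'
$Principal = 'childDomain\svc-account'   # as Get-Acl renders IdentityReference

# Build a GUID -> name map. The empty GUID in an ACE means "the whole object".
$rootDse = Get-ADRootDSE
$guidMap = @{ [guid]::Empty.ToString() = 'All' }

# Schema attributes and classes carry their GUID in schemaIDGUID (a byte[]).
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }

# Extended rights (e.g. Reset Password) and property sets carry rightsGuid (a string).
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

# Each ACE is an ActiveDirectoryAccessRule: ObjectType scopes the right to one
# attribute/property set/extended right, InheritedObjectType to one object class.
$acl = Get-Acl -Path "AD:\$TargetDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType      # Allow / Deny
            Rights    = $_.ActiveDirectoryRights  # e.g. WriteProperty, ExtendedRight
            AppliesTo = $guidMap[$_.ObjectType.ToString()]           # e.g. targetAddress
            OnClass   = $guidMap[$_.InheritedObjectType.ToString()]  # e.g. user, or All
            Inherited = $_.IsInherited            # came down from the OU/domain
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, filtering on IdentityReference only catches ACEs granted to the account directly; rights the service account gets through group membership (the S-1-5-32-548 entry in the question's output is BUILTIN\Account Operators, which is exactly such a group) will only show up if you also compare against the groups the account belongs to, for example by translating each IdentityReference to a SID and matching it against the account's SID plus its group SIDs. Second, a Deny ACE on the same attribute outranks an Allow, so read the Type column together with Rights before concluding that a write to targetAddress is actually permitted.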