Determine ACLs on AD object

This topic contains 2 replies, has 2 voices, and was last updated by  Jeff Taylor 10 months, 2 weeks ago.

  • #78886

    Jeff Taylor

    I'd like to determine what kind of permissions a specific user (service account) has on a particular AD user object. I have this one-liner:

    (Get-ACL 'AD:\CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com').Access | ft IdentityReference,AccessControlType -A

    ...and get this kind of output:

    IdentityReference                               AccessControlType
    -----------------                               -----------------
    NT AUTHORITY\SELF                                           Allow
    NT AUTHORITY\Authenticated Users                            Allow
    NT AUTHORITY\SYSTEM                                         Allow
    S-1-5-32-548                                                Allow

    ...but I wish for something that, e.g., shows the service account has Write permission on the attribute TargetAddress, etc., on the User object.

    Any help is certainly appreciated here.


  • #78887

    Don Jones

    So, most of those permissions actually inherit from the base schema objects, not the actual AD objects. You'd have to get this from the schema, somehow, I suspect. The bigger problem is that the -ACL commands probably won't get this for you – they're not designed for the level of granularity that AD uses.
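
    The access rules that Get-Acl returns from the AD: drive are ActiveDirectoryAccessRule objects; besides IdentityReference and AccessControlType they carry ActiveDirectoryRights plus an ObjectType GUID naming the attribute, property set or extended right the ACE covers, and an InheritedObjectType GUID naming the class it applies to. The GUIDs can be resolved against the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid). The script below is an added example, not code from either post; it assumes the RSAT ActiveDirectory module is available, and the DN and account name are placeholders.

```powershell
# Added example: list the per-attribute rights one principal holds on an AD user object.
# Assumes the RSAT ActiveDirectory module; $TargetDN is the DN from the post, $Principal is a placeholder.
Import-Module ActiveDirectory

$TargetDN  = 'CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com'
$Principal = 'CHILDDOMAIN\svc-example'   # placeholder service account (DOMAIN\sAMAccountName)

$rootDse = Get-ADRootDSE

# Build a GUID -> name map from the schema (attributes and classes, keyed by schemaIDGUID)...
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# ...and from the Extended-Rights container (extended rights and property sets, keyed by rightsGuid).
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid, [string]$EmptyMeans)
    # An all-zero GUID means the ACE is not scoped to a single attribute/class.
    if ($Guid -eq [guid]::Empty)     { return $EmptyMeans }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()          # unknown GUID: show it raw rather than hide it
}

$acl = Get-Acl -Path "AD:\$TargetDN"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights            # e.g. WriteProperty, ExtendedRight, GenericAll
            Object    = Resolve-AceGuid $_.ObjectType          '(all attributes)'
            AppliesTo = Resolve-AceGuid $_.InheritedObjectType '(this object)'
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

    A WriteProperty ACE whose Object column resolves to targetAddress is the kind of entry the question is after. Two caveats: the Where-Object filter only matches ACEs granted directly to the account, so rights it holds through group membership (including the unresolved S-1-5-32-548 shown in the output, which is the built-in Account Operators group) need the account's groups added to the filter; and an ACE whose Object resolves to a property set (for example a displayName from the Extended-Rights container rather than an attribute's lDAPDisplayName) grants write access to every attribute in that set, not just one.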
