Determine ACLs on AD object


This topic contains 2 replies, has 2 voices, and was last updated by 1 year, 8 months ago.

  • #78886

    I'd like to determine what kind of permissions a specific user (service account) has on a particular AD user object. I have this one liner:

    (Get-ACL 'AD:\CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com').Access | ft IdentityReference,AccessControlType -A

    ...and get this kind of output

    IdentityReference                               AccessControlType
    -----------------                               -----------------
    NT AUTHORITY\SELF                                           Allow
    NT AUTHORITY\Authenticated Users                            Allow
    NT AUTHORITY\SYSTEM                                         Allow
    S-1-5-32-548                                                Allow

    ...but I wish for output that, e.g., shows the service account has Write permission to the attribute TargetAddress, etc. on the User object.

    Any help is certainly appreciated here.


  • #78887

    So, most of those permissions actually inherit from the base schema objects, not the actual AD objects. You'd have to get this from the schema, somehow, I suspect. The bigger problem is that the -ACL commands probably won't get this for you – they're not designed for the level of granularity that AD uses.

    • #78995

      so PowerShell 6? 🙂
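For the per-attribute view the question asks about, the ACEs returned by the one-liner carry an ObjectType GUID and an ActiveDirectoryRights value; the reply's point about inheritance is visible through the IsInherited flag. The script below is an added example, not code from either poster: it resolves each ACE's ObjectType GUID against the schema and extended-rights containers so a single identity's rights on one object are listed attribute by attribute. The DN, the service account name and the ActiveDirectory module being available are assumptions.

```powershell
# Added example (not from the thread): list per-attribute rights one identity holds on an AD object.
# Assumes the ActiveDirectory module (which provides the AD: drive) and read access to the schema.
Import-Module ActiveDirectory

$objectDN = 'CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com'   # placeholder DN from the question
$identity = 'CHILDDOMAIN\svc-account'                                # hypothetical service account

# Map GUID -> friendly name for schema attributes/classes (schemaIDGUID) and extended rights (rightsGuid).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }   # schemaIDGUID is a byte[]
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }        # rightsGuid is a string

# Pull the ACEs for the object and keep only those naming the identity directly.
$acl = Get-Acl -Path "AD:\$objectDN"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    ForEach-Object {
        # An empty ObjectType means the ACE applies to the whole object, not one attribute or right.
        $target = if ($_.ObjectType -eq [guid]::Empty) { '<entire object>' }
                  elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                  else { $_.ObjectType.ToString() }
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights      # e.g. WriteProperty, ExtendedRight, GenericAll
            AppliesTo = $target                       # attribute, class or extended right the ACE targets
            Inherited = $_.IsInherited                # True when the ACE came down from a parent container
        }
    } | Format-Table -AutoSize
```

Only ACEs that name the account directly are matched; rights the service account receives through group membership need the groups' own entries to be checked as well, or the filter widened to the account's token groups.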

The topic ‘Determine ACLs on AD object’ is closed to new replies.
