Determine ACLs on AD object

I’d like to determine what kind of permissions a specific user (service account) has on a particular AD user object. I have this one liner:

(Get-ACL 'AD:\CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com').Access | ft IdentityReference,AccessControlType -A

…and get this kind of output

IdentityReference                  AccessControlType
NT AUTHORITY\SELF                  Allow
NT AUTHORITY\Authenticated Users   Allow
NT AUTHORITY\SYSTEM                Allow
S-1-5-32-548                       Allow

…but I wish for something that shows, e.g., that the service account has Write permission to the attribute TargetAddress, etc. on the User object.

Any help is certainly appreciated here.

Thanks
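The attribute-level view the question asks for can be built from the same Get-Acl output, because each ActiveDirectoryAccessRule carries an ObjectType GUID that the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid) map back to names. The script below is an added example, not code from the original post; the DN is the one from the question and the account name CHILDDOMAIN\svc_account is an assumption.

```powershell
# Added example: resolve each ACE on an AD user object to the attribute or
# extended right it covers. Requires the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

$TargetDN  = 'CN=ME,OU=Users,DC=childDomain,DC=forestRoot,DC=com'   # DN from the question
$Principal = 'CHILDDOMAIN\svc_account'                              # assumed account name

# Build one GUID -> name map from the schema and the Extended-Rights container.
# Both are read-only LDAP queries against the forest configuration.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceTarget {
    param([Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    # An all-zero ObjectType means the right applies to the whole object,
    # not to a single attribute, property set or extended right.
    if ($Ace.ObjectType -eq [guid]::Empty) { return '(entire object)' }
    if ($guidMap.ContainsKey($Ace.ObjectType)) { return $guidMap[$Ace.ObjectType] }
    return $Ace.ObjectType.ToString()   # GUID not found in either container; show raw
}

# Keep only ACEs whose trustee is the account under review, then expand each
# one to the right (e.g. WriteProperty) and the attribute it targets.
(Get-Acl "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            AppliesTo = Resolve-AceTarget -Ace $_
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

The filter matches only ACEs granted directly to that trustee; rights the account holds through group membership (the S-1-5-32-548 entry in the output above is the built-in Account Operators group) show up under the group's name, so review those rows as well.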

So, most of those permissions actually inherit from the base schema objects, not the actual AD objects. You’d have to get this from the schema, somehow, I suspect. The bigger problem is that the -ACL commands probably won’t get this for you - they’re not designed for the level of granularity that AD uses.

so PowerShell 6? :slight_smile: