Return list of user and extended rights to an attribute on an AD object


I am attempting to list all of the users who have WRITE privileges to the msds-oidToGroupLink property on all OID objects located in AD at "CN=<OID_Value>,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com".

I have numerous OIDs for which I need to bring this information back in a form that allows me to review the privileges and ultimately remove some user rights for that property.


My initial attempt to test just one object was:

$root = Get-ADRootDSE
$configNCDN = [String]$root.configurationNamingContext
Get-ADObject -Filter {(objectClass -eq "msPKI-Enterprise-Oid")} -SearchBase $configNCDN -Properties * | Select-Object *

# Get-Acl needs the AD: PSDrive (created by Import-Module ActiveDirectory) and the full DN, including the leading CN=
(Get-Acl 'AD:\CN=<Oid_Value>,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com').Access | Format-Table

I will use a foreach loop to iterate through each returned OID value and output it to CSV for analysis. However, what is returned does not show who has write privileges on the msds-oidToGroupLink property.

I may be attacking this from the wrong point, but I am hoping someone can help with what I am missing to get the information I need.

Any advice would be appreciated.

Thank you,
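One way to build the per-attribute review list described above, as an added example that is not code from the original post. It assumes the ActiveDirectory module (and the AD: drive it creates), that the attribute meant is the schema attribute msDS-OIDToGroupLink, and that the output file name is arbitrary. An ACE grants write on that attribute when it is WriteProperty scoped to the attribute's schemaIDGUID, to its property set, or to all properties (empty ObjectType); the generic and control rights are listed too because their holders can write the attribute or grant themselves the right to.

```powershell
# Added example: list every ACE that can write msDS-OIDToGroupLink on each
# msPKI-Enterprise-Oid object in the Configuration partition and export to CSV.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$configNC = $root.configurationNamingContext
$schemaNC = $root.schemaNamingContext
$attrName = 'msDS-OIDToGroupLink'

# Resolve the attribute's schemaIDGUID and, if it is a member of a property set, that set's GUID.
$attr = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID, attributeSecurityGUID `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))"
$attrGuid    = [Guid]$attr.schemaIDGUID
$propSetGuid = if ($attr.attributeSecurityGUID) { [Guid]$attr.attributeSecurityGUID } else { $null }
$allProps    = [Guid]::Empty   # ObjectType 00000000-... means the ACE covers all properties

$adr          = [System.DirectoryServices.ActiveDirectoryRights]
$writeProp    = $adr::WriteProperty
$broadRights  = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, GenericAll, WriteDacl, WriteOwner'

$results = foreach ($oid in Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msPKI-Enterprise-Oid)') {
    $acl = Get-Acl -Path "AD:\$($oid.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasBroad     = ($ace.ActiveDirectoryRights -band $broadRights) -ne 0
        $hasWriteProp = ($ace.ActiveDirectoryRights -band $writeProp) -ne 0
        $targetsAttr  = ($ace.ObjectType -eq $attrGuid) -or ($ace.ObjectType -eq $allProps) -or
                        ($propSetGuid -and $ace.ObjectType -eq $propSetGuid)
        # Keep the ACE only if it writes this attribute (directly, via its set, or all properties)
        # or carries a right broad enough to write it / take control of the object.
        if (-not ($hasBroad -or ($hasWriteProp -and $targetsAttr))) { continue }
        [pscustomobject]@{
            OID        = $oid.Name
            DN         = $oid.DistinguishedName
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType      # attribute / property-set GUID, or empty = all
            Inherited  = $ace.IsInherited
        }
    }
}

$results | Sort-Object OID, Identity | Export-Csv -Path .\oid-write-rights.csv -NoTypeInformation
```

Inherited entries usually come from the CN=OID container rather than the individual OID object, so check IsInherited before deciding where to remove a right.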