How to get effective permissions using PowerShell for an AD user object attribute

Does anyone know how to generate an ACL report for AD user attributes? For example, who has "read initials" or "write initials" rights to Active Directory users. I found PowerShell commands to get the ACL for the AD custom object itself, but not at the attribute level.



1 answer


Check the PowerShell Access Control Module. Version 3.0 is implemented almost entirely in PowerShell, which makes it quite slow compared to using Get-Acl, but I think it might do what you're asking (and I'm working on the speed issue).

It has a function called Get-EffectiveAccess that can calculate the effective access of a principal over a securable, but I don't think that's what you are looking for. It sounds like you want to get the ACEs that provide read / write access to the "initials" property. To do this, you would use Get-AccessControlEntry:

# Get any ACEs that grant or deny read or write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials

# Get any ACEs that grant or deny write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty

# Get any ACEs that grant write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty -AceType AccessAllowed


All of these examples use Get-ADUser to find a single user. You should be able to feed any AD object to the function, regardless of whether you are using the AD module or the DirectorySearcher. You can even specify the distinguished name as the -Path parameter to the function.



The -ObjectAceType parameter should be able to take a GUID, or you can put in one or more property / property set / validated write / extended right / class names (you can use * as a wildcard).

If you really want to calculate the actual effective access, here are some examples of the Get-EffectiveAccess function:

# Get effective access that 'AnotherUser' has over 'TestUser' object (this doesn't include property, property set, validated write, etc effective permissions):
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser

# Same as before, but this time include effective access down to the ObjectAceType level:
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes initials
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes init*


While working on the last few examples, I noticed that there are some errors that get logged when using Get-EffectiveAccess with the -ObjectAceTypes parameter, even though the function is working correctly. If I have time on the weekend, I can fix this, but I'll probably just wait for version 4.0.

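For readers who cannot install a third-party module, here is an added example (not code from the question, the answer, or the PowerShellAccessControl module) that answers the same property-level question with only the RSAT ActiveDirectory module and Get-Acl on the AD: drive. It resolves the attribute's schemaIDGUID and, where present, the GUID of the property set that covers it (attributeSecurityGUID), then lists every ACE on the user object whose ObjectType is one of those GUIDs or the empty GUID (all properties) and that carries a ReadProperty or WriteProperty bit. The function name Get-AttributeAce and the account name TestUser are placeholders chosen here; the script assumes the ActiveDirectory module is loaded so that the AD: drive exists.

```powershell
# Added example, not from the answer or the PowerShellAccessControl module.
# Lists the ACEs on one user object that can read or write a given attribute,
# using only the RSAT ActiveDirectory module and Get-Acl on the AD: drive.
# 'TestUser' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-AttributeAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,          # sAMAccountName or distinguished name
        [Parameter(Mandatory)]
        [string]$AttributeName      # lDAPDisplayName, e.g. 'initials'
    )

    begin {
        $rootDse = Get-ADRootDSE

        # The attribute's schema object carries its own GUID (schemaIDGUID) and,
        # if it belongs to a property set, that set's rightsGuid (attributeSecurityGUID).
        $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
            -Properties schemaIDGUID, attributeSecurityGUID
        if (-not $schemaObj) { throw "Attribute '$AttributeName' not found in the schema." }

        # Map every ObjectType GUID that can cover this attribute to a readable scope label.
        $scopes = @{}
        $scopes[[guid]::Empty] = 'all properties'
        $scopes[[guid]::new([byte[]]$schemaObj.schemaIDGUID)] = "attribute $AttributeName"
        if ($schemaObj.attributeSecurityGUID) {
            $scopes[[guid]::new([byte[]]$schemaObj.attributeSecurityGUID)] = 'property set'
        }

        $read        = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
        $write       = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    }

    process {
        $user = Get-ADUser -Identity $Identity
        $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            # Inherit-only ACEs (e.g. inherited entries scoped to another object class)
            # do not apply to this object itself.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

            # ObjectType says which property or property set the ACE is scoped to.
            if (-not $scopes.ContainsKey($ace.ObjectType)) { continue }

            # GenericRead/GenericWrite/GenericAll already include these bits, so a
            # plain bit test catches generic grants as well as explicit property ones.
            $rights   = [int]$ace.ActiveDirectoryRights
            $canRead  = ($rights -band $read)  -ne 0
            $canWrite = ($rights -band $write) -ne 0
            if (-not ($canRead -or $canWrite)) { continue }

            [pscustomobject]@{
                User      = $user.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Read      = $canRead
                Write     = $canWrite
                Scope     = $scopes[$ace.ObjectType]
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: who holds ACEs that can read or write 'initials' on TestUser?
Get-AttributeAce -Identity 'TestUser' -AttributeName 'initials' | Format-Table -AutoSize
```

To audit every user rather than one, pipe the account names in (`Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName | Get-AttributeAce -AttributeName initials`). Like the Get-AccessControlEntry calls in the answer, this reports the ACEs themselves, not effective access: it does not expand group membership or apply deny-over-allow ordering, which is the distinction the answer draws for Get-EffectiveAccess.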






