
Report Active Directory ACL with PowerShell

  • romanvitsinskyi
PowerShell, ACL, Active Directory permissions

Unfortunately, the Active Directory PowerShell module doesn't include any cmdlet for reporting Active Directory ACLs. However, the good old Get-Acl comes in handy and can be used to report AD permissions on any object: importing the module creates an AD: PSDrive, and Get-Acl accepts a distinguished name on that drive as follows:

(Get-Acl -Path "AD:OU=ProdOU,DC=Contoso,DC=com").Access

There is a catch though: the output doesn't look like what we're used to seeing in the UI. For example:

ActiveDirectoryRights : ExtendedRights
InheritanceType       : Descendents
ObjectType            : 28630ebf-41d5-11d1-a9c1-0000f80367c1
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : Contoso\Admin1
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

The GUIDs are the problem. ActiveDirectoryRights : ExtendedRights only tells you that the ACE grants a control access right (Reset Password, Replicating Directory Changes and the like) rather than a generic right; which one is encoded in ObjectType, which carries either the rightsGuid of the extended right, property set or validated write, or the schemaIDGUID of the single attribute the ACE is scoped to. InheritedObjectType carries the schemaIDGUID of the object class the ACE is inherited by (bf967aba-0de6-11d0-a285-00aa003049e2 in the example above is the user class), and an all-zero GUID in either field means "everything". ObjectFlags tells you which of the two fields is actually set. This nice Microsoft devblogs article covers each property in great detail. I just want to share a complete script that resolves both kinds of GUID by looking them up in CN=Extended-Rights in the configuration partition and in the schema partition. Set the $path variable to the DN of your object and you'll get a nicely formatted Active Directory ACL report. You're welcome!


$rootDse = Get-ADRootDSE
# rightsGuid -> display name for control access rights, property sets and validated writes
$RightGUIDs = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(objectClass=controlAccessRight)" -Properties DisplayName, RightsGUID |
    ForEach-Object { $RightGUIDs[([string]$_.RightsGUID).ToLower()] = $_.DisplayName }
# schemaIDGUID -> name for every class and attribute (stored as a byte array, hence the [Guid] cast)
$SchemaIDGuids = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(SchemaIDGUID=*)" -Properties Name, SchemaIDGUID |
    ForEach-Object { $SchemaIDGuids[([Guid]$_.SchemaIDGUID).ToString()] = $_.Name }
function Resolve-AceGuid ([Guid]$Guid) {
    if ($Guid -eq [Guid]::Empty) { return "All" }          # all-zero GUID = every right / every class
    $key = $Guid.ToString()
    if ($RightGUIDs.ContainsKey($key))    { return $RightGUIDs[$key] }
    if ($SchemaIDGuids.ContainsKey($key)) { return $SchemaIDGuids[$key] }
    return $key                                            # unknown GUID: leave it for manual lookup
}
$path = "AD:" + (Get-ADDomain).DistinguishedName    # replace with the DN of the object to report on
(Get-Acl -Path $path).Access | Select-Object @{N="Type";               E={$_.AccessControlType}},
                                             @{N="Principal";          E={$_.IdentityReference}},
                                             ActiveDirectoryRights,
                                             @{N="controlAccessRight"; E={Resolve-AceGuid $_.ObjectType}},
                                             InheritanceType,
                                             @{N="InheritedObject";    E={Resolve-AceGuid $_.InheritedObjectType}},
                                             IsInherited, InheritanceFlags
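A check worth running on the report once the GUIDs resolve, as an added example that is not part of the original post: flag Allow ACEs whose rights let a principal take over the object or act as it. The function names Test-RiskyAce and Find-RiskyAces are this example's own, the sample ACEs are constructed so the block runs without a domain, and the set of flagged rights is deliberately minimal (GenericAll, WriteDacl, WriteOwner, WriteProperty not scoped to one attribute, Reset Password and the two replication rights); extend it for your environment.

```powershell
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum used below

# rightsGuid values (from CN=Extended-Rights) of control access rights that are a finding on
# their own when granted outside the admin tier
$RiskyExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'      # Reset Password
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'  # DCSync needs both
}

# Example helper (not from the original post): returns a reason string for a risky Allow ACE, else $null
function Test-RiskyAce {
    param($Ace)   # an ActiveDirectoryAccessRule or any object with the same property names
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights
    $reasons = @()

    # Full control, or the ability to rewrite the DACL/owner and grant yourself anything
    $takeover = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    if (($rights -band $takeover) -ne 0) { $reasons += "rights: $($rights -band $takeover)" }

    # WriteProperty is only flagged when it is not scoped to a single attribute (ObjectType empty)
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0 -and
        $Ace.ObjectType -eq [Guid]::Empty) { $reasons += 'WriteProperty on all attributes' }

    # ExtendedRights: the ObjectType GUID says which control access right is granted
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRights) -ne 0) {
        $key = $Ace.ObjectType.ToString().ToLower()
        if ($Ace.ObjectType -eq [Guid]::Empty)         { $reasons += 'all extended rights' }
        elseif ($RiskyExtendedRights.ContainsKey($key)) { $reasons += $RiskyExtendedRights[$key] }
    }
    if ($reasons.Count -gt 0) { return ($reasons -join '; ') }
    return $null
}

# Example helper (not from the original post): one finding row per risky ACE
function Find-RiskyAces ($Aces) {
    foreach ($ace in $Aces) {
        $why = Test-RiskyAce $ace
        if ($why) { [pscustomobject]@{ Principal = $ace.IdentityReference; Finding = $why } }
    }
}

# Constructed sample ACEs (not real data) shaped like the rows Get-Acl returns
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$SampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\HelpDesk';   AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRights'
                       ObjectType = [Guid]'00299570-246d-11d0-a768-00aa006e0529'; InheritedObjectType = $userClass }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Svc-Backup'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'WriteDacl'
                       ObjectType = [Guid]::Empty; InheritedObjectType = [Guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Auditors';   AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty, ListChildren'
                       ObjectType = [Guid]::Empty; InheritedObjectType = [Guid]::Empty }
)

Find-RiskyAces $SampleAces | Format-Table -AutoSize

# Against a live object, feed the real DACL instead, e.g.:
# Find-RiskyAces (Get-Acl -Path "AD:OU=ProdOU,DC=Contoso,DC=com").Access
```

On the constructed input the HelpDesk ACE is reported as User-Force-Change-Password and the Svc-Backup ACE as WriteDacl, while the read-only Auditors ACE is ignored. Run against a real object, the built-in administrative groups will of course show up too, so filter the findings by principal and also check (Get-Acl $path).Owner, which the Access collection does not include.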
