ACLs

An Access Control List (ACL) is an ordered set of Access Control Entries (ACEs).

Each ACE either grants or denies a trustee (user or group) specific permissions on the object, or specifies which access attempts are audited.

An object's security descriptor holds two different types of ACL:

  • DACL (Discretionary ACL) - Defines which users or groups are allowed or denied which permissions on the object

  • SACL (System ACL) - Generates success and failure audit events when the object is accessed in the specified ways.

Get the ACLs associated with the specified object

Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs

Get ACLs associated with Domain Admins Group

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose

Get the ACLs associated with the specified prefix to be used for search

Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

Enumerate ACLs using the ActiveDirectory module (the AD: drive it creates), but without resolving the ObjectType GUIDs of the ACEs

(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access

Search for interesting ACEs

Find-InterestingDomainAcl -ResolveGUIDs

Search for interesting ACEs for a specific user

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentx"}

Search for interesting ACEs for a specific group

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
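The following PowerShell is an added example, not PowerView code and not from the original notes: it does with the ActiveDirectory module what the Get-Acl and Find-InterestingDomainAcl commands above do, resolving ObjectType GUIDs to names and reporting Allow ACEs that give write-class rights on an object to principals other than the expected privileged groups. The function names Get-GuidNameMap and Get-RiskyObjectAce are hypothetical, and it assumes a domain-joined session with the ActiveDirectory module imported (which creates the AD: drive).

```powershell
# Added example; not part of PowerView or the original page.
function Get-GuidNameMap {
    # Map extended-right GUIDs and schema attribute/class GUIDs to display names
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.Name }
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID |
        ForEach-Object { $map[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.Name }
    return $map
}

function Get-RiskyObjectAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidMap = (Get-GuidNameMap)
    )
    # Rights that let the holder modify the object, its DACL or its owner
    $writeRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','Self','ExtendedRight'
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Principals expected to hold such rights: SYSTEM, BUILTIN\Administrators, Enterprise Domain Controllers,
    # Domain Admins (RID 512), Enterprise Admins (RID 519), Schema Admins (RID 518)
    $expected = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-9', "$domainSid-512", "$domainSid-519", "$domainSid-518")
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # orphaned SID: still report it rather than skip it
        if ($expected -contains $sid) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        if (-not ($rights | Where-Object { $writeRights -contains $_ })) { continue }
        # Empty ObjectType means the right applies to the whole object, not one attribute or extended right
        $objType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                   elseif ($GuidMap.ContainsKey($ace.ObjectType)) { $GuidMap[$ace.ObjectType] }
                   else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $objType
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: review who can modify the Domain Admins group (DN from the page's lab domain)
Get-RiskyObjectAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local' | Format-Table -AutoSize
```

Any row returned is a principal outside the expected set that can change the object, its DACL or its owner; non-inherited rows on a privileged group or account are the ones to review first.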

Get the ACLs associated with the specified path

Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
