# ACLs

An Access Control List (ACL) is a set of **Access Control Entries (ACEs)**.

Each **ACE** holds an individual permission or audits access.

There are two types of ACL:

* **DACL** - Defines the permissions of a user or group on an object.
* **SACL** - Logs the success and failure audit messages when an object is accessed.

**Get the ACLs associated with the specified object**

{% code overflow="wrap" %}

```powershell
Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs
```

{% endcode %}

**Get ACLs associated with Domain Admins Group**

{% code overflow="wrap" %}

```powershell
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
```

{% endcode %}

**Get the ACLs associated with the specified LDAP search base**

{% code overflow="wrap" %}

```powershell
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
```

{% endcode %}

**Enumerate ACLs using ActiveDirectory module but without resolving GUIDs**

{% code overflow="wrap" %}

```powershell
Import-Module ActiveDirectory  # provides the AD: drive used below
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
```

{% endcode %}
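
The `Get-Acl` output above leaves `ObjectType` and `InheritedObjectType` as raw GUIDs. The following is an added example, not part of the original page: it builds a GUID-to-name map from the schema and the Extended-Rights container so the ACEs can be audited by name. The function name `Get-ResolvedAdAcl` is hypothetical, and the code assumes the ActiveDirectory module (RSAT) and read access to the schema and configuration partitions.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example): returns the ACEs of one AD object with GUIDs resolved.
function Get-ResolvedAdAcl {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName
    )

    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    # The all-zero GUID means the ACE applies to all properties / object classes.
    $guidMap[[guid]::Empty] = 'All'

    # Schema classes and attributes are identified by schemaIDGUID (stored as bytes).
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Extended rights and property sets are identified by rightsGuid (stored as a string).
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

    # Fall back to the raw GUID when it is not in the map.
    $resolve = {
        param($g)
        if ($guidMap.ContainsKey($g)) { $guidMap[$g] } else { $g.ToString() }
    }

    (Get-Acl "AD:\$DistinguishedName").Access | ForEach-Object {
        [pscustomobject]@{
            IdentityReference     = $_.IdentityReference
            AccessControlType     = $_.AccessControlType
            ActiveDirectoryRights = $_.ActiveDirectoryRights
            ObjectType            = & $resolve $_.ObjectType
            InheritedObjectType   = & $resolve $_.InheritedObjectType
            IsInherited           = $_.IsInherited
        }
    }
}

# Same object as the Get-Acl command above.
Get-ResolvedAdAcl -DistinguishedName 'CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local' |
    Format-Table -AutoSize
```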

**Search for interesting ACEs**

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
```

{% endcode %}

**Search for interesting ACEs for a specific user**

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentx"}
```

{% endcode %}

**Search for interesting ACEs for a specific group**

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

{% endcode %}

**Get the ACLs associated with the specified path**

{% code overflow="wrap" %}

```powershell
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
```

{% endcode %}
