ACLs
An Access Control List (ACL) is a set of Access Control Entries (ACEs).
Each ACE defines an individual permission or audits access.
There are two types of ACL:
DACL - Defines the permissions of a user or group on an object
SACL - Logs the success and failure audit messages when an object is accessed.
Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs
Get ACLs associated with Domain Admins Group
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
Get the ACLs associated with the specified LDAP search base (the prefix used for the search)
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Enumerate ACLs using the ActiveDirectory module, but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Search for interesting ACEs for a specific user
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentx"}
Search for interesting ACEs for a specific group
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
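The triage step behind the "interesting ACEs" searches above, as an added example (not from the original page or from PowerView): it filters ACE objects shaped like the .Access output of Get-Acl for control-level rights held by principals outside an expected admin set. Find-RiskyAce, the two pattern variables, the dcorp NetBIOS name and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example for ACL review. All names below are hypothetical; tune the patterns to your domain.
# Rights that let the holder take over or rewrite the object.
$RiskyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
# Principals expected to hold such rights (anchored so "systemsvc" does not match "SYSTEM").
$ExpectedPrincipals = '\\(Domain Admins|Enterprise Admins|Administrators|SYSTEM)$'

function Find-RiskyAce {
    param(
        [Parameter(ValueFromPipeline = $true)] $Ace
    )
    process {
        # Only Allow entries grant access; Deny entries restrict it.
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        # The rights enum renders as a comma-separated string, e.g. "ReadProperty, WriteDacl".
        if ("$($Ace.ActiveDirectoryRights)" -notmatch $RiskyRights) { return }
        if ("$($Ace.IdentityReference)" -match $ExpectedPrincipals) { return }
        [pscustomobject]@{
            Principal = "$($Ace.IdentityReference)"
            Rights    = "$($Ace.ActiveDirectoryRights)"
            # Explicit (non-inherited) entries were set directly on this object.
            Inherited = $Ace.IsInherited
        }
    }
}

# Constructed sample ACEs (not real lab output), using the property names Get-Acl returns.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'dcorp\Domain Admins'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'dcorp\RDPUsers'; ActiveDirectoryRights = 'ReadProperty, WriteDacl'
                       AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'dcorp\student1'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Deny'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'dcorp\student1'; ActiveDirectoryRights = 'ReadProperty'
                       AccessControlType = 'Allow'; IsInherited = $false }
)

# Only the RDPUsers WriteDacl entry is reported for the sample data.
$sampleAces | Find-RiskyAce | Format-Table -AutoSize

# Against a live object (requires the ActiveDirectory module for the AD: drive):
# (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | Find-RiskyAce
```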