Skip to content

Instantly share code, notes, and snippets.

@m8r1us
Created March 14, 2024 15:41
Show Gist options
  • Save m8r1us/59f0fb5e841305bc25f762a296917da3 to your computer and use it in GitHub Desktop.
Save m8r1us/59f0fb5e841305bc25f762a296917da3 to your computer and use it in GitHub Desktop.
ACl check
function Get-EffectiveAccess {
[CmdletBinding()]
param(
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
[ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')]
[alias('DistinguishedName')]
[string] $Identity,
[parameter()]
[alias('Domain')]
[string] $Server
)
begin {
$guid = [guid]::Empty
$GUIDMap = @{}
if($PSBoundParameters.ContainsKey('Server')) {
$domain = Get-ADRootDSE -Server $Server
}
else {
$domain = Get-ADRootDSE
}
$params = @{
SearchBase = $domain.schemaNamingContext
LDAPFilter = '(schemaIDGUID=*)'
Properties = 'name', 'schemaIDGUID'
ErrorAction = 'SilentlyContinue'
}
$adObjParams = @{
Properties = 'nTSecurityDescriptor'
}
if($PSBoundParameters.ContainsKey('Server')) {
$params['Server'] = $Server
$adObjParams['Server'] = $Server
}
$schemaIDs = Get-ADObject @params
$params['SearchBase'] = "CN=Extended-Rights,$($domain.configurationNamingContext)"
$params['LDAPFilter'] = '(objectClass=controlAccessRight)'
$params['Properties'] = 'name', 'rightsGUID'
$extendedRigths = Get-ADObject @params
foreach($i in $schemaIDs) {
if(-not $GUIDMap.ContainsKey([guid] $i.schemaIDGUID)) {
$GUIDMap.Add([guid] $i.schemaIDGUID, $i.name)
}
}
foreach($i in $extendedRigths) {
if(-not $GUIDMap.ContainsKey([guid] $i.rightsGUID)) {
$GUIDMap.Add([guid] $i.rightsGUID, $i.name)
}
}
}
process {
try {
$adObjParams['Identity'] = $Identity
$object = Get-ADObject @adObjParams
foreach($acl in $object.nTSecurityDescriptor.Access) {
if($guid.Equals($acl.ObjectType)) {
$objectType = 'All Objects (Full Control)'
}
elseif($GUIDMap.ContainsKey($acl.ObjectType)) {
$objectType = $GUIDMap[$acl.ObjectType]
}
else {
$objectType = $acl.ObjectType
}
if($guid.Equals($acl.InheritedObjectType)) {
$inheritedObjType = 'Applied to Any Inherited Object'
}
elseif($GUIDMap.ContainsKey($acl.InheritedObjectType)) {
$inheritedObjType = $GUIDMap[$acl.InheritedObjectType]
}
else {
$inheritedObjType = $acl.InheritedObjectType
}
[PSCustomObject]@{
Name = $object.Name
IdentityReference = $acl.IdentityReference
AccessControlType = $acl.AccessControlType
ActiveDirectoryRights = $acl.ActiveDirectoryRights
ObjectType = $objectType
InheritedObjectType = $inheritedObjType
InheritanceType = $acl.InheritanceType
IsInherited = $acl.IsInherited
}
}
}
catch {
$PSCmdlet.WriteError($_)
}
}
}
Get-EffectiveAccess -Identity 'CN=..' | Out-GridView
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment