-
Notifications
You must be signed in to change notification settings - Fork 2
/
Get-EffectiveAccess.ps1
111 lines (100 loc) · 3.92 KB
/
Get-EffectiveAccess.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
<#
# Description:
# PowerShell function that tries to give a friendly translation of Get-Acl into human readable data. The function is designed exclusively for Active Directory, and requires the ActiveDirectory Module.
# From:
# https://github.com/santisq/Get-EffectiveAccess
# Examples:
# Get-ADOrganizationalUnit -Filter "Name -eq 'ExampleOU'" | Get-EffectiveAccess | Out-GridView
# Get-EffectiveAccess -Identity 'OU=ExampleOU,DC=domainName,DC=com' | Out-GridView
# Get-ADObject -Filter * | Get-EffectiveAccess | ft *
#>
function Get-EffectiveAccess {
[CmdletBinding()]
param(
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
[ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')]
[alias('DistinguishedName')]
[string] $Identity,
[parameter()]
[alias('Domain')]
[string] $Server
)
begin {
$guid = [guid]::Empty
$GUIDMap = @{}
if($PSBoundParameters.ContainsKey('Server')) {
$domain = Get-ADRootDSE -Server $Server
}
else {
$domain = Get-ADRootDSE
}
$params = @{
SearchBase = $domain.schemaNamingContext
LDAPFilter = '(schemaIDGUID=*)'
Properties = 'name', 'schemaIDGUID'
ErrorAction = 'SilentlyContinue'
}
$adObjParams = @{
Properties = 'nTSecurityDescriptor'
}
if($PSBoundParameters.ContainsKey('Server')) {
$params['Server'] = $Server
$adObjParams['Server'] = $Server
}
$schemaIDs = Get-ADObject @params
$params['SearchBase'] = "CN=Extended-Rights,$($domain.configurationNamingContext)"
$params['LDAPFilter'] = '(objectClass=controlAccessRight)'
$params['Properties'] = 'name', 'rightsGUID'
$extendedRigths = Get-ADObject @params
foreach($i in $schemaIDs) {
if(-not $GUIDMap.ContainsKey([guid] $i.schemaIDGUID)) {
$GUIDMap.Add([guid] $i.schemaIDGUID, $i.name)
}
}
foreach($i in $extendedRigths) {
if(-not $GUIDMap.ContainsKey([guid] $i.rightsGUID)) {
$GUIDMap.Add([guid] $i.rightsGUID, $i.name)
}
}
}
process {
try {
$adObjParams['Identity'] = $Identity
$object = Get-ADObject @adObjParams
foreach($acl in $object.nTSecurityDescriptor.Access) {
if($guid.Equals($acl.ObjectType)) {
$objectType = 'All Objects (Full Control)'
}
elseif($GUIDMap.ContainsKey($acl.ObjectType)) {
$objectType = $GUIDMap[$acl.ObjectType]
}
else {
$objectType = $acl.ObjectType
}
if($guid.Equals($acl.InheritedObjectType)) {
$inheritedObjType = 'Applied to Any Inherited Object'
}
elseif($GUIDMap.ContainsKey($acl.InheritedObjectType)) {
$inheritedObjType = $GUIDMap[$acl.InheritedObjectType]
}
else {
$inheritedObjType = $acl.InheritedObjectType
}
[PSCustomObject]@{
DistinguishedName = $Identity
Name = $object.Name
IdentityReference = $acl.IdentityReference
AccessControlType = $acl.AccessControlType
ActiveDirectoryRights = $acl.ActiveDirectoryRights
ObjectType = $objectType
InheritedObjectType = $inheritedObjType
InheritanceType = $acl.InheritanceType
IsInherited = $acl.IsInherited
}
}
}
catch {
$PSCmdlet.WriteError($_)
}
}
}