One of the biggest advances of AD cmdlets 1.1 is support for AD security operations. In this post we will look at the Get-QADPermission cmdlet and how you can use it to read permissions set on AD objects.
To get a list of permissions set on an AD objects directly you just need to use:
Get-QADPermission Identity – where identity is Name, DN, Canonical name, Domain\Name, and so on. For example:
Get-QADPermission ‘Dmitry Sotnikov‘
As usual you can pipeline a set of objects into the cmdlet to get results for all of them, e.g.:
Get-QADUser -SearchRoot domain.local/employees/chicago -SecurityMask DACL | Get-QADPermission
Here I am getting access control for all permissions directly set on users in the domain.local/employees/chicago OU. Note that I am also using the -SecurityMask parameter to tell the Get-QADUser cmdlet to retrieve the access list (DACL – Discretionary Account Control List). This is optionally but highly recommended because if you use this parameter Get-QADPermission does not have to retrieve the DACL again – less calls to the DC, better performance.
The examples above deal only with the permissions set on the object directly, you can add inherited permissions by simply adding -Inherited. In a similar fashion, the -SchemaDefault parameter adds Account Control Entries (ACE) that came from the default security descriptor. So this will give you everything:
Get-QADPermission “Dmitry Sotnikov“ -Inherited -SchemaDefault
Or the same but much faster:
Get-QADUser -Name “Dmitry Sotnikov“ -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault
You can look for the rights which specific trusties have:
Get-QADPermission “Dmitry Sotnikov“ -Account (‘domain\bill‘, ‘self‘) -UseTokenGroups
Note that I have added -UseTokenGroups to make sure I get Bill’s rights even if he got those via group membership.
Or for specific rights set on specific properties:
Get-QADPermission “Dmitry Sotnikov“ -Rights ‘WriteProperty‘ -Property (‘samAccountName‘,‘name‘)
You can also check for extended rights. Let’s see if I can change my password:
Get-QADPermission “Dmitry Sotnikov“ -account “self“,“everyone“ -Allow -ExtendedRight “User-Change-Password“ -Inherited –SchemaDefault
-Allow and -Deny parameters allow to check specifically for allowing and denying ACEs.
And there’s much much more: just check out:
get-help Get-QADPermission -detailed
Good job by the team trying to cover each and every case they could think of. If you can think of something they have not covered or implemented in a suboptimal way – please provide your feedback in the AD PowerShell forum – the team is there and listening.
Here’s the AD cmdlets download page which has the latest 1.1 beta drop.
Tags: AD, AD cmdlets, Active Directory, Examples, Password management, PowerShell, Security, cmdlets, one-liner, oneliner
Subscribe by email
I’m looking to query the perms on all the OU’s in my domain in order get a comprehensive list of ‘who’ has the rights to create user accounts. I’m stumbling….can anyone provide me some direction?
-Geoff
Geoff,
Will probably be something along the lines of:
Get-QADObject -Type ‘organizationalUnit’ | Get-QADPermission
But you will probably want to tweak some parameters – see get-help for the cmdlets or the online version here: http://wiki.powergui.org/index.php/QAD_cmdlets_reference
Also, feel free to post any questions which might arise on the way at the AD PowerShell forum here: http://www.powergui.org/forum.jspa?forumID=173
Dmitry
Dmitry,
Thank you for the speedy response! I will investigate.
Love the QAD cmdlets…
-Geoff
Hi, If i run this command Get-QADPermission ‘usertest’ I wiew the next error:
Get-QADPermission : La cadena SDDL contiene un sid no válido que no puede traducirse.
Nombre del parámetro: sddlForm
En línea:1 carácter:18
Can you say me where is my error?
Thanks
Paco,
I don’t have the answer off the top of my head. Please post to the PowerShell AD forum here: http://www.powergui.org/forum.jspa?forumID=173
Dmitry