One of the biggest advances of AD cmdlets 1.1 is support for AD security operations. In this post we will look at the
Get-QADPermission cmdlet and how you can use it to read permissions set on AD objects.
To get a list of permissions set on an AD objects directly you just need to use:
Get-QADPermission Identity – where identity is Name, DN, Canonical name, Domain\Name, and so on. For example:
Get-QADPermission ‘Dmitry Sotnikov‘
As usual you can pipeline a set of objects into the cmdlet to get results for all of them, e.g.:
Get-QADUser -SearchRoot domain.local/employees/chicago -SecurityMask DACL | Get-QADPermission
Here I am getting access control for all permissions directly set on users in the
domain.local/employees/chicago OU. Note that I am also using the
-SecurityMask parameter to tell the
Get-QADUser cmdlet to retrieve the access list (
DACL – Discretionary Account Control List). This is optionally but highly recommended because if you use this parameter
Get-QADPermission does not have to retrieve the DACL again – less calls to the DC, better performance.
The examples above deal only with the permissions set on the object directly, you can add inherited permissions by simply adding -Inherited. In a similar fashion, the
-SchemaDefault parameter adds Account Control Entries (ACE) that came from the default security descriptor. So this will give you everything:
Get-QADPermission “Dmitry Sotnikov“ -Inherited -SchemaDefault
Or the same but much faster:
Get-QADUser -Name “Dmitry Sotnikov“ -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault
You can look for the rights which specific trusties have:
Get-QADPermission “Dmitry Sotnikov“ -Account (‘domain\bill‘, ‘self‘) -UseTokenGroups
Note that I have added
-UseTokenGroups to make sure I get Bill’s rights even if he got those via group membership.
Or for specific rights set on specific properties:
Get-QADPermission “Dmitry Sotnikov“ -Rights ‘WriteProperty‘ -Property (‘samAccountName‘,‘name‘)
You can also check for extended rights. Let’s see if I can change my password:
Get-QADPermission “Dmitry Sotnikov“ -account “self“,“everyone“ -Allow -ExtendedRight “User-Change-Password“ -Inherited –SchemaDefault
-Deny parameters allow to check specifically for allowing and denying ACEs.
And there’s much much more: just check out:
get-help Get-QADPermission -detailed
Good job by the team trying to cover each and every case they could think of. If you can think of something they have not covered or implemented in a suboptimal way – please provide your feedback in the AD PowerShell forum – the team is there and listening.
Here’s the AD cmdlets download page which has the latest 1.1 beta drop.