Read Active Directory Permissions

One of the biggest advances of AD cmdlets 1.1 is support for AD security operations. In this post we will look at the Get-QADPermission cmdlet and how you can use it to read permissions set on AD objects.

To get a list of permissions set on an AD objects directly you just need to use:

Get-QADPermission Identity – where identity is Name, DN, Canonical name, Domain\Name, and so on. For example:

Get-QADPermission Dmitry Sotnikov

As usual you can pipeline a set of objects into the cmdlet to get results for all of them, e.g.:

Get-QADUser -SearchRoot domain.local/employees/chicago -SecurityMask DACL | Get-QADPermission

Here I am getting access control for all permissions directly set on users in the domain.local/employees/chicago OU. Note that I am also using the -SecurityMask parameter to tell the Get-QADUser cmdlet to retrieve the access list (DACL – Discretionary Account Control List). This is optionally but highly recommended because if you use this parameter Get-QADPermission does not have to retrieve the DACL again – less calls to the DC, better performance.

The examples above deal only with the permissions set on the object directly, you can add inherited permissions by simply adding -Inherited. In a similar fashion, the -SchemaDefault parameter adds Account Control Entries (ACE) that came from the default security descriptor. So this will give you everything:

Get-QADPermission Dmitry Sotnikov -Inherited -SchemaDefault

Or the same but much faster:
Get-QADUser -Name Dmitry Sotnikov -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault

You can look for the rights which specific trusties have:

Get-QADPermission Dmitry Sotnikov -Account (domain\bill, self) -UseTokenGroups

Note that I have added -UseTokenGroups to make sure I get Bill’s rights even if he got those via group membership.

Or for specific rights set on specific properties:

Get-QADPermission Dmitry Sotnikov -Rights WriteProperty -Property (samAccountName,name)

You can also check for extended rights. Let’s see if I can change my password:

Get-QADPermission Dmitry Sotnikov -account self,everyone -Allow -ExtendedRight User-Change-Password -InheritedSchemaDefault

-Allow and -Deny parameters allow to check specifically for allowing and denying ACEs.

And there’s much much more: just check out:

get-help Get-QADPermission -detailed

Good job by the team trying to cover each and every case they could think of. If you can think of something they have not covered or implemented in a suboptimal way – please provide your feedback in the AD PowerShell forum – the team is there and listening.

Here’s the AD cmdlets download page which has the latest 1.1 beta drop.

Tags: , , , , , , , , ,


6 Responses to “Read Active Directory Permissions”

  1. 1 DJ Jazzy Geoff April 6, 2009 at 2:16 pm

    I’m looking to query the perms on all the OU’s in my domain in order get a comprehensive list of ‘who’ has the rights to create user accounts. I’m stumbling….can anyone provide me some direction?


  2. 2 Dmitry Sotnikov April 6, 2009 at 3:14 pm


    Will probably be something along the lines of:

    Get-QADObject -Type ‘organizationalUnit’ | Get-QADPermission

    But you will probably want to tweak some parameters – see get-help for the cmdlets or the online version here:

    Also, feel free to post any questions which might arise on the way at the AD PowerShell forum here:


  3. 3 DJ Jazzy Geoff April 6, 2009 at 5:20 pm


    Thank you for the speedy response! I will investigate.

    Love the QAD cmdlets…


  4. 4 Paco June 12, 2009 at 5:22 pm

    Hi, If i run this command Get-QADPermission ‘usertest’ I wiew the next error:

    Get-QADPermission : La cadena SDDL contiene un sid no válido que no puede traducirse.
    Nombre del parámetro: sddlForm
    En línea:1 carácter:18

    Can you say me where is my error?


  5. 5 Dmitry Sotnikov June 12, 2009 at 8:47 pm


    I don’t have the answer off the top of my head. Please post to the PowerShell AD forum here:


  1. 1 Changing AD permissions « Dmitry’s PowerBlog: PowerShell and beyond Trackback on May 30, 2008 at 3:42 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

May 2008
« Apr   Jun »

%d bloggers like this: