Does anyone know how to generate a report for ACLs on AD user attributes? For example, who has rights to Active Directory users' "read Initials" or "write Initials" attributes. I have found PowerShell commands to get ACLs on the AD user object itself, but not at the attribute level.

1 Answer

Check out the PowerShell Access Control module. Version 3.0 is implemented almost completely in PowerShell, which makes it pretty slow compared to using Get-Acl, but I think it can do what you're asking for (and I'm working on the speed issue).

It has a function named Get-EffectiveAccess that can compute the effective access of a principal over a securable object, but I don't think that's what you're looking for. It sounds like you want to get a list of ACEs that provide access to read/write the 'initials' property. To do that, you would use Get-AccessControlEntry:

# Get any ACEs that grant or deny read or write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials

# Get any ACEs that grant or deny write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty

# Get any ACEs that grant write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty -AceType AccessAllowed

Those examples all used Get-ADUser to look up a single user. You should be able to feed the function any AD object, whether you use the AD module or a DirectorySearcher. You can even provide the distinguished name as the -Path parameter to the function.

The -ObjectAceType parameter should be able to take a GUID, or you can put in one or more property/property set/validated write/extended right/class object names (you can use * as a wildcard).

If you did want to compute the actual effective access, here are some examples of the Get-EffectiveAccess function:

# Get effective access that 'AnotherUser' has over the 'TestUser' object (this doesn't include property, property set, validated write, etc. effective permissions):
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser

# Same as before, but this time include effective access down to the ObjectAceType level:
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes initials
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes init*

While working on the last few examples, I noticed that there are some errors that are written when using Get-EffectiveAccess with the -ObjectAceTypes parameter, even though the function appears to work correctly. If I have time over the weekend, I may fix that, but I'll probably just wait for version 4.0.
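For the same attribute-level audit using only the built-in ActiveDirectory module and Get-Acl (an added example, not code from the answer above or from the PowerShell Access Control module), the script below resolves the attribute's schemaIDGUID and its property-set GUID from the schema and filters the user's ACEs on them. It assumes RSAT is installed and the AD: drive is available; TestUser and initials are placeholder values.

```powershell
# Added example: list ACEs that can write one attribute of one AD user, built-in cmdlets only.
# Assumes the ActiveDirectory module (RSAT) is present; identity and attribute are placeholders.
Import-Module ActiveDirectory

function Get-AttributeWriteAces {
    param(
        [Parameter(Mandatory)][string]$Identity,        # sAMAccountName or DN of the user
        [Parameter(Mandatory)][string]$LdapDisplayName  # attribute, e.g. 'initials'
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # The attribute's schema object carries the two GUIDs an ACE's ObjectType can hold:
    #   schemaIDGUID          - the attribute itself
    #   attributeSecurityGUID - the property set that contains it (if any)
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    $attrGuid = [guid]$attr.schemaIDGUID
    $matchGuids = @($attrGuid, [guid]::Empty)   # Empty ObjectType = ACE covers all properties
    if ($attr.attributeSecurityGUID) { $matchGuids += [guid]$attr.attributeSecurityGUID }

    $dn  = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # GenericWrite and GenericAll imply WriteProperty, so test all three bits.
    $writeBits = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'

    # Note: this is the raw ACE list (allow and deny), not effective access: no group
    # expansion, no deny precedence, and InheritedObjectType (class-scoped inheritance) is not checked.
    $acl.Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band $writeBits) -and ($matchGuids -contains $_.ObjectType)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
            @{ n = 'Scope'; e = {
                if ($_.ObjectType -eq $attrGuid)     { 'attribute' }
                elseif ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
                else                                  { 'property set' } } }
}

# Example call with placeholder names:
Get-AttributeWriteAces -Identity 'TestUser' -LdapDisplayName 'initials' | Format-Table -AutoSize
```

Run the same function with a different -LdapDisplayName to audit any other attribute; a 'property set' row means the grant comes from the set the attribute belongs to rather than from the attribute itself.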