
How can I determine the source of a permission?

A user, from the root of the domain, has write permission to all group objects and their properties. I can see this access in the effective permissions, but I can't tell where it comes from.

Access in the ACLs shows accounts and groups with access, but I can't figure out where this access is coming from.

Here's what I've tried:

    dsacls dc=contoso,dc=org|findstr "username"

but it doesn't do anything.

    get-acl AD:dc=contoso,dc=org

  1. How do you find the source of a user's privileges in Active Directory?
  2. How do you find what the "Effective Permissions" tab used to calculate the access?

[Screenshot: the Advanced Security Settings dialog]

Have a look at the NTFS Security module for PowerShell; it looks like it might have a few cmdlets that could get you what you need: gallery.technet.microsoft.com/scriptcenter/… (Mark Wragg)

I imported that module. The ACEs that I see don't point me to the permission. I can see WHAT the permissions are, but I can't see HOW they were determined. (Uno)

1 Answer


Instead of this:

    get-acl AD:dc=contoso,dc=org

could you please try this:

    get-acl "AD:\dc=contoso,dc=org"

If you pipe it to Get-Member, you will be able to see all the useful methods on the result. You can access them directly using dot notation. That should fulfill your requirement, I believe.

    (Get-Acl (Get-ADUser User).distinguishedname).access | select identityreference, accesscontroltype

For non-inherited users, try the below; otherwise remove the Where condition:

    (Get-ACL "AD:CN=User,OU=Users,DC=Contoso,DC=com").Access | Where {$_.IsInherited -eq $FALSE} | Select IdentityReference,AccessControlType, IsInherited
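To answer the "where does it come from" part of the question, the following added example (not part of the original answer) walks up the DN chain from the group object to the domain root and reports every explicit, non-inherited ACE that names the user or one of the groups the user is in. The object holding that explicit ACE is the source of the inherited permission. It assumes the ActiveDirectory module and the AD: drive are available; the account name and DN passed at the end are placeholders.

```powershell
# Added example: find which object's explicit ACE is the source of a permission.
Import-Module ActiveDirectory

function Get-DnChain {
    # Return the DN itself plus each parent container up to the domain root.
    param([string]$DN)
    $parts = $DN -split '(?<!\\),'   # split on commas that are not escaped
    $chain = @()
    while ($parts.Count -gt 0) {
        $chain += ($parts -join ',')
        # Stop once only DC= components remain: that is the domain root.
        if (($parts | Where-Object { $_ -notmatch '^DC=' }).Count -eq 0) { break }
        $parts = $parts[1..($parts.Count - 1)]
    }
    return $chain
}

function Find-AceSource {
    param([string]$SamAccountName, [string]$TargetDN)
    $principal = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    # Recursive (nested) group membership via the LDAP_MATCHING_RULE_IN_CHAIN OID,
    # plus the well-known Everyone and Authenticated Users SIDs every token carries.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))"
    $sids = @($principal.objectSid.Value) + @($groups | ForEach-Object { $_.SID.Value }) + @('S-1-1-0', 'S-1-5-11')

    foreach ($dn in Get-DnChain $TargetDN) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Explicit rules only (includeExplicit=$true, includeInherited=$false): an
        # inherited rule is just a copy of one defined higher up, so the object
        # that holds the explicit copy is where the permission originates.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($sids -contains $rule.IdentityReference.Value) {
                try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $rule.IdentityReference.Value }   # orphaned SID, show it raw
                [pscustomobject]@{
                    SourceObject        = $dn
                    GrantedTo           = $name
                    Type                = $rule.AccessControlType
                    Rights              = $rule.ActiveDirectoryRights
                    ObjectType          = $rule.ObjectType           # property/extended right GUID, all zeros = any
                    InheritedObjectType = $rule.InheritedObjectType  # class GUID the ACE is limited to, all zeros = any
                    AppliesTo           = $rule.InheritanceType
                }
            }
        }
    }
}

# Placeholder values: replace with the user and the group object from the question.
Find-AceSource -SamAccountName 'jdoe' -TargetDN 'CN=Sales,OU=Groups,DC=contoso,DC=org' | Format-Table -AutoSize
```

A row whose SourceObject is the domain root with a non-zero InheritedObjectType is the typical shape of "write to all group objects" granted at the top of the domain; the GUID can be resolved to a class name by looking up schemaIDGUID in the schema partition.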