PowerShell providers let us traverse the various data stores we encounter as IT professionals as if they were file systems. The ActiveDirectory module ships such a provider, exposing the directory as the AD: PSDrive, so we can cd into a domain and list its containers the same way we would a folder tree.
Thinking about a file system, we talk about Access Control Entries (ACEs) that make up an Access Control List (ACL), governing who can do what with the data. Active Directory objects carry the same kind of security descriptor. We have trustees – the principals that can perform an action, e.g. users or groups. We have permissions – the actions the trustees may perform, e.g. read or delete.
We also have Extended Rights – specific actions that go beyond generic read/write and are defined as controlAccessRight objects in the Configuration partition, e.g. Change PDC, Send As. An ACE that grants one of these stores only the right's GUID (its rightsGuid), which is why the definitions matter.
Here’s how we can look at what Extended Rights are available to us…
Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -SearchScope Subtree | Sort-Object Name | Format-Wide -Property Name
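Listing the definitions is only half the picture: the ACEs on an object name an extended right only by GUID, so to see who holds which extended right on a given object you have to join its ACL back to the controlAccessRight definitions. The script below is an added example, not code from the original post. It assumes the ActiveDirectory module is available, that the current user can read the Configuration partition and the target object, and it uses the domain's Domain Controllers OU as an arbitrary target (any distinguished name works).

```powershell
# Added example: resolve ExtendedRight ACEs on an AD object to human-readable names.
# Assumes the ActiveDirectory module and read access to CN=Extended-Rights.
Import-Module ActiveDirectory

# 1. Build a lookup table rightsGuid -> controlAccessRight object. All extended
#    rights live directly under CN=Extended-Rights in the Configuration NC.
$rootDse            = Get-ADRootDSE
$extendedRightsBase = "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)"
$rightsByGuid       = @{}

Get-ADObject -SearchBase $extendedRightsBase -SearchScope OneLevel `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName, validAccesses |
    ForEach-Object {
        # rightsGuid is stored as a string attribute; key the table on a real Guid
        $rightsByGuid[[guid]$_.rightsGuid] = $_
    }

# 2. Pick a target object and read its security descriptor through the AD: drive.
#    (Domain Controllers OU chosen here as an example target.)
$targetDn = (Get-ADDomain).DomainControllersContainer
$acl      = Get-Acl -Path "AD:\$targetDn"

# 3. Keep only ACEs that carry the ExtendedRight bit and translate ObjectType.
$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    } |
    ForEach-Object {
        $guid = $_.ObjectType
        $rightName = if ($guid -eq [guid]::Empty) {
            # An empty ObjectType with ExtendedRight means *every* extended right
            'All extended rights'
        } elseif ($rightsByGuid.ContainsKey($guid)) {
            $def = $rightsByGuid[$guid]
            # validAccesses 256 = CONTROL_ACCESS; other values are property sets
            # or validated writes that also live under CN=Extended-Rights
            if ($def.validAccesses -band 256) { $def.displayName }
            else { "$($def.displayName) (not a control access right)" }
        } else {
            "Unresolved GUID $guid"
        }

        [pscustomobject]@{
            Trustee       = $_.IdentityReference
            AccessType    = $_.AccessControlType
            ExtendedRight = $rightName
            Inherited     = $_.IsInherited
        }
    } |
    Sort-Object Trustee, ExtendedRight |
    Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output. An ACE whose ObjectType is the empty GUID together with the ExtendedRight flag grants every extended right on the object, not none, so it deserves the same scrutiny as an explicit "Replicating Directory Changes" grant. And CN=Extended-Rights also holds property sets and validated writes, which is why the script checks validAccesses rather than assuming every match is a control access right.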