More on Get-Acl with Active Directory

In June I posted about searching Active Directory for principals that have the “Write Members” permission on a Distribution List. I had a follow-up question, from an internal source, about deciphering each Access Control Entry (ACE) returned by Get-Acl against the Active Directory PS drive. I thought I’d convey the same information to the outside…

1

Get Active Directory “Write Members” WriteProperty

A messaging colleague asked how to check which principals have the Write Members permission on distribution lists. I sent him a sample of how to query the WriteProperty for the Member property of a distribution group imaginatively called, er, DistributionGroup…     #Get Member WriteProperty $MemberGuid = “bf9679c0-0de6-11d0-a285-00aa003049e2” (Get-Acl -Path “AD:CN=Distribution Group,OU=Groups”).access | Where-Object {($_.ActiveDirectoryRights -eq…


Security Focus: Check the AdminSDHolder ACL – Part 1

In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a means of protecting high…


Using Get-Acl to Identify Administrator Permissions

A good friend – a certain Mr X – asked me the following:   “…Do you happen to have a PowerShell command or script that would look at a Fileserver and dump out all the files and folders that the Administrator has permissions on?…”   Well, I didn’t have a snippet to do that, but I…

1