ACL

Permissions to keep an eye on:

- GenericAll = FullControl

- GenericWrite

- WriteOwner

- WriteDACL

- AllExtendedRights

- ForceChangePassword

- Self (Self-Membership)

ADModule

(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=alunos,DC=local').Access
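
An audit helper for the list above, added here as an example (not part of the original notes): it takes the ACEs returned by `.Access` and reports the ones that grant a listed right to a principal outside an expected set. `Get-RiskyAce`, the `$Expected` default and the `ALUNOS\...` sample ACEs are constructed for illustration; it assumes Windows PowerShell, where `System.DirectoryServices` is available.

```powershell
Add-Type -AssemblyName System.DirectoryServices
$R = [System.DirectoryServices.ActiveDirectoryRights]
$ForceChangePassword = '00299570-246d-11d0-a768-00aa006e0529' # User-Force-Change-Password extended right
$MemberAttribute     = 'bf9679c0-0de6-11d0-a285-00aa003049e2' # 'member' attribute (Self-Membership)
$AnyObject           = [guid]::Empty.ToString()               # ACE not scoped to a single right/attribute

function Get-RiskyAce {
    param(
        [Parameter(ValueFromPipeline)] $Ace,
        # Assumption: principals expected to hold full control; tune per environment.
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        if ($Expected -contains "$($Ace.IdentityReference)") { return }
        $rights = [int]$Ace.ActiveDirectoryRights
        $type   = "$($Ace.ObjectType)"
        $found  = @()
        if (($rights -band [int]$R::GenericAll) -eq [int]$R::GenericAll) {
            $found += 'GenericAll'
        } else {
            # GenericWrite is a composite mask, so require every bit of it.
            if (($rights -band [int]$R::GenericWrite) -eq [int]$R::GenericWrite) { $found += 'GenericWrite' }
            if ($rights -band [int]$R::WriteOwner) { $found += 'WriteOwner' }
            if ($rights -band [int]$R::WriteDacl)  { $found += 'WriteDACL' }
            if ($rights -band [int]$R::ExtendedRight) {
                if ($type -eq $AnyObject) { $found += 'AllExtendedRights' }
                elseif ($type -eq $ForceChangePassword) { $found += 'ForceChangePassword' }
            }
            if (($rights -band [int]$R::Self) -and ($type -in ($MemberAttribute, $AnyObject))) {
                $found += 'Self (Self-Membership)'
            }
        }
        if ($found) {
            [pscustomobject]@{ Principal = "$($Ace.IdentityReference)"; Rights = $found -join ', ' }
        }
    }
}

# Constructed sample ACEs, shaped like the objects in (Get-Acl 'AD:\<DN>').Access
$sample = @(
    [pscustomobject]@{ IdentityReference='ALUNOS\helpdesk'; AccessControlType='Allow'; ActiveDirectoryRights=$R::ExtendedRight; ObjectType=$ForceChangePassword }
    [pscustomobject]@{ IdentityReference='ALUNOS\webops'; AccessControlType='Allow'; ActiveDirectoryRights=($R::WriteDacl -bor $R::WriteOwner); ObjectType=$AnyObject }
    [pscustomobject]@{ IdentityReference='BUILTIN\Administrators'; AccessControlType='Allow'; ActiveDirectoryRights=$R::GenericAll; ObjectType=$AnyObject }
    [pscustomobject]@{ IdentityReference='ALUNOS\jdoe'; AccessControlType='Allow'; ActiveDirectoryRights=$R::ReadProperty; ObjectType=$AnyObject }
)
$sample | Get-RiskyAce | Format-Table -AutoSize
# Live use: (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=alunos,DC=local').Access | Get-RiskyAce
```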

Powerview

Get-ObjectAcl -samAccountName <user> [-ResolveGUIDs]
	Get-NetUser | select name, objectsid
	ConvertFrom-SID <sid>
	ConvertTo-SID "<user>"

	Get-DomainObjectAcl | select @{ Name='<object>'; Expression={ConvertFrom-SID $_.SecurityIdentifier}},ObjectDN,ActiveDirectoryRights
	
	Get-ObjectAcl -SamAccountName <user> | select @{ Name='<object>'; Expression={ConvertFrom-SID $_.SecurityIdentifier}},ActiveDirectoryRights
	
	Get-ObjectAcl | ? {$_.SecurityIdentifier -match $(ConvertTo-SID "Domain Admins")} | select ObjectDN,ActiveDirectoryRights
	
	Get-ObjectAcl -SamAccountName Administrator | ? {$_.ActiveDirectoryRights -match "GenericAll"} | select @{ Name='principal'; Expression={ConvertFrom-SID $_.SecurityIdentifier}}
	
Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -Path "\\dc.domain.local\sysvol"
Get-ObjectAcl -ADSPath "LDAP://CN=Domain Admins,CN=Group,DC=domain,DC=local"
