ACL
Permissions to keep an eye on:
- GenericAll = FullControl
- GenericWrite
- WriteOwner
- WriteDACL
- AllExtendedRights
- ForceChangePassword
- Self (Self-Membership)
ADModule
(Get-ACL ‘AD:\CN=Administrator,CN=Users,DC=alunos,DC=local’).AccessPowerview
Get-ObjectAcl -samAccountName <user> [-ResolveGUIDs]
Get-NetUser | select name, objectsid
ConvertFrom-SID <sid>
ConvertTo-SID “<user>”
Get-DomainObjectAcl | select @{ Name='<object>'; Expression={ConvertFrom-SID $_.SecurityIdentifier}},ObjectDN,ActiveDirectoryRights
Get-ObjectAcl -SamAccountName <user> | select @{ Name='<object>'; Expression={ConvertFrom-SID $_.SecurityIdentifier}},ActiveDirectoryRights
Get-ObjectAcl | ? {$_.SecurityIdentifier -match $(ConvertTo-SID “Domain Admins”)} | select ObjectDN,ActiveDirectoryRights
Get-ObjectAcl -SamAccountName Administrator | ? {$_.ActiveDirectoryRights -match “GenericAll”)} | select @{} Name=”principal ";Expression={ConvertFrom-SID $_.SecurityIdentifier}}
Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -path “\\dc.domain.local\sysvol”
Get-ObjectAcl -ADSPath “LDAP://CN=Domain Admins,CN=Group,DC=domain, DC=local”Last updated