Test-MDIDSA

Validates the permissions and delegation of a Directory Service Account (DSA).

Syntax

Test-MDIDSA
    [-Identity] <String>
    [-Detailed]
    [<CommonParameters>]

Description

This function validates the permissions and delegation of a Directory Service Account (DSA) by checking its ACLs, manager assignments, and sensitive group membership.

Examples

EXAMPLE 1

Test-MDIDSA -Identity "mdiSvc01"

This example returns a Boolean value: $true when the specified Directory Service Account (DSA) has the correct permissions and delegation, and $false when the validation finds an issue.

EXAMPLE 2

Test-MDIDSA -Identity "mdiSvc01" -Detailed

Test                              Status Details
----                              ------ -------
SensitiveGroupsMembership          False {CN=Administrators,CN=Builtin,DC=CONTOSO,DC=COM, CN=Domain Adm...
ExplicitDelegation                 False {OU=Marketing,DC=CONTOSO,DC=COM}
ManagerOf                          False {CN=Martin Schvartzman,CN=Users,DC=CONTOSO,DC=COM}
DeletedObjectsContainerPermission   True {SPECIAL ACCESS, LIST CONTENTS, READ PROPERTY}

This example returns a detailed output for the Directory Service Account (DSA) permissions and delegation validations.

Parameters

-Detailed

If specified, returns detailed information about the validation status.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Identity

Specifies the identity of the Directory Service Account (DSA) to test.

Type: System.String
Position: 1
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

Outputs

System.Boolean

By default, the cmdlet returns $true when the specified Directory Service Account (DSA) has the correct permissions and delegation.

System.Management.Automation.PSCustomObject

When you use the Detailed parameter, the cmdlet returns a custom object containing the status and details of each test.
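
The following is an added example, not part of the module or its documentation: it flattens the -Detailed output into one row per failing item so that a recurring audit can track each group membership, delegation or manager assignment separately. It assumes the result objects expose Test, Status and Details properties as the table in EXAMPLE 2 shows, and that a Status of False marks a failed check; Get-DsaFinding and the sample data are constructed for illustration.

```powershell
# Added example: Get-DsaFinding is a hypothetical helper, not part of the module.
# Assumption: -Detailed objects expose Test, Status and Details, as in EXAMPLE 2,
# and Status = False marks a failed check.
function Get-DsaFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Identity,

        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Result
    )
    process {
        # Comparing against $true also copes with Status arriving as the string 'True'.
        if ($Result.Status -eq $true) { return }

        # Details may be a single value, a collection, or empty; normalise to a list.
        $details = @($Result.Details | Where-Object { $null -ne $_ })
        if ($details.Count -eq 0) { $details = @('(no details returned)') }

        foreach ($detail in $details) {
            [pscustomobject]@{
                Identity = $Identity
                Test     = $Result.Test
                Finding  = [string] $detail
            }
        }
    }
}

# Constructed sample mirroring EXAMPLE 2. Against a live domain, use instead:
#   $results = Test-MDIDSA -Identity 'mdiSvc01' -Detailed
$results = @(
    [pscustomobject]@{ Test = 'SensitiveGroupsMembership'; Status = $false
                       Details = @('CN=Administrators,CN=Builtin,DC=CONTOSO,DC=COM') }
    [pscustomobject]@{ Test = 'ExplicitDelegation'; Status = $false
                       Details = @('OU=Marketing,DC=CONTOSO,DC=COM') }
    [pscustomobject]@{ Test = 'ManagerOf'; Status = $false
                       Details = @('CN=Martin Schvartzman,CN=Users,DC=CONTOSO,DC=COM') }
    [pscustomobject]@{ Test = 'DeletedObjectsContainerPermission'; Status = $true
                       Details = @('SPECIAL ACCESS', 'LIST CONTENTS', 'READ PROPERTY') }
)

$findings = @($results | Get-DsaFinding -Identity 'mdiSvc01')
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "mdiSvc01: $($findings.Count) finding(s) to remediate before relying on this DSA."
}
```

With the constructed sample, the table lists three findings (one each for SensitiveGroupsMembership, ExplicitDelegation and ManagerOf), and the passing DeletedObjectsContainerPermission check is omitted.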