I am trying to map the ObjectType attribute type on an access control entry for objects in Active Directory on Windows Server 2022 to the related property set, validated write, or extended right. Many tools attempt this using the same guidance on an MS blog at https://devblogs.microsoft.com/powershell-community/understanding-get-acl-and-ad-drive-output.
However, there are duplicate schema ID GUIDs on objects between the CN=Schema,CN=Configuration,DC=example,DC=com and CN=Extended-Rights,CN=Configuration,DC=example,DC=com containers, for example:
    # Requires the ActiveDirectory module (Get-ADRootDSE, Get-ADDomain, Get-ADObject)
    $rootDse = Get-ADRootDSE
    $domain = Get-ADDomain
    $schemaIds = @{}

    # Build a schemaIDGUID -> lDAPDisplayName table from every schema object
    Get-ADObject `
        -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' `
        -Properties 'lDAPDisplayName','schemaIDGUID' |
        ForEach-Object { $schemaIds.Add([guid]$_.schemaIDGUID, $_.lDAPDisplayName) }

    # Report every control access right whose rightsGUID also appears as a schemaIDGUID
    Get-ADObject `
        -SearchBase ('CN=Extended-Rights,{0}' -f $rootDse.configurationNamingContext) `
        -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties 'name','rightsGUID' |
        ForEach-Object {
            $dupe = $schemaIds[[guid]$_.rightsGUID]
            if ($null -ne $dupe)
            {
                Write-Host ('{0} :: {1}' -f $dupe, $_.name)
            }
        }
Which produces the following:
member :: Self-Membership
dNSHostName :: Validated-DNS-Host-Name
servicePrincipalName :: Validated-SPN
dNSHostName :: DNS-Host-Name-Attributes
msDS-Behavior-Version :: Validated-MS-DS-Behavior-Version
msDS-AdditionalDnsHostName :: Validated-MS-DS-Additional-DNS-Host-Name
What is the correct convention required to identify what the object type refers to when a GUID matches an attribute name and a validated write? Or, do validated writes work by leveraging the same GUID?
Thanks.
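An added example, not code from the original post: a PowerShell resolver that does not look up the ObjectType GUID in a single flat table but first checks which rights the ACE grants. The validAccesses attribute on each controlAccessRight object records which access-mask bits the right applies to (0x30 read/write property for a property set, 0x8 self/validated write, 0x100 control access for an extended right), so the same GUID can be filed under more than one table and the ACE's ActiveDirectoryRights decide which table is consulted. The function names and the AD: drive path are assumptions for the illustration; it requires the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdGuidMaps {
    # Returns four GUID lookup tables keyed on [guid]; one GUID may appear in several.
    $rootDse = Get-ADRootDSE
    $maps = @{ Schema = @{}; PropertySet = @{}; ValidatedWrite = @{}; ExtendedRight = @{} }

    # Attributes and classes: schemaIDGUID -> lDAPDisplayName
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $maps.Schema[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Control access rights: classify by the access-mask bits in validAccesses
    Get-ADObject -SearchBase ('CN=Extended-Rights,{0}' -f $rootDse.configurationNamingContext) `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID, validAccesses |
        ForEach-Object {
            $g = [guid]$_.rightsGUID
            $va = [int]$_.validAccesses
            if ($va -band 0x30)  { $maps.PropertySet[$g]    = $_.name }  # read/write property
            if ($va -band 0x8)   { $maps.ValidatedWrite[$g] = $_.name }  # self (validated write)
            if ($va -band 0x100) { $maps.ExtendedRight[$g]  = $_.name }  # control access right
        }
    return $maps
}

function Resolve-AceObjectType {
    # Picks the lookup table from the ACE's rights, then resolves the GUID in that table.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [Parameter(Mandatory)][hashtable]$Maps
    )
    if ($Ace.ObjectType -eq [guid]::Empty) { return 'All (no ObjectType)' }

    $r = $Ace.ActiveDirectoryRights
    $g = $Ace.ObjectType
    $hits = @()

    if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::Self) {
        if ($Maps.ValidatedWrite.ContainsKey($g)) { $hits += 'validated write: ' + $Maps.ValidatedWrite[$g] }
    }
    if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        if ($Maps.ExtendedRight.ContainsKey($g)) { $hits += 'extended right: ' + $Maps.ExtendedRight[$g] }
    }
    if ($r -band ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) {
        if ($Maps.PropertySet.ContainsKey($g)) { $hits += 'property set: ' + $Maps.PropertySet[$g] }
        elseif ($Maps.Schema.ContainsKey($g))  { $hits += 'attribute: ' + $Maps.Schema[$g] }
    }
    if ($r -band ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)) {
        if ($Maps.Schema.ContainsKey($g)) { $hits += 'class: ' + $Maps.Schema[$g] }
    }

    if ($hits.Count -eq 0) { return 'unresolved: ' + $g }
    return ($hits -join '; ')
}

# Usage: list the object-specific ACEs on the domain head (assumed target) with the resolved meaning.
$maps = Get-AdGuidMaps
$acl  = Get-Acl -Path ('AD:\{0}' -f (Get-ADDomain).DistinguishedName)
$acl.Access |
    Where-Object { $_.ObjectType -ne [guid]::Empty } |
    ForEach-Object {
        '{0,-40} {1,-28} {2}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            (Resolve-AceObjectType -Ace $_ -Maps $maps)
    }
```

With this approach an ACE carrying the servicePrincipalName GUID reports as "validated write: Validated-SPN" when its rights include Self and as "attribute: servicePrincipalName" when they are ReadProperty/WriteProperty, which is the distinction a single GUID-to-name table cannot make. When auditing delegation, the Self case is the one to review separately: it permits writing the attribute only subject to the validation rule, whereas WriteProperty on the same GUID permits any value.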