Share via

Enumerating permissions in Active Directory

ritmo2k 706 Reputation points
2023-02-02T19:25:33.1966667+00:00

I am trying to map the ObjectType attribute type on an access control entry for objects in Active Directory on Windows Server 2022 to the related property set, validated write, or extended right. Many tools attempt this using the same guidance on an MS blog at https://devblogs.microsoft.com/powershell-community/understanding-get-acl-and-ad-drive-output.

However, there are duplicate schema ID GUIDs on objects between the CN=Schema,CN=Configuration,DC=example,DC=com and CN=Extended-Rights,CN=Configuration,DC=example,DC=com containers, for example:

$rootDse = Get-ADRootDSE
$domain = Get-ADDomain

$schemaIds = @{}
Get-ADObject `
    -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' `
    -Properties 'lDAPDisplayName','schemaIDGUID' |
    ForEach-Object { $schemaIds.add([GUID]$_.schemaIDGUID, $_.lDAPDisplayName) }

Get-ADObject `
    -SearchBase ('CN=Extended-Rights,{0}' -f $rootDse.configurationNamingContext) `
    -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties 'name','rightsGUID' |
    ForEach-Object {
        $dupe = $schemaIds[[guid]$_.rightsGUID]
        if ($null -ne $dupe)
        {
            Write-Host ('{0} :: {1}' -f $dupe, $_.name)
        }
    }

Which produces the following:

member :: Self-Membership
dNSHostName :: Validated-DNS-Host-Name
servicePrincipalName :: Validated-SPN
dNSHostName :: DNS-Host-Name-Attributes
msDS-Behavior-Version :: Validated-MS-DS-Behavior-Version
msDS-AdditionalDnsHostName :: Validated-MS-DS-Additional-DNS-Host-Name

What is the correct convention required to identify what the object type refers to when a GUID matches an attribute name and a validated write? Or, do validated writes work by leveraging the same GUID?

Thanks.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,244 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 44,121 Reputation points
    2023-02-03T17:25:16.08+00:00

    Hello there,

    However, there are duplicate schema ID GUIDs-

    ObjectType GUID is either an extended right rightsGUID or a schema schemaIDGuid. However, the values of rightsGUID and schemaIDGUID are not always unique by design.

    GUIDs can be generated by calling the Transact-SQL NEWID function, and is guaranteed to be unique throughout the world.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments