0 Votes
RubenVazquez-7903 asked DaisyZhou-MSFT commented

List extended permissions on AD

Hello, I'm searching for a way to list the permissions and extended permissions on my Active Directory root.

I've tried with the get-acl command and some others, but I’m not able to get it. Is it the correct way?

Tags: windows-server-powershell, windows-active-directory

Hello @RubenVazquez-7903

Have you tried the script I provided?

Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again, thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

0 Votes 0 ·

Hello @RubenVazquez-7903,

I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this case, please let me know.

Have a nice day!

Best Regards,
Daisy Zhou

0 Votes 0 ·
1 Vote
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello RubenVazquez-7903,

Thank you for posting here.

We can try the PowerShell script in attachment export-permissions.txt, and it works in my lab.

1. Open PowerShell ISE (run as administrator) and copy the PS script in it.
2. We should change the domain name and export path in your AD environment.
3. And click run button.
4. Open the export file and check the permissions.

Hope the information above is helpful. If anything is unclear, please feel free to let us know.


Best Regards,
Daisy Zhou




0 Votes
Thameur-BOURBITA answered

Hi,

You can also use the following commands:

 # Get-Acl resolves a distinguished name only through the AD: drive (ActiveDirectory module)
 (Get-Acl ("AD:\" + (Get-ADOrganizationalUnit -Filter {name -eq "DomainName"}).DistinguishedName)).Access | ft IdentityReference, AccessControlType -AutoSize

 ##############################

 dsacls "dc=domain,dc=com"

You can refer to the following link to get more details:

https://devblogs.microsoft.com/scripting/use-powershell-to-explore-active-directory-security/
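
The Get-Acl approach above prints extended rights only as an `ExtendedRight` flag plus an ObjectType GUID. The following added example (not part of any answer or of the attached script) audits the domain root and resolves those GUIDs to names from the Extended-Rights container. It assumes the RSAT ActiveDirectory module and read access to the directory; all variable names are illustrative.

```powershell
# Added example: list every ACE on the domain root and name the extended rights.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext        # domain root, e.g. DC=domain,DC=com
$configDN = $rootDse.configurationNamingContext

# Map rightsGuid -> name for every controlAccessRight object in the
# Extended-Rights container of the Configuration partition.
$search = @{
    SearchBase = "CN=Extended-Rights,$configDN"
    LDAPFilter = '(&(objectClass=controlAccessRight)(rightsGuid=*))'
    Properties = 'rightsGuid'
}
$rightsMap = @{}
Get-ADObject @search | ForEach-Object { $rightsMap[[guid]$_.rightsGuid] = $_.Name }

$extendedBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Read the DACL through the AD: drive; a bare DN is not a valid Get-Acl path.
$acl = Get-Acl -Path "AD:\$domainDN"

$report = foreach ($ace in $acl.Access) {
    # ExtendedRight is a bit flag, so GenericAll ACEs are caught as well.
    $hasExtended = ([int]$ace.ActiveDirectoryRights -band $extendedBit) -ne 0
    if (-not $hasExtended) {
        $rightName = ''
    } elseif ($ace.ObjectType -eq [guid]::Empty) {
        $rightName = 'All extended rights'      # no ObjectType GUID on the ACE
    } elseif ($rightsMap.ContainsKey($ace.ObjectType)) {
        $rightName = $rightsMap[$ace.ObjectType]
    } else {
        $rightName = $ace.ObjectType.ToString() # GUID not found in the map; keep raw
    }
    [pscustomobject]@{
        Identity      = $ace.IdentityReference.Value
        Type          = $ace.AccessControlType
        Rights        = $ace.ActiveDirectoryRights
        ExtendedRight = $rightName
        Inherited     = $ace.IsInherited
    }
}

$report | Sort-Object Identity, ExtendedRight | Format-Table -AutoSize -Wrap
```

To keep the result for review, pipe `$report` to `Export-Csv` instead of `Format-Table`.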


0 Votes
bastien-perez answered

Hello,
AD ACL scanner is the best and easiest tool (PowerShell) you can find: ADACLScanner

