How to find extended rights that apply to a schema class object

Recently, I came across this question (how to find extended rights that apply to a schema class) in our internal mailing lists. Extended rights are special permissions that denote a special task or function. These rights apply to one or more object classes and can be found stamped in the security descriptor of an object.

There are KB articles that describe how to find extended rights that apply to a given objectClass using VBScript or C++.

I was curious to find out how easy or difficult it is to do this in AD PowerShell. It turned out to be pretty straightforward, just a few lines of code. Compare this with the ~81 lines of VBScript code in the above KB article.

Here is the script in AD PowerShell:

$inputObjectClass = "group"

$rootDSE = Get-ADRootDSE
$configNCDN = $rootDSE.ConfigurationNamingContext
$schemaNCDN = $rootDSE.SchemaNamingContext
$extendedRightsDN = "CN=Extended-Rights," + $configNCDN
# Locate the classSchema object for the requested class and read its schemaIDGUID
$classObject = Get-ADObject -SearchBase $schemaNCDN -Filter { name -eq $inputObjectClass -and objectClass -eq "classSchema" } -Properties SchemaIDGUID
if ($classObject -ne $null) {
    # SchemaIDGUID is returned as Byte[]; the cast turns it into a System.Guid
    $schemaIDGuid = [System.Guid] $classObject.SchemaIDGUID
    # Extended rights list the classes they apply to in their appliesTo attribute
    Get-ADObject -SearchBase $extendedRightsDN -Filter { appliesTo -eq $schemaIDGuid } -Properties RightsGuid,cn,displayname | Select-Object RightsGuid,cn,displayname
} else {
    Write-Error ("Specified class object not found! : " + $inputObjectClass)
}

Although SchemaIDGuid is stored as an Octet String (i.e. Byte[]), look how easy it is to convert that into a System.Guid object. Just a simple type-cast in PowerShell does that.

     $schemaIDGuid = [System.Guid] $classObject.SchemaIDGUID
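The same lookup is more useful when it is wrapped in a function and paired with the reverse mapping: taking the ObjectType GUIDs stamped in an object's security descriptor and resolving them back to extended-right names, which is what you need when reviewing who holds rights such as those on group objects. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (Get-ADRootDSE, Get-ADObject and the AD: drive) in a domain-joined session, and the function names Get-ADClassExtendedRight and Resolve-ADExtendedRightAce are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module is
# loaded and the session is domain-joined. Function and parameter names are my own.

function Get-ADClassExtendedRight {
    # Lists the control access rights whose appliesTo names the given class.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ClassName)

    $rootDSE = Get-ADRootDSE
    $extendedRightsDN = "CN=Extended-Rights," + $rootDSE.ConfigurationNamingContext

    # Same lookup as in the post: the classSchema object carries schemaIDGUID as Byte[]
    $classObject = Get-ADObject -SearchBase $rootDSE.SchemaNamingContext `
        -Filter { name -eq $ClassName -and objectClass -eq "classSchema" } `
        -Properties schemaIDGUID
    if (-not $classObject) { throw "Class '$ClassName' not found in the schema." }

    $schemaIDGuid = [System.Guid] $classObject.schemaIDGUID

    # validAccesses tells the kind of right: 256 is a true extended right,
    # smaller values mark property sets and validated writes that live in the same container
    Get-ADObject -SearchBase $extendedRightsDN `
        -Filter { appliesTo -eq $schemaIDGuid } `
        -Properties rightsGuid, displayName, validAccesses |
        Select-Object @{ n = 'RightsGuid'; e = { [System.Guid] $_.rightsGuid } },
                      displayName, cn, validAccesses
}

function Resolve-ADExtendedRightAce {
    # Reports the ACEs on an object that carry the ExtendedRight bit, with the
    # ObjectType GUID resolved to the extended right's display name.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rootDSE = Get-ADRootDSE
    $extendedRightsDN = "CN=Extended-Rights," + $rootDSE.ConfigurationNamingContext

    # Build a GUID -> display name map once for every controlAccessRight object
    $rightByGuid = @{}
    Get-ADObject -SearchBase $extendedRightsDN -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties rightsGuid, displayName |
        ForEach-Object { $rightByGuid[([System.Guid] $_.rightsGuid).ToString()] = $_.displayName }

    $extendedRightBit = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRightBit)) { continue }

        # An empty ObjectType with the ExtendedRight bit set covers every extended
        # right on the object, so it deserves attention on its own
        $guidKey = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [System.Guid]::Empty) {
            $rightName = '(all extended rights)'
        } elseif ($rightByGuid.ContainsKey($guidKey)) {
            $rightName = $rightByGuid[$guidKey]
        } else {
            $rightName = '(property set or unknown GUID)'
        }

        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType
            ExtendedRight = $rightName
            RightGuid     = $ace.ObjectType
            Inherited     = $ace.IsInherited
        }
    }
}

# Usage:
#   Get-ADClassExtendedRight -ClassName group
#   Resolve-ADExtendedRightAce -DistinguishedName (Get-ADGroup 'Domain Admins').DistinguishedName
```

The first function is the post's script with the class name as a parameter; the second turns the same Extended-Rights container into a lookup table so that the raw GUIDs in an ACL become readable names, which is what makes a permissions review of sensitive objects practical.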