Use PowerShell to List Active Directory Extended Rights

PowerShell providers let us traverse the various data stores we meet as IT professionals as if they were file systems. The ActiveDirectory module ships one such provider, which exposes the directory as the AD: PSDrive, so the same Get-ChildItem and Get-Acl habits we use on NTFS carry over to Active Directory objects.

Thinking about a file system, we talk about Access Control Entries (ACEs) that make up Access Control Lists (ACLs) and govern who can do what with the data. Active Directory objects carry the same kind of security descriptor. We have trustees - the security principals that can perform an action, e.g. users and groups. We have permissions - the actions the trustees may perform, e.g. read or delete.

We also have Extended Rights - specific operations on Active Directory objects that do not map onto a plain attribute read or write, e.g. Change PDC or Send As. In an ACE these show up as the ExtendedRight access mask combined with an ObjectType GUID that identifies which extended right is meant.

Here's how we can see which Extended Rights are defined in the forest. Note that this lists the rights that exist (they are controlAccessRight objects stored in the Configuration partition), not the rights granted to the current user; for that you have to read the ACL of a particular object.

Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -SearchScope Subtree | Sort-Object Name | Format-Wide Name -Column 3
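The listing above gives names, but an ACE only carries the right's GUID. The following is an added example, not code from the original post: it builds a GUID-to-name table from the controlAccessRight objects, classifies each one by its validAccesses attribute (not every controlAccessRight is a true extended right; property sets and validated writes live in the same container), and then translates the ObjectType GUIDs in the DACL of the domain head, read through the AD: drive, into readable right names. It assumes the ActiveDirectory module is loaded and that the caller can read the Configuration partition; the function name Get-ControlAccessRightKind and the choice of the domain head as target are my own.

```powershell
# Added example (not from the original post): map controlAccessRight GUIDs
# to names and use the map to decode the ACEs on an AD object.
# Assumes the ActiveDirectory module (and therefore the AD: drive) is loaded
# and that the caller can read the Configuration partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$cfgNc   = $rootDse.configurationNamingContext

# controlAccessRight objects live under CN=Extended-Rights in the
# Configuration partition. validAccesses says what kind of right each is:
#   0x100 = control access right, i.e. a true extended right
#   0x10 / 0x20 = read / write property set
#   0x8 = validated write
$rights = Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' `
    -SearchBase "CN=Extended-Rights,$cfgNc" -SearchScope OneLevel `
    -Properties displayName, rightsGuid, validAccesses

function Get-ControlAccessRightKind {
    # Hypothetical helper: classify a controlAccessRight by its validAccesses mask.
    param([int]$ValidAccesses)
    if ($ValidAccesses -band 0x100) { return 'ExtendedRight' }
    if ($ValidAccesses -band 0x30)  { return 'PropertySet' }
    if ($ValidAccesses -band 0x8)   { return 'ValidatedWrite' }
    return 'Unknown'
}

# GUID -> name/kind table. Keys are lower-case GUID strings so that a
# lookup from an ACE's ObjectType (a [guid]) matches regardless of case.
$rightsByGuid = @{}
foreach ($r in $rights) {
    $rightsByGuid[$r.rightsGuid.ToLower()] = [pscustomobject]@{
        Name = $r.displayName
        Kind = Get-ControlAccessRightKind $r.validAccesses
    }
}

# How many of each kind are defined in this forest.
$rightsByGuid.Values | Group-Object Kind |
    Select-Object Name, Count | Format-Table -AutoSize

# Read the DACL of the domain head through the AD: drive and show every
# ACE whose ObjectType refers to one of the rights above. Any DN works here.
$targetDn = $rootDse.defaultNamingContext
$acl = Get-Acl -Path "AD:\$targetDn"

$acl.Access |
    Where-Object { $_.ObjectType -ne [guid]::Empty } |
    ForEach-Object {
        $info = $rightsByGuid[$_.ObjectType.ToString().ToLower()]
        if ($null -ne $info) {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference
                Type      = $_.AccessControlType
                Right     = $info.Name
                Kind      = $info.Kind
                ADRights  = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
    } | Sort-Object Trustee, Right | Format-Table -AutoSize
```

ACEs whose ObjectType is not found in the table are not extended rights at all: the same GUID field is also used for schemaIDGUID values of attributes and classes, which would need a second lookup against the Schema partition. When reviewing who holds a given extended right, also check the ActiveDirectoryRights column: a property-set GUID paired with ReadProperty/WriteProperty means something different from the same container's ExtendedRight entries.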