Question
Thursday, October 24, 2019 11:33 AM
I am creating a script to get a report of what permissions a group has on multiple OUs. However, I want to get the displayname of the extendedrights (like Reset Password) in the report. When I run
(Get-ACL -Path 'OU=testou,dc=lab,dc=local').Access | Where-Object { $_.IdentityReference -like '*testgroup123' }
I do not get the displayname of the extendedright. How can I get the displayname of the extendedright for my report?
I have referred to the below, however I want to get the actual name of the extended right in my report:
All replies (17)
Thursday, October 24, 2019 4:49 PM ✅Answered
This will explain how to retrieve the rights from AD.
https://blogs.technet.microsoft.com/poshchap/2017/10/06/more-on-get-acl-with-active-directory/
\(ツ)_/
Friday, October 25, 2019 7:09 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Best Regards,
Lee
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Saturday, October 26, 2019 4:13 AM
Thanks for your reply. I have gone through this article. However, using this I can list out all the extended rights and schema GUIDs and so on. My question is how I can get these display names to show up when I am getting a report of the permissions a particular group has on an OU?
One more related question is that when I am trying to use something like below:
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
$s,"ExtendedRight","Allow",$extendedrightsmap["Write all properties"],"Descendents",$guidmap["user"]))
When I use Write all properties or delete all child objects permissions in the above command, it returns an error.
Even when I use the link: https://blogs.technet.microsoft.com/poshchap/2017/10/06/more-on-get-acl-with-active-directory/ to see what extendedrights are starting in write, I see only these two. However in GUI I can see a lot of extended rights.
PS AD:\> $ExtendedRightsGuids.Name | Select-String "Write*"
DS-Write-Partition-Secrets
DS-Validated-Write-Computer
Saturday, October 26, 2019 4:17 AM
Extended rights are GUIDs and not strings. There is an enum that exposes these. There is also this AD CmdLet.
\(ツ)_/
Saturday, October 26, 2019 4:22 AM
Here is how to find all of the extended rights on an AD system:
Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext |
Sort-Object |
Format-Wide
\(ツ)_/
Saturday, October 26, 2019 4:32 AM
Here are the rights available to an ACE:
[enum]::GetNames([System.DirectoryServices.ActiveDirectoryRights])
\(ツ)_/
Saturday, October 26, 2019 4:37 AM
Thanks for the reply. I see that the Add-ADPermission requires exchange module. Will it work for OU permissions?
Also I ran the above command, however I did not see the Write all properties and the delete all child objects permissions listed out. Are Write all properties and delete all child objects extended rights or there is some other way to list these?
Saturday, October 26, 2019 4:40 AM
I cannot find the list of GUIDs or the code to retrieve the GUID list. We need to use a GUID for the rights.
Here is a partial example of how to work with extended rights.
https://itworldjd.wordpress.com/2016/10/16/ad-powershell-script-to-dump-extended-rights/
\(ツ)_/
Saturday, October 26, 2019 5:04 AM
Here are the lists of GUIDs mostly. I suggest placing them in a Csv or dictionary to decode:
/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
Here is a quick rewrite of the very old code in the blog.
# GUID list https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
function Get-AdExtendedRight{
    Param(
        [Microsoft.ActiveDirectory.Management.ADObject]$adobject
    )
    Foreach($access in $adobject.ntsecurityDescriptor.access){
        # Ignore well known and normal permissions
        if($access.AccessControlType -eq 'Deny' -or
           $access.IdentityReference -match 'NT AUTHORITY\\SYSTEM|NT AUTHORITY\\SELF' -or
           $access.IsInherited){
        }else{
            # Check extended right
            if ($access.ActiveDirectoryRights -band 'ExtendedRight'){
                # This is the list of dangerous extended attributes
                # see : https://technet.microsoft.com/en-us/library/ff405676.aspx
                # (the ObjectType GUID of the ACE identifies the extended right)
                $right = switch ($access.ObjectType){
                    '00299570-246d-11d0-a768-00aa006e0529' {'User-Force-Change-Password' }
                    '45ec5156-db7e-47bb-b53f-dbeb2d03c40f' {'Reanimate-Tombstones' }
                    'bf9679c0-0de6-11d0-a285-00aa003049e2' {'Self-Membership' }
                    'ba33815a-4f93-4c76-87f3-57574bff8109' {'Manage-SID-History' }
                    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' {'DS-Replication-Get-Changes-All'}
                    default {$_ }   # unknown GUIDs are emitted as-is
                }
                "$($access.IdentityReference) can act on the permission of $($adobject.name) ($($adobject.DistinguishedName)) with extended right: $right"
            }
        }
    }
} #End Function
Get-ADUser -Filter * -Properties ntSecurityDescriptor |
    ForEach-Object{ Get-AdExtendedRight $_ }
\(ツ)_/
Saturday, October 26, 2019 11:18 AM
Thanks jrv. I am not sure if I am doing anything wrong here. However when I run the above code and export to csv, I get some numbers in the file only and when I export to text file, I get something like below:
BUILTIN\Administrators can act on the permission of Administrator (CN=Administrator,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
LAB\Domain Admins can act on the permission of Administrator (CN=Administrator,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
LAB\Enterprise Admins can act on the permission of Administrator (CN=Administrator,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
Everyone can act on the permission of Administrator (CN=Administrator,CN=Users,DC=lab,DC=local) with extended right: ab721a53-1e2f-11d0-9819-00aa0040529b
BUILTIN\Account Operators can act on the permission of Guest (CN=Guest,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
LAB\Domain Admins can act on the permission of Guest (CN=Guest,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
Everyone can act on the permission of Guest (CN=Guest,CN=Users,DC=lab,DC=local) with extended right: ab721a53-1e2f-11d0-9819-00aa0040529b
BUILTIN\Administrators can act on the permission of krbtgt (CN=krbtgt,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
LAB\Domain Admins can act on the permission of krbtgt (CN=krbtgt,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
LAB\Enterprise Admins can act on the permission of krbtgt (CN=krbtgt,CN=Users,DC=lab,DC=local) with extended right: 00000000-0000-0000-0000-000000000000
Everyone can act on the permission of krbtgt (CN=krbtgt,CN=Users,DC=lab,DC=local) with extended right: ab721a53-1e2f-11d0-9819-00aa0040529b
Saturday, October 26, 2019 5:05 PM
I recommend learning some PowerShell before continuing. The code does not produce output that can be exported. It just provides a demo of how this might be done. Note that it does not convert the one extended right because you have to create a method to check all rights against a full list of known rights.
\(ツ)_/
Saturday, October 26, 2019 5:58 PM
I had some time so I extended the example to make it easier to understand.
I stumbled across this better explanation of how rights work; too bad the blogger uses a dark theme. Dark themes should never be used in technical blogs. http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm
function Get-AdExtendedRights{
    Param(
        [Microsoft.ActiveDirectory.Management.ADObject]$adobject
    )
    Foreach($access in $adobject.ntsecurityDescriptor.access){
        # Ignore well known and normal permissions
        if($access.IdentityReference -match 'NT AUTHORITY\\SYSTEM|NT AUTHORITY\\SELF'){
        }else{
            # Check extended right
            if ($access.ActiveDirectoryRights -match 'ExtendedRight'){
                # see : https://technet.microsoft.com/en-us/library/ff405676.aspx
                $right = switch ($access.ObjectType){
                    '00299570-246d-11d0-a768-00aa006e0529' {'User-Force-Change-Password' }
                    '45ec5156-db7e-47bb-b53f-dbeb2d03c40f' {'Reanimate-Tombstones' }
                    'bf9679c0-0de6-11d0-a285-00aa003049e2' {'Self-Membership' }
                    'ba33815a-4f93-4c76-87f3-57574bff8109' {'Manage-SID-History' }
                    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' {'DS-Replication-Synchronize' }
                    'ab721a54-1e2f-11d0-9819-00aa0040529b' {'SendAs' }
                    'ab721a53-1e2f-11d0-9819-00aa0040529b' {'User-Change-Password' }
                    '00000000-0000-0000-0000-000000000000' {'Null-GUID' }
                    default {'Unknown' }
                }
                # Emit one object per ACE so the result can be exported (Export-Csv etc.)
                [pscustomobject]@{
                    ADObjectDistinguishedName = $adobject.DistinguishedName
                    IdentityReference         = $access.IdentityReference
                    ActiveDirectoryRights     = $access.ActiveDirectoryRights
                    AccessControlType         = $access.AccessControlType
                    IsInherited               = $access.IsInherited
                    ObjectFlags               = $access.ObjectFlags
                    ObjectType                = $access.ObjectType
                    ObjectTypeDisplayName     = $right
                    InheritedObjectType       = $access.InheritedObjectType
                }
            }
        }
    }
} #End Function
\(ツ)_/
Sunday, October 27, 2019 4:35 AM
Thanks. I am trying to add some permissions, all other permissions are getting added however the below code gets executed without errors, however these permissions are not checked when I look through the GUI, any idea why this is not working:
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"ExtendedRight","Allow",$extendedrightsmap["Validated write to DNS host name"],"Descendents",$guidmap["computer"]))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $p,"ExtendedRight","Allow",$extendedrightsmap["Validated write to service principal name"],"Descendents",$guidmap["computer"]))
Set-ACL -ACLObject $acl -Path ("AD:\"+($ou.DistinguishedName))
Sunday, October 27, 2019 5:03 AM
You know that you need to refresh the GUI to see changes.
\(ツ)_/
Sunday, October 27, 2019 5:12 AM
This would be the best and current way to do this:
$ace1 = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($p,'ExtendedRight','Allow',$extendedrightsmap['Validated write to DNS host name'],'Descendents',$guidmap['computer'])
$ace2 = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($p,'ExtendedRight','Allow',$extendedrightsmap['Validated write to service principal name'],'Descendents',$guidmap["computer"])
$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
Set-ACL -AclObject $acl -Path "AD:\$($ou.DistinguishedName)"
\(ツ)_/
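As an added example (not code from this thread) that serves both the original report question and the validated-write ACEs above: instead of a hard-coded switch, it builds the GUID-to-name map from the controlAccessRight objects under the Extended-Rights container and from schemaIDGUID in the schema, then resolves every ACE a group holds on an OU. The validAccesses attribute separates control access rights (256, granted with the ExtendedRight bit) from validated writes such as "Validated write to DNS host name" (8, granted with the Self bit), which is why an ACE written with ExtendedRight plus a validated-write GUID is not shown as that checkbox in the GUI. The OU and group names are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not code from the thread. Placeholders: adjust $OuDn and $GroupName.
Import-Module ActiveDirectory
$OuDn      = 'OU=testou,DC=lab,DC=local'   # placeholder OU
$GroupName = 'testgroup123'                # placeholder group (sAMAccountName)

$rootDse = Get-ADRootDSE
$map = @{}   # GUID string -> @{ Name = ...; Kind = ... }

# Control access rights and validated writes: rightsGuid is the ACE ObjectType.
# validAccesses 256 = control access right (ExtendedRight), 8 = validated write (Self).
Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' `
    -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -Properties rightsGuid, displayName, validAccesses |
  ForEach-Object {
    $kind = if ($_.validAccesses -band 8) { 'ValidatedWrite' } else { 'ControlAccessRight' }
    $map[([guid]$_.rightsGuid).ToString()] = @{ Name = $_.displayName; Kind = $kind }
  }

# Attributes and classes: schemaIDGUID is stored as a byte array, so cast it.
Get-ADObject -LDAPFilter '(schemaIDGUID=*)' -SearchBase $rootDse.SchemaNamingContext `
    -Properties schemaIDGUID, lDAPDisplayName |
  ForEach-Object {
    $map[([guid]$_.schemaIDGUID).ToString()] = @{ Name = $_.lDAPDisplayName; Kind = 'Schema' }
  }

function Resolve-AdGuid([guid]$g) {
    # All-zero GUID means "all properties / all object types", e.g. "Write all properties".
    if ($g -eq [guid]::Empty) { return 'All (null GUID)' }
    $key = $g.ToString()
    if ($map.ContainsKey($key)) { return "$($map[$key].Name) [$($map[$key].Kind)]" }
    return $key   # unknown GUID: keep it visible rather than hiding it
}

# Report: every ACE on the OU whose trustee is the group, with GUIDs resolved.
(Get-Acl -Path "AD:\$OuDn").Access |
  Where-Object { $_.IdentityReference -like "*\$GroupName" } |
  ForEach-Object {
    [pscustomobject]@{
        Identity        = $_.IdentityReference
        Rights          = $_.ActiveDirectoryRights
        Type            = $_.AccessControlType
        Inherited       = $_.IsInherited
        ObjectType      = Resolve-AdGuid $_.ObjectType
        InheritedObject = Resolve-AdGuid $_.InheritedObjectType
    }
  } | Format-Table -AutoSize
```

Pipe the objects to Export-Csv instead of Format-Table to keep the report; "Write all properties" and "Delete all child objects" appear here as WriteProperty and DeleteChild with the null GUID, not as extended rights.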
Sunday, October 27, 2019 5:14 AM
Your last question has nothing to do with your original ask. If you have new questions please open a new topic.
\(ツ)_/
Sunday, October 27, 2019 1:38 PM
Thanks jrv. I will open a new topic as this is not working as expected.