Note: This module has been rewritten in C# for improved performance and maintainability. The original PowerShell version is available in this Gist.
ADEffectiveAccess is a PowerShell module that provides the Get-ADEffectiveAccess cmdlet, an enhanced alternative to Get-Acl for Active Directory. This cmdlet retrieves access control lists (ACLs) for AD objects, returning effective access and audit rules. It translates ObjectType and InheritedObjectType GUIDs into human-readable names using a per-session, per-domain map for improved performance and readability.
Unlike Get-Acl, it has no dependency on the Active Directory module and includes built-in LDAP search functionality to locate objects.
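One way to build the per-domain GUID-to-name map described above, added here as an illustration rather than the module's own code: it reads schemaIDGUID from the schema partition and rightsGuid from the Extended-Rights container, then resolves the two GUIDs that appear in the Format-List output further down the page. It assumes a domain-joined Windows session (the [adsi] and [adsisearcher] accelerators), and the helper name Resolve-AceGuid is our own.

```powershell
# Added example (not the module's code): build a GUID -> name map of the kind
# the README describes, then resolve ACE GUIDs against it.
$rootDse = [adsi]'LDAP://RootDSE'
$guidMap = @{}

# Schema classes and attributes: schemaIDGUID is stored as a 16-byte octet string
$schemaRoot = [adsi]"LDAP://$($rootDse.schemaNamingContext)"
$schemaSearch = [adsisearcher]::new($schemaRoot, '(schemaIDGUID=*)', [string[]]@('name', 'schemaIDGUID'))
$schemaSearch.PageSize = 1000
foreach ($entry in $schemaSearch.FindAll()) {
    $guid = [guid]::new([byte[]]$entry.Properties['schemaidguid'][0])
    $guidMap[$guid] = [string]$entry.Properties['name'][0]
}

# Extended rights and property sets: rightsGuid is stored as a string
$rightsRoot = [adsi]"LDAP://CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$rightsSearch = [adsisearcher]::new($rightsRoot, '(rightsGuid=*)', [string[]]@('name', 'rightsGuid'))
$rightsSearch.PageSize = 1000
foreach ($entry in $rightsSearch.FindAll()) {
    $guid = [guid]::new([string]$entry.Properties['rightsguid'][0])
    $guidMap[$guid] = [string]$entry.Properties['name'][0]
}

# Resolve-AceGuid is a hypothetical helper name. An all-zero GUID in an ACE means
# the ACE is not scoped to a particular class, attribute, property set or right.
function Resolve-AceGuid {
    param([Parameter(Mandatory)][guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()   # unknown GUID: fall back to the raw value
}

# The two GUIDs taken from the Format-List output shown later on this page
Resolve-AceGuid '59ba2f42-79a2-11d0-9020-00c04fc2d3cf'   # its ObjectType value
Resolve-AceGuid '4828cc14-1437-45bc-9b07-ad6f015e5f28'   # its InheritedObjectType value
```

Building the map once per domain and caching it is what keeps per-ACE translation cheap; the lookups themselves are hashtable reads.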
Check out the documentation for cmdlet usage and more examples.
The module is available through the PowerShell Gallery:
Install-Module ADEffectiveAccess -Scope CurrentUser
To build from source, clone the repository and run the build script:
git clone 'https://github.com/santisq/ADEffectiveAccess.git'
Set-Location ./ADEffectiveAccess
./build.ps1
This module requires Windows and is compatible with Windows PowerShell v5.1 and PowerShell 7+. No Active Directory module is required. Appropriate permissions are needed to read security descriptors.
Below are examples demonstrating how to use Get-ADEffectiveAccess to retrieve Active Directory ACLs:
Retrieves effective access rules for the user john.galt in the current domain.
PS /> $acl = Get-ADEffectiveAccess john.galt
PS /> $acl
Path: LDAP://CN=John Galt,CN=Users,DC=mylab,DC=local
IdentityReference                ObjectType                 InheritedObjectType  ActiveDirectoryRights
-------------------------------- -------------------------- -------------------- ---------------------
NT AUTHORITY\SELF                All Objects (Full Control) Any Inherited Object GenericRead
NT AUTHORITY\Authenticated Users All Objects (Full Control) Any Inherited Object ReadControl
NT AUTHORITY\SYSTEM              All Objects (Full Control) Any Inherited Object GenericAll
BUILTIN\Account Operators        All Objects (Full Control) Any Inherited Object GenericAll
mylab\Domain Admins              All Objects (Full Control) Any Inherited Object GenericAll
Everyone                         User-Change-Password       Any Inherited Object ExtendedRight
NT AUTHORITY\SELF                Email-Information          Any Inherited Object ReadProperty, WriteProperty
....
PS /> $acl[30] | Format-List
ActiveDirectoryRights : ReadProperty
InheritanceType : Descendents
ObjectType : 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
InheritedObjectType : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
Type : Access
Owner : mylab\Domain Admins
Group : mylab\Domain Admins
Path : LDAP://CN=John Galt,CN=Users,DC=mylab,DC=local
IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access
InheritanceFlags : ContainerInherit
IsInherited : True
PropagationFlags : InheritOnly
ObjectTypeToString : General-Information
InheritedObjectTypeToString : inetOrgPerson
Fetches access and audit rules for all users in the Users OU, including SACL rules.
PS /> Get-ADEffectiveAccess -LdapFilter "(objectCategory=person)" -SearchBase "OU=Users,DC=mylab,DC=local" -Audit
Uses pipeline input from Get-ADUser to get effective access rules for the user jdoe.
PS /> Get-ADUser -Identity "jdoe" | Get-ADEffectiveAccess
Retrieves access rules for up to 10 deleted group objects.
PS /> Get-ADEffectiveAccess -LdapFilter "(&(isDeleted=TRUE)(objectClass=group))" -IncludeDeletedObjects -Top 10
Retrieves access rules for a user using specified credentials.
PS /> Get-ADEffectiveAccess -Identity "john.galt" -Credential (Get-Credential)
Contributions are welcome. If you wish to contribute, fork this repository and submit a pull request with your changes.