

Use PowerShell to List Active Directory Extended Rights

PowerShell providers let us, as IT professionals, traverse the various data stores we encounter as if they were file systems. The ActiveDirectory module ships a PSProvider that lets us navigate Active Directory through a PSDrive (AD:) in the same way.

 


 

Thinking about a file system, we talk about Access Control Entries (ACEs) that make up Access Control Lists (ACLs) governing who can do what with the data in that file system. Similar security descriptors are applied to Active Directory objects. We have trustees, the principals that can perform an action (e.g. users, groups), and we have permissions, the actions those trustees can perform (e.g. read, delete).

We also have Extended Rights: specific actions, beyond the standard permissions, that can be performed on Active Directory objects, e.g. Change PDC, Send As.

Here's how we can look at what Extended Rights are available to us...
 

 
Get-ADObject -LDAPFilter '(objectClass=controlAccessRight)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -SearchScope Subtree | Sort-Object -Property Name | Format-Wide -Property Name

 

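As an added example (not part of the original post), the script below goes one step further: it builds a GUID-to-name map of the true extended rights and then reads the domain root's security descriptor through the AD: PSDrive to list which trustees actually hold each extended right there. Note that objectClass=controlAccessRight also matches property sets and validated writes; the validAccesses=256 filter keeps only extended rights. It assumes the ActiveDirectory RSAT module is installed and that the session runs as a domain user who can read the domain object's DACL.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is available so that Get-AD* cmdlets and the AD: PSDrive work.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).ConfigurationNamingContext

# controlAccessRight objects cover extended rights, property sets and
# validated writes; validAccesses = 256 (ADS_RIGHT_DS_CONTROL_ACCESS)
# marks the true extended rights, which is what ExtendedRight ACEs reference.
$rightsByGuid = @{}
Get-ADObject -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=256))' `
    -SearchBase "CN=Extended-Rights,$configNC" -SearchScope OneLevel `
    -Properties rightsGuid, displayName |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_.displayName }

# Read the domain root's DACL through the AD: PSDrive, exactly as you would
# read a folder's ACL with Get-Acl on a file-system drive.
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

# Keep only Allow ACEs that carry the ExtendedRight bit. ObjectType names the
# specific right; an empty GUID means "all extended rights" on this object,
# which is the case a reviewer most wants to see.
$extendedRightBit = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRightBit) -ne 0)
    } |
    Select-Object IdentityReference,
        @{ n = 'ExtendedRight'; e = {
            if ($_.ObjectType -eq [guid]::Empty) { '(all extended rights)' }
            elseif ($rightsByGuid.ContainsKey($_.ObjectType)) { $rightsByGuid[$_.ObjectType] }
            else { "unknown $($_.ObjectType)" }
        } },
        IsInherited |
    Sort-Object -Property ExtendedRight, IdentityReference |
    Format-Table -AutoSize
```

Point `-Path` at any other distinguished name (an OU, a user, a GPO) to review the extended rights granted on that object instead; comparing the output against your expected delegation model is a quick way to spot ACEs that should not be there.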