Get-Acl Cheatsheet

(Get-Acl (Get-ADDomain).DistinguishedName).Access
  • What DangerousRights are
  • Automated querying if a given user holds them
  • Break this down Barney Style
  • GenericAll (grants all privileges)
  • WriteDACL (grants one the right to give oneself privileges)
  • WriteOwner (grants the right to seize ownership, and then give oneself privileges)
  • GenericWrite (functionally the same thing as WriteProperty with ObjectType all 0s)
  • WriteProperty on anything with ObjectType = 00000000-0000-0000-0000-000000000000
  • WriteProperty on OUs with ObjectType = f30e3bbe-9ff0-11d1-b603-0000f80367c1 aka gPLink
  • WriteProperty on Groups with ObjectType = bf9679c0-0de6-11d0-a285-00aa003049e2 aka member
  • Self on Groups with ObjectType = bf9679c0-0de6-11d0-a285-00aa003049e2 aka self-membership
  • Self on Groups with ObjectType = 00000000-0000-0000-0000-000000000000 includes the above
  • ExtendedRight on Users with ObjectType = 00299570-246d-11d0-a768-00aa006e0529 aka ResetPassword
  • ExtendedRight on Users with ObjectType = 00000000-0000-0000-0000-000000000000 includes the above
  • ExtendedRight with ObjectType = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  • ExtendedRight with ObjectType = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
  • ExtendedRight with ObjectType = 00000000-0000-0000-0000-000000000000 includes the above
  • Delete (self-explanatory)
  • DeleteChild (delete the items in the OU)
  • CreateChild (create items, aka users, in the OU)
  • DeleteTree (self-explanatory)
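The list above mixes three kinds of rule (a right on its own, a right plus a specific ObjectType GUID, and a right that only matters on a particular object class), which is easy to get wrong in a one-line Where-Object. The function below is an added example, not code from the original post: it encodes those rules once and classifies a single ACE, returning the matching rule name or $null. The -ObjectClass parameter is an assumption of this example (the page's own script does not track object class); the ACE objects at the bottom are constructed samples so the block runs without a domain, and the same function accepts the ActiveDirectoryAccessRule entries that (Get-Acl <DN>).Access returns.

```powershell
# Added example, not from the original post: classify one AD ACE against the
# rights/GUID rules in the list above. Runs offline on the constructed samples
# at the bottom; the same function works on what (Get-Acl <DN>).Access returns.

# rightsGUID / schemaIDGUID values from the list above (lowercase, plain hyphens)
$RightsGuid = @{
    All           = '00000000-0000-0000-0000-000000000000'
    gPLink        = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
    Member        = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
    ResetPassword = '00299570-246d-11d0-a768-00aa006e0529'
    GetChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Test-DangerousAce {
    # Returns a short reason when the ACE matches a rule above, otherwise $null.
    # -ObjectClass is a hypothetical parameter: the class of the object whose ACL
    # the ACE came from ('user', 'group', 'organizationalUnit', 'domainDNS', ...),
    # because several rules only matter on a particular class.
    param(
        [Parameter(Mandatory)] $Ace,
        [string] $ObjectClass = 'unknown'
    )
    # Deny ACEs grant nothing
    if ("$($Ace.AccessControlType)" -ne 'Allow') { return $null }

    # ActiveDirectoryRights is a flags enum; its string form is "WriteProperty, ExtendedRight"
    $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
    $type   = "$($Ace.ObjectType)".ToLower()
    $isAll  = ($type -eq $RightsGuid.All)

    # rights that are dangerous on any object, whatever the ObjectType
    foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite') {
        if ($rights -contains $r) { return $r }
    }
    if ($rights -contains 'WriteProperty') {
        if ($isAll) { return 'WriteProperty (all properties)' }
        if ($type -eq $RightsGuid.gPLink -and $ObjectClass -eq 'organizationalUnit') { return 'WriteProperty gPLink on OU' }
        if ($type -eq $RightsGuid.Member -and $ObjectClass -eq 'group') { return 'WriteProperty member on group' }
    }
    if ($rights -contains 'Self' -and $ObjectClass -eq 'group' -and ($isAll -or $type -eq $RightsGuid.Member)) {
        return 'Self-membership on group'
    }
    if ($rights -contains 'ExtendedRight') {
        if ($ObjectClass -eq 'user' -and ($isAll -or $type -eq $RightsGuid.ResetPassword)) { return 'ResetPassword on user' }
        if ($isAll -or $type -eq $RightsGuid.GetChanges -or $type -eq $RightsGuid.GetChangesAll) { return 'DS-Replication-Get-Changes(-All)' }
    }
    # destructive / creation rights from the end of the list
    foreach ($r in 'Delete', 'DeleteChild', 'CreateChild', 'DeleteTree') {
        if ($rights -contains $r) { return $r }
    }
    return $null
}

# Constructed sample ACEs (not from any real domain), shaped like the
# ActiveDirectoryAccessRule objects Get-Acl returns, plus the owning object's class
$samples = @(
    [pscustomobject]@{ IdentityReference = 'LAB\Helpdesk';    ActiveDirectoryRights = 'ExtendedRight';              ObjectType = $RightsGuid.ResetPassword; AccessControlType = 'Allow'; Class = 'user' }
    [pscustomobject]@{ IdentityReference = 'LAB\GPO Editors'; ActiveDirectoryRights = 'WriteProperty';              ObjectType = $RightsGuid.gPLink;        AccessControlType = 'Allow'; Class = 'organizationalUnit' }
    [pscustomobject]@{ IdentityReference = 'Everyone';        ActiveDirectoryRights = 'ReadProperty, ListChildren'; ObjectType = $RightsGuid.All;           AccessControlType = 'Allow'; Class = 'group' }
    [pscustomobject]@{ IdentityReference = 'LAB\Contractors'; ActiveDirectoryRights = 'GenericAll';                 ObjectType = $RightsGuid.All;           AccessControlType = 'Deny';  Class = 'user' }
    [pscustomobject]@{ IdentityReference = 'LAB\svc-backup';  ActiveDirectoryRights = 'ExtendedRight';              ObjectType = $RightsGuid.GetChangesAll; AccessControlType = 'Allow'; Class = 'domainDNS' }
)
foreach ($s in $samples) {
    $why = Test-DangerousAce -Ace $s -ObjectClass $s.Class
    if ($why) { '{0,-18} {1}' -f $s.IdentityReference, $why }
}

# On a live object instead (needs the ActiveDirectory module and Set-Location AD:):
#   $obj = Get-ADObject -Identity $dn
#   (Get-Acl $dn).Access | ForEach-Object { Test-DangerousAce -Ace $_ -ObjectClass $obj.ObjectClass }
```

The samples deliberately include a Deny ACE and a read-only ACE so the two filters that the one-liners on this page tend to forget (AccessControlType and the class the ACE sits on) are visible. One caveat the function does not cover: an ACE's InheritedObjectType can restrict an inherited ACE to child objects of one class, so on OUs and the domain root the class you pass should be the class the ACE will apply to, not only the container's own class.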
# Run/import Get-ADNestedGroups.ps1 first! (Available from: http://blog.tofte-it.dk/powershell-get-all-nested-groups-for-a-user-in-active-directory/)
Import-Module ActiveDirectory
Import-Module .\Get-ADNestedGroups.ps1
# Get-Acl needs the AD: drive to resolve distinguished names
Set-Location AD:
$ADRoot = (Get-ADDomain).DistinguishedName
# Every group the current user is a (nested) member of, joined into one regex alternation
$Accounts = (Get-ADUserNestedGroups (Get-ADUser "$env:username" -Properties *).DistinguishedName).Name
$MyGroups = ($Accounts.ForEach{ [regex]::Escape($_) }) -join '|'
if (-not $MyGroups) { $MyGroups = '(?!)' }   # no groups: match nothing rather than everything (an empty regex matches every identity)
# Identities that cover the current user even without an explicit group entry
$AlsoCheck = "$env:username|Everyone|Authenticated Users|Domain Users"
$ADCS_Objects = (Get-ADObject -Filter * -SearchBase $ADRoot).DistinguishedName
$DangerousRights = "GenericAll|WriteDACL|WriteOwner|GenericWrite|WriteProperty|Self"
$DangerousGUIDs = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|00000000-0000-0000-0000-000000000000|00299570-246d-11d0-a768-00aa006e0529"
$FishyGUIDs = "ab721a56-1e2f-11d0-9819-00aa0040529b|ab721a54-1e2f-11d0-9819-00aa0040529b"
ForEach ($object in $ADCS_Objects)
{
    # Allow ACEs held by me (or one of my groups) that carry a dangerous right,
    # or an ExtendedRight whose ObjectType is one of the GUIDs above
    $BadACE = (Get-Acl $object -ErrorAction SilentlyContinue).Access | Where-Object {
        (($_.IdentityReference -match $MyGroups) -or ($_.IdentityReference -match $AlsoCheck)) -and
        (($_.ActiveDirectoryRights -match $DangerousRights) -or
         (($_.ActiveDirectoryRights -like "*ExtendedRight*") -and (($_.ObjectType -match $DangerousGUIDs) -or ($_.ObjectType -match $FishyGUIDs)))) -and
        ($_.AccessControlType -eq "Allow")
    }
    If ($BadACE)
    {
        Write-Host "Object: $object" -ForegroundColor Red
        $BadACE
    }
}
$thing = (Get-ADUser $env:username -Properties *).DistinguishedName
# Quick check: any ACE on my own account whose ObjectType is the ResetPassword right
(Get-Acl "$thing").Access | Where-Object {$_.ObjectType -eq "00299570-246d-11d0-a768-00aa006e0529"}
# Full check: ExtendedRight on ResetPassword, or on all extended rights (the all-zeros GUID includes it)
(Get-Acl "$thing").Access | Where-Object {($_.ActiveDirectoryRights -eq "ExtendedRight") -and (($_.ObjectType -eq "00299570-246d-11d0-a768-00aa006e0529") -or ($_.ObjectType -eq "00000000-0000-0000-0000-000000000000"))}
(Get-Acl (Get-ADGroup "Domain Admins").DistinguishedName).Access | Where-Object {($_.ActiveDirectoryRights -like "*Self*") -and (($_.ObjectType -eq "bf9679c0-0de6-11d0-a285-00aa003049e2") -or ($_.ObjectType -eq "00000000-0000-0000-0000-000000000000")) -and ($_.AccessControlType -eq "Allow")}
# Who holds replication or write/owner rights on the domain root. The outer parentheses matter:
# -and binds tighter than -or, so without them the Allow check would only apply to the WriteOwner clause.
$suspects = ((Get-Acl (Get-ADDomain).DistinguishedName).Access | Where-Object {
    ((($_.ActiveDirectoryRights -like "*ExtendedRight*") -and (($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") -or ($_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") -or ($_.ObjectType -eq "00000000-0000-0000-0000-000000000000"))) -or
     ($_.ActiveDirectoryRights -like "*GenericWrite*") -or ($_.ActiveDirectoryRights -like "*GenericAll*") -or
     ($_.ActiveDirectoryRights -like "*WriteDACL*") -or ($_.ActiveDirectoryRights -like "*WriteOwner*")) -and
    ($_.AccessControlType -eq "Allow")
}).IdentityReference
(Get-Acl $object).Access | Where-Object {$_.ActiveDirectoryRights -match $DangerousRights}
(Get-Acl -Path "I:").Owner
(Get-Acl -Path "I:").Access
(Get-Acl -Path "I:").Access | Where-Object {($_.FileSystemRights -eq "FullControl") -and ($_.AccessControlType -eq "Allow")}
  • ChangePermissions (NTFS version of WriteDACL, allows one to change the ACL)
  • FullControl (NTFS version of GenericAll, includes all rights)
  • TakeOwnership (NTFS version of WriteOwner, allows one to change the owner and then do anything)
  • Delete (self-explanatory)
  • DeleteSubdirectoriesAndFiles (delete anything below a directory, even without Delete on the children themselves)
  • Modify (includes the rights Delete, Write, & ReadAndExecute)
  • ReadAndExecute (read, copy, run)
  • Write (pretty self-explanatory, allows one to change the data in a file)
  • WriteData (same as Write, but without the ability to write file attributes, file’s ACL, etc)
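FileSystemRights is a flags enum, and Modify, Write and FullControl are composites of the finer rights in the list above, so a filter like -eq "FullControl" reports only ACEs that are exactly FullControl and misses a grant of Modify or TakeOwnership. The function below is an added example, not code from the original post: it tests each named right from the list with a bitmask and reports every one the ACE fully contains. The ACE objects at the bottom are constructed samples so the block runs on any machine; against a real path, feed it (Get-Acl -Path ...).Access as in the commented usage.

```powershell
# Added example, not from the original post: test NTFS ACEs against the rights
# list above with a bitmask (-band) rather than -eq "FullControl", so an ACE
# that grants e.g. Modify or TakeOwnership without FullControl is still reported.
$FsRights = [System.Security.AccessControl.FileSystemRights]

function Get-DangerousNtfsRights {
    # Returns the names from the list above that the ACE fully contains
    # (empty array for a Deny ACE or a read-only grant).
    param([Parameter(Mandatory)] $Ace)
    if ("$($Ace.AccessControlType)" -ne 'Allow') { return @() }

    # Enum.Parse accepts both the enum's own text ("Modify, Synchronize") and raw numbers,
    # so this works on real FileSystemAccessRule entries and on the string samples below
    $mask = [int][System.Enum]::Parse($FsRights, "$($Ace.FileSystemRights)")

    $found = foreach ($name in 'FullControl', 'ChangePermissions', 'TakeOwnership', 'Modify',
                                'DeleteSubdirectoriesAndFiles', 'Delete', 'Write', 'WriteData') {
        $bits = [int][System.Enum]::Parse($FsRights, $name)
        if (($mask -band $bits) -eq $bits) { $name }   # composite rights like Modify need every bit present
    }
    return @($found)
}

# Constructed sample ACEs (not read from a real volume), shaped like FileSystemAccessRule entries
$samples = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users';   FileSystemRights = 'Modify, Synchronize';                        AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'LAB\svc-backup';  FileSystemRights = 'ReadAndExecute, TakeOwnership, Synchronize'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'Everyone';        FileSystemRights = 'ReadAndExecute, Synchronize';                AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'LAB\Contractors'; FileSystemRights = 'FullControl';                                AccessControlType = 'Deny'  }
)
foreach ($s in $samples) {
    $hits = Get-DangerousNtfsRights -Ace $s
    if ($hits.Count) { '{0,-16} {1}' -f $s.IdentityReference, ($hits -join ', ') }
}

# Against a real path, the same function replaces the -eq "FullControl" filter above:
#   (Get-Acl -Path 'I:').Access | ForEach-Object {
#       $hits = Get-DangerousNtfsRights -Ace $_
#       if ($hits.Count) { [pscustomobject]@{ Identity = $_.IdentityReference; Rights = $hits -join ', ' } }
#   }
```

Because Modify contains Delete, Write and WriteData, an ACE granting Modify is reported under all four names; that is intended, since the list above is about what the holder can do, not about which single enum value was set. The Deny sample shows why AccessControlType has to be checked before the mask: a Deny of FullControl carries the same bits as an Allow.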

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.