Enumerating ACLs

PowerView

Get list of all ACLs from current domain

Get-ObjectACL

Get list of all ACLs from current domain with resolved GUIDs

Get-ObjectACL -ResolveGUIDs

Get list of all ACLs from another domain

Get-ObjectACL -Domain <DOMAIN NAME>

Get list of all ACLs associated with the specific SAM account name

Get-ObjectAcl -SamAccountName <SAM ACCOUNT NAME>

Get list of ACLs associated with specified prefix used for filtering

Get-ObjectAcl -ADSprefix <ADs PATH PREFIX VALUE>
# Any prefix value can be passed, e.g. 'CN=Administrator,CN=Users'

Get list of all ACLs associated with the specific LDAP ADs path

Get-ObjectAcl -ADSpath <LDAP ADs PATH>

Get list of all ACLs associated with GPOs

(Get-NetGPO).name | %{Get-ObjectAcl -ResolveGUIDs -Name $_}

Get list of all ACLs associated with GPOs where an object ("KEYWORD") has interesting permissions

(Get-NetGPO).Name | %{Get-ObjectAcl -ResolveGUIDs -Name $_} | ?{$_.IdentityReference -match "<KEYWORD>"}

Get ACLs from the specified path

Get-PathAcl -Path "\\<DC>.<DOMAIN>.<FOREST>.local\<SHARE>"

Get interesting ACEs from ACLs of current domain

Invoke-ACLScanner

Get interesting ACEs from ACLs of current domain with resolved GUIDs

Invoke-ACLScanner -ResolveGUIDs

Get interesting ACEs from ACLs of another domain

Invoke-ACLScanner -Domain <DOMAIN NAME>

Get interesting ACEs from ACLs with specific SAM account name

Invoke-ACLScanner -SamAccountName <SAM ACCOUNT NAME>

Get interesting ACEs from ACLs with specified prefix used for filtering

Invoke-ACLScanner -ADSprefix <ADs PATH PREFIX VALUE>
# Any prefix value can be passed, e.g. 'CN=Administrator,CN=Users'

Get interesting ACEs from ACLs with specified path used for filtering

Get-PathACL -Path <PATH>
# Any path value can be passed, e.g. '\\domain.local\SYSVOL'

Get interesting ACEs from ACLs with the specific LDAP ADs path

Invoke-ACLScanner -ADSpath <LDAP ADs PATH>

Get modify rights/permissions held by a matching object (the object may be a user or a group)

Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "<OBJECT>"}

Active Directory Module

Enumerating ACLs without resolving GUIDs

(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=<DOMAIN>,DC=local').Access
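
The Active Directory module has no -ResolveGUIDs switch, so the ObjectType values returned by Get-Acl stay as raw GUIDs. The following is an added example, not part of the original page, that builds a GUID-to-name map from the schema and the Extended-Rights container and uses it to review which principals hold write-class rights on one object. It assumes the RSAT ActiveDirectory module is installed; `$TargetDN`, `$guidMap`, `$writeRights` and `$resolve` are names chosen for this example.

```powershell
# Added example: resolve ACE GUIDs with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory   # also creates the AD: PSDrive used by Get-Acl

# Assumption: DN of the object under review; replace the placeholders.
$TargetDN = 'CN=Administrator,CN=Users,DC=<DOMAIN>,DC=local'

$rootDse = Get-ADRootDSE
$guidMap = @{}

# Schema classes and attributes: schemaIDGUID (byte[]) -> lDAPDisplayName
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights and property sets: rightsGuid (string) -> name
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Translate one GUID: empty GUID means "applies to everything";
# unknown GUIDs are shown unchanged rather than dropped.
$resolve = {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { 'All' }
    elseif ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] }
    else { $Guid.ToString() }
}

# Rights that allow changing the object, its DACL or its owner.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $writeRights
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'ObjectTypeName';          Expression = { & $resolve $_.ObjectType } },
        @{ Name = 'InheritedObjectTypeName'; Expression = { & $resolve $_.InheritedObjectType } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Entries whose IdentityReference is not an expected administrative group are the ones to review first, and IsInherited shows whether the ACE has to be corrected on a parent container instead of on the object itself.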
