It’s been a while, gentle reader, since my last post. It isn’t that I haven’t been writing code, but rather that much of what I write is for internal use only. Recently I was asked to write a PowerShell script to show the advanced security for any AD object, without relying on the ActiveDirectory module. The challenge with enumerating the security of an AD object is that you have to do a lookup of the both the IdentityReference – the user or group with the delegated permission, plus a lookup of the Active Directory rights (which appear as GUIDs) from the the AD Schema. To make things, fun, there are “Extended Rights” in a different location from the ordinary list of rights delegated.
The natural impulse is to create a hashtable of all the GUID to rights names, but this can take an insufferable amount of time. Instead, I am looking them up as encountered. I found Convert-ADACL, written by Nathan Linley in 2012, and heavily modified it to form the lookup function of the script. When you view the code, you will see that there are two hashtables, one for the Schema GUID to name mapping, and another for SID to AD object name mapping. Each time a GUID or SID is looked up it it put into the proper hashtable to speed up subsequent lookups. I have pre-populated some values in the GUID hashtable, and in my production environment I have also pre-populated some known broken SIDs.
The result of this challenge is Get-ADobjPermissions.ps1. The script runs with reasonable speed, and takes a distinguishedName as input. This is because it was written to be called from another program, and because it is easy enough to get this information from AD for any object. When I tried dressing this up to take alternate inputs, it just got ugly. This works in a multi-domain forest, and is quicker than looking at the advanced security tab in ADUC.