Find-InterestingDomainAcl
SYNOPSIS
Finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects.
Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName
SYNTAX
Find-InterestingDomainAcl [[-Domain] <String>] [-ResolveGUIDs] [-RightsFilter <String>] [-LDAPFilter <String>]
[-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
[-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
DESCRIPTION
This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl, and for each returned ACE entry it checks if principal security identifier is -1000 (meaning the account is not built in), and also checks if the rights for the ACE mean the object can be modified by the principal. If these conditions are met, then the security identifier SID is translated, the domain object is retrieved, and additional IdentityReference information is appended to the output object.
EXAMPLES
-------------------------- EXAMPLE 1 --------------------------
Finds interesting object ACLS in the current domain.
-------------------------- EXAMPLE 2 --------------------------
Finds interesting object ACLS in the ev.testlab.local domain and resolves rights GUIDs to display names.
-------------------------- EXAMPLE 3 --------------------------
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
PARAMETERS
-Domain
Specifies the domain to use for the query, defaults to the current domain.
Type: String
Parameter Sets: (All)
Aliases: DomainName, Name
Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-ResolveGUIDs
Switch. Resolve GUIDs to their display names.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-RightsFilter
{{Fill RightsFilter Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-LDAPFilter
Specifies an LDAP query string that is used to filter Active Directory objects.
Type: String
Parameter Sets: (All)
Aliases: Filter
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SearchBase
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" Useful for OU queries.
Type: String
Parameter Sets: (All)
Aliases: ADSPath
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Server
Specifies an Active Directory server (domain controller) to bind to.
Type: String
Parameter Sets: (All)
Aliases: DomainController
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Subtree
Accept pipeline input: False
Accept wildcard characters: False
-ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 200
Accept pipeline input: False
Accept wildcard characters: False
-ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
-Tombstone
Switch. Specifies that the searcher should also return deleted/tombstoned objects.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-Credential
A [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
OUTPUTS
- PowerView.ACL
Custom PSObject with ACL entries.