Get-ADObjectAcl
NAME Get-ADObjectAcl
SYNOPSIS
Gets the permissions from the specified Active Directory Object.
SYNTAX
Get-ADObjectAcl [-Identity] <Object> [-Server <String>] [-SendToClipboard] [-IsInherited <Boolean>]
[-IdentityReference <String>] [-IdentityReferenceName <String>] [-IdentityReferenceDomain <String>]
[-ActiveDirectoryRights <String[]>] [-ObjectTypeName <String>] [-InheritedObjectTypeName <String>]
[-InheritanceType <String[]>] [-AccessControlType <String>] [-Credential <PSCredential>] [<CommonParameters>]
DESCRIPTION
Gets the permissions / access control list (ACL) from the specified Active Directory Object.
The function can either write to the standard output stream, or copy the information to the clipboard in
tab-delimited format that can be pasted directly into Microsoft Excel for review.
PARAMETERS
-Identity <Object>
The Identity of the Active Directory Object in either distinguishedName or GUID format or by reference.
Required? true
Position? 2
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Server <String>
The target Active Directory Server / Domain Controller.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-SendToClipboard [<SwitchParameter>]
Send the output to the Clipboard in tab-delimited format (can be pasted directly into Microsoft Excel for
review).
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-IsInherited <Boolean>
Filter the returned Access Control Entries based on IsInherited ($true / $false).
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-IdentityReference <String>
Filter the returned Access Control Entries based on the IdentityReference of the ACE (DOMAIN\USERNAME).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-IdentityReferenceName <String>
Filter the returned Access Control Entries based on the IdentityReference Name of the ACE (USERNAME).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-IdentityReferenceDomain <String>
Filter the returned Access Control Entries based on the IdentityReference Domain of the ACE (DOMAIN / BUILTIN
/ NT AUTHORITY).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ActiveDirectoryRights <String[]>
Filter the returned Access Control Entries based on the Active Directory Rights of the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ObjectTypeName <String>
Filter the returned Access Control Entries based on the Object Type Name of the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-InheritedObjectTypeName <String>
Filter the returned Access Control Entries based on the Inherited Object Type Name of the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-InheritanceType <String[]>
Filter the returned Access Control Entries based on the Inheritance Type of the ACE.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-AccessControlType <String>
Filter the returned Access Control Entries based on the Access Control Type of the ACE (Allow / Deny).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Credential to use.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
The identity parameter of the CmdLet accepts either a distinguishedName or ObjectGUID or AD Objects. AD Objects
which are passed by reference must include either a distinguishedName or ObjectGUID property.
OUTPUTS
Outputs the Access Control List from the Active Directory Object or Objects.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-AdUser -Identity JBloggs | Get-ADObjectAcl
Gets the permissions for the ADUser Object 'JBloggs' from the default Active Directory Domain.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-ADObjectAcl -Identity 29f0c9c7-aef4-4823-99a1-0f5f1df395d5
Gets the permissions for the ADObject with GUID '29f0c9c7-aef4-4823-99a1-0f5f1df395d5' from the default Active
Directory Domain.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-ADObjectAcl -Identity "OU=Domain Controllers,DC=contoso,DC=com"
Gets the permissions for the ADObject with distinguishedName 'OU=Domain Controllers,DC=contoso,DC=com' from the
default Active Directory Domain.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Get-ADUser -filter {surname -eq "Bloggs"} | Get-ADObjectAcl -Clip
Gets the permissions for all the ADUser objects with the surname 'Bloggs' from the default Active Directory Domain
and copies those permissions to the clipboard in tab delimited format which can be pasted directly into Microsoft
Excel.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>Get-AdUser -Identity JBloggs -Server dc1.contoso.com | Get-ADObjectAcl -Server dc1.contoso.com
Gets the permissions for the ADUser Object 'JBloggs' from the server 'dc1.contoso.com'.
-------------------------- EXAMPLE 6 --------------------------
PS C:\>Get-ADOrganizationalUnit -filter {name -eq "Domain Controllers"} | Get-ADObjectAcl -IsInherited $false
Gets all non-inherited permissions from the 'Domain Controllers' Organizational Unit from the default Active
Directory Domain.
-------------------------- EXAMPLE 7 --------------------------
PS C:\>Get-ADObjectAcl -Identity "OU=Domain Controllers,DC=contoso,DC=com" -IdentityReference "BUILTIN\Administrators"
Gets all permissions from the 'Domain Controllers' Organizational Unit from the default Active Directory Domain
which are granted to the identity reference 'BUILTIN\Administrators'.
-------------------------- EXAMPLE 8 --------------------------
PS C:\>Get-ADObjectAcl -Identity "OU=Domain Controllers,DC=contoso,DC=com" -ActiveDirectoryRights GenericAll
Gets all permissions from the 'Domain Controllers' Organizational Unit from the default Active Directory Domain
which are granted the Active Directory Right 'GenericAll'.
-------------------------- EXAMPLE 9 --------------------------
PS C:\>Get-ADObjectAcl -Identity "cn=Users,DC=contoso,DC=com" -ObjectTypeName user
Gets all permissions from the 'Users' container from the default Active Directory Domain which are granted over
objects of type 'user'.
-------------------------- EXAMPLE 10 --------------------------
PS C:\>Get-ADObjectAcl -Identity "cn=Users,DC=contoso,DC=com" -ObjectTypeName RAS-Information -InheritedObjectTypeName user
Gets all permissions from the 'Users' container from the default Active Directory Domain which are granted over
object type of 'RAS-Information' and inherited object of type of 'user'.
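The filters documented above combined into a delegation review, as an added example that is not part of the original help text: it lists explicit (non-inherited) Allow entries granting high-impact rights on every Organizational Unit and writes them to a CSV file. It assumes the ActiveDirectory module is loaded and that Get-ADObjectAcl emits one object per ACE; the property names 'AuditedObject' and 'ReviewedRight' and the output path are made up for the example.

```powershell
# Added example: review explicit Allow ACEs on every OU in the default domain.
Import-Module ActiveDirectory   # provides Get-ADOrganizationalUnit

# Rights that allow taking control of an object or rewriting its ACL
# (members of System.DirectoryServices.ActiveDirectoryRights).
$rightsToReview = 'GenericAll', 'WriteDacl', 'WriteOwner'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    foreach ($right in $rightsToReview) {
        # One call per right, in the same form as Example 8, narrowed with
        # -IsInherited (Example 6) and -AccessControlType (Allow / Deny).
        Get-ADObjectAcl -Identity $ou.DistinguishedName `
                        -IsInherited $false `
                        -AccessControlType Allow `
                        -ActiveDirectoryRights $right |
            ForEach-Object {
                # Tag each entry with the object it was read from and the
                # right that matched, so the CSV rows stand on their own.
                $_ |
                    Add-Member -NotePropertyName AuditedObject `
                               -NotePropertyValue $ou.DistinguishedName -Force -PassThru |
                    Add-Member -NotePropertyName ReviewedRight `
                               -NotePropertyValue $right -Force -PassThru
            }
    }
}

# Hypothetical output path; entries delegated to unexpected identities are
# the ones to follow up on.
$findings | Export-Csv -Path .\ou-explicit-acl-review.csv -NoTypeInformation
```

Inherited entries are excluded because they are reviewed once, on the parent object where they are set.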
RELATED LINKS