Thursday, October 22, 2009

List permissions on Active Directory objects

Here is a common need:
"List the permissions for a specific user / security group on a specific Active Directory object."

You probably already know the dsacls command.
But let us face it: it is too verbose and hard to filter.

PowerShell is the key, once more.
On the Indented! blog, the author explains a Get-DsAcl PowerShell implementation.

Here is an example that displays the rights of FIMcmCertmgrs on the object named FIMcmUsers (which in our case is a security group):


Get-DSAcl -searchRoot "DC=contoso,DC=com" -LdapFilter "(name=FIMcmUsers)" | select-string FIMcmCertmgrs

Output:
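When reviewing delegated rights, matching on the trustee as a property is more reliable than matching text in formatted output. The following is an added example, not code from this post or from the Indented! blog: Get-AceForTrustee is a hypothetical helper built only on System.DirectoryServices, and it assumes a domain-joined host and an account allowed to read the objects' DACLs.

```powershell
# Added example. Get-AceForTrustee is a hypothetical name, not part of Get-DsAcl.
function Get-AceForTrustee {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchRoot,  # e.g. "DC=contoso,DC=com"
        [Parameter(Mandatory = $true)] [string] $LdapFilter,  # e.g. "(name=FIMcmUsers)"
        [Parameter(Mandatory = $true)] [string] $Trustee      # e.g. "FIMcmCertmgrs"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot"
    $searcher.Filter     = $LdapFilter
    $searcher.PageSize   = 1000   # page results so large searches are not truncated

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $entry = $result.GetDirectoryEntry()
            # Explicit and inherited ACEs, with trustees returned as account names.
            $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
            foreach ($rule in $rules) {
                # Compare the account name exactly, ignoring the DOMAIN\ prefix,
                # so "FIMcmCertmgrs" does not also match "FIMcmCertmgrs2".
                $name = ($rule.IdentityReference.Value -split '\\')[-1]
                if ($name -eq $Trustee) {
                    [pscustomobject]@{
                        Object      = [string]$result.Properties['distinguishedname'][0]
                        Trustee     = $rule.IdentityReference.Value
                        Type        = $rule.AccessControlType       # Allow or Deny
                        Rights      = $rule.ActiveDirectoryRights
                        ObjectType  = $rule.ObjectType              # GUID of attribute / extended right
                        Inheritance = $rule.InheritanceType
                        IsInherited = $rule.IsInherited
                    }
                }
            }
        }
    }
    finally {
        $results.Dispose()   # release the unmanaged search handle
    }
}

# Same question as the one-liner above, answered with objects instead of text.
Get-AceForTrustee -SearchRoot "DC=contoso,DC=com" -LdapFilter "(name=FIMcmUsers)" -Trustee "FIMcmCertmgrs" |
    Format-Table -AutoSize
```

Because each ACE is emitted as an object, the result can be narrowed further with Where-Object (for example on IsInherited or Type) or exported for comparison against a later run.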
