Reputation: 10171
I have manually set some custom DACL on some AD-LDS objects using LDP. I am trying to write a script that exports those ACL (only DACL for now) in SDDL form.
I can retrieve a AD-LDS object with this code:
$obj = Get-ADOrganizationalUnit -Filter {Name -Like 'stuff'} -searchbase "OU=apps,DC=example,DC=com" -server 'localhost:389'
$obj[0].distinguishedName
OU=stuff,OU=apps,DC=example,DC=com
I am aware of the get-acl PowerShell command and its Active Directory aware syntax, but when I try it on my AD-LDS object, it fails with
Get-Acl : Cannot find path 'OU=stuff,OU=apps,DC=example,DC=com' because
it does not exist.
At line:1 char:9
+ (Get-Acl <<<< "DC=example,DC=com").access
+ CategoryInfo : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
+ FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
I tried to prefix the get-acl command with the AD: prefix, as well as ldap://localhost/, but the error stays the same. I also failed to retrieve the DACL of other types of objects (like user and group).
How can I use PowerShell to retrieve the DACL of an AD-LDS object in SDDL form?
Upvotes: 1
Views: 5374
I had the same question without finding a proper answer on the Internet. It took me quite a while to figure out a working solution. Since this discussion comes up as one of the top results on the usual search engines, but does not provide an actual answer, I decided to post it here:
The following question nudged me into the right direction: How do I set-location ad: to a different active directory domain with Powershell
I tested it with Windows 2012R2 (which I think has Powershell 4.0)
Assuming you have an AD LDS instance running on "server:port" with the suffix "dc=root,dc=com", the following code will screen-print the ACLs of this suffix node using 'get-acl':
Import-Module activedirectory
New-PSDrive -Name myLDS -PSProvider ActiveDirectory -Server "server:port" -Scope Global -Root "//RootDSE/"
(Get-ACL 'myLDS:\dc=root,dc=com').access
Note that 'get-acl' and dsacls.exe differ in their output. 'get-acl' will return raw SIDs of subjects, while dsacls internally converts SIDs to DNs and returns DNs. So if you use 'get-acl', but need DNs, you need to do this conversion yourself with an extra LDAP query.
Upvotes: 1
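Building on the PSDrive approach in the answer above, the following is an added example (not the answerer's own code) that emits only the DACL in SDDL form, as the question asks, and resolves the raw SIDs that Get-Acl returns to DNs with an extra LDAP query. The instance 'server:port', the suffix 'dc=root,dc=com' and the target OU are placeholders taken from the thread; adjust them for your instance.

```powershell
# Added example: export the DACL of an AD LDS object as SDDL and map ACE SIDs to DNs.
# Assumptions (placeholders from the thread): AD LDS instance 'server:port',
# suffix 'dc=root,dc=com', target object 'ou=stuff,dc=root,dc=com'.
Import-Module ActiveDirectory

$ldsServer = 'server:port'               # assumption: host:port of the AD LDS instance
$suffix    = 'dc=root,dc=com'            # assumption: application partition suffix
$targetDn  = "ou=stuff,$suffix"          # assumption: object whose DACL we want

# Mount the AD LDS instance as a PSDrive so the ActiveDirectory provider can
# resolve paths of the form myLDS:\<DN> (this is what makes Get-Acl work).
if (-not (Get-PSDrive -Name myLDS -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name myLDS -PSProvider ActiveDirectory -Server $ldsServer `
                -Scope Global -Root '//RootDSE/' | Out-Null
}

$acl = Get-Acl -Path "myLDS:\$targetDn"

# Restrict the SDDL output to the access (DACL) section; the full SDDL would
# also carry owner, group and SACL. This string is what you would save or diff.
$daclSddl = $acl.GetSecurityDescriptorSddlForm(
    [System.Security.AccessControl.AccessControlSections]::Access)
Write-Output "DACL (SDDL) for ${targetDn}:"
Write-Output $daclSddl

# Get-Acl reports AD LDS principals as raw SIDs. Resolve each explicit ACE's SID
# to a DN by querying objectSid on the same instance (SearchBase is required
# because an AD LDS instance has no default naming context).
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $id = $_.IdentityReference
        $dn = '<not a SID>'
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $sid = $id.Value
            $principal = Get-ADObject -Server $ldsServer -SearchBase $suffix `
                -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
            $dn = if ($principal) { $principal.DistinguishedName } else { '<unresolved>' }
        }
        [pscustomobject]@{
            Identity    = $id.Value
            PrincipalDN = $dn
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
        }
    } | Format-Table -AutoSize
```

Well-known SIDs (for example S-1-1-0 for Everyone) have no object in the partition and will show as unresolved; that is expected rather than an error.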
Reputation: 51
Try:
dsacls 'OU=stuff,OU=apps,DC=example,DC=com'
I am seeing some interesting things with PowerShell and suspect it is permissions related. That said, try:
Get-ADOrganizationalUnit -Filter 'name -eq "stuff"'
This may work; play around with the methods and attributes on Get-ADOrganizationalUnit that may help isolate the problem.
When I find the root cause of my issues I will update this post.
Upvotes: 0