1

I want to understand the basic structure of Get-ObjectAcl PowerView cmdlet. I want to learn about enumerating permissions on the object, and I come to know with PowerView we can easily do that. All the things I am doing in my local environment to understand and practicing on things. 

cmdlet> Get-ObjectAcl -SamAccountName demop -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"} 

PropagationFlags      : None
InheritanceFlags      : None
ObjectType            : All
AccessControlType     : Allow
ObjectSID             : S-1-5-21-1285468711-2817400986-4257114310-1106
InheritedObjectType   : All
IsInherited           : False
ObjectDN              : CN=demo permission,CN=Users,DC=adlab,DC=local
IdentityReference     : NT AUTHORITY\SYSTEM
ObjectFlags           : None
ActiveDirectoryRights : GenericAll
InheritanceType       : None

PropagationFlags      : None
InheritanceFlags      : None
ObjectType            : All
AccessControlType     : Allow
ObjectSID             : S-1-5-21-1285468711-2817400986-4257114310-1106
InheritedObjectType   : All
IsInherited           : False
ObjectDN              : CN=demo permission,CN=Users,DC=adlab,DC=local
IdentityReference     : S-1-5-32-548
ObjectFlags           : None
ActiveDirectoryRights : GenericAll
InheritanceType       : None

PropagationFlags      : None
InheritanceFlags      : None
ObjectType            : All
AccessControlType     : Allow
ObjectSID             : S-1-5-21-1285468711-2817400986-4257114310-1106
InheritedObjectType   : All
IsInherited           : False
ObjectDN              : CN=demo permission,CN=Users,DC=adlab,DC=local
IdentityReference     : ADLAB\Domain Admins
ObjectFlags           : None
ActiveDirectoryRights : GenericAll
InheritanceType       : None

PropagationFlags      : None
InheritanceFlags      : ContainerInherit
ObjectType            : All
AccessControlType     : Allow
ObjectSID             : S-1-5-21-1285468711-2817400986-4257114310-1106
InheritedObjectType   : All
IsInherited           : True
ObjectDN              : CN=demo permission,CN=Users,DC=adlab,DC=local
IdentityReference     : ADLAB\Enterprise Admins
ObjectFlags           : None
ActiveDirectoryRights : GenericAll
InheritanceType       : All

I read on a blog by using that cmdlet we will know that our user has GenericAll permissions or not, So I tried that cmdlet and above are the results.

Now I want to know that how can I identify that my user has GenericAll permissions or not? Yes, I have no single idea about these keys and values? I hope you got my point here.

Utkarsh Agrawal
  • 65
  • 1
  • 1
  • 8
  • 1
    I fail to see what is unclear about `ActiveDirectoryRights : GenericAll`. I don't think SO is the right place for giving a general introduction into Windows ACLs in general or AD ACLs in particular. You may want to do some research on that. – Ansgar Wiechers Oct 13 '19 at 13:28

0 Answers0