Get-QADPermission
From PowerGUI Wiki
Retrieve access control entries (ACEs) that meet the conditions you want. Every object returned by this cmdlet represents an access control entry (ACE) in the discretionary access control list (DACL) of a certain directory object.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Get-QADPermission [-Identity] <IdentityParameter> [-Account <IdentityParameter[]>] [-Allow] [-ApplyTo <ArsSecurityInheritance[]>] [-ApplyToType <string[]>] [-ChildType <string[]>] [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Deny] [-ExtendedRight <string[]>] [-Inherited] [-Property <string[]>] [-PropertySet <string[]>] [-Proxy] [-Rights {CreateChild | DeleteChild | ListChildren | Self | ReadProperty | WriteProperty | DeleteTree | ListObject | ExtendedRight | Delete | ReadControl | GenericExecute | GenericWrite | GenericRead | WriteDacl | WriteOwner | GenericAll | Synchronize | AccessSystemSecurity}] [-SchemaDefault] [-Service <string>] [-UseExtendedMatch] [-UseGlobalCatalog] [-UseTokenGroups] [-ValidatedWrite <string[]>] [<CommonParameters>]
Detailed Description
Use this cmdlet to retrieve access control entries (ACEs) from the discretionary access control list (DACL) of a given object or objects in the directory (directory objects).
The directory objects can be specified using the Identity parameter. Another option is to use pipelining: pass the output of the appropriate Get-QAD cmdlet to this cmdlet, with the -SecurityMask Dacl parameter supplied for the Get- cmdlet.
The cmdlet returns the objects representing the ACEs that meet the conditions you define using parameters of the cmdlet. You can use pipelining to pass the objects returned by this cmdlet to another cmdlet. For example, you can pass them to the Remove-QADPermission cmdlet in order to delete the respective ACEs from the DACL.
The cmdlet has optional parameters that determine the server and the security context for the operation. The connection parameters can be omitted, since a connection to a server is normally established before this cmdlet is used; in that case the server and the security context are determined by the Connect-QADService cmdlet.
If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Account | Supply the identity (such as name, distinguished name, domain\name, SID, etc.) of a security principal (user, group, computer account, etc.). The cmdlet will retrieve ACEs that determine access rights of that account on the directory object specified. You can supply identities of multiple accounts. | false | false | |
| Allow | Retrieve ACEs that allow access to the directory object specified. | false | false | |
| ApplyTo | Retrieve ACEs that have a certain inheritance type set. Valid parameter values are: 'ThisObjectOnly' (no inheritance; the ACE information is used only on the object on which the ACE is set and is not inherited by any descendants of the object); 'All' (inheritance that includes the object on which the ACE is set, the object's immediate children, and the descendants of the object's children); 'ChildObjects' (inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself); 'ThisObjectAndImmediateChildObjects' (inheritance that includes the object itself and its immediate children, but not the descendants of its children); 'ImmediateChildObjectsOnly' (inheritance that includes the object's immediate children only, not the object itself or the descendants of its children). | false | false | |
| ApplyToType | Retrieve ACEs that can be inherited by objects of a specified class. Parameter value is the LDAP display name of the classSchema object for the object class you want. (This parameter causes the cmdlet to search by the InheritedObjectType setting on the ACEs.) You can specify multiple classes, separating the names of the classes by commas. If you do so, the cmdlet retrieves ACEs that can be inherited by objects of any of the classes specified. | false | false | |
| ChildType | Retrieve ACEs that control the right to create or delete child objects of a specified class. Parameter value is the LDAP display name of the classSchema object for the child object's class. (This parameter causes the cmdlet to search by the ObjectType setting on the ACEs.) You can specify multiple classes, separating the names of the classes by commas. If you do so, the cmdlet retrieves ACEs that control the right to create or delete child objects of any of the classes specified. | false | false | |
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Deny | Retrieve ACEs that deny access to the directory object specified. | false | false | |
| ExtendedRight | Retrieve ACEs that determine the specified extended rights on the directory object. Specify the names of the extended rights you want, separating names by commas. For a list of possible extended rights, see the topic "Extended Rights" in the MSDN Library at http://msdn.microsoft.com. For more information about extended rights, see the topic "Control Access Rights" in the MSDN Library. | false | false | |
| Identity | Specify the identity (such as name, distinguished name, domain\name, etc.) of a directory object you want. The cmdlet will retrieve access control entries (ACEs) from the discretionary access control list (DACL) of that object. You can use pipelining to identify a directory object: pass the output of the appropriate Get- cmdlet to this cmdlet. If you do so, the Identity parameter is not to be supplied on the command line. See examples. | true | true (ByValue) | |
| Inherited | Retrieve ACEs that come from security descriptors of the ancestors of the directory object (ACEs that are inherited from the parent container object). | false | false | |
| Property | Retrieve ACEs that determine access to the specified properties of the directory object. Specify the LDAP display names of the properties you want, separating names by commas. | false | false | |
| PropertySet | Retrieve ACEs that determine access to the specified property sets of the directory object. Specify the names of the property sets you want, separating names by commas. For a list of possible property sets, see the topic "Property Sets" in the MSDN Library at http://msdn.microsoft.com. | false | false | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Rights | Retrieve ACEs that have certain access rights set. Valid parameter values are (for descriptions of these access rights see the topic "ActiveDirectoryRights Enumeration" in the MSDN Library at http://msdn.microsoft.com): 'ReadProperty', 'WriteProperty', 'GenericRead', 'GenericWrite', 'GenericExecute', 'GenericAll', 'CreateChild', 'DeleteChild', 'DeleteTree', 'ReadControl', 'WriteDacl', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', 'ListChildren', 'ListObject', 'ExtendedRight', 'Self'. The parameter value can be any combination of the listed values, separated by commas. For example, the parameter value 'ReadProperty,WriteProperty' causes the cmdlet to retrieve ACEs that have both the ReadProperty and WriteProperty access rights set. | false | false | |
| SchemaDefault | Retrieve ACEs that came from the default security descriptor defined in the classSchema object for the directory object's class. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| UseExtendedMatch | Retrieve not only ACEs with the specified access rights setting but also ACEs with other access rights settings that effectively give the same level of access as the rights setting specified. For example, the -Rights 'ReadProperty' parameter alone causes the cmdlet to retrieve only ACEs that have the ReadProperty access right set, whereas the combination -Rights 'ReadProperty' -UseExtendedMatch also retrieves ACEs that have the GenericRead or GenericAll access right set. | false | false | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| UseTokenGroups | Retrieve ACEs that apply not only to the specified account (SID) itself but also to any of the groups to which the account belongs whether directly or because of group nesting. | false | false | |
| ValidatedWrite | Retrieve ACEs that determine the specified validated writes on the directory object. Specify the names of the validated writes you want, separating names by commas. For a list of possible validated writes, see the topic "Validated Writes" in the MSDN Library at http://msdn.microsoft.com. | false | false | |
Examples
EXAMPLE 1
Get-QADObject 'DistinguishedNameOfTheObject' -SecurityMask Dacl | Get-QADPermission
Description
Retrieve the ACEs that are explicitly set on a given object (the ACEs that are neither inherited from the parent container nor received from the default security descriptor of the respective classSchema object).
EXAMPLE 2
Get-QADObject 'DistinguishedNameOfTheObject' -SecurityMask Dacl | Get-QADPermission -Inherited -SchemaDefault
Description
Retrieve all ACEs from the DACL of a given object (including the ACEs that are inherited from the parent container or received from the default security descriptor of the respective classSchema object).
EXAMPLE 3
Get-QADObject 'DistinguishedNameOfTheObject' -SecurityMask Dacl |
Get-QADPermission -Account ('domainName\groupName1','domainName\groupName2')
Description
Retrieve the ACEs on a given object that have any of the specified groups set as the trustee.
EXAMPLE 4
Get-QADObject 'DistinguishedNameOfTheObject' -SecurityMask Dacl | Get-QADPermission -Account 'domainName\userName' -UseTokenGroups
Description
Retrieve the ACEs on a given object that have the trustee set either to the specified user account or to any of the groups to which the user account belongs (whether directly or because of group nesting).
EXAMPLE 5
Get-QADObject 'DistinguishedNameOfTheObject' -SecurityMask Dacl | Get-QADPermission -Rights 'ReadProperty'
Description
Retrieve the ACEs on a given object that determine Read access to properties of the object.
EXAMPLE 6
Get-QADUser 'domain\user' -SecurityMask Dacl |
Get-QADPermission -Rights 'WriteProperty' -Property ('sAMAccountName','name')
Description
Retrieve the ACEs on a given user account that are configured with the WriteProperty access right for the 'sAMAccountName' or 'name' properties.
EXAMPLE 7
Get-QADUser 'domain\user' -SecurityMask Dacl |
Get-QADPermission -Rights 'WriteProperty' -UseExtendedMatch -Inherited -SchemaDefault -Allow -Property ('sAMAccountName','name')
Description
Retrieve all the ACEs that allow write access to the 'sAMAccountName' or 'name' properties of a given user account.
EXAMPLE 8
Get-QADPermission 'DistinguishedNameOfSourceObject' | Add-QADPermission 'DistinguishedNameOfDestinationObject'
Description
Copy the ACEs that are configured on a given directory object (not including the inherited ACEs or the schema default ACEs) to another directory object.
EXAMPLE 9
Get-QADPermission 'DistinguishedNameOfObject' -Deny | Remove-QADPermission
Description
Delete all the deny-type ACEs that are configured on a given directory object (not including the inherited ACEs or the schema default ACEs).
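The following script is an added example, not part of the PowerGUI wiki page or the Quest product documentation. It combines the pipelining, -UseExtendedMatch and -Allow usage described above into a small DACL audit: for each container it lists the explicitly configured allow ACEs that grant WriteDacl or WriteOwner (or a right that implies them, such as GenericAll) to a trustee outside an expected list, so the result can be reviewed before any ACE is passed to Remove-QADPermission. The container DNs and the expected-trustee list are placeholders, an existing Connect-QADService session is assumed, and the output property names Account and Rights are assumed from typical Get-QADPermission output.

```powershell
# Added example (not from the wiki page): report explicit control-right ACEs held by
# unexpected trustees on a set of containers. Assumes Connect-QADService was already run.
$containers = @(
    'OU=Workstations,DC=example,DC=com',   # placeholder DNs, replace with real ones
    'OU=Servers,DC=example,DC=com'
)
# Trustees that are expected to hold control rights on these containers (placeholders).
$expectedTrustees = @(
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Enterprise Admins',
    'NT AUTHORITY\SYSTEM'
)
# Each -Rights value is queried on its own: a comma-separated list means "all of these
# rights set on one ACE", which is not what an audit wants.
$controlRights = @('WriteDacl', 'WriteOwner')

$findings = foreach ($dn in $containers) {
    foreach ($right in $controlRights) {
        # -SecurityMask Dacl makes Get-QADObject load the DACL so Get-QADPermission can read it.
        # Omitting -Inherited and -SchemaDefault limits the result to ACEs set directly on $dn.
        # -UseExtendedMatch also returns ACEs whose rights imply $right (for example GenericAll).
        Get-QADObject $dn -SecurityMask Dacl |
            Get-QADPermission -Allow -Rights $right -UseExtendedMatch |
            Where-Object { $expectedTrustees -notcontains [string]$_.Account } |  # Account: assumed property name
            Select-Object @{ n = 'Object'; e = { $dn } },
                          @{ n = 'Queried'; e = { $right } },
                          Account, Rights                                        # Rights: assumed property name
    }
}

# The same ACE can match both queried rights (e.g. a GenericAll ACE), so collapse duplicates.
$findings = $findings | Sort-Object Object, Account, Rights -Unique

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No unexpected control-right ACEs found on the listed containers.'
}
```

Review the report before acting on it: inherited ACEs are deliberately excluded here and would need a separate pass with -Inherited, as in Example 2.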
