How to get effective permissions with PowerShell for an attribute on the AD user object


Problem description

Does anyone know how to generate a report for ACLs on the AD user's attributes? For example, who has rights to Active Directory users' "read Initials" or "write Initials" attributes. I have found PowerShell commands to get ACLs on the AD user object itself, but not at attribute level.

Recommended answer

Check out the PowerShell Access Control module. Version 3.0 is implemented almost completely in PowerShell, which makes it pretty slow compared to using Get-Acl, but I think it can do what you're asking for (and I'm working on the speed issue).

It has a function named Get-EffectiveAccess that can compute the effective access of a principal over a securable object, but I don't think that's what you're looking for. It sounds like you want to get a list of ACEs that provide access to read/write the 'initials' property. To do that, you would use Get-AccessControlEntry:

# Get any ACEs that grant or deny read or write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials

# Get any ACEs that grant or deny write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty

# Get any ACEs that grant write access to the 'initials' property:
Get-ADUser TestUser | Get-AccessControlEntry -ObjectAceType initials -ActiveDirectoryRights WriteProperty -AceType AccessAllowed

Those examples all used Get-ADUser to look up a single user. You should be able to feed the function any AD object, whether you use the AD module or a DirectorySearcher. You can even provide the distinguished name as the -Path parameter to the function.

The -ObjectAceType parameter should be able to take a GUID, or you can put in one or more property/property set/validated write/extended right/class object names (you can use * as a wildcard).

If you did want to compute the actual effective access, here are some examples of the Get-EffectiveAccess function:

# Get effective access that 'AnotherUser' has over 'TestUser' object (this doesn't include property, property set, validated write, etc effective permissions):
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser

# Same as before, but this time include effective access down to the ObjectAceType level:
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes initials
Get-ADUser TestUser | Get-EffectiveAccess -Principal AnotherUser -ObjectAceTypes init*

While working on the last few examples, I noticed that there are some errors that are written when using Get-EffectiveAccess with the -ObjectAceTypes parameter, even though the function appears to work correctly. If I have time over the weekend, I may fix that, but I'll probably just wait for version 4.0.
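As an added example that is not part of the original answer: the same attribute-level ACE enumeration done with only the built-in ActiveDirectory module and its AD: drive, instead of the PowerShell Access Control module the answer describes. It resolves the attribute's schemaIDGUID and, where present, its property-set GUID from the schema, because an ACE can target either (or an empty GUID meaning "all properties"). TestUser is the answer's sample account; an RSAT ActiveDirectory module and a domain-joined session are assumed.

```powershell
# Added example (not from the original answer): list ACEs on a user object that
# grant or deny ReadProperty/WriteProperty on one attribute, using only the
# built-in ActiveDirectory module and its AD: PSDrive.
param(
    [string]$SamAccountName = 'TestUser',   # sample account name from the answer
    [string]$Attribute      = 'initials'    # lDAPDisplayName of the attribute to audit
)
Import-Module ActiveDirectory

# Resolve the attribute's schemaIDGUID and, if it is a member of a property set,
# the property set GUID (attributeSecurityGUID). ACEs may reference either one.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" `
        -Properties schemaIDGUID, attributeSecurityGUID
if (-not $attr) { throw "Attribute '$Attribute' not found in the schema" }

$attrGuid = [guid]$attr.schemaIDGUID
$targets  = @($attrGuid, [guid]::Empty)   # empty GUID = ACE covers every property
if ($attr.attributeSecurityGUID) { $targets += [guid]$attr.attributeSecurityGUID }

$user = Get-ADUser -Identity $SamAccountName
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# GenericAll / GenericWrite contain these bits too, so -band catches them as well.
$propRights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$acl.Access |
    Where-Object {
        # Inherit-only ACEs apply to child objects, not to this user object
        (($_.PropagationFlags -band $inheritOnly) -eq 0) -and
        # Rights must include ReadProperty or WriteProperty
        (($_.ActiveDirectoryRights -band $propRights) -ne 0) -and
        # Object type must be this attribute, its property set, or "all properties"
        ($targets -contains $_.ObjectType)
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ n = 'Scope'; e = {
            if     ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
            elseif ($_.ObjectType -eq $attrGuid)     { $Attribute }
            else                                     { 'property set' } } } |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table -AutoSize
```

Deny ACEs sort before Allow ACEs in the output, which is the order an AD DACL evaluates them; a principal listed under both still ends up denied.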

