{"id":23379021,"url":"https://github.com/santisq/ADEffectiveAccess","last_synced_at":"2025-10-29T06:30:19.396Z","repository":{"id":41435736,"uuid":"320591626","full_name":"santisq/Get-EffectiveAccess","owner":"santisq","description":null,"archived":false,"fork":false,"pushed_at":"2022-09-15T17:46:23.000Z","size":269,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-12-21T19:16:01.934Z","etag":null,"topics":["active-directory","powershell"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/santisq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-12-11T14:09:14.000Z","updated_at":"2024-11-13T07:04:07.000Z","dependencies_parsed_at":"2023-01-18T09:15:38.234Z","dependency_job_id":null,"html_url":"https://github.com/santisq/Get-EffectiveAccess","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/santisq%2FGet-EffectiveAccess","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/santisq%2FGet-EffectiveAccess/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/santisq%2FGet-EffectiveAccess/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/santisq%2FGet-EffectiveAccess/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/santisq","download_url":"https://codeload.github.com/santisq/Get-EffectiveAccess/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.c
om","kind":"github","repositories_count":238778003,"owners_count":19528821,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","powershell"],"created_at":"2024-12-21T19:16:10.962Z","updated_at":"2025-10-29T06:30:19.388Z","avatar_url":"https://github.com/santisq.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eADEffectiveAccess\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\n\u003csub\u003eAD ACLs with readable rights, flexible LDAP and no AD module needed\u003c/sub\u003e\n\u003cbr /\u003e\u003cbr /\u003e\n\n[![build](https://github.com/santisq/ADEffectiveAccess/actions/workflows/ci.yml/badge.svg)](https://github.com/santisq/ADEffectiveAccess/actions/workflows/ci.yml)\n[![PowerShell Gallery](https://img.shields.io/powershellgallery/v/ADEffectiveAccess?label=gallery)](https://www.powershellgallery.com/packages/ADEffectiveAccess)\n[![LICENSE](https://img.shields.io/github/license/santisq/ADEffectiveAccess)](https://github.com/santisq/ADEffectiveAccess/blob/main/LICENSE)\n\n\u003c/div\u003e\n\n\u003e [!NOTE]\n\u003e This module has been rewritten in C# for improved performance and maintainability. The original PowerShell version is available in [this Gist](https://gist.github.com/santisq/a84af707780b1168f1fa390632096a5a).\n\nADEffectiveAccess is a PowerShell module that provides the `Get-ADEffectiveAccess` cmdlet, an enhanced alternative to `Get-Acl` for Active Directory. This cmdlet retrieves access control lists (ACLs) for AD objects, returning effective access and audit rules. 
It translates `ObjectType` and `InheritedObjectType` GUIDs into human-readable names using a per-session, per-domain map for improved performance and readability.\n\nUnlike `Get-Acl`, it does not depend on the Active Directory module, and it includes built-in LDAP search functionality to locate objects.\n\n## Documentation\n\nCheck out [__the documentation__](./docs/en-US/Get-ADEffectiveAccess.md) for cmdlet usage and more examples.\n\n## Installation\n\n### Gallery\n\nThe module is available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/ADEffectiveAccess):\n\n```powershell\nInstall-Module ADEffectiveAccess -Scope CurrentUser\n```\n\n### Source\n\n```powershell\ngit clone 'https://github.com/santisq/ADEffectiveAccess.git'\nSet-Location ./ADEffectiveAccess\n./build.ps1\n```\n\n## Requirements\n\nThis module requires __Windows OS__ and is compatible with __Windows PowerShell v5.1__ and [__PowerShell 7+__](https://github.com/PowerShell/PowerShell). No Active Directory module is required. 
Appropriate permissions are needed to read security descriptors.\n\n## Usage\n\nBelow are examples demonstrating how to use `Get-ADEffectiveAccess` to retrieve Active Directory ACLs:\n\n### Get ACL for a specific user by sAMAccountName\n\nRetrieves effective access rules for the user `john.galt` in the current domain.\n\n```powershell\nPS /\u003e $acl = Get-ADEffectiveAccess john.galt\nPS /\u003e $acl\n\n   Path: LDAP://CN=John Galt,CN=Users,DC=mylab,DC=local\n\nIdentityReference                 ObjectType                      InheritedObjectType  ActiveDirectoryRights\n-----------------                 ----------                      -------------------  ---------------------\nNT AUTHORITY\\SELF                 All Objects (Full Control)      Any Inherited Object GenericRead\nNT AUTHORITY\\Authenticated Users  All Objects (Full Control)      Any Inherited Object ReadControl\nNT AUTHORITY\\SYSTEM               All Objects (Full Control)      Any Inherited Object GenericAll\nBUILTIN\\Account Operators         All Objects (Full Control)      Any Inherited Object GenericAll\nmylab\\Domain Admins               All Objects (Full Control)      Any Inherited Object GenericAll\nEveryone                          User-Change-Password            Any Inherited Object ExtendedRight\nNT AUTHORITY\\SELF                 Email-Information               Any Inherited Object ReadProperty, WriteProperty\n....\n\nPS /\u003e $acl[30] | Format-List\n\nActiveDirectoryRights       : ReadProperty\nInheritanceType             : Descendents\nObjectType                  : 59ba2f42-79a2-11d0-9020-00c04fc2d3cf\nInheritedObjectType         : 4828cc14-1437-45bc-9b07-ad6f015e5f28\nObjectFlags                 : ObjectAceTypePresent, InheritedObjectAceTypePresent\nAccessControlType           : Allow\nType                        : Access\nOwner                       : mylab\\Domain Admins\nGroup                       : mylab\\Domain Admins\nPath                        : LDAP://CN=John 
Galt,CN=Users,DC=mylab,DC=local\nIdentityReference           : BUILTIN\\Pre-Windows 2000 Compatible Access\nInheritanceFlags            : ContainerInherit\nIsInherited                 : True\nPropagationFlags            : InheritOnly\nObjectTypeToString          : General-Information\nInheritedObjectTypeToString : inetOrgPerson\n```\n\n### Get ACLs for all users in an OU with audit rules\n\nFetches access and audit rules for all users in the `Users` OU, including SACL rules.\n\n```powershell\nPS /\u003e Get-ADEffectiveAccess -LdapFilter \"(objectCategory=person)\" -SearchBase \"OU=Users,DC=mylab,DC=local\" -Audit\n```\n\n### Pipe AD user object to retrieve ACL\n\nUses pipeline input from `Get-ADUser` to get effective access rules for the user `jdoe`.\n\n```powershell\nPS /\u003e Get-ADUser -Identity \"jdoe\" | Get-ADEffectiveAccess\n```\n\n### Get ACLs for deleted groups with a limit\n\nRetrieves access rules for up to 10 deleted group objects.\n\n```powershell\nPS /\u003e Get-ADEffectiveAccess -LdapFilter \"(\u0026(isDeleted=TRUE)(objectClass=group))\" -IncludeDeletedObjects -Top 10\n```\n\n### Query ACLs with specific credentials\n\nRetrieves access rules for a user using specified credentials.\n\n```powershell\nPS /\u003e Get-ADEffectiveAccess -Identity \"john.galt\" -Credential (Get-Credential)\n```\n\n## Changelog\n\n- [CHANGELOG.md](./CHANGELOG.md)\n- [Releases](https://github.com/santisq/ADEffectiveAccess/releases)\n\n## Contributing\n\nContributions are welcome. If you wish to contribute, fork this repository and submit a pull request with the changes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsantisq%2FADEffectiveAccess","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsantisq%2FADEffectiveAccess","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsantisq%2FADEffectiveAccess/lists"}