5. Syntax
Robin Granberg edited this page Aug 28, 2022
·
6 revisions
ADACLScan.ps1 [[-Base] <String>] [[-Targets] <String>] [[-Filter] <String>] [[-Scope] <String>] [[-Server] <String>] [[-Port] <String>] [[-EffectiveRightsPrincipal] <String>] [[-Output] <String>] [[-OutputFolder] <String>] [[-Template] <String>] [[-Returns] <String>] [-ExcelFile <String>] [-Criticality <String>] [-ShowCriticalityColor] [-SkipDefaults] [-SkipBuiltIn] [-RecursiveFind] [-RecursiveObjectType <String>] [-Translate] [-GPO] [-Show] [-SDDate] [-Owner] [-CanonicalNames] [-Protected] [-DefaultSecurityDescriptor] [-ObjectName <String>] [-OnlyModified] [-IncludeInherited] [-RAW] [-AccessType <String>] [-Permission <String>] [-ApplyTo <String>] [-FilterTrustee <String>] [<CommonParameters>]
-Base <String>
DistinguishedName to start your search at, or type RootDSE for the domain root. The base object is included in the result if your filter matches it.
Required? false
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Targets <String>
Targets allows you to use a predefined search for specific objects
Required? false
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Filter <String>
Filter. Specify your custom filter. Default is OrganizationalUnit.
Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Scope <String>
Scope. Set your scope. Default is base.
Required? false
Position? 3
Default value base
Accept pipeline input? false
Accept wildcard characters? false
-Server <String>
Server. Specify your specific server to target your search at.
Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Port <String>
Port. Specify your custom port.
Required? false
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters? false
-EffectiveRightsPrincipal <String>
Specify the samAccountName of a security principal to check for its effective permissions
Required? false
Position? 6
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Output <String>
Generates an HTML report; the default is CSV.
Required? false
Position? 7
Default value
Accept pipeline input? false
Accept wildcard characters? false
-OutputFolder <String>
Output folder path for where results are written.
Required? false
Position? 8
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Template <String>
Template to compare with.
This parameter allows you to compare the current state of a security descriptor with a previously created template.
Required? false
Position? 9
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Returns <String>
Filter what to return when comparing with a template.
This parameter allows you to filter the output on "ALL", "MATCH", "MISSING", "NEW"
Example 1. -Returns "ALL"
Example 2. -Returns "MATCH"
Example 3. -Returns "MISSING"
Example 4. -Returns "NEW"
Required? false
Position? 9
Default value ALL
Accept pipeline input? false
Accept wildcard characters? false
-ExcelFile <String>
Use ExcelFile to define your own path for the Excel output
This parameter will allow you to type the excel file path.
Example 1. -ExcelFile "C:\Temp\ExcelOutput.xlsx"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Criticality <String>
Filter on Criticality.
This parameter will filter the result based on a defined criticality level
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ShowCriticalityColor [<SwitchParameter>]
Show color of criticality
This parameter will add colors to the report if you selected HTML or EXCEL using the -OUTPUT parameter
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-SkipDefaults [<SwitchParameter>]
Skip default permissions
This parameter will skip permissions that match the permissions defined in the schema partition for the object
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-SkipBuiltIn [<SwitchParameter>]
Skip Built-in security principals
This parameter will skip permissions that match the built in groups
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-RecursiveFind [<SwitchParameter>]
Expand groups
This parameter will search any nested groups to show all security principals that have access.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-RecursiveObjectType <String>
Filter on RecursiveObjectType.
This parameter will filter the nested groups to show only users that have access.
Required? false
Position? named
Default value *
Accept pipeline input? false
Accept wildcard characters? false
-Translate [<SwitchParameter>]
Translate GUIDs
This parameter will translate any GUIDs if necessary
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-GPO [<SwitchParameter>]
Get Group Policy Objects linked
This parameter will let you search permissions on group policy objects that are linked to the path you have selected
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Show [<SwitchParameter>]
Open HTML report
This parameter will open the report if you selected one using the -OUTPUT parameter
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-SDDate [<SwitchParameter>]
Include Security Descriptor modified date in report
This parameter will include the date when the security descriptor was last changed
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Owner [<SwitchParameter>]
Include Owner in report
This parameter will make the scan search the owner section in the security descriptor.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-CanonicalNames [<SwitchParameter>]
Include Canonical Names in report
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Protected [<SwitchParameter>]
Include if inheritance is disabled in report
This parameter will add information to the report on whether the object has disabled its inheritance
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-DefaultSecurityDescriptor [<SwitchParameter>]
Scan Default Security Descriptor
This parameter will make AD ACL Scanner search the schema partition for security descriptors of all objects.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-SchemaObjectName <String>
Filter Default Security Descriptor on a schema object
This parameter lets you select the schema object whose default security descriptor you would like to see.
Example 1. -SchemaObjectName "User"
Example 2. -SchemaObjectName "Computer"
Required? false
Position? named
Default value *
Accept pipeline input? false
Accept wildcard characters? false
-OnlyModified [<SwitchParameter>]
Filter Default Security Descriptor on modified with version number higher than 1
This parameter will check the metadata of the NTSecurityDescriptor to see if it has ever been changed, that is, whether it has a version number higher than 1.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-IncludeInherited [<SwitchParameter>]
Include inherited permissions
By default only explicit permissions are shown
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-RAW [<SwitchParameter>]
Returns ACEs in the format that .NET presents access permissions
Use this option if you would like to create a template for comparison
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AccessType <String>
Filter ACL for access type
Example 1. -AccessType "Allow"
Example 2. -AccessType "Deny"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Permission <String>
Filter ACL for a specific permission
Example 1. -Permission "WriteProperty"
Example 2. -Permission "GenericAll"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ApplyTo <String>
Filter ACL ObjectName
Example 1. -ApplyTo computer
Example 2. -ApplyTo user
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-FilterTrustee <String>
Filter ACL for matching strings in Trustee
Example 1. -FilterTrustee "*Domain*"
Example 2. -FilterTrustee "contoso\user1"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credentials <PSCredential>
Add credentials to the command by first creating a PSCredential object, for example $CREDS = get-credential
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
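
The filter parameters above and the -RAW / -Template / -Returns trio combine into a delegation review followed by a drift check. The following is an added example, not taken from the original page or the project: the distinguished name, folder paths and template file name are constructed placeholders, and the -Scope value "subtree" is an assumption because this page only lists the default "base".

```powershell
# Added example. Constructed placeholders: DN, folders, template file name.
$base = 'OU=Servers,DC=contoso,DC=com'

# 1. Review: explicit, non-default Allow ACEs that grant GenericAll below $base.
#    Built-in principals are skipped and nested groups are expanded so the
#    report names the principals that actually hold the right.
$review = @{
    Base          = $base
    Scope         = 'subtree'    # assumption: value not listed on this page
    AccessType    = 'Allow'
    Permission    = 'GenericAll'
    SkipDefaults  = $true        # drop ACEs matching the schema default
    SkipBuiltIn   = $true
    RecursiveFind = $true
    Owner         = $true        # owners control the DACL, so report them
    Protected     = $true        # flag objects with inheritance disabled
    SDDate        = $true        # when the security descriptor last changed
    Output        = 'HTML'
    OutputFolder  = 'C:\Temp\ACLReview'
    Show          = $true
}
.\ADACLScan.ps1 @review

# 2. Baseline: -RAW produces the format meant for templates. Assumption: the
#    default CSV result is written to -OutputFolder; the file name it gets is
#    not documented on this page.
.\ADACLScan.ps1 -Base $base -Scope subtree -RAW -OutputFolder 'C:\Temp\ACLBaseline'

# 3. Drift check at a later date: compare the current state against the
#    baseline and return only ACEs that were not in the template.
$template = 'C:\Temp\ACLBaseline\<template-file>.csv'   # placeholder path
.\ADACLScan.ps1 -Base $base -Scope subtree -Template $template -Returns 'NEW'

# -Returns 'MISSING' on the same template lists ACEs that have been removed
# since the baseline was taken.
```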