en-US/ADEffectiveAccess.dll-Help.xml

<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh">
  <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
    <command:details>
      <command:name>Get-ADEffectiveAccess</command:name>
      <command:verb>Get</command:verb>
      <command:noun>ADEffectiveAccess</command:noun>
      <maml:description>
        <maml:para>Retrieves effective access and audit rules for Active Directory objects, translating `ObjectType` and `InheritedObjectType` GUIDs into human-readable names.</maml:para>
      </maml:description>
    </command:details>
    <maml:description>
      <maml:para>An enhanced alternative to `Get-Acl` for Active Directory, this cmdlet retrieves access control lists (ACLs) for AD objects, returning effective access and audit rules. It translates `ObjectType` and `InheritedObjectType` GUIDs into human-readable names using a per-session, per-domain map for improved performance and readability.</maml:para>
      <maml:para>Unlike `Get-Acl`, this cmdlet has no dependency on the Active Directory module and includes built-in LDAP search functionality to locate objects.</maml:para>
    </maml:description>
    <command:syntax>
      <command:syntaxItem>
        <maml:name>Get-ADEffectiveAccess</maml:name>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="0" aliases="none">
          <maml:name>LdapFilter</maml:name>
          <maml:description>
            <maml:para>Specifies an LDAP query to filter Active Directory objects (e.g., `(objectClass=user)`).</maml:para>
            <maml:para>For more details, see the __Remarks__ section from `DirectorySearcher.Filter` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.filter#remarks).</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
          <dev:type>
            <maml:name>String</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Audit</maml:name>
          <maml:description>
            <maml:para>Use this switch to include audit rules from the System Access Control List (SACL).</maml:para>
            <maml:para>NOTE: Using this switch may impact performance in large directories.</maml:para>
          </maml:description>
          <dev:type>
            <maml:name>SwitchParameter</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>False</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Credential</maml:name>
          <maml:description>
            <maml:para>Specifies a user account with permission to perform this action. Default is the current user. Accepts a username (e.g., `User01`, `myDomain\User01`) or a `PSCredential` (https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential) object from `Get-Credential` (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential). Prompts for a password if a username is provided.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue>
          <dev:type>
            <maml:name>PSCredential</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>IncludeDeletedObjects</maml:name>
          <maml:description>
            <maml:para>Includes deleted objects in the search. Required when retrieving ACLs for deleted objects. See `DirectorySearcher.Tombstone` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.tombstone#system-directoryservices-directorysearcher-tombstone) for details.</maml:para>
          </maml:description>
          <dev:type>
            <maml:name>SwitchParameter</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>False</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>SearchScope</maml:name>
          <maml:description>
            <maml:para>Specifies the Active Directory search scope:</maml:para>
            <maml:para>- `Base` (`0`): Searches only the current path.</maml:para>
            <maml:para>- `OneLevel` (`1`): Searches immediate children.</maml:para>
            <maml:para>- `Subtree` (`2`): Searches the current path and all children.</maml:para>
          </maml:description>
          <command:parameterValueGroup>
            <command:parameterValue required="false" command:variableLength="false">Base</command:parameterValue>
            <command:parameterValue required="false" command:variableLength="false">OneLevel</command:parameterValue>
            <command:parameterValue required="false" command:variableLength="false">Subtree</command:parameterValue>
          </command:parameterValueGroup>
          <command:parameterValue required="true" variableLength="false">SearchScope</command:parameterValue>
          <dev:type>
            <maml:name>SearchScope</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>Subtree</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Server</maml:name>
          <maml:description>
            <maml:para>Specifies the AD DS instance to connect to. Accepts:</maml:para>
            <maml:para>- Fully qualified domain name</maml:para>
            <maml:para>- NetBIOS name</maml:para>
            <maml:para>- Directory server name (with optional port, e.g. `myDC01:636`)</maml:para>
            <maml:para>- Global Catalog (e.g. `GC://myCatalogServer`)</maml:para>
            <maml:para></maml:para>
            <maml:para>Defaults to the current domain if not specified.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
          <dev:type>
            <maml:name>String</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Top</maml:name>
          <maml:description>
            <maml:para>Limits the number of objects to retrieve ACLs for. Default is `0` (no limit, determined by LDAP filter). See `DirectorySearcher.SizeLimit` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.sizelimit#system-directoryservices-directorysearcher-sizelimit) for details.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
          <dev:type>
            <maml:name>Int32</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>0</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>AuthenticationTypes</maml:name>
          <maml:description>
            <maml:para>Specifies the authentication method. Default is `Secure`.</maml:para>
            <maml:para>TIP: `AuthenticationTypes` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes) is a `Flags` enum, so you can combine values as needed, e.g.: `-AuthenticationTypes 'Secure, FastBind'`.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">AuthenticationTypes</command:parameterValue>
          <dev:type>
            <maml:name>AuthenticationTypes</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>Secure</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>PageSize</maml:name>
          <maml:description>
            <maml:para>Sets the maximum number of objects returned per page in a paged search. Default is `1000`.</maml:para>
            <maml:para>See `DirectorySearcher.PageSize` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.pagesize) for more details.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
          <dev:type>
            <maml:name>Int32</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>1000</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>SearchBase</maml:name>
          <maml:description>
            <maml:para>Specifies the `DistinguishedName` of an Organizational Unit or Container as the search base. Defaults to the domain root if not specified.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
          <dev:type>
            <maml:name>String</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
      </command:syntaxItem>
      <command:syntaxItem>
        <maml:name>Get-ADEffectiveAccess</maml:name>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Audit</maml:name>
          <maml:description>
            <maml:para>Use this switch to include audit rules from the System Access Control List (SACL).</maml:para>
            <maml:para>NOTE: Using this switch may impact performance in large directories.</maml:para>
          </maml:description>
          <dev:type>
            <maml:name>SwitchParameter</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>False</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Credential</maml:name>
          <maml:description>
            <maml:para>Specifies a user account with permission to perform this action. Default is the current user. Accepts a username (e.g., `User01`, `myDomain\User01`) or a `PSCredential` (https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential) object from `Get-Credential` (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential). Prompts for a password if a username is provided.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue>
          <dev:type>
            <maml:name>PSCredential</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>IncludeDeletedObjects</maml:name>
          <maml:description>
            <maml:para>Includes deleted objects in the search. Required when retrieving ACLs for deleted objects. See `DirectorySearcher.Tombstone` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.tombstone#system-directoryservices-directorysearcher-tombstone) for details.</maml:para>
          </maml:description>
          <dev:type>
            <maml:name>SwitchParameter</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>False</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>Server</maml:name>
          <maml:description>
            <maml:para>Specifies the AD DS instance to connect to. Accepts:</maml:para>
            <maml:para>- Fully qualified domain name</maml:para>
            <maml:para>- NetBIOS name</maml:para>
            <maml:para>- Directory server name (with optional port, e.g. `myDC01:636`)</maml:para>
            <maml:para>- Global Catalog (e.g. `GC://myCatalogServer`)</maml:para>
            <maml:para></maml:para>
            <maml:para>Defaults to the current domain if not specified.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
          <dev:type>
            <maml:name>String</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
        <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
          <maml:name>AuthenticationTypes</maml:name>
          <maml:description>
            <maml:para>Specifies the authentication method. Default is `Secure`.</maml:para>
            <maml:para>TIP: `AuthenticationTypes` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes) is a `Flags` enum, so you can combine values as needed, e.g.: `-AuthenticationTypes 'Secure, FastBind'`.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">AuthenticationTypes</command:parameterValue>
          <dev:type>
            <maml:name>AuthenticationTypes</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>Secure</dev:defaultValue>
        </command:parameter>
        <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none">
          <maml:name>Identity</maml:name>
          <maml:description>
            <maml:para>Specifies an Active Directory object by:</maml:para>
            <maml:para>- A DistinguishedName</maml:para>
            <maml:para>- A GUID (`objectGuid`)</maml:para>
            <maml:para>- A SID (`objectSid`)</maml:para>
            <maml:para>- A sAMAccountName</maml:para>
            <maml:para></maml:para>
            <maml:para>TIP: Accepts pipeline input from ActiveDirectory cmdlets (https://learn.microsoft.com/en-us/powershell/module/activedirectory) with `objectGuid` or `DistinguishedName` properties.</maml:para>
          </maml:description>
          <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
          <dev:type>
            <maml:name>String</maml:name>
            <maml:uri />
          </dev:type>
          <dev:defaultValue>None</dev:defaultValue>
        </command:parameter>
      </command:syntaxItem>
    </command:syntax>
    <command:parameters>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>Audit</maml:name>
        <maml:description>
          <maml:para>Use this switch to include audit rules from the System Access Control List (SACL).</maml:para>
          <maml:para>NOTE: Using this switch may impact performance in large directories.</maml:para>
        </maml:description>
        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
        <dev:type>
          <maml:name>SwitchParameter</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>False</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>Credential</maml:name>
        <maml:description>
          <maml:para>Specifies a user account with permission to perform this action. Default is the current user. Accepts a username (e.g., `User01`, `myDomain\User01`) or a `PSCredential` (https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential) object from `Get-Credential` (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential). Prompts for a password if a username is provided.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">PSCredential</command:parameterValue>
        <dev:type>
          <maml:name>PSCredential</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>IncludeDeletedObjects</maml:name>
        <maml:description>
          <maml:para>Includes deleted objects in the search. Required when retrieving ACLs for deleted objects. See `DirectorySearcher.Tombstone` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.tombstone#system-directoryservices-directorysearcher-tombstone) for details.</maml:para>
        </maml:description>
        <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
        <dev:type>
          <maml:name>SwitchParameter</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>False</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="0" aliases="none">
        <maml:name>LdapFilter</maml:name>
        <maml:description>
          <maml:para>Specifies an LDAP query to filter Active Directory objects (e.g., `(objectClass=user)`).</maml:para>
          <maml:para>For more details, see the __Remarks__ section from `DirectorySearcher.Filter` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.filter#remarks).</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
        <dev:type>
          <maml:name>String</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>SearchScope</maml:name>
        <maml:description>
          <maml:para>Specifies the Active Directory search scope:</maml:para>
          <maml:para>- `Base` (`0`): Searches only the current path.</maml:para>
          <maml:para>- `OneLevel` (`1`): Searches immediate children.</maml:para>
          <maml:para>- `Subtree` (`2`): Searches the current path and all children.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">SearchScope</command:parameterValue>
        <dev:type>
          <maml:name>SearchScope</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>Subtree</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>Server</maml:name>
        <maml:description>
          <maml:para>Specifies the AD DS instance to connect to. Accepts:</maml:para>
          <maml:para>- Fully qualified domain name</maml:para>
          <maml:para>- NetBIOS name</maml:para>
          <maml:para>- Directory server name (with optional port, e.g. `myDC01:636`)</maml:para>
          <maml:para>- Global Catalog (e.g. `GC://myCatalogServer`)</maml:para>
          <maml:para></maml:para>
          <maml:para>Defaults to the current domain if not specified.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
        <dev:type>
          <maml:name>String</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>Top</maml:name>
        <maml:description>
          <maml:para>Limits the number of objects to retrieve ACLs for. Default is `0` (no limit, determined by LDAP filter). See `DirectorySearcher.SizeLimit` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.sizelimit#system-directoryservices-directorysearcher-sizelimit) for details.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
        <dev:type>
          <maml:name>Int32</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>0</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>AuthenticationTypes</maml:name>
        <maml:description>
          <maml:para>Specifies the authentication method. Default is `Secure`.</maml:para>
          <maml:para>TIP: `AuthenticationTypes` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes) is a `Flags` enum, so you can combine values as needed, e.g.: `-AuthenticationTypes 'Secure, FastBind'`.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">AuthenticationTypes</command:parameterValue>
        <dev:type>
          <maml:name>AuthenticationTypes</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>Secure</dev:defaultValue>
      </command:parameter>
      <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none">
        <maml:name>Identity</maml:name>
        <maml:description>
          <maml:para>Specifies an Active Directory object by:</maml:para>
          <maml:para>- A DistinguishedName</maml:para>
          <maml:para>- A GUID (`objectGuid`)</maml:para>
          <maml:para>- A SID (`objectSid`)</maml:para>
          <maml:para>- A sAMAccountName</maml:para>
          <maml:para></maml:para>
          <maml:para>TIP: Accepts pipeline input from ActiveDirectory cmdlets (https://learn.microsoft.com/en-us/powershell/module/activedirectory) with `objectGuid` or `DistinguishedName` properties.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
        <dev:type>
          <maml:name>String</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>PageSize</maml:name>
        <maml:description>
          <maml:para>Sets the maximum number of objects returned per page in a paged search. Default is `1000`.</maml:para>
          <maml:para>See `DirectorySearcher.PageSize` (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.pagesize) for more details.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
        <dev:type>
          <maml:name>Int32</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>1000</dev:defaultValue>
      </command:parameter>
      <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
        <maml:name>SearchBase</maml:name>
        <maml:description>
          <maml:para>Specifies the `DistinguishedName` of an Organizational Unit or Container as the search base. Defaults to the domain root if not specified.</maml:para>
        </maml:description>
        <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
        <dev:type>
          <maml:name>String</maml:name>
          <maml:uri />
        </dev:type>
        <dev:defaultValue>None</dev:defaultValue>
      </command:parameter>
    </command:parameters>
    <command:inputTypes>
      <command:inputType>
        <dev:type>
          <maml:name>System.String</maml:name>
        </dev:type>
        <maml:description>
          <maml:para>Accepts a string representing a `DistinguishedName`, `objectGuid`, `objectSid`, or `sAMAccountName` via pipeline for the `-Identity` parameter. You can also pipe objects from Active Directory cmdlets having `DistinguishedName` or `objectGuid` properties.</maml:para>
        </maml:description>
      </command:inputType>
    </command:inputTypes>
    <command:returnValues>
      <command:returnValue>
        <dev:type>
          <maml:name>ADEffectiveAccess.EffectiveAccessRule</maml:name>
        </dev:type>
        <maml:description>
          <maml:para>Represents effective access rules with resolved `ObjectType` and `InheritedObjectType` GUIDs.</maml:para>
        </maml:description>
      </command:returnValue>
      <command:returnValue>
        <dev:type>
          <maml:name>ADEffectiveAccess.EffectiveAuditRule</maml:name>
        </dev:type>
        <maml:description>
          <maml:para>Represents effective audit rules with resolved `ObjectType` and `InheritedObjectType` GUIDs (when `-Audit` is specified).</maml:para>
        </maml:description>
      </command:returnValue>
    </command:returnValues>
    <maml:alertSet>
      <maml:alert>
        <maml:para>- This cmdlet maintains a per-session, per-domain map to translate `ObjectType` and `InheritedObjectType` into human-readable names, improving usability and performance.</maml:para>
        <maml:para>- Querying audit rules (`-Audit`) or deleted objects (`-IncludeDeletedObjects`) may impact performance on large directories.</maml:para>
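        <maml:para>- Ensure the account used has sufficient permissions to read security descriptors. Reading audit rules (`-Audit`) requires access to the SACL, which is typically more restricted than access to the DACL.</maml:para>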
      </maml:alert>
    </maml:alertSet>
    <command:examples>
      <command:example>
        <maml:title>--- Example 1: Get ACL for a specific user by sAMAccountName ---</maml:title>
        <dev:code>PS /&gt; Get-ADEffectiveAccess -Identity john.galt</dev:code>
        <dev:remarks>
          <maml:para>Retrieves the effective access rules for the user `john.galt` in the current domain.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>- Example 2: Get ACLs for all users in an OU with audit rules -</maml:title>
        <dev:code>PS /&gt; Get-ADEffectiveAccess -LdapFilter "(objectCategory=person)" -SearchBase "OU=Users,DC=mylab,DC=local" -Audit</dev:code>
        <dev:remarks>
          <maml:para>Retrieves access and audit rules for all user objects in the `Users` OU, including system access control list (SACL) rules.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>-------- Example 3: Pipe AD user object to retrieve ACL --------</maml:title>
        <dev:code>PS /&gt; Get-ADUser -Identity "jdoe" | Get-ADEffectiveAccess</dev:code>
        <dev:remarks>
          <maml:para>Uses pipeline input from `Get-ADUser` to retrieve effective access rules for the user `jdoe`.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>----- Example 4: Get ACLs for deleted objects with a limit -----</maml:title>
        <dev:code>PS /&gt; Get-ADEffectiveAccess -LdapFilter "(objectClass=group)" -IncludeDeletedObjects -Top 10</dev:code>
        <dev:remarks>
          <maml:para>Retrieves access rules for up to 10 deleted `group` objects in the domain, including tombstone objects.</maml:para>
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>Example 5: Query ACLs on a specific server with custom authentication</maml:title>
        <dev:code>PS /&gt; Get-ADEffectiveAccess -LdapFilter "(objectClass=computer)" -Server "myChildDomain.local:636" -AuthenticationTypes Secure, FastBind</dev:code>
        <dev:remarks>
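          <maml:para>Retrieves access rules for all `computer` objects in a child domain with secure authentication and fast bind. `Secure` requests a negotiated (Kerberos/NTLM) bind and is distinct from the `SecureSocketsLayer`, `Signing`, and `Sealing` values of the same enum.</maml:para>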
        </dev:remarks>
      </command:example>
      <command:example>
        <maml:title>------- Example 6: Query ACLs with specific credentials -------</maml:title>
        <dev:code>PS /&gt; Get-ADEffectiveAccess -Identity "john.galt" -Credential (Get-Credential)</dev:code>
        <dev:remarks>
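          <maml:para>Retrieves the effective access rules for the user `john.galt`, using the credentials entered at the `Get-Credential` prompt instead of the current user.</maml:para>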
        </dev:remarks>
      </command:example>
    </command:examples>
    <command:relatedLinks>
      <maml:navigationLink>
        <maml:linkText>Online Version:</maml:linkText>
        <maml:uri>https://github.com/santisq/ADEffectiveAccess/blob/main/docs/en-US/Get-ADEffectiveAccess.md</maml:uri>
      </maml:navigationLink>
      <maml:navigationLink>
        <maml:linkText>__ActiveDirectoryAccessRule__</maml:linkText>
        <maml:uri>https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule</maml:uri>
      </maml:navigationLink>
      <maml:navigationLink>
        <maml:linkText>__ActiveDirectoryAuditRule__</maml:linkText>
        <maml:uri>https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryauditrule</maml:uri>
      </maml:navigationLink>
      <maml:navigationLink>
        <maml:linkText>__Active Directory Module__</maml:linkText>
        <maml:uri>https://learn.microsoft.com/en-us/powershell/module/activedirectory</maml:uri>
      </maml:navigationLink>
      <maml:navigationLink>
        <maml:linkText>__DirectorySearcher__</maml:linkText>
        <maml:uri>https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher</maml:uri>
      </maml:navigationLink>
    </command:relatedLinks>
  </command:command>
</helpItems>