1

I have manually set some custom DACL on some AD-LDS objects using LDP. I am trying to write a script that exports those ACL (only DACL for now) in SDDL form.

I can retrieve a AD-LDS object with this code:

$obj = Get-ADOrganizationalUnit -Filter {Name -Like 'stuff'} -searchbase "OU=apps,DC=example,DC=com" -server 'localhost:389'
$obj[0].distinguishedName
OU=stuff,OU=apps,DC=example,DC=com

I am aware of the the get-acl Powershell command and its Active Directory aware syntax, but when I try it on my AD-LDS object, it fails with

Get-Acl : Cannot find path 'OU=stuff,OU=apps,DC=example,DC=com' because 
it does not exist.
At line:1 char:9
+ (Get-Acl <<<<  "DC=example,DC=com").access
    + CategoryInfo          : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
    + FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand

I tried to prefix the get-acl command with the AD: prefix, as well as ldap://localhost/, but the error stays the same. I also failed to retreive the DACL of other types of objects (like user and group).

How can I use Powershell to retrieve the DACL of a AD-LDS object in SDDL form?

Cœur
  • 37,241
  • 25
  • 195
  • 267
ixe013
  • 9,559
  • 3
  • 46
  • 77
  • Maybe here some help: http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx – CB. Nov 20 '12 at 11:06
  • Thanks @Christian, I had found that link, but I can only make it work with AD. not AD-LDS. – ixe013 Nov 20 '12 at 15:25

2 Answers2

1

I had the same question without finding an proper answer on the Internet. It took me quite a while to figure out a working solution. Since this discussion comes up as one of the top results on the usual seach engines, but does not provide an actual answer, I decided to post it here:

The following question nudged me into the right direction: How do I set-location ad: to a different active directory domain with Powershell

I tested it with Windows 2012R2 (which I think has Powershell 4.0)

Assuming you have an AD LDS instance running on "server:port" with the suffix "dc=root,dc=com", the following code will screen-print the ACLs of this suffix node using 'get-acl':

  1. add the activedirectory module:

Import-Module activedirectory

  1. you need to define an new access identifier similar to "AD:". This identifier is bound to your current Powershell session: (This example uses "myLDS:", but you can define any identifierstring you want)

New-PSDrive -Name myLDS -PSProvider ActiveDirectory -Server "server:port" -Scope Global -Root "//RootDSE/"

  1. and finally you can use this new identifier to access the LDS stored acls and e.g. print them onscreen:

(Get-ACL 'myLDS:\dc=root,dc=com').access

Note that 'get-acl' and dsacls.exe differ in its output. 'get-acl' will return raw SIDs of subjects, while dsacls internally converts SIDs to DNs and returns DNs. So if you use 'get-acl', but need DNs, you need to do this conversion yourself with an extra LDAP query.

Community
  • 1
  • 1
Alex
  • 191
  • 1
  • 7
0

Try:

dsacls 'OU=stuff,OU=apps,DC=example,DC=com'

I am seeing some interesting things with PowerShell and suspect it is permissions related. That said, try:

Get-ADOrganizationalUnit -Filter 'name -eq "stuff"'

This may work, play around with the methods and attributes on Get-ADOrganizationalUnit that may help isolate the problem

When I find the root cause of my issues I will update this post.

Paul Cayley
  • 51
  • 2