Using the function Get-ObjectAcl we can see the SecurityIdentifier (SID) that allow the actions, maybe force change password or generic all, in order to identify the SID better.
Maybe the script can add a new colum to identify the user/group (resolv) the SID using the function Get-DomainUser object-sid? in order to identify the user or group that can perform the actions.
Using the function Get-ObjectAcl we can see the SecurityIdentifier (SID) that allow the actions, maybe force change password or generic all, in order to identify the SID better.
Maybe the script can add a new colum to identify the user/group (resolv) the SID using the function Get-DomainUser object-sid? in order to identify the user or group that can perform the actions.