canix1 / ADACLScanner

Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory
Microsoft Public License

-FilterTrustee does not work with -RecursiveFind #49

Closed MichaelGrafnetter closed 2 years ago

MichaelGrafnetter commented 2 years ago

Hello @canix1, I have stumbled upon this behavior of ADACLScanner 7.3 and I am not sure if it is a bug or expected behavior. It seems that the -FilterTrustee parameter gets evaluated before the -RecursiveFind parameter.

For example, I am trying to look up the permissions to create computer objects. If I run this:

 .\ADACLScan.ps1 -Base 'DC=contoso,DC=com' `
                 -Scope onelevel `
                 -Filter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))' `
                 -AccessType Allow `
                 -ApplyTo computer `
                 -Permission create `
                 -RecursiveFind `
                 -Output HTML `
                 -Show

I get the following results, as john is a member of Account Operators:

[screenshot]

But if I add the -FilterTrustee parameter:

 .\ADACLScan.ps1 -Base 'DC=contoso,DC=com' `
                 -Scope onelevel `
                 -Filter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))' `
                 -AccessType Allow `
                 -ApplyTo computer `
                 -Permission create `
                 -FilterTrustee 'CONTOSO\john' `
                 -RecursiveFind `
                 -Output HTML `
                 -Show

I just get "No Permissions found!"

canix1 commented 2 years ago

Good point! Thanks! Rearranged the order for filtering the "Trustee".

Result: [screenshot]
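The ordering problem in this thread, as an added illustration that is not ADACLScanner's own code: the ACE list, the group nesting (Account Operators -> Helpdesk -> john) and the function names are constructed for the example. It shows why a trustee filter applied before recursive group expansion drops every indirect member, while the same filter applied after expansion finds the ACE.

```powershell
# Constructed sample ACEs (not pulled from a real domain)
$Aces = @(
    [pscustomobject]@{ Object = 'OU=Servers,DC=contoso,DC=com'; Trustee = 'BUILTIN\Account Operators'; Rights = 'CreateChild'; ApplyTo = 'computer' }
    [pscustomobject]@{ Object = 'OU=Servers,DC=contoso,DC=com'; Trustee = 'CONTOSO\Domain Admins';     Rights = 'GenericAll';  ApplyTo = 'all' }
)
# Constructed group membership map: group -> direct members (nested groups allowed)
$Members = @{
    'BUILTIN\Account Operators' = @('CONTOSO\Helpdesk')
    'CONTOSO\Helpdesk'          = @('CONTOSO\john')
    'CONTOSO\Domain Admins'     = @('CONTOSO\admin')
}

function Get-EffectiveTrustees {
    # Expand a trustee into every principal that inherits its ACE through group nesting
    # (the idea behind -RecursiveFind). $Seen guards against circular group membership.
    param(
        [string]$Trustee,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($Trustee)) { return }
    $Trustee
    foreach ($m in $Members[$Trustee]) { Get-EffectiveTrustees -Trustee $m -Seen $Seen }
}

function Find-Ace {
    # Hypothetical helper: returns ACEs that grant rights to $FilterTrustee, directly or via groups.
    param([object[]]$Aces, [string]$FilterTrustee, [switch]$FilterBeforeRecursion)
    if ($FilterBeforeRecursion) {
        # The 7.3 behavior reported above: match the literal ACE trustee first, so an ACE
        # held by a group is discarded before anyone asks who is inside that group.
        $Aces = @($Aces | Where-Object Trustee -eq $FilterTrustee)
    }
    foreach ($ace in $Aces) {
        foreach ($p in Get-EffectiveTrustees -Trustee $ace.Trustee) {
            if ($p -eq $FilterTrustee) {
                [pscustomobject]@{ Object = $ace.Object; Trustee = $ace.Trustee; Rights = $ace.Rights; ApplyTo = $ace.ApplyTo; ResolvedFor = $p }
            }
        }
    }
}

'Filter first (buggy order): no rows expected'
Find-Ace -Aces $Aces -FilterTrustee 'CONTOSO\john' -FilterBeforeRecursion | Format-Table
'Recurse first (fixed order): Account Operators ACE resolved for john'
Find-Ace -Aces $Aces -FilterTrustee 'CONTOSO\john' | Format-Table
```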