Get user effective permissions on domain

Is there a simple way to use PowerShell to determine a user's effective permissions on a domain?

I have the user name and domain and want to check if the user has the "Replicate Directory Changes" permission on my domain either assigned directly or through a group the user is a member of.

Edit: What if I want to check for multiple domains in a full-trust forest?

August 28th, 2015 3:44am

Cool, thanks. I'll check it out.
August 28th, 2015 4:27am

You might try version 4 of this module. Then you could run something like this:

Get-PacEffectiveAccess -Path "DC=domain,DC=com" -Principal UserName -ObjectAceType "Replicating Directory Changes" -ListAllRights | 
	select -last 1

You can also use these commands to answer the question "Which ACEs grant/deny the 'Replicating Directory Changes' extended right?":

Get-PacAccessControlEntry -Path "DC=domain,DC=com" -ObjectAceType "Replicating Directory Changes"

# This won't show ACEs that grant all extended rights...
Get-PacAccessControlEntry -Path "DC=domain,DC=com" -ObjectAceType "Replicating Directory Changes" -Specific

August 28th, 2015 8:12am

Thanks, but we're trying to avoid using third party modules due to security concerns.
August 28th, 2015 8:14am
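
For readers who share the constraint in the last reply, the check can be approximated with Microsoft's ActiveDirectory (RSAT) module and .NET alone. This is an added example, not part of the thread or of the module mentioned above; the function name and parameters are hypothetical, and 'UserName' and 'domain.com' are the placeholders used in the posts.

```powershell
# Added example; uses only Microsoft's ActiveDirectory (RSAT) module and .NET.
Import-Module ActiveDirectory
# Control access right GUID of "Replicating Directory Changes" (DS-Replication-Get-Changes).
$ReplGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicatingDirectoryChanges {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $UserDomain,     # DNS name of the user's domain
        [string] $TargetDomain = $UserDomain             # domain whose ACL is checked
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain

    # tokenGroups is a constructed attribute, so it needs a base-scope search.
    # It holds the SIDs of the groups the user belongs to, nesting included.
    $withGroups = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
        -LDAPFilter '(objectClass=user)' -Properties tokenGroups -Server $UserDomain
    $sids = @($user.SID.Value) + @($withGroups.tokenGroups | ForEach-Object { $_.Value })

    # Read the DACL on the domain head of the target domain.
    $domainDn = (Get-ADDomain -Server $TargetDomain).DistinguishedName
    $acl = ([adsi]"LDAP://$TargetDomain/$domainDn").psbase.ObjectSecurity
    $extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Keep ACEs that apply to the domain object itself, name one of the user's SIDs,
    # and carry the extended-right bit for this right or for all extended rights
    # (empty ObjectType; GenericAll also includes the bit).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $aces = @($rules | Where-Object {
        ($sids -contains $_.IdentityReference.Value) -and
        ([int]$_.ActiveDirectoryRights -band $extRight) -and
        -not ([int]$_.PropagationFlags -band $inheritOnly) -and
        ($_.ObjectType -eq $ReplGuid -or $_.ObjectType -eq [guid]::Empty)
    })
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Domain     = $TargetDomain
        User       = "$UserDomain\$SamAccountName"
        HasRight   = ($allow.Count -gt 0 -and $deny.Count -eq 0)   # simplification: any deny wins
        GrantedVia = $allow.IdentityReference.Value
    }
}

# Constructed usage: check one user against every domain in the forest.
(Get-ADForest).Domains | ForEach-Object {
    Test-ReplicatingDirectoryChanges -SamAccountName 'UserName' -UserDomain 'domain.com' -TargetDomain $_
}
```

tokenGroups does not include well-known SIDs such as Authenticated Users, nor domain-local groups that exist only in another domain, so a grant made through either of those is not reported by this check.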

This topic is archived. No further replies will be accepted.
