update docs... still needs work

Author: santisq

docs/en-US/Get-ADEffectiveAccess.md

@@ -9,7 +9,7 @@ schema: 2.0.0
 
 ## SYNOPSIS
 
-{{ Fill in the Synopsis }}
+Retrieves effective access and audit rules for Active Directory objects, translating `ObjectType` and `InheritedObjectType` GUIDs into human-readable names.
 
 ## SYNTAX
 
@@ -45,7 +45,9 @@ Get-ADEffectiveAccess
 
 ## DESCRIPTION
 
-{{ Fill in the Description }}
+An enhanced alternative to `Get-Acl` for Active Directory, this cmdlet retrieves access control lists (ACLs) for AD objects, returning effective access and audit rules. It translates `ObjectType` and `InheritedObjectType` GUIDs into human-readable names using a per-session, per-domain map for improved performance and readability.
+
+Unlike `Get-Acl`, there is no dependency on the Active Directory module and includes built-in LDAP search functionality to locate objects.
 
 ## EXAMPLES
 
@@ -61,7 +63,11 @@ PS C:\> {{ Add example code here }}
 
 ### -Audit
 
-Use this switch to include audit rules for the security descriptor from the system access control list (SACL).
+Use this switch to include audit rules from the System Access Control List (SACL).
+
+> [!NOTE]
+>
+> Usage of this switch may impact performance in large directories.
 
 ```yaml
 Type: SwitchParameter
@@ -77,9 +83,7 @@ Accept wildcard characters: False
 
 ### -Credential
 
-Specifies a user account that has permission to perform this action. The default is the current user.
-
-Type a user name, such as `User01` or `myDomain\User01`, or enter a [`PSCredential`](https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential) object generated by the [`Get-Credential` cmdlet](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential). If you type a user name, you're prompted to enter the password.
+Specifies a user account with permission to perform this action. Default is the current user. Accepts a username (e.g., `User01`, `myDomain\User01`) or a [`PSCredential`](https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential) object from [`Get-Credential`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential). Prompts for a password if a username is provided.
 
 ```yaml
 Type: PSCredential
@@ -95,9 +99,7 @@ Accept wildcard characters: False
 
 ### -IncludeDeletedObjects
 
-Use this switch to include deleted objects in your search. This switch is also required when getting the ACL for a deleted Identity.
-
-For more details, see [`DirectorySearcher.Tombstone` Property](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.tombstone#system-directoryservices-directorysearcher-tombstone).
+Includes deleted objects in the search. Required when retrieving ACLs for deleted objects. See [`DirectorySearcher.Tombstone`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.tombstone#system-directoryservices-directorysearcher-tombstone) for details.
 
 ```yaml
 Type: SwitchParameter
@@ -113,7 +115,7 @@ Accept wildcard characters: False
 
 ### -LdapFilter
 
-Specifies an LDAP query string that is used to filter Active Directory objects you want to get the ACL from.
+Specifies an LDAP query to filter Active Directory objects (e.g., `(objectClass=user)`).
 
 For more details, see the [__Remarks__ section from `DirectorySearcher.Filter`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.filter#remarks).
 
@@ -131,11 +133,11 @@ Accept wildcard characters: False
 
 ### -SearchScope
 
-Specifies the scope of an Active Directory search. The acceptable values for this parameter are:
+Specifies the Active Directory search scope:
 
-- `Base` or `0` - Searches only the current path or object
-- `OneLevel` or `1` - Searches the immediate children of that path or object
-- `Subtree` or `2` - Searches the current path or object and all children of that path or object
+- `Base` (`0`): Searches only the current path.
+- `OneLevel` (`1`): Searches immediate children.
+- `Subtree` (`2`): Searches the current path and all children.
 
 ```yaml
 Type: SearchScope
@@ -152,23 +154,14 @@ Accept wildcard characters: False
 
 ### -Server
 
-Specifies the AD DS instance to connect to by providing one of the following values for a corresponding domain name or directory server.
-
-Domain name values:
+Specifies the AD DS instance to connect to. Accepts:
 
 - Fully qualified domain name
 - NetBIOS name
+- Directory server name (with optional port, e.g. `myDC01:636`)
+- Global Catalog (e.g. `GC://myChildDomain`)
 
-Directory server values:
-
-- Fully qualified directory server name
-- NetBIOS name
-- Fully qualified directory server name and port
-
-> [!TIP]
->
-> - You can use `GC://` prefix to search in the Global Catalog, e.g.: `-Server GC://myChildDomain`.
-> - Including the port to use with your query is valid using the syntax `<HOST>:<PORT>`, e.g.: `-Server myDC01:636`.
+Defaults to the current domain if not specified.
 
 ```yaml
 Type: String
@@ -184,9 +177,7 @@ Accept wildcard characters: False
 
 ### -Top
 
-The maximum number of objects you want to get the ACL from. The default value is `0`, meaning that the maximum number of object you will be getting the ACL from is determined by your LDAP filter or lack of it (all objects).
-
-See also [`DirectorySearcher.SizeLimit` Property](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.sizelimit#system-directoryservices-directorysearcher-sizelimit).
+Limits the number of objects to retrieve ACLs for. Default is `0` (no limit, determined by LDAP filter). See [`DirectorySearcher.SizeLimit`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.sizelimit#system-directoryservices-directorysearcher-sizelimit) for details.
 
 ```yaml
 Type: Int32
@@ -202,11 +193,11 @@ Accept wildcard characters: False
 
 ### -AuthenticationTypes
 
-Specifies the authentication method to use. The default value is `Secure`.
+Specifies the authentication method. Default is `Secure`.
 
-> [!NOTE]
+> [!TIP]
 >
-> [`AuthenticationTypes`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes) is a Flags Enum, meaning that you can combine values, for example `-AuthenticationTypes 'Secure, FastBind'` is valid.
+> [`AuthenticationTypes`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes) is a `Flags` Enum, you can combine values as needed, e.g.: `-AuthenticationTypes 'Secure, FastBind'`.
 
 ```yaml
 Type: AuthenticationTypes
@@ -222,7 +213,7 @@ Accept wildcard characters: False
 
 ### -Identity
 
-Specifies an Active Directory object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.
+Specifies an Active Directory object by:
 
 - A DistinguishedName
 - A GUID (`objectGuid`)
@@ -231,7 +222,7 @@ Specifies an Active Directory object by providing one of the following property
 
 > [!TIP]
 >
-> This parameter takes pipeline input. You can pipe the output from [ActiveDirectory cmdlets](https://learn.microsoft.com/en-us/powershell/module/activedirectory) to this parameter whenever the output has an `objectGuid` or a `DistinguishedName` property.
+> Accepts pipeline input from [ActiveDirectory cmdlets](https://learn.microsoft.com/en-us/powershell/module/activedirectory) with `objectGuid` or `DistinguishedName` properties.
 
 ```yaml
 Type: String
@@ -247,9 +238,9 @@ Accept wildcard characters: False
 
 ### -PageSize
 
-Determines the maximum number of objects the server can return in a paged search. The default is `1000`.
+Sets the maximum number of objects returned per page in a paged search. Default is `1000`.
 
-See also [`DirectorySearcher.PageSize` Property](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.pagesize) for more details.
+See [`DirectorySearcher.PageSize`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.pagesize) for more details.
 
 ```yaml
 Type: Int32
@@ -265,7 +256,7 @@ Accept wildcard characters: False
 
 ### -SearchBase
 
-Specifies the `DistinguishedName` of an Organization Unit or Container as the base for your search.
+Specifies the `DistinguishedName` of an Organizational Unit or Container as the search base. Defaults to the domain root if not specified.
 
 ```yaml
 Type: String
@@ -287,12 +278,29 @@ This cmdlet supports the common parameters. For more information, see [about_Com
 
 ### System.String
 
+Accepts a string representing a `DistinguishedName`, `objectGuid`, `objectSid`, or `sAMAccountName` via pipeline for the [`-Identity` parameter](#-identity). You can also pipe objects from Active Directory cmdlets having `DistinguishedName` or `objectGuid` properties.
+
 ## OUTPUTS
 
 ### ADEffectiveAccess.EffectiveAccessRule
 
+Represents effective access rules with resolved `ObjectType` and `InheritedObjectType` GUIDs.
+
 ### ADEffectiveAccess.EffectiveAuditRule
 
+Represents effective audit rules with resolved `ObjectType` and `InheritedObjectType` GUIDs (when `-Audit` is specified).
+
 ## NOTES
 
+- This cmdlet maintains a per-session, per-domain map to translate `ObjectType` and `InheritedObjectType` into human-readable names, improving usability and performance.
+- Querying audit rules (`-Audit`) or deleted objects (`-IncludeDeletedObjects`) may impact performance on large directories.
+- Ensure the account used has sufficient permissions to read security descriptors.
+
 ## RELATED LINKS
+
+- [ActiveDirectoryAccessRule](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule)
+- [ActiveDirectoryAuditRule](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryauditrule)
+- [Active Directory Module](https://learn.microsoft.com/en-us/powershell/module/activedirectory)
+- [Get-Credential](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential)
+- [DirectorySearcher](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher)
+- [Get-ADEffectiveAccess on GitHub](https://github.com/santisq/ADEffectiveAccess)