i think this is done

santisq · santisq · commit b6f4f74545b9 · 2025-10-19T15:04:34.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# CHANGELOG
+
+## [0.0.1] - 2025-10-19
+
+- Rewritten in C# for improved performance and uploaded to the PowerShell Gallery.
+- Added enhanced functionality compared to the [original PowerShell version](https://gist.github.com/santisq/a84af707780b1168f1fa390632096a5a), including LDAP search (`-LdapFilter`), audit rules (`-Audit`), deleted object support (`-IncludeDeletedObjects`), and pipeline input from AD cmdlets. See the [Parameters section](./docs/en-US/Get-ADEffectiveAccess.md#parameters) for details.
+- Implemented per-session, per-domain caching for GUID translation (`ObjectType` and `InheritedObjectType`), improving efficiency and reducing LDAP queries.
+- Enhanced error handling for invalid search bases and identity resolution, ensuring robust validation.
diff --git a/README.md b/README.md
@@ -1,52 +1,130 @@
-# Get-EffectiveAccess
+<h1 align="center">ADEffectiveAccess</h1>
 
-## Description
+<div align="center">
+<sub>AD ACLs with readable rights, flexible LDAP and no AD module needed</sub>
+<br /><br />
+
+[![build](https://github.com/santisq/ADEffectiveAccess/actions/workflows/ci.yml/badge.svg)](https://github.com/santisq/ADEffectiveAccess/actions/workflows/ci.yml)
+[![PowerShell Gallery](https://img.shields.io/powershellgallery/v/ADEffectiveAccess?label=gallery)](https://www.powershellgallery.com/packages/ADEffectiveAccess)
+[![LICENSE](https://img.shields.io/github/license/santisq/ADEffectiveAccess)](https://github.com/santisq/ADEffectiveAccess/blob/main/LICENSE)
+
+</div>
 
 > [!NOTE]
-> This function is being rewritten to C#, you can find the original version in [this Gist](https://gist.github.com/santisq/a84af707780b1168f1fa390632096a5a)
+> This module has been rewritten in C# for improved performance and maintainability. The original PowerShell version is available in [this Gist](https://gist.github.com/santisq/a84af707780b1168f1fa390632096a5a).
+
+ADEffectiveAccess is a PowerShell module that provides the `Get-ADEffectiveAccess` cmdlet, an enhanced alternative to `Get-Acl` for Active Directory. This cmdlet retrieves access control lists (ACLs) for AD objects, returning effective access and audit rules. It translates `ObjectType` and `InheritedObjectType` GUIDs into human-readable names using a per-session, per-domain map for improved performance and readability.
+
+Unlike `Get-Acl`, there is no dependency on the Active Directory module and includes built-in LDAP search functionality to locate objects.
+
+## Documentation
+
+Check out [__the documentation__](./docs/en-US/Get-ADEffectiveAccess.md) for cmdlet usage and more examples.
+
+## Installation
+
+### Gallery
+
+The module is available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/ADEffectiveAccess):
+
+```powershell
+Install-Module ADEffectiveAccess -Scope CurrentUser
+```
+
+### Source
 
-PowerShell function that tries to give a friendly translation of [`Get-Acl`](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2) into human readable data. The function is designed exclusively for Active Directory, and requires the [__ActiveDirectory Module__](https://docs.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps).
+```powershell
+git clone 'https://github.com/santisq/ADEffectiveAccess.git'
+Set-Location ./ADEffectiveAccess
+./build.ps1
+```
+
+## Requirements
+
+This module requires __Windows OS__ and is compatible with __Windows PowerShell v5.1__ and [__PowerShell 7+__](https://github.com/PowerShell/PowerShell). No Active Directory module is required. Appropriate permissions are needed to read security descriptors.
+
+## Usage
+
+Below are examples demonstrating how to use `Get-ADEffectiveAccess` to retrieve Active Directory ACLs:
 
-## Examples
+### Get ACL for a specific user by sAMAccountName
 
-- Get the _Effective Access_ of the Organizational Unit named `ExampleOU`:
+Retrieves effective access rules for the user `john.galt` in the current domain.
 
 ```powershell
-Get-ADOrganizationalUnit -Filter "Name -eq 'ExampleOU'" |
-    Get-EffectiveAccess | Out-GridView
+PS /> $acl = Get-ADEffectiveAccess john.galt
+PS /> $acl
+
+   Path: LDAP://CN=John Galt,CN=Users,DC=mylab,DC=local
+
+IdentityReference                 ObjectType                      InheritedObjectType  ActiveDirectoryRights
+-----------------                 ----------                      -------------------  ---------------------
+NT AUTHORITY\SELF                 All Objects (Full Control)      Any Inherited Object GenericRead
+NT AUTHORITY\Authenticated Users  All Objects (Full Control)      Any Inherited Object ReadControl
+NT AUTHORITY\SYSTEM               All Objects (Full Control)      Any Inherited Object GenericAll
+BUILTIN\Account Operators         All Objects (Full Control)      Any Inherited Object GenericAll
+mylab\Domain Admins               All Objects (Full Control)      Any Inherited Object GenericAll
+Everyone                          User-Change-Password            Any Inherited Object ExtendedRight
+NT AUTHORITY\SELF                 Email-Information               Any Inherited Object ReadProperty, WriteProperty
+....
+
+PS /> $acl[30] | Format-List
+
+ActiveDirectoryRights       : ReadProperty
+InheritanceType             : Descendents
+ObjectType                  : 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
+InheritedObjectType         : 4828cc14-1437-45bc-9b07-ad6f015e5f28
+ObjectFlags                 : ObjectAceTypePresent, InheritedObjectAceTypePresent
+AccessControlType           : Allow
+Type                        : Access
+Owner                       : mylab\Domain Admins
+Group                       : mylab\Domain Admins
+Path                        : LDAP://CN=John Galt,CN=Users,DC=mylab,DC=local
+IdentityReference           : BUILTIN\Pre-Windows 2000 Compatible Access
+InheritanceFlags            : ContainerInherit
+IsInherited                 : True
+PropagationFlags            : InheritOnly
+ObjectTypeToString          : General-Information
+InheritedObjectTypeToString : inetOrgPerson
 ```
 
-- Same as above but using the OU's `DistinguishedName` attribute:
+### Get ACLs for all users in an OU with audit rules
+
+Fetches access and audit rules for all users in the `Users` OU, including SACL rules.
 
 ```powershell
-Get-EffectiveAccess -Identity 'OU=ExampleOU,DC=domainName,DC=com' | Out-GridView
+PS /> Get-ADEffectiveAccess -LdapFilter "(objectCategory=person)" -SearchBase "OU=Users,DC=mylab,DC=local" -Audit
 ```
 
-- Get the _Effective Access_ of the Organizational Unit named `ExampleOU` on a Trusted Domain:
+### Pipe AD user object to retrieve ACL
+
+Uses pipeline input from `Get-ADUser` to get effective access rules for the user `jdoe`.
 
-```sh
-Get-ADOrganizationalUnit -Filter "Name -eq 'ExampleOU'" -Server trustedDomain |
-    Get-EffectiveAccess -Server trustedDomain | Out-GridView
+```powershell
+PS /> Get-ADUser -Identity "jdoe" | Get-ADEffectiveAccess
 ```
 
-- Store the _Effective Access_ of the group named `exampleGroup` in a variable:
+### Get ACLs for deleted groups with a limit
+
+Retrieves access rules for up to 10 deleted group objects.
 
 ```powershell
-$effectiveAccess = Get-ADGroup exampleGroup | Get-EffectiveAccess
+PS /> Get-ADEffectiveAccess -LdapFilter "(&(isDeleted=TRUE)(objectClass=group))" -IncludeDeletedObjects -Top 10
 ```
 
-- Get the _Effective Access_ of the first 10 OUs found in the Domain:
+### Query ACLs with specific credentials
+
+Retrieves access rules for a user using specified credentials.
 
 ```powershell
-Get-ADOrganizationalUnit -Filter * | Select -First 10 |
-    Get-EffectiveAccess | Out-GridView
+PS /> Get-ADEffectiveAccess -Identity "john.galt" -Credential (Get-Credential)
 ```
 
-## Sample output with `Out-GridView`
+## Changelog
 
-![exampleoutput](/Screenshot/effectiveAccess.png?raw=true)
+- [CHANGELOG.md](./CHANGELOG.md)
+- [Releases](https://github.com/santisq/ADEffectiveAccess/releases)
 
-## Requirements
+## Contributing
 
-- PowerShell v5.1+
-- ActiveDirectory PS Module
+Contributions are welcome, if you wish to contribute, fork this repository and submit a pull request with the changes.
diff --git a/docs/en-US/Get-ADEffectiveAccess.md b/docs/en-US/Get-ADEffectiveAccess.md
@@ -54,10 +54,10 @@ Unlike `Get-Acl`, there is no dependency on the Active Directory module and incl
 ### Example 1: Get ACL for a specific user by sAMAccountName
 
 ```powershell
-PS \> Get-ADEffectiveAccess -Identity John.Doe
+PS \> Get-ADEffectiveAccess -Identity john.galt
 ```
 
-Retrieves the effective access rules for the user `John.Doe` in the current domain.
+Retrieves the effective access rules for the user `john.galt` in the current domain.
 
 ### Example 2: Get ACLs for all users in an OU with audit rules
 
@@ -91,6 +91,14 @@ PS \> Get-ADEffectiveAccess -LdapFilter "(objectClass=computer)" -Server "myChil
 
 Retrieves access rules for all `computer` objects in a child domain with secure authentication and fast bind.
 
+### Example 6: Query ACLs with specific credentials
+
+Retrieves access rules for a user using specified credentials.
+
+```powershell
+PS /> Get-ADEffectiveAccess -Identity "john.galt" -Credential (Get-Credential)
+```
+
 ## PARAMETERS
 
 ### -Audit
@@ -191,7 +199,7 @@ Specifies the AD DS instance to connect to. Accepts:
 - Fully qualified domain name
 - NetBIOS name
 - Directory server name (with optional port, e.g. `myDC01:636`)
-- Global Catalog (e.g. `GC://myDomain`)
+- Global Catalog (e.g. `GC://myCatalogServer`)
 
 Defaults to the current domain if not specified.
 
diff --git a/module/ADEffectiveAccess.psd1 b/module/ADEffectiveAccess.psd1
@@ -32,7 +32,7 @@
     Copyright         = '(c) Santiago Squarzon. All rights reserved.'
 
     # Description of the functionality provided by this module
-    Description       = 'Active Directory friendly ACLs'
+    Description       = 'AD ACLs with readable rights, flexible LDAP and no AD module needed.'
 
     # Minimum version of the PowerShell engine required by this module
     PowerShellVersion = '5.1'
@@ -97,7 +97,21 @@
         PSData = @{
 
             # Tags applied to this module. These help with module discovery in online galleries.
-            # Tags = @()
+            Tags       = @(
+                'powershell',
+                'csharp',
+                'activedirectory',
+                'acl',
+                'accesscontrol',
+                'security',
+                'permissions',
+                'ldap',
+                'audit',
+                'directoryservices',
+                'ad',
+                'guidtranslation',
+                'tombstone'
+            )
 
             # A URL to the license for this module.
             LicenseUri = 'https://github.com/santisq/ADEffectiveAccess/blob/main/LICENSE'
diff --git a/src/ADEffectiveAccess/GuidResolver.cs b/src/ADEffectiveAccess/GuidResolver.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.DirectoryServices;
+using System.Text.RegularExpressions;
 
 namespace ADEffectiveAccess;
 
@@ -26,6 +27,7 @@ private GuidResolver() { }
 
     internal void SetContext(string? server, DirectoryEntryBuilder builder)
     {
+        if (server is not null) server = Regex.Replace(server, "(?i)GC://", "LDAP://");
         using DirectoryEntry rootDSE = builder.Create(server, "RootDSE");
         string context = rootDSE.GetRootProperty(DefaultContext);
 
