more progress

santisq · santisq · commit bb75d8976d7c · 2025-10-13T16:30:16.000-07:00
diff --git a/docs/en-US/Get-ADEffectiveAccess.md b/docs/en-US/Get-ADEffectiveAccess.md
@@ -1,7 +1,7 @@
 ---
 external help file: ADEffectiveAccess.dll-Help.xml
 Module Name: ADEffectiveAccess
-online version:
+online version: https://github.com/santisq/ADEffectiveAccess/blob/main/docs/en-US/Get-ADEffectiveAccess.md
 schema: 2.0.0
 ---
 
diff --git a/module/ADEffectiveAccess.psd1 b/module/ADEffectiveAccess.psd1
@@ -30,7 +30,7 @@
     Copyright         = '(c) Santiago Squarzon. All rights reserved.'
 
     # Description of the functionality provided by this module
-    # Description = ''
+    Description       = 'Active Directory friendly ACLs'
 
     # Minimum version of the PowerShell engine required by this module
     PowerShellVersion = '5.1'
@@ -123,7 +123,7 @@
     } # End of PrivateData hashtable
 
     # HelpInfo URI of this module
-    HelpInfoURI = ''
+    HelpInfoURI       = 'https://github.com/santisq/ADEffectiveAccess/blob/main/docs/en-US/Get-ADEffectiveAccess.md'
 
     # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
     # DefaultCommandPrefix = ''
diff --git a/src/ADEffectiveAccess/Extensions.cs b/src/ADEffectiveAccess/Extensions.cs
@@ -0,0 +1,19 @@
+using System.Collections.Generic;
+
+namespace ADEffectiveAccess;
+
+internal static class Extensions
+{
+    internal static bool TryAdd<TKey, TValue>(
+        this IDictionary<TKey, TValue> dictionary,
+        TKey key,
+        TValue value)
+    {
+        bool result;
+        if (result = !dictionary.ContainsKey(key))
+        {
+            dictionary.Add(key, value);
+        }
+        return !result;
+    }
+}
diff --git a/src/ADEffectiveAccess/GetADEffectiveAccessComand.cs b/src/ADEffectiveAccess/GetADEffectiveAccessComand.cs
@@ -4,21 +4,30 @@
 
 namespace ADEffectiveAccess;
 
-[Cmdlet(VerbsCommon.Get, "ADEffectiveAccess")]
+[Cmdlet(VerbsCommon.Get, "ADEffectiveAccess", DefaultParameterSetName = FilterSet)]
+[OutputType(typeof(EffectiveAccessRule), typeof(EffectiveAuditRule))]
 [Alias("gea", "gacl")]
 public sealed class GetADEffectiveAccessComand : PSCmdlet
 {
     private const string SecurityDescriptor = "nTSecurityDescriptor";
 
+    private const string FilterSet = "Filter";
+
+    private const string IdentitySet = "Identity";
+
     private SchemaMap? _map;
 
-    [Parameter(Position = 0)]
+    [Parameter(Position = 0, ParameterSetName = FilterSet)]
+    [ValidateNotNullOrEmpty]
     public string? LdapFilter { get; set; }
 
+    [Parameter(Position = 0, Mandatory = true, ParameterSetName = IdentitySet)]
+    public string? Identity { get; set; }
+
     [Parameter]
     public SwitchParameter Audit { get; set; }
 
-    [Parameter]
+    [Parameter(ParameterSetName = FilterSet)]
     [ValidateRange(0, int.MaxValue)]
     public int Top { get; set; } = 0;
 
@@ -28,13 +37,20 @@ public sealed class GetADEffectiveAccessComand : PSCmdlet
     [Parameter]
     public SearchScope SearchScope { get; set; } = SearchScope.Subtree;
 
+    [Parameter]
+    [ValidateNotNullOrEmpty]
+    public string? SearchBase { get; set; } = string.Empty;
+
     [Parameter]
     [Credential]
     public PSCredential? Credential { get; set; }
 
     [Parameter]
     public string? Server { get; set; }
 
+    [Parameter]
+    public int PageSize { get; set; } = 1000;
+
     protected override void BeginProcessing()
     {
         try
@@ -53,11 +69,13 @@ protected override void BeginProcessing()
 
     protected override void EndProcessing()
     {
-        using DirectorySearcher searcher = new(LdapFilter, [SecurityDescriptor])
+        using DirectoryEntry root = new(SearchBase);
+        using DirectorySearcher searcher = new(root, LdapFilter, [SecurityDescriptor])
         {
             SizeLimit = Top,
             Tombstone = IncludeDeletedObjects,
             SearchScope = SearchScope,
+            PageSize = PageSize,
             SecurityMasks = SecurityMasks.Group |
                 SecurityMasks.Dacl |
                 SecurityMasks.Owner
diff --git a/src/ADEffectiveAccess/SchemaMap.cs b/src/ADEffectiveAccess/SchemaMap.cs
@@ -12,8 +12,10 @@ internal SchemaMap(string? server = null)
     {
         string path = server is null ? "LDAP://RootDSE" : $"LDAP://{server}/RootDSE";
         using DirectoryEntry root = new(path);
-        string? ctx = root.Properties["schemaNamingContext"][0]?.ToString();
-        if (ctx is not null) PopulateMap(ctx, _schemaMap);
+        string? ctxSchema = root.Properties["schemaNamingContext"][0]?.ToString();
+        string? ctxConfig = root.Properties["configurationNamingContext"][0]?.ToString();
+        if (ctxSchema is not null) PopulateSchema(ctxSchema, _schemaMap);
+        if (ctxConfig is not null) PopulateExtendedRights(ctxConfig, _schemaMap);
     }
 
     internal string Translate(Guid guid, string defaultValue)
@@ -26,20 +28,44 @@ internal string Translate(Guid guid, string defaultValue)
         return guid.ToString();
     }
 
-    private static void PopulateMap(
+    private static void PopulateSchema(
         string schemaNamingContext,
         Dictionary<Guid, string> map)
     {
         using DirectoryEntry root = new($"LDAP://{schemaNamingContext}");
         using DirectorySearcher searcher = new(
             searchRoot: root,
-            filter: "(schemaIDGUID=*)",
-            propertiesToLoad: ["cn", "schemaIDGuid"]);
+            filter: "(&(schemaIdGuid=*)(|(objectClass=attributeSchema)(objectClass=classSchema)))",
+            propertiesToLoad: ["cn", "schemaIdGuid"])
+        {
+            PageSize = 1000
+        };
+
+        foreach (SearchResult result in searcher.FindAll())
+        {
+            map.TryAdd(
+                new Guid((byte[])result.Properties["schemaIdGuid"][0]),
+                result.Properties["cn"][0].ToString());
+        }
+    }
+
+    private static void PopulateExtendedRights(
+        string configurationNamingContext,
+        Dictionary<Guid, string> map)
+    {
+        using DirectoryEntry root = new($"LDAP://CN=Extended-Rights,{configurationNamingContext}");
+        using DirectorySearcher searcher = new(
+            searchRoot: root,
+            filter: "(objectClass=controlAccessRight)",
+            propertiesToLoad: ["cn", "rightsGuid"])
+        {
+            PageSize = 1000
+        };
 
         foreach (SearchResult result in searcher.FindAll())
         {
-            map.Add(
-                new Guid((byte[])result.Properties["schemaIDGUID"][0]),
+            map.TryAdd(
+                Guid.Parse(result.Properties["rightsGuid"][0].ToString()),
                 result.Properties["cn"][0].ToString());
         }
     }
