Get current SDDL from AD Administrator

Get-Acl has an Sddl property on the output and you can use it against AD objects like this:

$dn = (Get-ADUser administrator).distinguishedName
(Get-Acl "AD:$dn").Sddl

From there you could convert it with ConvertFrom-SddlString as well. But were I in your shoes, I'd just compare the raw Sddl strings first and only bother converting if they're different (assuming you know your backup value is "good").


Thanks for the hint, Ryan!

Based on this I was able to compare the objects with something like:

$oldSddl = "backupSDDLStringHere"
$oldSddlObject = ConvertFrom-SddlString -Type ActiveDirectoryRights $oldSddl
$dn = (Get-ADUser administrator).distinguishedName
$newSddl = (Get-Acl "AD:$dn").Sddl
$newSddlObject = ConvertFrom-SddlString -Type ActiveDirectoryRights $newSddl
Compare-Object -ReferenceObject $oldSddlObject.DiscretionaryAcl -DifferenceObject $newSddlObject.DiscretionaryAcl

That seems to work and shows me the difference. And Ryan, yes, the SDDL is different, but it might be caused by the CU update.
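Folding the two posts above into one reusable check, as an added example that is not code from either poster: it does Ryan's cheap raw-string comparison first, then falls back to the ACE-level Compare-Object diff and reports only the ACEs that were added or removed, so a DACL that was merely reordered by an update shows as unchanged. It assumes the ActiveDirectory module and the AD: drive are available; the function name, the OwnerChanged field and the $backups hashtable are my own additions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# imported so that Get-ADUser and the AD: PSDrive are available.
function Compare-AdObjectDacl {
    param(
        [Parameter(Mandatory)][string]$Identity,    # sAMAccountName, e.g. 'administrator'
        [Parameter(Mandatory)][string]$BackupSddl   # SDDL string captured before the change
    )
    $dn   = (Get-ADUser -Identity $Identity).DistinguishedName
    $live = (Get-Acl -Path "AD:$dn").Sddl

    # Cheap first check: identical strings mean there is nothing to investigate.
    if ($live -ceq $BackupSddl) {
        return [pscustomobject]@{ Identity = $Identity; Changed = $false; Added = @(); Removed = @(); OwnerChanged = $false }
    }

    # Expand both descriptors into readable ACE strings; -Type makes the
    # access-mask bits render as ActiveDirectoryRights names instead of raw hex.
    $old = ConvertFrom-SddlString -Sddl $BackupSddl -Type ActiveDirectoryRights
    $new = ConvertFrom-SddlString -Sddl $live       -Type ActiveDirectoryRights

    # Compare-Object is order-insensitive, so an ACE list that was only
    # reordered (a common side effect of updates) yields no Added/Removed rows.
    # @() guards against an empty DACL, which Compare-Object would reject as null.
    $diff = Compare-Object -ReferenceObject @($old.DiscretionaryAcl) -DifferenceObject @($new.DiscretionaryAcl)

    [pscustomobject]@{
        Identity     = $Identity
        Changed      = [bool]$diff
        Added        = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed      = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        OwnerChanged = ($old.Owner -ne $new.Owner)
    }
}

# Usage: one entry per account you keep a backup SDDL for. The value below is a
# constructed placeholder; replace it with the string saved from your backup.
$backups = @{
    'administrator' = 'PLACEHOLDER_BACKUP_SDDL'
}
$backups.GetEnumerator() |
    ForEach-Object { Compare-AdObjectDacl -Identity $_.Key -BackupSddl $_.Value } |
    Format-List
```

Only the Added and Removed lists need review; a result with Changed = $false after a non-identical raw string is exactly the reordering case.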