added insufficient access scenario

FriedrichWeinmann · FriedrichWeinmann · commit 84dffe34e499 · 2025-01-22T08:49:35.000+01:00
diff --git a/ADSec/ADSec.psd1 b/ADSec/ADSec.psd1
@@ -3,7 +3,7 @@
 	RootModule = 'ADSec.psm1'
 	
 	# Version number of this module.
-	ModuleVersion = '1.0.3'
+	ModuleVersion = '1.0.4'
 	
 	# ID used to uniquely identify this module
 	GUID = '1cfaca0a-3c7d-47dd-bb9f-9711310a0b9d'
diff --git a/ADSec/changelog.md b/ADSec/changelog.md
@@ -1,9 +1,10 @@
 ﻿# Changelog
 
-## 1.0.3 (2025-01-22)
+## 1.0.4 (2025-01-22)
 
 - Upd: Raised PSFramework Dependency Version to 1.12.346
 - Upd: Get-AdsAcl - Enabled retrieving ACL from deleted objects
+- Upd: Get-AdsAcl - Detect insufficient access rights to retrieve security information
 
 ## 1.0.1 (2022-04-04)
 
diff --git a/ADSec/en-us/strings.psd1 b/ADSec/en-us/strings.psd1
@@ -13,6 +13,7 @@
 	'Enable-AdsInheritance.Processing'         = 'Starting process to enable inheritance on {0}' # $pathItem
 	'Enable-AdsInheritance.ReadAcl.Failed'     = 'Failed to access acl on {0}' # $pathItem
 	'Enable-AdsInheritance.Updating.Acl'       = 'Enabling inheritance' # 
+	'Get-AdsAcl.NoSecurityProperty'            = 'No security information found on {0}. Ensure you have sufficient access.' # $pathItem
 	'Get-AdsAcl.ObjectError'                   = 'Error accessing item: {0}' # $pathItem
 	'Get-AdsAcl.Processing'                    = 'Retrieving Acl from {0}' # $pathItem
 	'Get-AdsOrphanAce.Read.Failed'             = 'Failed to access {0}' # $pathItem
diff --git a/ADSec/functions/acl/Get-AdsAcl.ps1 b/ADSec/functions/acl/Get-AdsAcl.ps1
@@ -57,6 +57,10 @@
 			try { $adObject = Get-ADObject @adParameters -Identity $pathItem -Properties ntSecurityDescriptor -IncludeDeletedObjects }
 			catch { Stop-PSFFunction -String 'Get-AdsAcl.ObjectError' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -ErrorRecord $_ -Continue }
 			$aclObject = $adObject.ntSecurityDescriptor
+			if (-not $aclObject) {
+				Stop-PSFFunction -String 'Get-AdsAcl.NoSecurityProperty' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -Category PermissionDenied -Continue
+			}
+
 			Add-Member -InputObject $aclObject -MemberType NoteProperty -Name DistinguishedName -Value $adObject.DistinguishedName -Force
 			$aclObject
 		}
