diff --git a/ADSec/ADSec.psd1 b/ADSec/ADSec.psd1 index bf562f0..9165490 100644 --- a/ADSec/ADSec.psd1 +++ b/ADSec/ADSec.psd1 @@ -3,7 +3,7 @@ RootModule = 'ADSec.psm1' # Version number of this module. - ModuleVersion = '1.0.1' + ModuleVersion = '1.0.4' # ID used to uniquely identify this module GUID = '1cfaca0a-3c7d-47dd-bb9f-9711310a0b9d' @@ -26,7 +26,7 @@ # Modules that must be imported into the global environment prior to importing # this module RequiredModules = @( - @{ ModuleName='PSFramework'; ModuleVersion='1.0.35' } + @{ ModuleName='PSFramework'; ModuleVersion='1.12.346' } ) # Assemblies that must be loaded prior to importing this module diff --git a/ADSec/changelog.md b/ADSec/changelog.md index 81186ef..f461c96 100644 --- a/ADSec/changelog.md +++ b/ADSec/changelog.md @@ -1,5 +1,11 @@ # Changelog +## 1.0.4 (2025-01-22) + +- Upd: Raised PSFramework Dependency Version to 1.12.346 +- Upd: Get-AdsAcl - Enabled retrieving ACL from deleted objects +- Upd: Get-AdsAcl - Detect insufficient access rights to retrieve security information + ## 1.0.1 (2022-04-04) - New: Configuration setting to disable connection verification diff --git a/ADSec/en-us/strings.psd1 b/ADSec/en-us/strings.psd1 index dd1665c..55eb60f 100644 --- a/ADSec/en-us/strings.psd1 +++ b/ADSec/en-us/strings.psd1 @@ -13,6 +13,7 @@ 'Enable-AdsInheritance.Processing' = 'Starting process to enable inheritance on {0}' # $pathItem 'Enable-AdsInheritance.ReadAcl.Failed' = 'Failed to access acl on {0}' # $pathItem 'Enable-AdsInheritance.Updating.Acl' = 'Enabling inheritance' # + 'Get-AdsAcl.NoSecurityProperty' = 'No security information found on {0}. Ensure you have sufficient access.' # $pathItem 'Get-AdsAcl.ObjectError' = 'Error accessing item: {0}' # $pathItem 'Get-AdsAcl.Processing' = 'Retrieving Acl from {0}' # $pathItem 'Get-AdsOrphanAce.Read.Failed' = 'Failed to access {0}' # $pathItem diff --git a/ADSec/functions/acl/Get-AdsAcl.ps1 b/ADSec/functions/acl/Get-AdsAcl.ps1 index aecdb16..d8797bf 100644 
--- a/ADSec/functions/acl/Get-AdsAcl.ps1 +++ b/ADSec/functions/acl/Get-AdsAcl.ps1 @@ -1,6 +1,5 @@ -function Get-AdsAcl -{ -<# +function Get-AdsAcl { + <# .SYNOPSIS Reads the ACL from an AD object. @@ -44,23 +43,24 @@ $EnableException ) - begin - { + begin { $adParameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential Assert-ADConnection @adParameters -Cmdlet $PSCmdlet } - process - { + process { if (Test-PSFFunctionInterrupt) { return } - foreach ($pathItem in $Path) - { + foreach ($pathItem in $Path) { if (-not $pathItem) { continue } Write-PSFMessage -String 'Get-AdsAcl.Processing' -StringValues $pathItem - try { $adObject = Get-ADObject @adParameters -Identity $pathItem -Properties ntSecurityDescriptor } + try { $adObject = Get-ADObject @adParameters -Identity $pathItem -Properties ntSecurityDescriptor -IncludeDeletedObjects } catch { Stop-PSFFunction -String 'Get-AdsAcl.ObjectError' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -ErrorRecord $_ -Continue } $aclObject = $adObject.ntSecurityDescriptor + if (-not $aclObject) { + Stop-PSFFunction -String 'Get-AdsAcl.NoSecurityProperty' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -Category PermissionDenied -Continue + } + Add-Member -InputObject $aclObject -MemberType NoteProperty -Name DistinguishedName -Value $adObject.DistinguishedName -Force $aclObject }
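Review bot: With `-IncludeDeletedObjects` now passed unconditionally to `Get-ADObject` in the `try` line, the ACL object emitted at the end of the loop is tagged only with `DistinguishedName`, so a consumer cannot tell a deleted object's security descriptor from a live one's. In an ACL audit that matters, because findings on tombstoned objects would be reported, and possibly acted on, as if the objects were still in use. Whether other commands in the module consume this output is not visible in the diff, so treat that part as an assumption to check. I would request the attribute and expose it next to the existing note property: `-Properties ntSecurityDescriptor, isDeleted -IncludeDeletedObjects` and `Add-Member -InputObject $aclObject -MemberType NoteProperty -Name IsDeleted -Value ([bool]$adObject.isDeleted) -Force`. The function's help block and parameter list begin outside this hunk, so the `.DESCRIPTION` text should also say that deleted objects are returned if it does not already.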