Enumerate AD ACLs
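# import PowerView (Get-DomainObjectAcl, Convert-ADName and ConvertFrom-SID below come from it).
# The path is relative to the current directory, so run this from the expected folder.
Import-Module ..\PowerView.ps1

# Audit scope — set once here; every query below derives its target from these
# instead of repeating the literal 'domain.com' / 'DC=domain,DC=com'.
$Domain   = 'domain.com'
$DomainDN = 'DC=domain,DC=com'

# Filter: only principals whose final RID is 1000 or higher, i.e. accounts/groups created
# after the domain was built. Default principals (RID < 1000, e.g. Domain Admins = 512,
# and well-known SIDs such as S-1-5-32-544) are expected to hold these rights and are
# left out so they do not drown the findings.
$NonDefaultPrincipalSid = '^S-1-5-.*-[1-9]\d{3,}$'

# Rights that let a principal change an object or its security descriptor.
$ModifyRights = 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner'

# GPO misconfiguration enumeration: ACEs granting a non-default principal modify rights
# on a Group Policy container. Each row is a principal that can alter the policy; any
# entry that is not a designated GPO administrator should be removed from the GPO's ACL.
Get-DomainObjectAcl -Domain $Domain -LDAPFilter '(objectCategory=groupPolicyContainer)' -ResolveGUIDs |
    Where-Object {
        ($_.SecurityIdentifier -match $NonDefaultPrincipalSid) -and
        ($_.ActiveDirectoryRights -match $ModifyRights)
    } |
    ForEach-Object {
        # Resolve the SID to a DN so the report names the principal, not just its SID.
        $PrincipalDN = Convert-ADName $_.SecurityIdentifier -OutputType DN
        New-Object PSObject -Property @{
            'ObjectDN'     = $_.ObjectDN
            'PrincipalSID' = $_.SecurityIdentifier
            'PrincipalDN'  = $PrincipalDN
        }
    } |
    Format-List

# other misconfigurations

# Replication rights on the domain head (the resolved ObjectAceType is one of the
# DS-Replication-Get-Changes* GUIDs, hence the 'replication-get' match). Only domain
# controllers and known directory-sync service accounts should appear here.
Get-DomainObjectAcl $DomainDN -ResolveGUIDs |
    Where-Object {
        ($_.ObjectAceType -match 'replication-get') -and
        ($_.SecurityIdentifier -match $NonDefaultPrincipalSid)
    } |
    ForEach-Object { ConvertFrom-SID $_.SecurityIdentifier }

# Non-default principals with modify rights over any group object.
# NOTE: $User holds ACE objects on *groups* (the name is kept for compatibility with
# the original snippet); the principals are in its SecurityIdentifier property.
$User = Get-DomainObjectAcl -LDAPFilter '(objectclass=group)' -ResolveGUIDs |
    Where-Object {
        ($_.SecurityIdentifier -match $NonDefaultPrincipalSid) -and
        ($_.ActiveDirectoryRights -match $ModifyRights)
    }
$User
# ConvertFrom-SID rejects a null argument, so only resolve when the query returned ACEs.
if ($User) {
    ConvertFrom-SID $User.SecurityIdentifier
}

# Extended right User-Force-Change-Password (reset password without knowing the current one).
# The first query walks every object in the domain and can take a long time on large
# directories; narrow it with -SearchBase or -LDAPFilter if only part of the tree matters.
Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -match 'User-Force-Change-Password' }

# The same right on AdminSDHolder: its ACL is copied onto every protected (adminCount=1)
# account by SDProp, so a stray ACE here is inherited by all privileged accounts.
Get-DomainObjectAcl "CN=AdminSDHolder,CN=System,$DomainDN" -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -match 'User-Force-Change-Password' }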