When viewing the edsaATEList attribute, the value format should be similar to the value noted below:
[A;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2]
In this example, the permissions can be determined by breaking down this string as noted below:
- First value - Allow or Deny
- Second value - The permission being given
  - In this example, WP for Write Property
- Third value - The Class and/or Attribute schema GUID
  - bf9679c0-0de6-11d0-a285-00aa003049e2 = the attributeSchema for Member
  - bf967a9c-0de6-11d0-a285-00aa003049e2 = the classSchema for Group
From these values it can be determined that this access template is providing Allow permissions to Write Group Memberships.
- To determine what the GUIDs shown in the third value translate to, they can be queried via the get-qadobject cmdlet
  - Example: get-qadobject guid='bf967950-0de6-11d0-a285-00aa003049e2'
- To determine the permissions being given in the second value, please reference the list below
  - SD = Delete
  - DT = Delete Tree
  - RC = Read Control
  - WD = Write Control
  - LC = List Contents
  - LO = List Object
  - CO = Copy
  - MF = Move Out
  - CR = All Extended rights
  - SW = All Validated rights
  - RP = Read All Properties
  - WP = Write All Properties
  - CC = Create All Child Objects
  - DC = Delete All Child Objects
  - MT = Move all Child into this container
  - WO = Write Owner
  - CCDCLCSWRPWPDTLOCRCOSDRCWDWO = Full Control
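
The breakdown above can be scripted when reviewing what an access template grants. The following is an added example, not part of the original article or the product's own tooling: the function name `ConvertFrom-AteListEntry` is hypothetical, the field positions are taken from the single sample value shown above (the empty field after the first value is ignored), and `D` for Deny and support for several bracketed entries in one value are assumptions.

```powershell
# Rights codes exactly as listed on this page.
$RightNames = [ordered]@{
    SD = 'Delete'; DT = 'Delete Tree'; RC = 'Read Control'; WD = 'Write Control'
    LC = 'List Contents'; LO = 'List Object'; CO = 'Copy'; MF = 'Move Out'
    CR = 'All Extended rights'; SW = 'All Validated rights'
    RP = 'Read All Properties'; WP = 'Write All Properties'
    CC = 'Create All Child Objects'; DC = 'Delete All Child Objects'
    MT = 'Move all Child into this container'; WO = 'Write Owner'
}
$FullControl = 'CCDCLCSWRPWPDTLOCRCOSDRCWDWO'
# Only the two schema GUIDs this page translates; resolve any others with get-qadobject.
$KnownGuids = @{
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'attributeSchema: Member'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'classSchema: Group'
}

function ConvertFrom-AteListEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)
    $entries = [regex]::Matches($Value, '\[([^\[\]]*)\]')
    if ($entries.Count -eq 0) { throw "No [..] entry found in: $Value" }
    foreach ($m in $entries) {
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 3) { throw "Too few fields in: $($m.Value)" }
        $type = switch ($f[0]) { 'A' {'Allow'} 'D' {'Deny'} default { throw "Unknown type '$($f[0])'" } }
        $codes = $f[2]
        if ($codes.Length % 2) { throw "Rights string '$codes' is not a run of two-letter codes" }
        $rights = if ($codes -eq $FullControl) { 'Full Control' } else {
            for ($i = 0; $i -lt $codes.Length; $i += 2) {
                $c = $codes.Substring($i, 2)
                if ($RightNames.Contains($c)) { $RightNames[$c] } else { "Unknown ($c)" }
            }
        }
        # Remaining non-empty fields are schema GUIDs (attribute and/or class).
        $targets = $f | Select-Object -Skip 3 | Where-Object { $_ } | ForEach-Object {
            $g = $_.ToLower()
            if ($KnownGuids.ContainsKey($g)) { $KnownGuids[$g] } else { "unresolved GUID $g" }
        }
        [pscustomobject]@{ Type = $type; Rights = $rights -join ', '; AppliesTo = $targets -join ' / ' }
    }
}

# Sample value from this page.
ConvertFrom-AteListEntry '[A;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2]'
```

Entries that decode to Full Control, Write Owner or Write Control are the ones to prioritize when auditing delegated access templates.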