Given the SamAccountName and the attribute name, is there a way to get the effective permissions that the running user context has for the attribute on that specific AD account? A bonus would be to show where those permissions are assigned if they are inherited.
I thought System.DirectoryServices.ActiveDirectoryRights might get me somewhere, but no luck there so far. There are a couple of articles by Richard like http://blogs.msmvps.com/richardsiddaway/2012/03/12/display-ad-object-s-security-settings-by-identity/ that will show the permissions on the AD account. Again, I am not able to get to the attribute permissions.
I have created an object that would look like the following:
# One pending attribute change: which attribute, the new value, the old value and the target account
$update = New-Object psobject -Property @{
    ADProperty      = "Division"
    NewADValue      = "Power"
    OldADValue      = ""
    SamAccountName  = "someADuser"
}
and I update AD with something like:
# Replace the attribute named in $update.ADProperty with the new value
Set-ADUser -Identity $update.SamAccountName -Replace @{ $update.ADProperty = "$($update.NewADValue)" }
When I get a permissions error coming back from AD, I want to display the existing permissions on which the error is based and help the user fix it.
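One way to get at the attribute-level ACEs, as an added example that is not part of the original post or of Richard's article: ACEs on an AD object reference an attribute either by the attribute's schemaIDGUID, by the GUID of the property set that contains it (stored in the attribute's attributeSecurityGUID), or by an empty GUID meaning "all properties". The function below resolves those GUIDs from the schema, reads the object's ACL through the AD: drive, keeps only the property-rights ACEs that reference the attribute, marks which ones apply to the SIDs in the current process token, and for inherited ACEs walks up the parent containers to find the object on which the matching non-inherited ACE was set. It assumes the RSAT ActiveDirectory module, a domain-joined session running as the user whose access is in question, and that the attribute is given by its LDAP display name (here the hypothetical account someADuser and the attribute division).

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$PropertyRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Walk up the DN until a non-inherited ACE matching $Ace is found; returns that container's DN.
function Find-AceOrigin {
    param([string] $ObjectDn, [System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    $domainDn = (Get-ADRootDSE).defaultNamingContext
    $dn = $ObjectDn
    # Regex strips the first RDN while honouring escaped commas ("\,") inside an RDN.
    while ($dn -ne $domainDn -and $dn -match '^(?:[^,\\]|\\.)+,(.+)$') {
        $dn = $Matches[1]
        $hit = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference   -eq $Ace.IdentityReference -and
            $_.ActiveDirectoryRights -eq $Ace.ActiveDirectoryRights -and
            $_.AccessControlType   -eq $Ace.AccessControlType -and
            $_.ObjectType          -eq $Ace.ObjectType -and
            $_.InheritedObjectType -eq $Ace.InheritedObjectType
        } | Select-Object -First 1
        if ($hit) { return $dn }
    }
    return $null
}

function Get-AttributeAces {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $AttributeLdapName   # e.g. "division"
    )
    $rootDse = Get-ADRootDSE
    # ACEs identify attributes by schemaIDGUID, or by the GUID of the property set they belong to.
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$AttributeLdapName' not found in the schema" }
    $matchGuids = @([guid]$attr.schemaIDGUID, [guid]::Empty)   # empty GUID = all properties
    if ($attr.attributeSecurityGUID) { $matchGuids += [guid]$attr.attributeSecurityGUID }

    $target = Get-ADUser -Identity $SamAccountName
    $acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"

    # SIDs of the running user and every group in its token, used for the "applies to me" flag.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($ace in $acl.Access) {
        if (-not ($ace.ActiveDirectoryRights -band $PropertyRights)) { continue }
        if ($matchGuids -notcontains $ace.ObjectType) { continue }
        $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            AppliesToMe   = [bool]($sid -and ($mySids -contains $sid))
            AccessType    = $ace.AccessControlType     # Allow or Deny
            Rights        = $ace.ActiveDirectoryRights
            ObjectType    = $ace.ObjectType            # attribute GUID, property-set GUID or empty
            IsInherited   = $ace.IsInherited
            AssignedOn    = if ($ace.IsInherited) { Find-AceOrigin $target.DistinguishedName $ace }
                            else { $target.DistinguishedName }
        }
    }
}

# Usage (run as the user who received the Set-ADUser permission error):
# Get-AttributeAces -SamAccountName someADuser -AttributeLdapName division | Format-Table -AutoSize
```

Read the output as "the ACEs the domain controller will consider for this attribute", not as a final verdict: the DC evaluates Deny entries before Allow entries, an Allow on the attribute's property set or on all properties counts just like one on the attribute itself, and ownership and built-in privileges are not modelled here. When the Set-ADUser call fails, rows with AppliesToMe set to True and AccessType of Deny, or no AppliesToMe row carrying WriteProperty at all, are the ones to show the user; AssignedOn tells them which container's ACL to change.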