get-objectacl retrieves the full access control list from the nTSecurityDescriptor of any Active Directory object, exposing every ACE (Access Control Entry) that governs who can read, write, or control that object. By default the DACL (Discretionary ACL) is returned, but switching to the SACL (System ACL) is also possible for auditing scenarios. The command pairs naturally with --resolve-sids and --resolve-guids to turn raw SID and GUID values into human-readable principal names and right descriptions — a workflow that closely mirrors the output produced by BloodHound’s ACL analysis engine. Filtering by a specific rights type lets you zero in on high-value delegations such as password resets or group membership writes without wading through every ACE.
Synopsis
Parameters
Connection
IP address of the Domain Controller to target.
Name of the domain used for authentication (e.g. contoso.com).
Username to authenticate with against the Domain Controller.
Password associated with the user account.
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
Use Kerberos authentication. Credentials are read from the ccache file referenced by the KRB5CCNAME environment variable. Falls back to command-line credentials if no valid ticket is found.
Force a TLS-encrypted connection to the Domain Controller.
Force SIMPLE LDAP authentication instead of the default NTLM/SASL binding.
SChannel (Certificate Authentication)
Path to the certificate file associated with the user account, used for SChannel-based authentication.
Path to the private key file associated with the user certificate.
Object Selection
SID of the object whose ACL you want to retrieve. Wildcards are accepted.
samAccountName of the object to look up. Wildcards are accepted (e.g. svc_*).
Display name of the object to look up. Wildcards are accepted (e.g. Domain*).
The domain to query. Defaults to the domain of the authenticated user.
Additional ADS path to restrict the LDAP search base (e.g. OU=Groups,DC=contoso,DC=com).
A raw LDAP filter string appended to the generated query, enabling arbitrary filtering beyond the built-in selectors.
ACL Options
Return the SACL (System ACL) instead of the DACL. The SACL contains auditing entries and typically requires a privileged account to read.
Filter ACEs to a specific delegated right. Accepted values:
| Value | Description |
|---|---|
| reset-password | ACEs granting the ability to reset the object’s password |
| write-members | ACEs granting write access to the member attribute |
| allowed-to-authenticate | ACEs granting the Allowed-To-Authenticate extended right |
| all | All ACEs (equivalent to no filter) |
Resolution
Resolve trustee SIDs in the ACL entries to their distinguished names. Without this flag, raw SID strings are returned.
Resolve object-type and inherited-object-type GUIDs to their display names by querying the schema and extended-rights containers on the DC.
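The rights filter and GUID resolution described above, as an added worked example (not pywerview's own code): it walks a raw DACL blob as stored in nTSecurityDescriptor, attaches the well-known object-type GUIDs behind reset-password, write-members and allowed-to-authenticate, and keeps only ACEs whose access mask and object-type GUID match the requested right. The matching rule (control-access or write-property bit plus the right's GUID) is my reading of the filter semantics, and the sample DACL is constructed, not captured from a DC.

```python
import struct
import uuid

# Object-type GUIDs behind the rights filter (well-known AD schema / extended-right GUIDs)
RIGHT_GUIDS = {
    "reset-password": uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"),  # User-Force-Change-Password
    "write-members": uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2"),   # member attribute
    "allowed-to-authenticate": uuid.UUID("68b1d179-0d15-4d4f-ab71-46152e79a7bc"),
}
DS_WRITE_PROP, DS_CONTROL_ACCESS = 0x20, 0x100  # ADS_RIGHT_DS_WRITE_PROP / ADS_RIGHT_DS_CONTROL_ACCESS

def sid_to_str(buf):
    rev, n, auth = buf[0], buf[1], int.from_bytes(buf[2:8], "big")
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in struct.unpack_from("<%dI" % n, buf, 8))

def parse_acl(blob):
    """Walk a raw ACL (8-byte header + ACEs); object ACEs (types 0x05/0x06) carry an optional type GUID."""
    count, off, aces = struct.unpack_from("<BBHHH", blob, 0)[3], 8, []
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", blob, off)
        body = blob[off + 4:off + size]
        mask, pos, obj_type = struct.unpack_from("<I", body, 0)[0], 4, None
        if ace_type in (0x05, 0x06):
            obj_flags, pos = struct.unpack_from("<I", body, 4)[0], 8
            if obj_flags & 0x1:  # ACE_OBJECT_TYPE_PRESENT
                obj_type, pos = uuid.UUID(bytes_le=body[pos:pos + 16]), pos + 16
            if obj_flags & 0x2:  # ACE_INHERITED_OBJECT_TYPE_PRESENT: skipped, not needed for the filter
                pos += 16
        aces.append({"denied": ace_type in (0x01, 0x06), "mask": mask,
                     "object_type": obj_type, "sid": sid_to_str(body[pos:])})
        off += size
    return aces

def filter_aces(aces, rights="all"):
    """Apply the rights filter: control-access or write-property ACEs scoped to the right's GUID."""
    if rights == "all":
        return aces
    need = DS_WRITE_PROP if rights == "write-members" else DS_CONTROL_ACCESS
    return [a for a in aces if a["mask"] & need and a["object_type"] == RIGHT_GUIDS[rights]]

# Constructed sample DACL (not captured from a real DC): two scoped ACEs plus a plain GenericAll ACE.
def _sid(*subs): return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def _object_ace(mask, guid, sid): return struct.pack("<BBHII", 0x05, 0, 28 + len(sid), mask, 0x1) + guid.bytes_le + sid
def _plain_ace(mask, sid): return struct.pack("<BBHI", 0x00, 0, 8 + len(sid), mask) + sid
def _acl(*aces): return struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
SAMPLE_DACL = _acl(
    _object_ace(DS_CONTROL_ACCESS, RIGHT_GUIDS["reset-password"], _sid(21, 1, 2, 3, 1105)),
    _object_ace(DS_WRITE_PROP, RIGHT_GUIDS["write-members"], _sid(21, 1, 2, 3, 1106)),
    _plain_ace(0x10000000, _sid(21, 1, 2, 3, 512)),  # GENERIC_ALL, unscoped: not caught by a GUID-scoped filter
)
```

Note that the unscoped GenericAll ACE grants both rights in practice but is not returned by a GUID-scoped filter, so a review of delegations should also inspect the unfiltered output.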
Output
Print results as JSON instead of the default human-readable format.
Verbosity of log output written to stderr. Choices:
CRITICAL (default), WARNING, DEBUG, ULTRA.
Usage Examples
--sacl requires that the authenticating account holds the SeSecurityPrivilege right (typically granted to Domain Admins or explicitly delegated). Attempting to read the SACL without sufficient privileges will result in an LDAP access error.
SChannel Support
Certificate-based SChannel authentication is supported via --cert and --key. Combine with --tls to connect over LDAPS, which is particularly important when reading nTSecurityDescriptor attributes, as some DC configurations restrict security descriptor reads to encrypted channels.