Convert SchemaGUID and / or RightsGUID function

When working with AD Permissions you already stumbled over ObjectType and InheritedObjectType. Both stored as a GUID. This GUID might either be a reference to an attribute (permissions on attribute level), an Object (permissions on Object level) or a special right.

These GUIDs are stored in the Schema of AD. As they may correspond to a right or to an object / attribute, there are stored in two different places, rights in the configuration container, objects and attributes in the schema. Searching for extended rights is straight forward. Simply search for the GUID as such. Search-AD is described in my previous post “Active Directory – Search”. You can get the lastest version of the Search-AD function here:

[PS] Scripts:> $RootDSE = [DirectoryServices.DirectoryEntry]”LDAP://RootDSE”
[PS] Scripts:> $guid = “014bf69c-7b3b-11d1-85f6-08002be74fab”
[PS] Scripts:> $Filter = “(&(objectcategory=controlAccessRight)(rightsGuid=$guid))”
[PS] Scripts:> $object = Search-AD `
-Searchbase ($RootDSE.Properties.configurationNamingContext) `
-scope subtree `
-filter $Filter `
-attr (“displayname”)
[PS] Scripts:> $object.Properties.displayname[0]
Change Domain Master

Unfortunately MS does not make it equally easy to retrieve the Schema GUID. To search using the schemaGUID, you need to escape it. After some internet searches I found this the easiest way to do this:
“” + ((([GUID]$guid).ToByteArray() |%{“{0:x}” -f $_}) -join “)

Its taking the guid and splits it to a byte array. Each byte will then be converted into its hex representation. By joining it using the they are then properly escaped except of the first one, which is the first on the line.

A guid will therefore be changed from



After that hurdle, it’s again easy.

[PS] Scripts:> $RootDSE = [DirectoryServices.DirectoryEntry]”LDAP://RootDSE”
[PS] Scripts:> $guid = “014bf69c-7b3b-11d1-85f6-08002be74fab”
[PS] Scripts:> $Filter = “(&(|(objectcategory=classschema)(objectcategory=attributeschema))(schemaIdGuid=$escapedGuid))”
[PS] Scripts:> $object = Search-AD `
-Searchbase ($RootDSE.Properties.SchemaNamingContext) `
-scope subtree `
-filter $Filter `
-attr (“ldapdisplayname”)
[PS] Scripts:> $object.Properties.ldapdisplayname[0]
[PS] Scripts:>

With this knowledge is not so difficult to create a simple function to convert the rights and the schema guids.

Btw. it appeared that not all rights guids are defined in the configuration context of AD. For more details see:
I therefore add some directly in the code.

# List of Guids not properly defined in AD but used
# Used to initialize GuidCache.
New-Variable -Name GuidCache -Force -Option AllScope `
-Scope Script -Description “Cached GUIDs from AD. :: [redtoo]”

$Script:GuidCache = @{
“a05b8cc2-17bc-4802-a710-e7c15ab866a2” = “Autoenroll”
“00000000-0000-0000-0000-000000000000” = “All”
$Script:GuidObjects = @{}

function Convert-SchemaGUIDtoLDAPDisplayName {
Convert-SchemaGUIDtoLDAPDisplayName converts a schema GUId to the LDAP Display Name
Convert-SchemaGUIDtoLDAPDisplayName converts a schema GUId to the LDAP Display Name
The schema guid to lookup
PS C:> Convert-SchemaGUIDtoLDAPDisplayName “bf96793f-0de6-11d0-a285-00aa003049e2”
NAME: Convert-SchemaGUIDtoLDAPDisplayName
AUTHOR: Patrick Sczepanski
VERSION 20120105
#Requires -Version 2.0
$ThisFunctionName = $MyInvocation.MyCommand.Name
if ( $GuidCache.Contains($guid.Tostring()) ) {
Write-Verbose “[$ThisFunctionName] :: Found in script cache.”
return $GuidCache.($guid.Tostring())
$RootDSE = [DirectoryServices.DirectoryEntry]”LDAP://RootDSE”
$escapedGuid = “” + ((([GUID]$guid).ToByteArray() |% {“{0:x}” -f $_}) -join “)
$Filter = “(&(|(objectcategory=classschema)(objectcategory=attributeschema)objectcategory=controlAccessRight))” +
Write-Verbose “[$ThisFunctionName] :: Query Schema and configuration”
Write-Verbose “[$ThisFunctionName] :: Base $($RootDSE.configurationNamingContext)”
Write-Verbose “[$ThisFunctionName] :: Filter $Filter”
Write-Verbose “[$ThisFunctionName] :: Attr ldapdisplayname”
$SearchResult = Search-AD -Searchbase $RootDSE.configurationNamingContext `
-Filter $Filter `
-Attributes (“distinguishedname”,”name”,”ldapdisplayname”,”displayname”) `
-Scope Subtree `
-FindOne `
-ReferralChasing Subordinate `
-PageSize 0
if ( $[0] -like “*Schema*” ) {
$GuidCache.($guid.Tostring()) = $[0]
Write-Verbose “[$ThisFunctionName] :: Found in schema, added to cache.”
Write-Output $[0]
} elseif ( $[0] -like “*Configuration*” ) {
$GuidCache.($guid.Tostring()) = $[0]
Write-Verbose “[$ThisFunctionName] :: Found in configuration context, added to cache.”
Write-Output $[0]
} else {
Write-Verbose “[$ThisFunctionName] :: Not found return GUID, added ‘unknown’.”
Write-Output $guid.ToString()
#endregion Convert-Schema

Also this code can be found on poshcode:


Patrick Sczepanski ist seit 11 Jahren im Bann der IT Industrie. Er hat schon für Kunden verschiedenster Grössen gearbeitet (von unter 200 bis über 200.000 Mitarbeitern). Bei der redtoo ist er, als Senior Consultant, Experte für den Bereich Infrastructure Services.