The Contains edge has had a challenging past. It provides necessary structural information about the AD graph; however, it has always left the critical question, “Can I exploit this path?”, explicitly unanswered. With this release, Contains is no longer a traversable edge, and it will no longer appear in pathfinding. In its place, we’re introducing several edges to answer that question and to replace the previous logic used within Privilege Zone Management for tagging OUs and GPOs:
PropagatesACEsTo: From parent object to direct child if child inherits ACEs from parent
GPOAppliesTo: From GPO to the users/computers it applies to
CanApplyGPO: From principals to target users/computers where the principals can link GPOs such that the GPOs apply on the targets
ContainsIdentity: From Domain to all users and computers
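
A simplified model of the edge definitions above, added here as an example and not taken from BloodHound's code: it derives Contains, PropagatesACEsTo and ContainsIdentity over a constructed directory tree, then follows only PropagatesACEsTo to list the objects an inheritable ACE on a container actually reaches. The `inherits_aces` flag, the object names and the function names are assumptions of this sketch.

```python
# Constructed sample directory: name -> (kind, parent, inherits_aces).
# inherits_aces is a hypothetical flag standing in for "ACL inheritance is
# enabled on this object"; it is an assumption of this sketch.
SAMPLE = {
    "CORP.LOCAL":   ("Domain",   None,           False),
    "Workstations": ("OU",       "CORP.LOCAL",   True),
    "Tier0":        ("OU",       "CORP.LOCAL",   False),  # inheritance disabled
    "WS01":         ("Computer", "Workstations", True),
    "alice":        ("User",     "Workstations", True),
    "DC01":         ("Computer", "Tier0",        True),
    "svc_backup":   ("User",     "Tier0",        False),  # inheritance disabled
}

def domain_of(objects, name):
    """Walk parent links up to the root object (the domain in this sample)."""
    while objects[name][1] is not None:
        name = objects[name][1]
    return name

def derive_edges(objects):
    """Return (source, edge, target) tuples following the definitions above."""
    edges = set()
    for name, (kind, parent, inherits) in objects.items():
        if parent is None:
            continue
        edges.add((parent, "Contains", name))  # structural, not traversable
        if inherits:  # only a direct child that inherits gets this edge
            edges.add((parent, "PropagatesACEsTo", name))
        if kind in ("User", "Computer"):
            edges.add((domain_of(objects, name), "ContainsIdentity", name))
    return edges

def ace_reach(edges, start):
    """Objects reached from `start` by following PropagatesACEsTo only."""
    children = {}
    for src, edge, dst in edges:
        if edge == "PropagatesACEsTo":
            children.setdefault(src, []).append(dst)
    reached, stack = set(), [start]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in reached:
                reached.add(child)
                stack.append(child)
    return reached
```

In the sample, every object sits under CORP.LOCAL by Contains, but `ace_reach(derive_edges(SAMPLE), "CORP.LOCAL")` stops at the Tier0 OU because it does not inherit, which is the distinction the old edge could not express.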