some fixes

Author: santisq

src/ADEffectiveAccess/DirectoryEntryBuilder.cs

@@ -12,11 +12,14 @@ internal sealed class DirectoryEntryBuilder : IDisposable
 
     private readonly AuthenticationTypes _authenticationTypes;
 
-    internal DirectoryEntry RootEntry { get; }
+    internal DirectoryEntry DomainEntry { get; }
 
     internal DirectoryEntry SearchBase { get; }
 
-    internal string? Root { get; }
+    internal string? DomainDistinguishedName
+    {
+        get => DomainEntry.Properties["distinguishedName"][0]?.ToString();
+    }
 
     internal DirectoryEntryBuilder(
         PSCredential? credential,
@@ -27,8 +30,8 @@ internal DirectoryEntryBuilder(
         _username = credential?.UserName;
         _password = credential?.GetNetworkCredential().Password;
         _authenticationTypes = authenticationTypes;
-        RootEntry = Create(server: server);
-        SearchBase = Create(searchBase: searchBase);
+        DomainEntry = Create(server: server);
+        SearchBase = searchBase is null ? DomainEntry : Create(searchBase: searchBase);
     }
 
     internal DirectoryEntry Create(string? server = null, string? searchBase = null)
@@ -41,14 +44,12 @@ internal DirectoryEntry Create(string? server = null, string? searchBase = null)
             _ => $"LDAP://{server}/{searchBase}"
         };
 
-        return path is null
-            ? RootEntry
-            : new DirectoryEntry(path, _username, _password, _authenticationTypes);
+        return new DirectoryEntry(path, _username, _password, _authenticationTypes);
     }
 
     public void Dispose()
     {
-        RootEntry.Dispose();
+        DomainEntry.Dispose();
         SearchBase.Dispose();
         GC.SuppressFinalize(this);
     }

src/ADEffectiveAccess/Extensions.cs

@@ -4,6 +4,8 @@
 using System.Management.Automation;
 using System.Security.Principal;
 using System.Text;
+using System.Text.RegularExpressions;
+
 #if !NETCOREAPP
 using System.Collections.Generic;
 #endif
@@ -40,13 +42,19 @@ internal static string ToFilter(this Guid guid)
     internal static string ToFilter(this SecurityIdentifier sid) => $"(objectSid={sid})";
 
     internal static string ToFilter(this string identity)
-#if NETCOREAPP
-        => identity.Contains('=')
-#else
-        => identity.Contains("=")
-#endif
-            ? $"(distinguishedName={identity})"
-            : $"(samAccountName={identity})";
+    {
+        if (!identity.Contains("="))
+        {
+            return $"(samAccountName={identity})";
+        }
+
+        if (!identity.Contains("DEL:"))
+        {
+            return $"(distinguishedName={identity})";
+        }
+
+        return $"(&(isDeleted=TRUE)({Regex.Replace(identity, @"(?<!\\),.+", "")}))";
+    }
 
     internal static T GetProperty<T>(this SearchResult search, string property)
         => LanguagePrimitives.ConvertTo<T>(search.Properties[property][0]);

src/ADEffectiveAccess/GetADEffectiveAccessComand.cs

@@ -20,7 +20,7 @@ public sealed class GetADEffectiveAccessComand : PSCmdlet, IDisposable
 
     private SecurityMasks _masks = SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Owner;
 
-    private DirectoryEntryBuilder? _entryBuilder;
+    private DirectoryEntryBuilder? _builder;
 
     private GuidResolver? _map;
 
@@ -77,14 +77,14 @@ protected override void BeginProcessing()
 
         try
         {
-            _entryBuilder = new DirectoryEntryBuilder(
+            _builder = new DirectoryEntryBuilder(
                 credential: Credential,
                 authenticationTypes: AuthenticationTypes,
                 server: Server,
                 searchBase: SearchBase);
 
             _map = GuidResolver.GetFromTLS();
-            _map.SetContext(Server, _entryBuilder);
+            _map.SetContext(Server, _builder);
         }
         catch (Exception exception)
         {
@@ -94,19 +94,19 @@ protected override void BeginProcessing()
 
     protected override void ProcessRecord()
     {
-        Assert(_entryBuilder is not null);
+        Assert(_builder is not null);
         Assert(_map is not null);
 
         try
         {
             if (Identity is not null)
             {
-                GetByIdentity(_entryBuilder, Identity);
+                GetByIdentity(_builder, Identity);
                 return;
             }
 
             using DirectorySearcher searcher = new(
-                searchRoot: _entryBuilder.SearchBase,
+                searchRoot: _builder.SearchBase,
                 filter: LdapFilter,
                 propertiesToLoad: [SecurityDescriptor])
             {
@@ -162,7 +162,7 @@ _ when LanguagePrimitives.TryConvertTo(identity, out SecurityIdentifier sid) =>
         };
 
         using DirectorySearcher searcher = new(
-            searchRoot: builder.RootEntry,
+            searchRoot: builder.DomainEntry,
             filter: ldapFilter,
             propertiesToLoad: [SecurityDescriptor])
         {
@@ -171,7 +171,7 @@ _ when LanguagePrimitives.TryConvertTo(identity, out SecurityIdentifier sid) =>
         };
 
         SearchResult result = searcher.FindOne()
-            ?? throw identity.ToIdentityNotFoundException(builder.Root);
+            ?? throw identity.ToIdentityNotFoundException(builder.DomainDistinguishedName);
 
         WriteRules(result);
     }
@@ -182,7 +182,7 @@ private static void Assert([DoesNotReturnIf(false)] bool condition, string? mess
 
     public void Dispose()
     {
-        _entryBuilder?.Dispose();
+        _builder?.Dispose();
         GC.SuppressFinalize(this);
     }
 }