GpoAclExposureRecord

Domain containing the GPO.

Display name of the GPO.

Resolved identity (distinguished name or SID).

Friendly account label when available.

SID that received the permission.

Granted Active Directory rights.

Indicates whether the ACE is inherited.

Indicates whether the ACE grants the Apply Group Policy extended right.

Resolved identity type when available.

Coarse-grained operation classification derived from the ACE (write vs apply-only etc.).

True when the underlying ACE conveys any write-like capability.

Optional objectType GUID (schema attribute or extended right) targeted by the ACE.

Friendly name for ObjectTypeGuid when resolvable from schema/extended rights.

Write-only subset of rights for clearer display (excludes GenericRead/ReadProperty/Apply-only).

GPMC-style permission label synthesized from the ACE (e.g., "Edit settings", "Edit settings, delete", "Edit settings, delete, modify security", or "Read"/"Read (from Security Filtering)" for Apply-only/read-only cases).

Administrative classification of the trustee identity (e.g., WellKnownAdministrative, Administrative, NotAdministrative).

True when the trustee is a privileged/builtin identity (e.g., Domain Admins, Enterprise Admins, BUILTIN\\Administrators, Enterprise Domain Controllers).

Risk level classification for this ACE.

Short explanation for RiskLevel.

True when the trustee SID is CREATOR OWNER (S-1-3-0).

GPO distinguished name.

Owner SID of the GPO object.

Owner friendly name of the GPO object.

True when the owner is trusted/expected (Domain Admins/GPCO/Administrators).