
function Get-AdsAcl {
        Reads the ACL from an AD object.
        Allows specifying the server to ask.
        The DistinguishedName path to the item.
    .PARAMETER Server
        The server / domain to connect to.
    .PARAMETER Credential
        The credentials to use for AD operations.
    .PARAMETER EnableException
        This parameter disables user-friendly warnings and enables the throwing of exceptions.
        This is less user friendly, but allows catching exceptions in calling scripts.
        PS C:\> Get-ADUser -Filter * | Get-AdsAcl
        Returns the ACL of every user in the domain.

    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
    begin {
        $adParameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        Assert-ADConnection @adParameters -Cmdlet $PSCmdlet
    process {
        if (Test-PSFFunctionInterrupt) { return }
        foreach ($pathItem in $Path) {
            if (-not $pathItem) { continue }
            Write-PSFMessage -String 'Get-AdsAcl.Processing' -StringValues $pathItem
            try { $adObject = Get-ADObject @adParameters -Identity $pathItem -Properties ntSecurityDescriptor -IncludeDeletedObjects }
            catch { Stop-PSFFunction -String 'Get-AdsAcl.ObjectError' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -ErrorRecord $_ -Continue }
            $aclObject = $adObject.ntSecurityDescriptor
            if (-not $aclObject) {
                Stop-PSFFunction -String 'Get-AdsAcl.NoSecurityProperty' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -Category PermissionDenied -Continue

            Add-Member -InputObject $aclObject -MemberType NoteProperty -Name DistinguishedName -Value $adObject.DistinguishedName -Force