Active Directory OU Permissions Report: Free PowerShell Script Download

Who owns your OUs?

Have you ever lost your keys? It is a scary feeling. Someone out there could have keys to your house and your car. Your personal safety could be at risk. The same is true in Active Directory.  Do you know who has the keys to all of your accounts?

The Problem

In Active Directory we need to know who has the keys to our organizational units (OUs), the place where our users and computers live. Over the years OUs have grown to meet needs. Different teams may have been delegated access for managing users, groups, and computers. Then you come along as the new administrator. You probably have no idea where permissions have been granted to your OUs. And the scary thing is… neither does anyone else.  I know, because I’ve been there.  I hear the same thing from our customers.

Out-of-the-box we do not have a specific tool to report all of the OU permissions. You have to click each OU and view the security tab one-by-one, and we all know that is entirely impractical.  Today’s post contains a script download to generate a report of this vital information.

OU Permissions

OU permissions are multi-faceted. In other words… it’s complicated. They have a number of properties:

  • Principal
  • Allow/Deny
  • Scope
  • Applies To
  • Permissions

You’ll see the following dialog when you add a permission. This is enough to explain the complexity of the group access notation:


Now look how many Applies to: options there are.  Notice that this box scrolls a long way.


What we need is a report that lists the contents of the Advanced permissions GUI like this for every OU:


The matrix of potential permission configurations is mind-blogging.

The Solution: PowerShell

I had wondered if a report like this could be as simple as:

Import-Module ActiveDirectory
cd AD:
dir –recurse –directory | Get-ACL

Of course what works in our imaginations is rarely as simple in real life.  No, that code would not do it.  However, the concept is the same:

  • Get a list of all OUs
  • Loop through the OUs to retrieve their permissions
  • Export all data to a CSV file

Our good friend Get-ACL reports on more than file system permissions.  We can use this same cmdlet to query OU permissions as well.  Notice that we preface the OU distinguished name with AD:\.  Any time you query permissions with Get-ACL you need to expand the Access property to see the list of permission entries (ACEs):

Get-Acl -Path "AD:\OU=Domain Controllers,DC=wingtiptoys,DC=local" |
  Select-Object -ExpandProperty Access

Here is an example of an ActiveDirectoryAccessRule object that is returned for an OU:


We get an entry like this for every permission assigned to the OU.  My first instinct was to simply dump a list of these to CSV and be done with it.  But then I noticed the ObjectType and InheritedObjectType properties.  Hmmmm.  These are ugly GUIDs… not what we need for the report.  We need to translate these to the names of the objects that receive the permissions.  These names are what we see in that long drop-down list in the screenshot above.

To make a long story short I stayed up until 3AM researching this and traced it all down in the Active Directory Technical Specifications (MS-ADTS) here:

You are welcome to read these pages for yourself to understand the relationships.  Essentially these GUID values are stored on attributes of selected objects in the schema and configuration partitions of the AD database.  You can query these to build a list of names that will make the report readable.  So that’s what I did and put them into a hash table for quick look-ups when we generate the report.

The Big Finish

When we script it all out we get a report that looks something like this:


Obviously there are too many columns to read in the screenshot, but it is quite thorough.  Now you can use filters and pivot tables in Excel to analyze the data and produce reports showing exactly which OUs have delegated permissions, what kind of permissions, and who has them.  Likewise you can pivot the report by group to see a list of all OUs that a group can control.  You may want to filter the output by the IsInherited property.  By filtering for FALSE you will find everywhere that permissions are explicitly delegated in the OU tree.


I would advise all Active Directory shops to run and review this report on a quarterly basis to make sure there are no surprise administrators lurking in your domain. The report can be quite large for any size organization.  Perhaps this would be a good report to feed to the Information Security team, if you have one.  Now you know who holds the keys.


Download the full script from the TechNet Script Gallery.

Comments (53)
  1. Hi Krishna,

    Great question. Here are a couple options for the current user:

    whoami /priv
    GPRESULT or Get-GPResultantSetOfPolicy

    For default group privileges:

    For tracking down user and group privileges in the directory:

    Hope this helps,

  2. Patris_70 says:

    You are Great guy

    Can use this PS script for other AD objects permission, such as user or group?

    Thank you so much

  3. Patris_70 says:

    Please check script. OU_permissions.p-s-1.txt is empty!


  4. Hello Patris_70,

    I'm not sure what happened to the script file.  I have fixed it now by linking to the copy posted at the TechNet Script Gallery.

    As for permissions on other object types they should work the same way.  You can modify the script accordingly.

    Thanks for the feedback,


  5. Patris_70 says:

    Hello Ashely,

    Thank you for your immediate answer and support.

    Best regards

  6. Ken Brumfield's CheckDSAcls.exe on Codeplex also does this, which had been the only way I knew to produce this type of "who has permissions on my OU" report (using /SearchForAcct switch). It is nice to see PowerShell can be leveraged to produce similar reports. Your investigation of the GUIDs in MS-ADTS is particularly helpful. Thanks for this script.

  7. anonymouscommenter says:


    How would you go about running this against another domain in the forest or a domain you have a trust with?

  8. Hi Neil,

    Great question!  To scale this script across forests, domains, and trusts I can think of two methods:

    1.  You could parameterize the script in a function.  The parameters could reference the target server name and a credentials object that you capture.  Then you could modify all of the calls in the script to use these parameters.  This would be thorough, but a bit more time-consuming.

    2.  The easiest way would be to use Invoke-Command against the remote server and pass credentials like this:

    Invoke-Command -ComputerName -Credential (Get-Credential) -FilePath .OU_permissions.ps1 |

    Export-CSV .Remote-OUs.csv -NoTypeInformation

    In order for this last part to work I took out the final part of the script which exports the CSV.  This way it dumps $report into your local session for exporting locally.

    Hope this helps,


  9. anonymouscommenter says:


    Doyou know this tool created by one of your colleague?…/permissions-in-ad-lost-control.aspx



  10. Dwight M says:

    Guy, this is a great script. How can I export each OU to separate .CSV files? I would like each file to be named OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com. Each file will be named with it's own distinctive OU. How can I go about accomplishing this?


  11. Hello Dwight,

    This should put each OU in its own file:

    $schemaIDGUID = @{}

    $ErrorActionPreference = 'SilentlyContinue'

    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |

    ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$}

    Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |

    ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$}

    $ErrorActionPreference = 'Continue'

    # Get a list of all OUs.  Add in the root containers for good measure (users, computers, etc.).

    $OUs  = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

    $OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName

    # Loop through each of the OUs and retrieve their permissions.

    # Add report columns to contain the OU path and string names of the ObjectTypes.

    ForEach ($OU in $OUs) {

       # This array will hold the report output.

       $report = @()

       $report += Get-Acl -Path "AD:$OU" |

        Select-Object -ExpandProperty Access |

        Select-Object @{name='organizationalUnit';expression={$OU}}, `

                      @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `

                      @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `


       # Dump the raw report out to a CSV file for analysis in Excel.

       $report | Export-Csv ".$OU.csv" -NoTypeInformation


  12. anonymouscommenter says:

    Thanks for this script. It is extremely useful!

    Smita C

  13. anonymouscommenter says:

    If anyone wants an easy to use GUI alternative to the Powershell options, I made a tool recently for reporting AD permissions. More info and a download link for the free edition (which is not time limited) here for anyone interested:

  14. anonymouscommenter says:

    Today's post gives you a script to crawl your file shares and document the AD users and groups referenced in NTFS permissions. I’m sure others have published similar scripts, but I want to approach it from the angle of Active Directory group

  15. anonymouscommenter says:

    Gr8 Gui Tool Chris

  16. anonymouscommenter says:

    Great script, thanks very much!

  17. anonymouscommenter says:

    How can I get the owner on AD OU’s?

  18. Hello John,

    This one-liner will list all of your OUs and their owners:

    Get-ADOrganizationalUnit -filter * -Properties nTSecurityDescriptor | Select-Object DistinguishedName, @{name=’Owner’;Expression={$_.nTSecurityDescriptor.Owner}}

    Hope this helps,

    1. TJ says:

      What I wish is that I knew how to get the information to construct such a complicated command as:
      Get-ADOrganizationalUnit -filter * -Properties nTSecurityDescriptor | Select-Object DistinguishedName, @{name=’Owner’;Expression={$_.nTSecurityDescriptor.Owner}}. I get it all the way to “select-object distinguishedname. But the next part could be written in Greek. Where did you get that information and the knowledge to construct the query like that? What do I need to read?

  19. anonymouscommenter says:

    Great Script, it will be helpful to know how to get permissions from Domain root also

  20. anonymouscommenter says:

    Hmm simply use Get-ADPermission from Exchange admin tools ? Never understood why such a critical cmdlet belonged exclusively to the Exchange group, when AD admins have so much use of it, and must struggle with Get-ACL instead…

  21. anonymouscommenter says:

    We tried as below

    Get-ADPermission -Identity | ft user, Identity, deny, Accessrights, IsInherited, Properties, ChildobjectTypes, InheritedObjecttype, Inheritancetype -wrap > rrr.txt

    Also exported to csv with notypeinfo. But the output not contains all the fields or it’s getting to the next line. Even we tried to mention the width as following ($fileds = @{Expression={$_.user};Label="User";width=25}, etc ), but still failed to achieve a
    perfect report.

    Expect your support


  22. anonymouscommenter says:

    The script to check permissions at domain root is as below

    Get-ADPermission -Identity | select-object user, Identity, deny, @{n="AccessRights";e={($_ | select -expandproperty AccessRights) -join ‘|’ }},@{n="ExtendedRights";e={($_ | select -expandproperty ExtendedRights) -join ‘|’ }}, IsInherited, @{label
    = "Properties ";expression = {[string]$_.Properties }}, @{label = "ChildobjectTypes";expression = {[string]$_.ChildobjectTypes }}, InheritedObjecttype, Inheritancetype | export-csv C:get-adpermission.csv


  23. @LMS,
    I have updated the script download to now include the root of the domain in the permissions report. I don’t know why I didn’t do that to begin with. Thanks for the feedback.
    Ashley McGlone

  24. anonymouscommenter says:

    It’s Great, Thank You…

  25. anonymouscommenter says:

    Welcome! Today’s post includes demo scripts and links from the Microsoft Virtual Academy event: Using PowerShell for Active Directory . We had a great time creating this for you, and I hope you will share it with anyone needing to ramp up their

  26. anonymouscommenter says:

    how do I know the privileges of a particular user/Group?

  27. anonymouscommenter says:

    Great script, extremely helpful! Thank you very much for sharing

  28. anonymouscommenter says:

    This script does nothing it appears to run for me but I never see any output

  29. Hi Emily,
    Can you find the file OU_Permissions.csv in your working directory?

  30. anonymouscommenter says:

    Thank you Ashley! your videos on AD powershell are great. And yes you are powershellAD_master

  31. anonymouscommenter says:

    What if I don’t want to search the entire domain, but instead, want to search through the entire OU structure of a single OU in a domain? Also, what about do this in different domains (run script on domain B from domain A)?

  32. anonymouscommenter says:

    Do the new LAPS attributes have their own unique GUID? I er, binged the schemaIDGUID value in my schema for one of the new properties with no result, so is it randomly created?

  33. anonymouscommenter says:

    How can find if a user ABC has delegation for any OU or not.

  34. Paul Bendall says:


    Another great script and I like the tight method for creating the hash-table for the GUIDID from the schema. I’m using this to check or apply the necessary delegation of privileges for Azure AD Connect service account so it can only write-back to attributes we want (least privilege) but I can also monitor after setting using your approach. Thanks for sharing


  35. Avi says:

    Hi, can you help me with extracting report with the help of Powershell for entire domain? Like how many active AD groups their description and all..



  36. Anup Singh says:

    Is there any PS command to find out who is moving users from one OU to another in windows 2008 R2 domain.

  37. BradBird says:

    How do I run this? Do I run it as is with a parameter? Or do I take pieces of it?

  38. Gasper says:

    Great script! Ty

  39. Matthias Thiel says:

    Hello Ashley,

    thank you for your great article. I got here while looking for a way to get a list of all possible inheritance-options (see your “Applies to”-screenshot). As far as I know this uses the “ActiveDirectoryAccessRule.InheritanceType” .Net-class with the “appliesto”-property but unfortunately I can’t find any way to get a list or an export of this above mentioned dropdown-list. Do you have, by any chance, an idea how to realise this via powershell ?

    Thanks in advance and kind regards


    1. Jake says:

      I would like to bump this question

  40. steve tretakis says:

    Great and many , many thanks but.. i give up… how do i target for child domains? Thanks for this, this is a huge help for a serious issue i have been trying to get a handle on for yrs

    1. Hi Steve,
      To target child domains you have two options: 1. Run the code locally in the other domain. 2. Improve this code to take parameters for domain name and domain credential. Both are viable alternatives.

  41. Tara says:

    Hi, I am wondering if you could tell me how to modify the report to see any user with any delegated permission? But exclude any “read only” or “view only” type permissions? We have some delegation granted by groups, but we also have before my time as an administrator users that were granted permissions directly to their user account. Such as “change password” or other delegated permissions.

    1. Hi Tara,
      Hmm. To see specific users you would need to expand group memberships and add that to the report. To exclude certain types of permissions you could filter the output using Where-Object against the ActiveDirectoryRights property. You could probably do something like “Where-Object {$_.ActiveDirectoryRights -notlike “*read*”}”. Hope this helps.

  42. C.M. Ramos says:

    Excellent! Saved me some legwork, but I have one suggestion… In addition to the DN, add the Canonical Name to the report for Sortability when imported into a spreadsheet. In organizations with like operating OU structures that “should” have like permissions, its easier to sort, compare and pivot by something that’s easier to read than a DN.

  43. Ernest Brant says:

    Hello Ashley

    Thanks very much for this excellent Blog 🙂

    Whilst looking at the output of the above script I noticed something which appears odd in relation to the LDAP Display Name of the ObjectType when rights are granted to a Property Set for example.

    For anyone else reading this reply, info on Property Sets here

    If I give Fred the Write right to the Public Information property Set on an Object and look at the results it states.

    ObjectType : registeredAddress

    I was expecting it so say something like Public-Information rather than registeredAddress

    So taking inspiration for your good self, I wrote the following script

    $HT = @{
    ‘Domain-Password-Information’ = [guid]’c7407360-20bf-11d0-a768-00aa006e0529′

    ‘Email-Information’ = [guid]’E45795B2-9455-11d1-AEBD-0000F80367C1′

    ‘General-Inforamtion’ = [guid]’59ba2f42-79a2-11d0-9020-00c04fc2d3cf’

    ‘Membership’ = [guid]’bc0ac240-79a9-11d0-9020-00c04fc2d4cf’

    ‘User-Account-Restrictions’ = [guid]’4c164200-20c0-11d0-a768-00aa006e0529′

    ‘Personal-Information’ = [guid]’77B5B886-944A-11d1-AEBD-0000F80367C1′

    ‘Public-Information’ = [guid]’e48d0154-bcf8-11d1-8702-00c04fb96050′

    ‘RAS-Information’ = [guid]’037088f8-0ae1-11d2-b422-00a0c968f939′

    ‘User-Logon’ = [guid]’5f202010-79a5-11d0-9020-00c04fc2d4cf’

    ‘Web-Information’ = [guid]’E45795B3-9455-11d1-AEBD-0000F80367C1′

    ‘DNS-Host-Name-Attributes’ = [guid]’72e39547-7b18-11d1-adef-00c04fd8d5cd’

    ‘Domain-Other-Parameters’ = [guid]’B8119fd0-04f6-4762-ab7a-4986c76b3f9a’

    $Array = New-object -TypeName System.Collections.ArrayList

    foreach ($item in $HT.GetEnumerator()) {

    $guidval = $item.Value

    $bytearr = $guidval.tobytearray()
    $bytestr = “”

    foreach ($byte in $bytearr) {
    $str = “\” + “{0:x}” -f $byte
    $bytestr += $str

    $DirectoryEntry = [adsi]”LDAP://$(([adsi]”LDAP://RootDSE”).SchemaNamingContext)”
    $DirectorySearcher = [adsisearcher]$DirectoryEntry
    $DirectorySearcher.filter = “(attributesecurityguid=$bytestr)”

    $result = $DirectorySearcher.findone()

    [void]$Array.Add([pscustomobject]@{‘name’=$;’GUID’=$guidval;’LDAP-DisplayName’=$($result.Properties.ldapdisplayname | % {$_})})


    Write-Output $Array

    the output returned

    name GUID LDAP-DisplayName
    —- —- —————-
    Personal-Information 77b5b886-944a-11d1-aebd-0000f80367c1 registeredAddress
    DNS-Host-Name-Attributes 72e39547-7b18-11d1-adef-00c04fd8d5cd msDS-AdditionalDnsHostName
    Domain-Other-Parameters b8119fd0-04f6-4762-ab7a-4986c76b3f9a serverRole
    Membership bc0ac240-79a9-11d0-9020-00c04fc2d4cf memberOf
    RAS-Information 037088f8-0ae1-11d2-b422-00a0c968f939 tokenGroups
    Public-Information e48d0154-bcf8-11d1-8702-00c04fb96050 msDS-PhoneticFirstName
    User-Account-Restrictions 4c164200-20c0-11d0-a768-00aa006e0529 pwdLastSet
    Domain-Password-Information c7407360-20bf-11d0-a768-00aa006e0529 pwdProperties
    General-Inforamtion 59ba2f42-79a2-11d0-9020-00c04fc2d3cf sAMAccountName
    Web-Information e45795b3-9455-11d1-aebd-0000f80367c1 wWWHomePage
    User-Logon 5f202010-79a5-11d0-9020-00c04fc2d4cf homeDirectory
    Email-Information e45795b2-9455-11d1-aebd-0000f80367c1

    For example General Information is returning sAMAccountName this is not what I would expect

    I would be grateful for your feed back,

    Thanks Ashley
    Ernest Brant

  44. Thanks for this useful script. I modified the script a bit to fit my needs. I am trying to filter out the principals which are default.
    Currently I am doing this
    “Where-Object {$_.IdentityReference -notmatch “BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER|DOMAIN ADMINS|Domain Controllers|EXCHANGE|Organization Management|Enterprise Admins|Public Folder|S-1-5-32-554|S-1-5-32-548|S-1-5-32-557|S-1-5-32-561|S-1-5-32-550″} |”
    I want to so have a variable with all SIDs and principals. and the script should look into that array and select objects which doesnt match from the array.

  45. Max says:

    Updating the Manager attribute of a user with an Object Type ‘Contacts’ is successful via AD but fails using Powershell. It seems that PS can update the Manager field by Object Type ‘Users’

    Can there be any special permission setting to fix this or another way?

  46. MASIT says:

    Hello Ashely,
    How do you query only one OU? I have something like: ou=Groups,,ou=Americas,ou=Exchange,dc=local,dc=com
    I have hundreds of OUs I’m not interested about, so I’d like to just query particular OUs. I’d appreciate your response very much.

    P.S. Thank you for putting this script together. It definitely is a great life saver.

Comments are closed.

Skip to main content