Active Directory Permissions and PowerShell

  • Article

So what about Active Directory Permissions on an Object using PowerShell?  There are a number of options and methods to manage Active Directory permissions, but here are some common tasks that I might perform using PowerShell.

NOTE: This blog uses PowerShell with the Active Directory Module (Import-Module ActiveDirectory)
To use Get-ACL, you may want to set the location to Active Directory ( Set-Location AD: ), otherwise you may have to call AD: within the command.

FIND IF USER ACCOUNT HAS ANY DENY PERMISSIONS SET
Using DSACLS:
Get-ADUser UserName | ForEach { DSACLS $_.DistinguishedName } | Where {$_.Contains("Deny")}

Using Get-ACL:
Set-Location AD:
(Get-Acl (Get-ADUser UserName)).access | Where {$_.AccessControlType -eq 'Deny'} | FT IdentityReference, AccessControlType, IsInherited -Autosize

FIND ALL USERS WHO HAVE NON-INHERITED DENY RIGHTS ASSIGNED
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE)}| Select {$X}, IdentityReference, AccessControlType, IsInherited}

FIND ALL USERS WHO HAVE NON-INHERITED DENY WRITEPROPERTY SET
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE) -AND ($_.ActiveDirectoryRights -eq "WriteProperty")}| Select {$X}, IdentityReference, AccessControlType, IsInherited}

FIND ALL USERS WHO HAVE SPECIFIC GROUP/USER LISTED WITH PERMISSIONS
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {$_.IdentityReference -like "DOMAIN\USERNAME"}| Select {$X}, IdentityReference, AccessControlType, IsInherited -Unique}

VIEW PERMISSIONS OF NON-INHERITED USERS ON SPECIFIC ORGANIZATIONAL UNIT (OU)
(Get-ACL "AD:CN=Joe User,OU=Users,DC=Contoso,DC=com").Access | Where {$_.IsInherited -eq $FALSE}| Select IdentityReference, AccessControlType, IsInherited

 
VIEW ACCESS RIGHTS ON GROUP OBJECT
(Get-ACL (Get-ADGroup GroupName)).Access

RESTRICT GROUPX USERS FROM MODIFYING AD ATTRIBUTE ON ALL USERS
Get-ADUser –Filter * | ForEach { DSACLS $_.DistinguishedName /D 'Contoso\GroupX:WP;employeeID'}

There are many other items that you can do with Active Directory permissions but I’d thought that I would start with the above items.  If you want something more, try another blog Smile

Thanks!

Da