MALCOLMPIRNIEIT
asked on
I need a way to query DACL of the User Objects in AD
So basically what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD, for a specific account. (MIG)
If the user object does NOT have this specific account in the DACL return the DN/CN etc.
In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to make sure the MIG account has Full Control too and return user objects that it does not.
Server 2003 Native Domain. No preps above it
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
To see the entire DACL, remove the trailing :FC
ADFIND: http://joeware.net/freetools/tools/adfind/index.htm
adfind -default -f samaccountname=jsmith -sc sdfilterns
DSACLS example:
It will list permissions on an object. I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"
ASKER
Good examples tmassa99, but that's not what I'm looking for.
ASKER CERTIFIED SOLUTION
Forgot to insert link to the original code:
http://www.cb-net.co.uk/index.php?option=com_content&view=article&id=43:vbscript-list-exchange-mailbox-dacl-ace-acl-&catid=12:domain-migration&Itemid=3
Hi, to add to tmassa's code the ability to check a specific user, under this line:
mystring = ace.Trustee
You can add a check against that trustee name:
If UCase(mystring) = "YOURDOMAIN\MIG" Then
Regards,
Rob.
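Putting the two answers together in PowerShell instead of VBScript: the script below is an added example, not code from this thread or from the cb-net page. It assumes the account to look for is YOURDOMAIN\MIG (a placeholder) and that it runs from PowerShell 2.0 on one of the 2008 R2 servers. It uses System.DirectoryServices directly rather than the Active Directory module, so it works against 2003 DCs without ADWS or the AD Management Gateway Service. It walks every user object, reads the DACL (explicit and inherited ACEs), and reports the objects where MIG is missing, has less than Full Control, or is explicitly denied.

```powershell
# Added example (not code from this thread or from cb-net): list user objects
# whose DACL does not grant the MIG account Full Control.
# Assumptions: the trustee is "YOURDOMAIN\MIG" (placeholder) and the script
# runs from PowerShell 2.0 on a 2008 R2 member server with line-of-sight to the
# 2003 DCs. Only System.DirectoryServices is used, so no ADWS or AD module.

param(
    [string]$Trustee    = "YOURDOMAIN\MIG",   # placeholder; DOMAIN\account form
    [string]$SearchBase = ""                  # "" = domain default naming context
)

# Resolve the trustee to its SID once: ACEs are stored by SID, so a SID
# comparison is immune to renames and to NT4-vs-UPN name formatting.
$account    = New-Object System.Security.Principal.NTAccount($Trustee)
$trusteeSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

if ($SearchBase -eq "") {
    $SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize   = 1000     # paged search, otherwise results stop at 1000
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$deny        = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()

    # ObjectSecurity is the object's ActiveDirectorySecurity. Ask for explicit
    # and inherited ACEs with SID identities so nothing is resolved per ACE.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $hasFullControl = $false
    $hasDeny        = $false
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $trusteeSid) { continue }

        if ($ace.AccessControlType -eq $deny) { $hasDeny = $true; continue }

        # "Full Control" in the ACL editor is GenericAll on the whole object:
        # ObjectType is the empty GUID. A GenericAll ACE scoped to one
        # property set or extended right is not full control.
        if ($ace.AccessControlType -eq $allow -and
            $ace.ObjectType -eq [Guid]::Empty -and
            (($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl)) {
            $hasFullControl = $true
        }
    }

    # Report the object when MIG is missing, restricted, or explicitly denied.
    if (-not $hasFullControl -or $hasDeny) {
        $dn = $result.Properties["distinguishedname"][0]
        New-Object PSObject -Property @{
            DistinguishedName = $dn
            MigFullControl    = $hasFullControl
            MigDenied         = $hasDeny
        }
    }
}
```

Save it as a .ps1 and run it as, for example, `.\Check-MigDacl.ps1 -Trustee "YOURDOMAIN\MIG" | Export-Csv missing-mig.csv -NoTypeInformation`. Reading the DACL needs only Read Permissions on each object, which Authenticated Users have on user objects by default. Because GetAccessRules is called with includeInherited set, a Full Control ACE inherited from the OU counts, which is normally what you want after a delegation; set the second argument to $false if you only want to see objects with an explicit ACE for MIG.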
ASKER
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
That looks to be an extra END IF statement on line 72. You can try commenting out that line.
For example, this finds all objects that have FULL CONTROL over JSMITH