Solved

Find Active Directory accounts that are not inheriting permissions

Posted on 2016-08-18
3
30 Views
Last Modified: 2016-08-20
HI EE

Does anyone have a Powershell script they can share that will search a list of SamAccountnames and report of which ones
are not inheriting permissions? There is a lot of old accounts we are running into that have this option unchecked .
perms.png
0
Comment
Question by:MilesLogan
3 Comments
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41762039
HI.

I think this is what You'r lookung for:

$Containers = @()
$UserStatuses = @()

"Reading OU List ..."
$Containers = Get-ADOrganizationalUnit -Filter * -Properties * | sort canonicalname | select distinguishedname, canonicalname

"Reading Container List ..."
$Containers += Get-ADObject -SearchBase (Get-ADDomain).distinguishedname -SearchScope OneLevel -LDAPFilter '(objectClass=container)' -Properties * | sort canonicalname | select distinguishedname, canonicalname

foreach($Cntr in $Containers)
{
"Evaluating - " + $Cntr.distinguishedname + " ..."

$UserStatuses += Get-ADUser -Filter * -SearchBase $Cntr.distinguishedname -SearchScope OneLevel -Properties * | where {($_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true) -and ($_.enabled -eq $true)} | select @{n='OU';e={$Cntr.distinguishedname}}, displayname, userprincipalname,samAccountName, @{n='Inheritance Broken';e={$_.nTSecurityDescriptor.AreAccessRulesProtected}}
}

$UserStatuses | export-csv -path UsersWithInheritanceBroken.csv

Open in new window


https://www.linkedin.com/pulse/20140706222606-77590110-powershell-script-to-list-ad-users-with-blocked-inheritnace
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 41763239
Thank you Benjamin , that was exactly what I was looking for .
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41763419
Hi Ben,

From which domain controller I can run that script for better result ?

Is the script read the AD only ? Nothing dangerous ?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now