Solved

Find Active Directory accounts that are not inheriting permissions

Posted on 2016-08-18
3
44 Views
Last Modified: 2016-08-20
HI EE

Does anyone have a Powershell script they can share that will search a list of SamAccountnames and report of which ones
are not inheriting permissions? There is a lot of old accounts we are running into that have this option unchecked .
perms.png
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41762039
HI.

I think this is what You'r lookung for:

$Containers = @()
$UserStatuses = @()

"Reading OU List ..."
$Containers = Get-ADOrganizationalUnit -Filter * -Properties * | sort canonicalname | select distinguishedname, canonicalname

"Reading Container List ..."
$Containers += Get-ADObject -SearchBase (Get-ADDomain).distinguishedname -SearchScope OneLevel -LDAPFilter '(objectClass=container)' -Properties * | sort canonicalname | select distinguishedname, canonicalname

foreach($Cntr in $Containers)
{
"Evaluating - " + $Cntr.distinguishedname + " ..."

$UserStatuses += Get-ADUser -Filter * -SearchBase $Cntr.distinguishedname -SearchScope OneLevel -Properties * | where {($_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true) -and ($_.enabled -eq $true)} | select @{n='OU';e={$Cntr.distinguishedname}}, displayname, userprincipalname,samAccountName, @{n='Inheritance Broken';e={$_.nTSecurityDescriptor.AreAccessRulesProtected}}
}

$UserStatuses | export-csv -path UsersWithInheritanceBroken.csv

Open in new window


https://www.linkedin.com/pulse/20140706222606-77590110-powershell-script-to-list-ad-users-with-blocked-inheritnace
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 41763239
Thank you Benjamin , that was exactly what I was looking for .
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41763419
Hi Ben,

From which domain controller I can run that script for better result ?

Is the script read the AD only ? Nothing dangerous ?
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question