Find Active Directory accounts that are not inheriting permissions

Posted on 2016-08-18
Last Modified: 2016-08-20

Does anyone have a Powershell script they can share that will search a list of SamAccountnames and report of which ones
are not inheriting permissions? There is a lot of old accounts we are running into that have this option unchecked .
Question by:MilesLogan
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 12

Accepted Solution

Benjamin Voglar earned 500 total points
ID: 41762039

I think this is what You'r lookung for:

$Containers = @()
$UserStatuses = @()

"Reading OU List ..."
$Containers = Get-ADOrganizationalUnit -Filter * -Properties * | sort canonicalname | select distinguishedname, canonicalname

"Reading Container List ..."
$Containers += Get-ADObject -SearchBase (Get-ADDomain).distinguishedname -SearchScope OneLevel -LDAPFilter '(objectClass=container)' -Properties * | sort canonicalname | select distinguishedname, canonicalname

foreach($Cntr in $Containers)
"Evaluating - " + $Cntr.distinguishedname + " ..."

$UserStatuses += Get-ADUser -Filter * -SearchBase $Cntr.distinguishedname -SearchScope OneLevel -Properties * | where {($_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true) -and ($_.enabled -eq $true)} | select @{n='OU';e={$Cntr.distinguishedname}}, displayname, userprincipalname,samAccountName, @{n='Inheritance Broken';e={$_.nTSecurityDescriptor.AreAccessRulesProtected}}

$UserStatuses | export-csv -path UsersWithInheritanceBroken.csv

Open in new window

Author Comment

ID: 41763239
Thank you Benjamin , that was exactly what I was looking for .

Expert Comment

by:Senior IT System Engineer
ID: 41763419
Hi Ben,

From which domain controller I can run that script for better result ?

Is the script read the AD only ? Nothing dangerous ?

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question