Solved

Find Active Directory accounts that are not inheriting permissions

Posted on 2016-08-18
3
52 Views
Last Modified: 2016-08-20
HI EE

Does anyone have a Powershell script they can share that will search a list of SamAccountnames and report of which ones
are not inheriting permissions? There is a lot of old accounts we are running into that have this option unchecked .
perms.png
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Accepted Solution

by:
Benjamin Voglar earned 500 total points
ID: 41762039
HI.

I think this is what You'r lookung for:

$Containers = @()
$UserStatuses = @()

"Reading OU List ..."
$Containers = Get-ADOrganizationalUnit -Filter * -Properties * | sort canonicalname | select distinguishedname, canonicalname

"Reading Container List ..."
$Containers += Get-ADObject -SearchBase (Get-ADDomain).distinguishedname -SearchScope OneLevel -LDAPFilter '(objectClass=container)' -Properties * | sort canonicalname | select distinguishedname, canonicalname

foreach($Cntr in $Containers)
{
"Evaluating - " + $Cntr.distinguishedname + " ..."

$UserStatuses += Get-ADUser -Filter * -SearchBase $Cntr.distinguishedname -SearchScope OneLevel -Properties * | where {($_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true) -and ($_.enabled -eq $true)} | select @{n='OU';e={$Cntr.distinguishedname}}, displayname, userprincipalname,samAccountName, @{n='Inheritance Broken';e={$_.nTSecurityDescriptor.AreAccessRulesProtected}}
}

$UserStatuses | export-csv -path UsersWithInheritanceBroken.csv

Open in new window


https://www.linkedin.com/pulse/20140706222606-77590110-powershell-script-to-list-ad-users-with-blocked-inheritnace
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 41763239
Thank you Benjamin , that was exactly what I was looking for .
0
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41763419
Hi Ben,

From which domain controller I can run that script for better result ?

Is the script read the AD only ? Nothing dangerous ?
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question