Powershell: Permissions

Hello experts,

I need help with a script to identify users that have explicit permissions to modify objects in AD. It is a 2012 domain.

Your assistance is much appreciated.

Thanks.
Parity123 Asked:

Shaun Vermaak, Technical Specialist/Developer, Commented:
Does it have to be Powershell?
I would use DSACLS or CheckDSAcls
CheckDSAcls.exe /ExplicitOnly /ShowChildren

0

Parity123, Author, Commented:
I can’t seem to find checkdsacls.exe. The above switches do not work for DSACLS.
0
Sara Teasdale Commented:
Here is the real way to get it to work!

Import-Module ActiveDirectory
# Read the object's ACL through the AD: PSDrive (the AD:\ prefix is needed unless you have already cd'd into the AD: drive)
(Get-Acl -Path 'AD:\CN=Twon.of.An,OU=Users,DC=Contoso,DC=local').Access | Select-Object IdentityReference, AccessControlType | Out-File C:\Perms.txt

Or something like:

# Same report, but resolve the distinguished name from the account name first
(Get-Acl -Path ('AD:\' + (Get-ADUser Twon.of.An).DistinguishedName)).Access | Select-Object IdentityReference, AccessControlType | Out-File C:\Perms.txt

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx

Have you looked at Active Directory Effective Permissions - http://www.paramountdefenses.com/goldfinger-editions-006-active-directory-true-effective-permissions-tool.html

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html
0
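The Get-Acl approach above reports one object at a time. The asker wants the opposite view: every user account holding an explicit (non-inherited) ACE anywhere in the domain, filtered down to rights that allow modification, in a form that can be scheduled weekly. The script below is an added example, not code from the thread or from any of the tools linked in it. It assumes the ActiveDirectory module (RSAT) and its AD: PSDrive are available, that the account running it can read security descriptors on the objects in scope, and that user objects can be matched to ACE trustees by sAMAccountName; the list of rights treated as "modify" and the list of ignored built-in trustees are the author's own choices.

```powershell
# Added example (not from the thread): find user accounts with explicit ACEs on AD objects.
# Assumes the ActiveDirectory module (AD: PSDrive) and read access to object security descriptors.
Import-Module ActiveDirectory

function Get-ExplicitUserAces {
    param(
        # Search base DN; defaults to the domain root of the machine running the script
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Only report ACEs that grant some form of write/modify (see $modifyRights below)
        [switch]$ModifyOnly,
        # Well-known trustees to skip so the report is about people, not the OS
        [string[]]$IgnoreIdentities = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'Everyone', 'CREATOR OWNER',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators'
        )
    )

    # Rights that let a trustee change the object or its security (assumption: this is what "modify" means here)
    $modifyRights = 'GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner',
                    'CreateChild', 'DeleteChild', 'Delete', 'DeleteTree', 'Self', 'ExtendedRight'

    # Cache: trustee string -> $true if it resolves to a user object, $false otherwise
    $isUser = @{}

    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree |
    ForEach-Object {
        $dn = $_.DistinguishedName
        try {
            $acl = Get-Acl -Path ('AD:\' + $dn)
        } catch {
            Write-Warning "Could not read ACL on $dn : $_"
            return   # skip this object, continue with the next one
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }             # explicit ACEs only
            $id = $ace.IdentityReference.Value              # DOMAIN\name, or an unresolved SID string
            if ($IgnoreIdentities -contains $id) { continue }

            if (-not $isUser.ContainsKey($id)) {
                # Resolve DOMAIN\name to an AD object once and remember whether it is a user
                $isUser[$id] = $false
                $sam = $id.Split('\')[-1]
                $obj = Get-ADObject -Filter { sAMAccountName -eq $sam } -Properties objectClass -ErrorAction SilentlyContinue
                if ($obj -and $obj.objectClass -eq 'user') { $isUser[$id] = $true }
            }
            if (-not $isUser[$id]) { continue }            # groups, computers and unresolved SIDs are dropped

            if ($ModifyOnly) {
                $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
                if (-not ($granted | Where-Object { $modifyRights -contains $_ })) { continue }
            }

            [pscustomobject]@{
                Object     = $dn
                User       = $id
                Type       = $ace.AccessControlType          # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType                 # attribute/extended-right GUID, all-zero = whole object
            }
        }
    }
}

# Weekly run: detail CSV plus a per-user count of explicit modify rights (path is an assumption)
$aces = Get-ExplicitUserAces -ModifyOnly
$aces | Export-Csv -Path 'C:\Reports\ExplicitUserAces.csv' -NoTypeInformation
$aces | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```

Reading the ACL of every object in a large domain is slow, so in practice pass -SearchBase with the OUs that matter rather than the domain root. The per-user summary at the end is the short list the asker was after; the CSV keeps the per-object detail for follow-up. Deny ACEs are included with Type = Deny so that a deny granted directly to a user is not mistaken for a modify right.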
Parity123, Author, Commented:
I don’t want to pass a username, instead get all users that have explicit permissions.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Get CheckDSAcls.exe here. It is not part of the OS.
https://archive.codeplex.com/?p=activedirectoryutils
0
Parity123, Author, Commented:
Shaun - I downloaded the archive, I only see the source code (CS file), but no .exe.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
0
Parity123, Author, Commented:
Shaun - It creates a huge file as we have a large domain with thousands of groups. I am interested in just the user accounts that have been granted explicit permissions.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
This only shows explicit permissions:
CheckDSAcls.exe /ExplicitOnly /ShowChildren

0
Parity123, Author, Commented:
That's what I ran.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Then you have explicit permissions all over.
0
Parity123, Author, Commented:
It lists all the thousands of groups, one line for each right. I may have only 50+ users, so I just needed the user list.
0
Parity123, Author, Commented:
I may have only 50+ users with explicit permissions set, and I want to just get this list.
0
Alan, Consultant, Commented:
Hi Parity123,

I would import the output of the CheckDSAcls command into, say, Excel, and sort it there to show you only the fifty or so users.

You could fiddle with this for ages, but sometimes a quick and dirty is the easiest answer, especially if this is a one-off thing.


Hope that helps,

Alan.
0
Parity123, Author, Commented:
Is there a better way to get this info using PowerShell? I need to automate this and send a report weekly.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
"It lists all the thousands of groups, one line for each right. I may have only 50+ users, so I just needed the user list."
Yes, because you have thousands of explicit permissions. If you want users only, filter the list after running the export with Excel etc.
0
Parity123, Author, Commented:
I need to find a way to automate this. A manual method will not work in this case.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Simply parse the result with PowerShell then; it is a CSV.

Post a segment if you need help.
0
Alan, Consultant, Commented:
Hi,

Still sounds like you would be best to automate it with Excel (say).

After you've done it once, then you just run the report, let Excel do its thing automatically, and you have your report with no additional effort.

You could even run it all out of Excel including the PS if you wanted to, and then have Excel drop the report into a network folder or wherever you need to file it.

I think Shaun has answered the question though - we are going in circles now.

Alan.
1
Alan, Consultant, Commented:
Solutions provided.
0