Powershell: Permissions

Hello experts,

I need help with a script to identify users that have explicit permissions to modify objects in AD. It is a 2012 domain.

Your assistance is much appreciated.

Thanks.
Parity123Asked:
Shaun VermaakTechnical SpecialistCommented:
Does it have to be Powershell?
I would use DSACLS or CheckDSAcls
CheckDSAcls.exe /ExplicitOnly /ShowChildren

Parity123Author Commented:
I can’t seem to find checkdsacls.exe. The above switches do not work for DSACLS.
Sara TeasdaleCommented:
Here is the real way to get it to work!

Import-Module ActiveDirectory
(Get-Acl 'AD:\CN=Twon.of.An,OU=Users,DC=Contoso,DC=local').Access | Select-Object IdentityReference, AccessControlType | Out-File C:\Perms.txt

Or something like:

(Get-Acl ('AD:\' + (Get-ADUser Twon.of.An).DistinguishedName)).Access | Select-Object IdentityReference, AccessControlType | Out-File C:\Perms.txt

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx

Have you looked at Active Directory Effective Permissions - http://www.paramountdefenses.com/goldfinger-editions-006-active-directory-true-effective-permissions-tool.html

http://www.cjwdev.co.uk/Software/NtfsReports/Info.html
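Extending the Get-Acl approach above to the asker's actual requirement (every user with an explicit permission, no per-user input, suitable for a scheduled weekly run), here is an added PowerShell example that is not from the thread or from any of the posters. It assumes only the ActiveDirectory module; the report path is a placeholder and the domain is discovered with Get-ADDomain.

```powershell
# Added example, not code from the thread. Reports every user account that
# holds an explicit (non-inherited) ACE anywhere in the domain. Read-only;
# the output path is an assumption.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$report  = 'C:\Reports\ExplicitUserPerms.csv'   # assumed location

# nTSecurityDescriptor is the same ActiveDirectorySecurity object that
# Get-Acl "AD:\<DN>" returns; fetching it with the object avoids a second
# round-trip per object, which matters on a large domain.
$objects = Get-ADObject -Filter * -SearchBase $domain.DistinguishedName `
                        -Properties nTSecurityDescriptor -ResultPageSize 500

$explicit = foreach ($obj in $objects) {
    if (-not $obj.nTSecurityDescriptor) { continue }   # SD not readable
    # Inherited ACEs come from a parent OU; keep only those set on this object.
    foreach ($ace in $obj.nTSecurityDescriptor.Access | Where-Object { -not $_.IsInherited }) {
        [pscustomobject]@{
            ObjectDN              = $obj.DistinguishedName
            IdentityReference     = $ace.IdentityReference.Value
            AccessControlType     = $ace.AccessControlType
            ActiveDirectoryRights = $ace.ActiveDirectoryRights
        }
    }
}

# Resolve each distinct trustee once. Only same-domain principals that resolve
# to a user object survive; groups, computers, BUILTIN\*, NT AUTHORITY\* and
# unresolved SIDs are dropped, which is what shrinks thousands of rows to users.
$isUser = @{}
$userRows = $explicit | Where-Object {
    $id = $_.IdentityReference
    if (-not $isUser.ContainsKey($id)) {
        $isUser[$id] = $false
        if ($id -like "$netbios\*") {
            try {
                $isUser[$id] = $null -ne (Get-ADUser -Identity $id.Split('\')[-1])
            } catch { }   # not a user (group, computer, or no longer exists)
        }
    }
    $isUser[$id]
}

$userRows | Sort-Object IdentityReference, ObjectDN |
    Export-Csv -Path $report -NoTypeInformation -Encoding UTF8

# The short list the asker wanted: distinct users, one per line.
$userRows.IdentityReference | Sort-Object -Unique
```

Run it from a scheduled task under an account that can read security descriptors domain-wide; the CSV keeps the per-object rows for review while the final line gives the distinct user list.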
Parity123Author Commented:
I don’t want to pass a username, instead get all users that have explicit permissions.
Shaun VermaakTechnical SpecialistCommented:
Get CheckDSAcls.exe here. It is not part of the OS.
https://archive.codeplex.com/?p=activedirectoryutils
Parity123Author Commented:
Shaun- I downloaded the archive, I only see the source code (CS file), but no .exe.
Shaun VermaakTechnical SpecialistCommented:
Parity123Author Commented:
Shaun - It creates a huge file as we have a large domain with thousands of groups. I am interested in just the user accounts that have been granted explicit permissions.
Shaun VermaakTechnical SpecialistCommented:
This only shows explicit permissions
CheckDSAcls.exe /ExplicitOnly /ShowChildren

Parity123Author Commented:
That's what I ran.
Shaun VermaakTechnical SpecialistCommented:
Then you have explicit permissions all over
Parity123Author Commented:
It lists all the thousands of groups, one line for each right. I may have only 50+ users, so I just needed the user list.
Parity123Author Commented:
I may have only 50+ users with explicit permissions set, and I want to just get this list.
AlanConsultantCommented:
Hi Parity123,

I would import the output of the CheckDSAcls command into, say, Excel, and sort it there to show you only the fifty or so users.

You could fiddle with this for ages, but sometimes a quick and dirty is the easiest answer, especially if this is a one-off thing.


Hope that helps,

Alan.
Parity123Author Commented:
Is there a better way to get this info using PowerShell? I need to automate this and send a report weekly.
Shaun VermaakTechnical SpecialistCommented:
It lists all the thousands of groups, one line for each right. I may have only 50+ users, so I just needed the user list.
Yes, because you have thousands of explicit permissions. If you want users only, filter the list after running the export, with Excel etc.
Parity123Author Commented:
I need to find a way to automate this. A manual method will not work in this case.
Shaun VermaakTechnical SpecialistCommented:
Simply parse the result with PowerShell then; it is a CSV.

Post a segment if you need help
AlanConsultantCommented:
Hi,

Still sounds like you would be best to automate it with Excel (say).

After you've done it once, then you just run the report, let Excel do its thing automatically, and you have your report with no additional effort.

You could even run it all out of Excel including the PS if you wanted to, and then have Excel drop the report into a network folder or wherever you need to file it.

I think Shaun has answered the question though - we are going in circles now.

Alan.
AlanConsultantCommented:
Solutions provided.