
Goal: export only the explicit (non-inherited) ACEs set directly on each OU, excluding Windows/AD built-in accounts and groups, so that custom delegation stands out.
Publishing the script as-is for now; a write-up of how it was developed will follow when time permits.
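<#
.SYNOPSIS
    Reports the explicit (non-inherited) ACEs on every OU under a search base,
    skipping Windows/AD built-in principals so that only custom delegation shows up.

.DESCRIPTION
    For each OU returned by Get-ADOrganizationalUnit under $SearchBase the script reads
    the object's security descriptor through the AD: PSDrive, keeps the ACEs that are set
    directly on the OU (IsInherited -eq $false) and whose trustee is not a built-in
    principal, and writes one CSV row per ACE.

    Exclusion is by EXACT account name (or by the BUILTIN\ / NT AUTHORITY\ authority
    prefix). The earlier version used '*Administrators*' / '*Users*'-style wildcards,
    which also hid custom groups such as 'Tier0-Administrators' or 'Helpdesk Users' --
    exactly the delegations an audit is meant to surface.

.NOTES
    Requires the ActiveDirectory module (RSAT) and read access to the OUs' security
    descriptors. Unresolved SIDs (orphaned ACEs) contain no '\' and never match the
    exclusion list, so they are reported.
#>

# --- Settings (defaults match the original script) -----------------------------------
$SearchBase  = 'OU=0-Admin,DC=contoso,DC=com'
$OutputFile  = 'C:\permissions\Filename.csv'
$IncludeDeny = $false   # $true also reports explicit Deny ACEs; the original dropped them,
                        # which hides part of the effective-permission picture.

# Built-in principals excluded by exact (case-insensitive) account name. sAMAccountNames are
# unique per domain and these names are reserved by Windows, so an exact match cannot hide a
# custom group the way a '*Name*' wildcard can.
$BuiltInNames = @(
    # Domain groups created with the domain.
    'Domain Admins', 'Domain Users', 'Domain Guests', 'Domain Computers',
    'Domain Controllers', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Cloneable Domain Controllers',
    'Enterprise Admins', 'Schema Admins',   # Schema Admins was missing from the original list
    'Cert Publishers', 'Group Policy Creator Owners', 'RAS and IAS Servers',
    'Allowed RODC Password Replication Group', 'Denied RODC Password Replication Group',
    'Protected Users', 'Key Admins', 'Enterprise Key Admins',
    # Groups created by server roles (DNS, DHCP, Exchange).
    'DnsAdmins', 'DnsUpdateProxy', 'DHCP Users', 'DHCP Administrators',
    'Organization Management',
    # Builtin-container groups. Normally rendered as BUILTIN\<name> and caught by the prefix
    # test below; kept here so the exclusion does not depend on how the trustee is rendered.
    'Administrators', 'Users', 'Guests', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator',
    'Pre-Windows 2000 Compatible Access', 'Remote Desktop Users',
    'Network Configuration Operators', 'Performance Monitor Users', 'Performance Log Users',
    'Distributed COM Users', 'IIS_IUSRS', 'Cryptographic Operators', 'Event Log Readers',
    'Certificate Service DCOM Access', 'RDS Remote Access Servers', 'RDS Endpoint Servers',
    'RDS Management Servers', 'Hyper-V Administrators', 'Access Control Assistance Operators',
    'Remote Management Users', 'System Managed Accounts Group',
    'Storage Replica Administrators', 'Windows Authorization Access Group',
    'Terminal Server License Servers'
)

# Product-created group families whose exact membership varies by version: Lync/Skype
# ('RTC*') and Exchange ('Exchange*'). Deliberately a PREFIX match on the account name --
# narrower than the original '*Exchange*', which would also drop e.g. 'Helpdesk-Exchange'.
$BuiltInNamePrefixes = @('RTC', 'Exchange')

# One report row per ACE. Property names are kept (including the 'IsInhereted' spelling)
# because they are the CSV column headers consumers of the file already rely on.
Class Perm {
    $OU
    $ACType
    $identityReference
    $ADRights
    $IsInhereted
}

function Test-BuiltInPrincipal {
    <#
    .SYNOPSIS
        Returns $true when an IdentityReference string denotes a Windows/AD built-in principal.
    .PARAMETER Identity
        The trustee as rendered in the ACL, e.g. 'CONTOSO\Domain Admins', 'BUILTIN\Users',
        'Everyone', or an unresolved SID such as 'S-1-5-21-...-1105'.
    #>
    param([Parameter(Mandatory)][string]$Identity)

    # Authorities whose every member is built in.
    if ($Identity -like 'BUILTIN\*' -or $Identity -like 'NT AUTHORITY\*') { return $true }

    # Well-known principals that carry no authority prefix.
    if ($Identity -in @('Everyone', 'CREATOR OWNER')) { return $true }

    # Drop the 'DOMAIN\' part; an unresolved SID has no '\' and is compared as-is.
    $name = $Identity.Split('\')[-1]
    if ($name -in $BuiltInNames) { return $true }
    foreach ($prefix in $BuiltInNamePrefixes) {
        if ($name -like "$prefix*") { return $true }
    }
    return $false
}

# --- Collection ----------------------------------------------------------------------
Import-Module ActiveDirectory -ErrorAction Stop

$ouDns = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * |
    Select-Object -ExpandProperty DistinguishedName

$report = foreach ($ouDn in $ouDns) {
    try {
        $acl = Get-Acl -Path "AD:\$ouDn" -ErrorAction Stop
    }
    catch {
        # An unreadable OU is a gap in the audit; say so instead of silently skipping it.
        Write-Warning "Could not read the ACL of '$ouDn': $($_.Exception.Message)"
        continue
    }

    foreach ($ace in $acl.Access) {
        # Boolean test instead of the original string comparison against "True".
        if ($ace.IsInherited) { continue }
        if (-not $IncludeDeny -and $ace.AccessControlType -eq 'Deny') { continue }
        if (Test-BuiltInPrincipal -Identity ([string]$ace.IdentityReference)) { continue }

        $row = [Perm]::new()
        $row.OU                = $ouDn
        $row.ACType            = $ace.AccessControlType
        $row.identityReference = $ace.IdentityReference
        $row.ADRights          = $ace.ActiveDirectoryRights
        $row.IsInhereted       = $ace.IsInherited
        $row
    }
}

# --- Output --------------------------------------------------------------------------
$outDir = Split-Path -Path $OutputFile -Parent
if ($outDir -and -not (Test-Path -LiteralPath $outDir)) {
    # The original failed outright when C:\permissions did not exist.
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
}

# Single write per run (no -Append): re-running no longer stacks duplicate rows from
# earlier runs onto the same file.
$report | Export-Csv -LiteralPath $OutputFile -NoTypeInformation
Write-Host "Wrote $(@($report).Count) explicit ACE(s) to $OutputFile"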