OUs and ACLs

Condition: Extract only non-inherited ACLs excluding all built-in accounts and groups

Just publishing the script for now, will write more about the journey later in some free time.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Class Perm
{
$OU
$ACType
$identityReference
$ADRights
$IsInhereted
}
Import-Module ActiveDirectory

$OUs = (Get-ADgroup -SearchBase "OU=0-Admin,DC=contoso,DC=com" -Filter *).DistinguishedName
foreach ($OU in $OUs)
{

$CN = $OU.canonicalname
$ACLs = (Get-Acl -Path "ad:\$OU").Access | ? { (($_.AccessControlType -ne "Deny") -and ($_.IdentityReference -ne "Everyone") ) -and (($_.IsInherited -ne "True")) -and ((($_.IdentityReference -notlike "BUILTIN*") -and ($_.IdentityReference -notlike "*NT AUTHORITY*") -and ($_.IdentityReference -notlike "contoso\RTC*") -and ($_.IdentityReference -notlike "*Exchange*") -and ($_.IdentityReference -notlike "*Network Configuration Operators*") -and ($_.IdentityReference -notlike "*Cryptographic Operators*") -and ($_.IdentityReference -notlike "*Certificate Service DCOM Access*") -and ($_.IdentityReference -notlike "*Performance Monitor Users*") -and ($_.IdentityReference -notlike "*Remote Desktop Users*") -and ($_.IdentityReference -notlike "*Backup Operators*") -and ($_.IdentityReference -notlike "*IIS_IUSRS*") -and ($_.IdentityReference -notlike "*Server Operators*") -and ($_.IdentityReference -notlike "*Guests*") -and ($_.IdentityReference -notlike "*Users*") -and ($_.IdentityReference -notlike "*Account Operators*") -and ($_.IdentityReference -notlike "*Windows Authorization Access Group*") -and ($_.IdentityReference -notlike "*Terminal Server License Servers*") -and ($_.IdentityReference -notlike "*Replicator*") -and ($_.IdentityReference -notlike "*Distributed COM Users*") -and ($_.IdentityReference -notlike "*Print Operators*") -and ($_.IdentityReference -notlike "*Pre-Windows 2000 Compatible Access*") -and ($_.IdentityReference -notlike "*Administrators*") -and ($_.IdentityReference -notlike "*RDS Remote Access Servers*") -and ($_.IdentityReference -notlike "*RDS Management Servers*") -and ($_.IdentityReference -notlike "*Hyper-V Administrators*") -and ($_.IdentityReference -notlike "*Access Control Assistance Operators*") -and ($_.IdentityReference -notlike "*Remote Management Users*") -and ($_.IdentityReference -notlike "*Storage Replica Administrators*") -and ($_.IdentityReference -notlike "*System Managed Accounts Group*") -and ($_.IdentityReference -notlike "*Performance Log Users*") -and ($_.IdentityReference -notlike "*Event Log Readers*") -and ($_.IdentityReference -notlike "*RDS Endpoint Servers*") -and ($_.IdentityReference -notlike "*Allowed RODC Password Replication Group*") -and ($_.IdentityReference -notlike "*Domain Guests*") -and ($_.IdentityReference -notlike "*Domain Admins*") -and ($_.IdentityReference -notlike "*DnsAdmins*") -and ($_.IdentityReference -notlike "*Cert Publishers*") -and ($_.IdentityReference -notlike "*Domain Users*") -and ($_.IdentityReference -notlike "*Group Policy Creator Owners*") -and ($_.IdentityReference -notlike "*RAS and IAS Servers*") -and ($_.IdentityReference -notlike "*Denied RODC Password Replication Group*") -and ($_.IdentityReference -notlike "*Cloneable Domain Controllers*") -and ($_.IdentityReference -notlike "*Protected Users*") -and ($_.IdentityReference -notlike "*Key Admins*") -and ($_.IdentityReference -notlike "*DnsUpdateProxy*") -and ($_.IdentityReference -notlike "*Domain Controllers*") -and ($_.IdentityReference -notlike "*DHCP Users*") -and ($_.IdentityReference -notlike "*Read-only Domain Controllers*") -and ($_.IdentityReference -notlike "*DHCP Administrators*") -and ($_.IdentityReference -notlike "*Domain Computers*") -and ($_.IdentityReference -notlike "*Enterprise Read-only Domain Controllers*") -and ($_.IdentityReference -notlike "Creator owner") -and ($_.IdentityReference -notlike "*Organization Management*") -and  ($_.IdentityReference -ne "Contoso\Enterprise Admins") )) } | select *
foreach ($ACL in $ACLs)
{
    $obj = New-Object Perm
    $obj.ou = $OU
    $obj.ACType = $ACL.AccessControlType
    $obj.identityReference = $ACL.IdentityReference
    $obj.ADRights = $ACL.ActiveDirectoryRights
    $obj.IsInhereted = $ACL.IsInherited
   
    $obj | Export-Csv "C:\permissions\Filename.csv" -Append -NoTypeInformation
}
}

Be the first to comment

Leave a Reply

Your email address will not be published.


*