Public/Get-ALHADOUPermission.ps1
<#PSScriptInfo
.VERSION 1.0.0 .GUID c731d7d1-bf89-441a-8b85-47b435ac1492 .AUTHOR Dieter Koch .COMPANYNAME .COPYRIGHT (c) 2021-2023 Dieter Koch .TAGS .LICENSEURI https://github.com/admins-little-helper/ALH/blob/main/LICENSE .PROJECTURI https://github.com/admins-little-helper/ALH .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES 1.0.0 - Initial release 1.1.0 - Made script accept values for paramter ComputerName from pipeline. #> <# .DESCRIPTION Contains a function to query the securtiy event log for event id 4740 which is logged in case a user account gets locked out. #> function Get-ALHADOUPermission { <# .SYNOPSIS Function to query AD OU permissions. .DESCRIPTION Function to query permissions on an Active Directory (AD) Organizational Unit (OU). .PARAMETER -OrganizationalUnit One or more distinguished Names of OUs to query permissions for. .EXAMPLE Get-ALHADOUPermission Get permissions for all OUs in current domain. .EXAMPLE Get-ALHADOUPermission -OrganizationalUnit "OU=DepartmentX;DC=company,DC=tld" Get permissions for a specific OU in current domain. .INPUTS Nothing .OUTPUTS Nothing .NOTES Author: Dieter Koch Email: diko@admins-little-helper.de .LINK https://github.com/admins-little-helper/ALH/blob/main/Help/Get-ALHADOUPermission.txt #> [CmdletBinding()] param ( [Parameter(ValueFromPipeline, HelpMessage = 'Enter one or more organizational unit DNs')] [ValidateNotNullOrEmpty()] [string[]]$OrganizationalUnit ) begin { $RequiredModules = "ActiveDirectory" foreach ($RequiredModule in $RequiredModules) { if (-not [bool](Get-Module -Name $RequiredModule)) { if (-not [bool](Get-Module -Name $RequiredModule -ListAvailable)) { Write-Warning -Message "Module $RequiredModule not found. Stopping function." break } Write-Verbose -Message "Importing $RequiredModule Module" Import-Module ActiveDirectory } } if (-Not (Test-Path -Path "AD:")) { New-PSDrive -Name "AD" -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global } $schemaIDGUID = @{} #ignore duplicate errors if any# $ErrorActionPreference = 'SilentlyContinue' Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID | ` ForEach-Object { $schemaIDGUID.add([System.GUID]$_.schemaIDGUID, $_.name) } Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID | ` ForEach-Object { $schemaIDGUID.add([System.GUID]$_.rightsGUID, $_.name) } $ErrorActionPreference = 'Continue' } process { if ( $OrganizationalUnit -eq "*" ) { Write-Verbose -Message "Getting all OUs in current domain..." $OUs = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName } else { Write-Verbose -Message "Using OU(s) specified in parameter..." $OUs = $OrganizationalUnit } Write-Verbose -Message "Getting OU permissions..." foreach ($OU in $OUs) { $entry = Get-Acl -Path "AD:\$OU" | ` Select-Object -ExpandProperty Access | ` Select-Object @{Name = 'organizationalUnit'; Expression = { $OU } }, ` @{Name = 'objectTypeName'; Expression = { if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') { 'All' } else { $schemaIDGUID.Item($_.objectType) } } }, ` @{Name = 'inheritedObjectTypeName'; Expression = { $schemaIDGUID.Item($_.inheritedObjectType) } }, ` * $entry } } } #region EndOfScript <# ################################################################################ ################################################################################ # # ______ _ __ _____ _ _ # | ____| | | / _| / ____| (_) | | # | |__ _ __ __| | ___ | |_ | (___ ___ _ __ _ _ __ | |_ # | __| | '_ \ / _` | / _ \| _| \___ \ / __| '__| | '_ \| __| # | |____| | | | (_| | | (_) | | ____) | (__| | | | |_) | |_ # |______|_| |_|\__,_| \___/|_| |_____/ \___|_| |_| .__/ \__| # | | # |_| ################################################################################ ################################################################################ # created with help of http://patorjk.com/software/taag/ #> #endregion |