ALH

2.3.0

Public/Get-ALHADOUPermission.ps1

                                <#PSScriptInfo

.VERSION 1.0.0

.GUID c731d7d1-bf89-441a-8b85-47b435ac1492

.AUTHOR Dieter Koch

.COMPANYNAME

.COPYRIGHT (c) 2021-2023 Dieter Koch

.TAGS

.LICENSEURI https://github.com/admins-little-helper/ALH/blob/main/LICENSE

.PROJECTURI https://github.com/admins-little-helper/ALH

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

1.0.0

- Initial release

1.1.0

- Made script accept values for paramter ComputerName from pipeline.

#>

<#

.DESCRIPTION

 Contains a function to query the securtiy event log for event id 4740 which is logged in case a user account gets locked out.

#>

function Get-ALHADOUPermission {

    <#

    .SYNOPSIS

    Function to query AD OU permissions.

    .DESCRIPTION

    Function to query permissions on an Active Directory (AD) Organizational Unit (OU).

    .PARAMETER -OrganizationalUnit

    One or more distinguished Names of OUs to query permissions for.

    .EXAMPLE

    Get-ALHADOUPermission

    Get permissions for all OUs in current domain.

    .EXAMPLE

    Get-ALHADOUPermission -OrganizationalUnit "OU=DepartmentX;DC=company,DC=tld"

    Get permissions for a specific OU in current domain.

    .INPUTS

    Nothing

    .OUTPUTS

    Nothing

    .NOTES

    Author:     Dieter Koch

    Email:      diko@admins-little-helper.de

    .LINK

    https://github.com/admins-little-helper/ALH/blob/main/Help/Get-ALHADOUPermission.txt

    #>

    [CmdletBinding()]

    param (

        [Parameter(ValueFromPipeline, HelpMessage = 'Enter one or more organizational unit DNs')]

        [ValidateNotNullOrEmpty()]

        [string[]]$OrganizationalUnit

    )

    begin {

        $RequiredModules = "ActiveDirectory"

        foreach ($RequiredModule in $RequiredModules) {

            if (-not [bool](Get-Module -Name $RequiredModule)) {

                if (-not [bool](Get-Module -Name $RequiredModule -ListAvailable)) {

                    Write-Warning -Message "Module $RequiredModule not found. Stopping function."

                    break

                }

                Write-Verbose -Message "Importing $RequiredModule Module"

                Import-Module ActiveDirectory

            }

        }

        if (-Not (Test-Path -Path "AD:")) {

            New-PSDrive -Name "AD" -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global

        }

        $schemaIDGUID = @{}

        #ignore duplicate errors if any#

        $ErrorActionPreference = 'SilentlyContinue'

        Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID | `

                ForEach-Object {

                $schemaIDGUID.add([System.GUID]$_.schemaIDGUID, $_.name)

            }

        Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID | `

                ForEach-Object {

                $schemaIDGUID.add([System.GUID]$_.rightsGUID, $_.name)

            }

        $ErrorActionPreference = 'Continue'

    }

    process {

        if ( $OrganizationalUnit -eq "*" ) {

            Write-Verbose -Message "Getting all OUs in current domain..."

            $OUs = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

        }

        else {

            Write-Verbose -Message "Using OU(s) specified in parameter..."

            $OUs = $OrganizationalUnit

        }

        Write-Verbose -Message "Getting OU permissions..."

        foreach ($OU in $OUs) {

            $entry = Get-Acl -Path "AD:\$OU" | `

                    Select-Object -ExpandProperty Access | `

                        Select-Object @{Name = 'organizationalUnit'; Expression = { $OU } }, `

                    @{Name = 'objectTypeName'; Expression = { if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') { 'All' } else { $schemaIDGUID.Item($_.objectType) } } }, `

                    @{Name = 'inheritedObjectTypeName'; Expression = { $schemaIDGUID.Item($_.inheritedObjectType) } }, `

                        *

            $entry

        }

    }

}

#region EndOfScript

<#

################################################################################

################################################################################

#

#        ______           _          __    _____           _       _

#       |  ____|         | |        / _|  / ____|         (_)     | |

#       | |__   _ __   __| |   ___ | |_  | (___   ___ _ __ _ _ __ | |_

#       |  __| | '_ \ / _` |  / _ \|  _|  \___ \ / __| '__| | '_ \| __|

#       | |____| | | | (_| | | (_) | |    ____) | (__| |  | | |_) | |_

#       |______|_| |_|\__,_|  \___/|_|   |_____/ \___|_|  |_| .__/ \__|

#                                                           | |

#                                                           |_|

################################################################################

################################################################################

# created with help of http://patorjk.com/software/taag/

#>

#endregion