Public/Get-ALHADOUPermission.ps1
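<#PSScriptInfo

.VERSION 1.0.0

.GUID c731d7d1-bf89-441a-8b85-47b435ac1492

.AUTHOR Dieter Koch

.COMPANYNAME

.COPYRIGHT (c) 2021-2023 Dieter Koch

.TAGS

.LICENSEURI https://github.com/admins-little-helper/ALH/blob/main/LICENSE

.PROJECTURI https://github.com/admins-little-helper/ALH

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES
1.0.0 - Initial release
1.1.0 - Made script accept values for parameter ComputerName from pipeline.

#>


<#

.DESCRIPTION
Contains a function to query the permissions (access control entries) set on Active Directory
organizational units, resolving object-type GUIDs to their schema / extended-right names.

#>


function Get-ALHADOUPermission {
    <#
    .SYNOPSIS
    Function to query AD OU permissions.

    .DESCRIPTION
    Function to query permissions on an Active Directory (AD) Organizational Unit (OU).
    For every OU the access rules (DACL entries) of its security descriptor are returned, one object
    per access rule. The object-type and inherited-object-type GUIDs of each rule are resolved to
    readable names using the forest schema and the Extended-Rights container, so the output can be
    reviewed without a GUID lookup table.

    .PARAMETER OrganizationalUnit
    One or more distinguished names of OUs to query permissions for. Omit the parameter, or pass "*",
    to query every OU in the current domain.

    .EXAMPLE
    Get-ALHADOUPermission

    Get permissions for all OUs in current domain.

    .EXAMPLE
    Get-ALHADOUPermission -OrganizationalUnit "OU=DepartmentX,DC=company,DC=tld"

    Get permissions for a specific OU in current domain.

    .INPUTS
    System.String[] - OU distinguished names, accepted from the pipeline.

    .OUTPUTS
    PSCustomObject - one object per access rule, with the properties organizationalUnit,
    objectTypeName and inheritedObjectTypeName prepended to the access rule's own properties.
    Audit rules (SACL) are not part of the output.

    .NOTES
    Author:     Dieter Koch
    Email:      diko@admins-little-helper.de

    .LINK
    https://github.com/admins-little-helper/ALH/blob/main/Help/Get-ALHADOUPermission.txt
    #>

    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline, HelpMessage = 'Enter one or more organizational unit DNs')]
        [ValidateNotNullOrEmpty()]
        [string[]]$OrganizationalUnit
    )

    begin {
        $RequiredModules = @('ActiveDirectory')

        foreach ($RequiredModule in $RequiredModules) {
            if (-not (Get-Module -Name $RequiredModule)) {
                if (-not (Get-Module -Name $RequiredModule -ListAvailable)) {
                    # A 'break' here would only leave this loop and let the process block run without
                    # the AD provider; a missing module is a hard prerequisite, so stop the function.
                    throw "Module $RequiredModule not found. Stopping function."
                }

                Write-Verbose -Message "Importing $RequiredModule Module"
                Import-Module -Name $RequiredModule
            }
        }

        # The AD: drive is created in the global scope on purpose, so it stays available after the
        # function returns and is not re-created on every call.
        if (-not (Test-Path -Path "AD:")) {
            New-PSDrive -Name "AD" -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global
        }

        # Map of schema / extended-right GUID -> name. Errors from the two lookups are suppressed per
        # cmdlet instead of via $ErrorActionPreference, so the caller's -ErrorAction still applies to
        # the rest of the function. Duplicate GUIDs keep the first entry seen.
        $schemaIDGUID = @{}
        $rootDse = Get-ADRootDSE

        Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID -ErrorAction SilentlyContinue |
            ForEach-Object {
                $guid = [System.Guid]$_.schemaIDGUID
                if (-not $schemaIDGUID.ContainsKey($guid)) {
                    $schemaIDGUID[$guid] = $_.name
                }
            }

        Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID -ErrorAction SilentlyContinue |
            ForEach-Object {
                $guid = [System.Guid]$_.rightsGUID
                if (-not $schemaIDGUID.ContainsKey($guid)) {
                    $schemaIDGUID[$guid] = $_.name
                }
            }

        # An empty map would silently turn every objectTypeName into a raw GUID; say so, because a
        # permission review that cannot name the rights it lists is easy to misread.
        if ($schemaIDGUID.Count -eq 0) {
            Write-Warning -Message "Schema and extended-rights lookup returned no entries; object type names will be shown as GUIDs."
        }

        # Resolve an access rule's object-type GUID to a name. The all-zero GUID means the rule applies
        # to all object types; a GUID missing from the map is returned in its string form rather than
        # being dropped, so no access rule loses its type information in the output.
        function ConvertTo-TypeName {
            param ([guid]$Guid)

            if ($Guid -eq [guid]::Empty) {
                return 'All'
            }
            if ($schemaIDGUID.ContainsKey($Guid)) {
                return $schemaIDGUID[$Guid]
            }
            return $Guid.ToString()
        }
    }

    process {
        # Calling without the parameter is the documented "all OUs" case; it must not fall through to
        # an empty OU list. An explicit "*" means the same thing.
        if (-not $PSBoundParameters.ContainsKey('OrganizationalUnit') -or $OrganizationalUnit -contains '*') {
            Write-Verbose -Message "Getting all OUs in current domain..."
            $OUs = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
        }
        else {
            Write-Verbose -Message "Using OU(s) specified in parameter..."
            $OUs = $OrganizationalUnit
        }

        Write-Verbose -Message "Getting OU permissions..."

        foreach ($OU in $OUs) {
            Get-Acl -Path "AD:\$OU" |
                Select-Object -ExpandProperty Access |
                Select-Object @{ Name = 'organizationalUnit'; Expression = { $OU } },
                    @{ Name = 'objectTypeName'; Expression = { ConvertTo-TypeName -Guid $_.objectType } },
                    @{ Name = 'inheritedObjectTypeName'; Expression = { ConvertTo-TypeName -Guid $_.inheritedObjectType } },
                    *
        }
    }
}


#region EndOfScript
<#
################################################################################
################################################################################
#
#        ______           _          __   _____           _       _
#       |  ____|         | |        / _| / ____|         (_)     | |
#       | |__   _ __   __| |   ___ | |_ | (___   ___ _ __ _ _ __ | |_
#       |  __| | '_ \ / _` |  / _ \|  _| \___ \ / __| '__| | '_ \| __|
#       | |____| | | | (_| | | (_) | |   ____) | (__| |  | | |_) | |_
#       |______|_| |_|\__,_|  \___/|_|  |_____/ \___|_|  |_| .__/ \__|
#                                                            | |
#                                                            |_|
#
################################################################################
################################################################################
# created with help of http://patorjk.com/software/taag/
#>
#endregion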