ALH

2.3.0

Public/Get-ALHADOUPermission.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
                                <#PSScriptInfo

.VERSION 1.0.0

.GUID c731d7d1-bf89-441a-8b85-47b435ac1492

.AUTHOR Dieter Koch

.COMPANYNAME

.COPYRIGHT (c) 2021-2023 Dieter Koch

.TAGS

.LICENSEURI https://github.com/admins-little-helper/ALH/blob/main/LICENSE

.PROJECTURI https://github.com/admins-little-helper/ALH

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

1.0.0

- Initial release

1.1.0

- Made script accept values for paramter ComputerName from pipeline.

#>

<#

.DESCRIPTION

 Contains a function to query the securtiy event log for event id 4740 which is logged in case a user account gets locked out.

#>

function Get-ALHADOUPermission {

    <#

    .SYNOPSIS

    Function to query AD OU permissions.

    .DESCRIPTION

    Function to query permissions on an Active Directory (AD) Organizational Unit (OU).

    .PARAMETER -OrganizationalUnit

    One or more distinguished Names of OUs to query permissions for.

    .EXAMPLE

    Get-ALHADOUPermission

    Get permissions for all OUs in current domain.

    .EXAMPLE

    Get-ALHADOUPermission -OrganizationalUnit "OU=DepartmentX;DC=company,DC=tld"

    Get permissions for a specific OU in current domain.

    .INPUTS

    Nothing

    .OUTPUTS

    Nothing

    .NOTES

    Author:     Dieter Koch

    Email:      diko@admins-little-helper.de

    .LINK

    https://github.com/admins-little-helper/ALH/blob/main/Help/Get-ALHADOUPermission.txt

    #>

    [CmdletBinding()]

    param (

        [Parameter(ValueFromPipeline, HelpMessage = 'Enter one or more organizational unit DNs')]

        [ValidateNotNullOrEmpty()]

        [string[]]$OrganizationalUnit

    )

    begin {

        $RequiredModules = "ActiveDirectory"

        foreach ($RequiredModule in $RequiredModules) {

            if (-not [bool](Get-Module -Name $RequiredModule)) {

                if (-not [bool](Get-Module -Name $RequiredModule -ListAvailable)) {

                    Write-Warning -Message "Module $RequiredModule not found. Stopping function."

                    break

                }

                Write-Verbose -Message "Importing $RequiredModule Module"

                Import-Module ActiveDirectory

            }

        }

        if (-Not (Test-Path -Path "AD:")) {

            New-PSDrive -Name "AD" -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global

        }

        $schemaIDGUID = @{}

        #ignore duplicate errors if any#

        $ErrorActionPreference = 'SilentlyContinue'

        Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID | `

                ForEach-Object {

                $schemaIDGUID.add([System.GUID]$_.schemaIDGUID, $_.name)

            }

        Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID | `

                ForEach-Object {

                $schemaIDGUID.add([System.GUID]$_.rightsGUID, $_.name)

            }

        $ErrorActionPreference = 'Continue'

    }

    process {

        if ( $OrganizationalUnit -eq "*" ) {

            Write-Verbose -Message "Getting all OUs in current domain..."

            $OUs = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

        }

        else {

            Write-Verbose -Message "Using OU(s) specified in parameter..."

            $OUs = $OrganizationalUnit

        }

        Write-Verbose -Message "Getting OU permissions..."

        foreach ($OU in $OUs) {

            $entry = Get-Acl -Path "AD:\$OU" | `

                    Select-Object -ExpandProperty Access | `

                        Select-Object @{Name = 'organizationalUnit'; Expression = { $OU } }, `

                    @{Name = 'objectTypeName'; Expression = { if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') { 'All' } else { $schemaIDGUID.Item($_.objectType) } } }, `

                    @{Name = 'inheritedObjectTypeName'; Expression = { $schemaIDGUID.Item($_.inheritedObjectType) } }, `

                        *

            $entry

        }

    }

}

#region EndOfScript

<#

################################################################################

################################################################################

#

#        ______           _          __    _____           _       _

#       |  ____|         | |        / _|  / ____|         (_)     | |

#       | |__   _ __   __| |   ___ | |_  | (___   ___ _ __ _ _ __ | |_

#       |  __| | '_ \ / _` |  / _ \|  _|  \___ \ / __| '__| | '_ \| __|

#       | |____| | | | (_| | | (_) | |    ____) | (__| |  | | |_) | |_

#       |______|_| |_|\__,_|  \___/|_|   |_____/ \___|_|  |_| .__/ \__|

#                                                           | |

#                                                           |_|

################################################################################

################################################################################

# created with help of http://patorjk.com/software/taag/

#>

#endregion