Public/Get-ALHADOUPermission.ps1

<#PSScriptInfo
 
.VERSION 1.0.0
 
.GUID c731d7d1-bf89-441a-8b85-47b435ac1492
 
.AUTHOR Dieter Koch
 
.COMPANYNAME
 
.COPYRIGHT (c) 2021-2023 Dieter Koch
 
.TAGS
 
.LICENSEURI https://github.com/admins-little-helper/ALH/blob/main/LICENSE
 
.PROJECTURI https://github.com/admins-little-helper/ALH
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
1.0.0
- Initial release
 
1.1.0
- Made script accept values for parameter ComputerName from pipeline.
 
#>



<#
 
.DESCRIPTION
 Contains a function to query the security event log for event id 4740, which is logged in case a user account gets locked out.
 
#>



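function Get-ALHADOUPermission {
    <#
    .SYNOPSIS
    Function to query AD OU permissions.

    .DESCRIPTION
    Function to query permissions on an Active Directory (AD) Organizational Unit (OU).
    For every access control entry (ACE) in an OU's access list one object is returned that carries
    the OU distinguished name, the display names resolved for the ACE's ObjectType and
    InheritedObjectType GUIDs, and all properties of the underlying access rule.
    If the security descriptor of an OU cannot be read, Get-Acl reports an error for that OU and
    the OU yields no entries.

    .PARAMETER OrganizationalUnit
    One or more distinguished names of OUs to query permissions for. The default value '*' queries
    all OUs in the current domain.

    .EXAMPLE
    Get-ALHADOUPermission

    Get permissions for all OUs in current domain.

    .EXAMPLE
    Get-ALHADOUPermission -OrganizationalUnit "OU=DepartmentX,DC=company,DC=tld"

    Get permissions for a specific OU in current domain.

    .EXAMPLE
    Get-ADOrganizationalUnit -Filter 'Name -like "Admin*"' | Select-Object -ExpandProperty DistinguishedName | Get-ALHADOUPermission

    Get permissions for OUs whose distinguished names are passed via the pipeline.

    .INPUTS
    System.String[]

    .OUTPUTS
    System.Management.Automation.PSCustomObject

    .NOTES
    Author: Dieter Koch
    Email: diko@admins-little-helper.de

    .LINK
    https://github.com/admins-little-helper/ALH/blob/main/Help/Get-ALHADOUPermission.txt
    #>


    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline, HelpMessage = 'Enter one or more organizational unit DNs')]
        [ValidateNotNullOrEmpty()]
        # Default '*' makes the parameterless call enumerate all OUs, as the first example promises;
        # without it $OrganizationalUnit is $null and nothing would be processed.
        [string[]]$OrganizationalUnit = '*'
    )

    begin {
        $RequiredModules = @('ActiveDirectory')

        foreach ($RequiredModule in $RequiredModules) {
            if (-not (Get-Module -Name $RequiredModule)) {
                if (-not (Get-Module -Name $RequiredModule -ListAvailable)) {
                    # A 'break' here would only leave the foreach and let the process block run
                    # without the module; a terminating error actually stops the function.
                    throw "Module $RequiredModule not found. Stopping function."
                }

                Write-Verbose -Message "Importing $RequiredModule Module"
                Import-Module -Name $RequiredModule
            }
        }

        # Get-Acl works against the AD: provider drive, which is created globally so later calls
        # can reuse it. The PSDriveInfo object New-PSDrive returns is discarded so that it does
        # not leak into this function's output stream.
        if (-not (Test-Path -Path "AD:")) {
            $null = New-PSDrive -Name "AD" -PSProvider ActiveDirectory -Root "//RootDSE/" -Scope Global
        }

        # Build a GUID -> display name map from schema classes/attributes and extended rights, so
        # ACE ObjectType / InheritedObjectType GUIDs can be shown as readable names.
        $RootDSE = Get-ADRootDSE
        $schemaIDGUID = @{}

        # Indexer assignment tolerates duplicate GUIDs (last one wins) instead of throwing like
        # Hashtable.Add(), so no $ErrorActionPreference juggling is needed and the caller's
        # -ErrorAction setting stays in effect for the AD queries.
        Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
            ForEach-Object {
                $schemaIDGUID[[System.Guid]$_.schemaIDGUID] = $_.name
            }

        Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
            ForEach-Object {
                $schemaIDGUID[[System.Guid]$_.rightsGUID] = $_.name
            }
    }

    process {
        # -contains handles the [string[]] parameter explicitly; the plain -eq comparison returned
        # an array of matches, which only worked by accident of truthiness.
        if (-not $OrganizationalUnit -or $OrganizationalUnit -contains '*') {
            Write-Verbose -Message "Getting all OUs in current domain..."
            $OUs = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
        }
        else {
            Write-Verbose -Message "Using OU(s) specified in parameter..."
            $OUs = $OrganizationalUnit
        }

        Write-Verbose -Message "Getting OU permissions..."
        foreach ($OU in $OUs) {
            # An empty ObjectType GUID means the ACE applies to all object types / properties.
            Get-Acl -Path "AD:\$OU" |
                Select-Object -ExpandProperty Access |
                Select-Object @{Name = 'organizationalUnit'; Expression = { $OU } },
                    @{Name = 'objectTypeName'; Expression = { if ($_.ObjectType -eq [System.Guid]::Empty) { 'All' } else { $schemaIDGUID[$_.ObjectType] } } },
                    @{Name = 'inheritedObjectTypeName'; Expression = { $schemaIDGUID[$_.InheritedObjectType] } },
                    *
        }
    }
}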

#region EndOfScript
<#
################################################################################
################################################################################
#
# ______ _ __ _____ _ _
# | ____| | | / _| / ____| (_) | |
# | |__ _ __ __| | ___ | |_ | (___ ___ _ __ _ _ __ | |_
# | __| | '_ \ / _` | / _ \| _| \___ \ / __| '__| | '_ \| __|
# | |____| | | | (_| | | (_) | | ____) | (__| | | | |_) | |_
# |______|_| |_|\__,_| \___/|_| |_____/ \___|_| |_| .__/ \__|
# | |
# |_|
################################################################################
################################################################################
# created with help of http://patorjk.com/software/taag/
#>

#endregion