Display AD Object’s security settings by identity

In the last post we looked at displaying the security settings of an AD Object – the display was grouped by Rights.

The alternative is to group by the identity holding those rights. Before, we looked at who had a particular right – now we look at what rights a particular identity holds.

## read the AD permissions set on an object
## order by identity holding the right

$ou = "OU=BlogTests,DC=Manticore,DC=org"

"`nMicrosoft"
$name = "UserA"
$dn = "cn=$name,$ou"
Get-ADObject -Identity $dn -Properties * |
select -ExpandProperty nTSecurityDescriptor |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Get-Acl -Path ad:\$dn  |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize

"`nQuest"
$name = "UserC"
Get-QADPermission -Identity $name -Inherited -SchemaDefault |
select Account, AccessControlType, Rights |
sort Account, Rights, AccessControlType  |
Format-Table -GroupBy Account -Property Rights, AccessControlType -AutoSize

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$obj = [adsi]"LDAP://$dn"
$obj.ObjectSecurity |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize


Pretty much as before – only this time we sort by identity first (Quest calls it Account) and group by that as well.
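
Grouping by identity also makes it easy to collapse each identity's ACEs into a single review row. The following is an added example, not code from the original post: the function name Get-RightsByIdentity, the sample accounts and the choice of WriteDacl/WriteOwner as the rights to flag are assumptions made for illustration, and the ACEs are constructed so the script runs without a domain.

```powershell
# Added example: one summary row per identity instead of one row per ACE.
Add-Type -AssemblyName System.DirectoryServices   # Windows only

function Get-RightsByIdentity {
    param([Parameter(Mandatory)][object[]]$Access)

    # Rights that let the holder rewrite the ACL or take ownership of the object.
    # GenericAll contains both bits. Which rights to flag is this example's choice.
    $aclOrOwner = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

    $Access | Group-Object -Property { $_.IdentityReference.Value } | ForEach-Object {
        $allow = 0; $deny = 0
        foreach ($ace in $_.Group) {
            # OR the flag values together, keeping Allow and Deny ACEs apart
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
            else                                    { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
        }
        [pscustomobject]@{
            Identity              = $_.Name
            Allow                 = [System.DirectoryServices.ActiveDirectoryRights]$allow
            Deny                  = [System.DirectoryServices.ActiveDirectoryRights]$deny
            # Raw Allow bits only: not an effective-access calculation, and
            # ObjectType / inheritance scoping of individual ACEs is ignored.
            AllowsAclOrOwnerWrite = ($allow -band $aclOrOwner) -ne 0
        }
    }
}

# Helper that builds a constructed (not real) ACE for the offline demo.
function New-SampleAce {
    param([System.Security.Principal.NTAccount]$Who,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Who, $Rights, $Type
}

# Constructed sample data; the account names are made up.
$sample = @(
    New-SampleAce 'MANTICORE\HelpDesk'    'ReadProperty'  'Allow'
    New-SampleAce 'MANTICORE\HelpDesk'    'WriteProperty' 'Allow'
    New-SampleAce 'MANTICORE\Contractors' 'WriteDacl'     'Allow'
    New-SampleAce 'MANTICORE\Contractors' 'DeleteTree'    'Deny'
    New-SampleAce 'MANTICORE\UserX'       'GenericAll'    'Allow'
)

Get-RightsByIdentity -Access $sample | Sort-Object Identity | Format-Table -AutoSize

# Against a live object, pass the same Access collection the scripts above read, e.g.
# Get-RightsByIdentity -Access (Get-Acl -Path "ad:\$dn").Access
```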
