
Reading the security settings on an AD Object

Posted: March 12, 2012

Ed Wilson, the Microsoft Scripting Guy, is one of the people in the PowerShell community that I most respect. Today he posted something on reading the security settings on an AD object.

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx

I had vaguely thought about doing something on object security for my AD series but hadn’t got round to it. Ed’s post gave me the base to work from. So, in the best traditions of the PowerShell community, I’ll take Ed’s post, which showed how to use the Microsoft AD provider and cmdlets to access the security settings, change it round a bit, and add the Quest cmdlet and script options.

## read the AD permissions set on an object
## order by Right

$ou = "OU=BlogTests,DC=Manticore,DC=org"

## Microsoft AD cmdlet: the ACL is held in the nTSecurityDescriptor property,
## which is not returned by default, so it has to be requested and then expanded
"`nMicrosoft"
$name = "UserA"
$dn = "cn=$name,$ou"
Get-ADObject -Identity $dn -Properties * |
select -ExpandProperty nTSecurityDescriptor |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

## AD provider: Get-Acl against the AD: drive returns the same security descriptor
"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Get-Acl -Path ad:\$dn |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

## Quest cmdlets: without -Inherited and -SchemaDefault only the ACEs set
## directly on the object are returned, which is often nothing at all
"`nQuest"
$name = "UserC"
Get-QADPermission -Identity $name -Inherited -SchemaDefault |
select Account, AccessControlType, Rights |
sort Rights, AccessControlType, Account |
Format-Table -GroupBy Rights -Property Account, AccessControlType -AutoSize

## Script: bind to the object with ADSI and read its ObjectSecurity
"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$obj = [adsi]"LDAP://$dn"
$obj.ObjectSecurity |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

The Quest cmdlets stand out because they provide a dedicated Get-QADPermission cmdlet. There are also Add-QADPermission and Remove-QADPermission, but those are for another day. The -Inherited and -SchemaDefault parameters are needed; without them all we get is what is set directly on the object, which is often nothing. I’ve selected the properties I want, sorted by the Rights that are set, and displayed the result using -GroupBy to format the report.

The Microsoft cmdlet, the script and the provider all get the object and then work through its Access property to display the rights. The Microsoft cmdlet needs an extra step to expand nTSecurityDescriptor first, because I’m working with the generic object cmdlet rather than the user object as in Ed’s post.
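As an added example that is not part of the original post, the following uses the Microsoft cmdlet route to turn the Access entries into one row per ACE, marking which entries are set directly on the object and which are inherited from its containers (the distinction the Quest -Inherited switch is there for), so the report can be sorted, grouped or kept as a baseline. The OU is the post’s sample OU; the account name and CSV path are assumed values.

```powershell
## Added example, not from the original post or Ed's: per-ACE report for an AD object
Import-Module ActiveDirectory

function Get-ADObjectAceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Ask only for the security descriptor rather than -Properties *
    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor
    $sd  = $obj.nTSecurityDescriptor

    # AreAccessRulesProtected is true when inheritance is blocked on this object,
    # which is the usual reason its ACL differs from the rest of the OU
    Write-Verbose ("{0}: owner={1} inheritanceBlocked={2}" -f $obj.DistinguishedName, $sd.Owner, $sd.AreAccessRulesProtected)

    foreach ($ace in $sd.Access) {
        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            # Explicit entries are the ones somebody set on this object directly
            Source      = $(if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' })
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            # An all-zero GUID means the ACE applies to the whole object;
            # otherwise it names one attribute, property set or extended right
            ObjectType  = $ace.ObjectType
            Inheritance = $ace.InheritanceType
        }
    }
}

$ou   = "OU=BlogTests,DC=Manticore,DC=org"
$name = "UserE"                      # assumed sample account
$dn   = "cn=$name,$ou"

$report = Get-ADObjectAceReport -DistinguishedName $dn -Verbose

# Explicit entries grouped first, then the inherited ones
$report | Sort-Object Source, Rights, Identity |
    Format-Table -GroupBy Source -Property Identity, Type, Rights, ObjectType -AutoSize

# Keep a copy so a later run can be compared against it with Compare-Object
$report | Export-Csv -Path "$env:TEMP\${name}-acl.csv" -NoTypeInformation
```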

So thanks to Ed again for making me think about this, and enjoy.

Filed under: PowerShell and Active Directory