Display AD Object’s security settings by identity

In the last post we looked at displaying the security settings of an AD Object – the display was grouped by Rights.

The alternative is to group by the identity holding those rights. Before, we looked at who had a particular right – now we look at what rights a particular identity holds.

## read the AD permissions set on an object
## order by identity holding the right

$ou = "OU=BlogTests,DC=Manticore,DC=org"

## Microsoft AD cmdlets: only the security descriptor is needed, so request just that property
"`nMicrosoft"
$name = "UserA"
$dn = "cn=$name,$ou"
Get-ADObject -Identity $dn -Properties nTSecurityDescriptor |
select -ExpandProperty nTSecurityDescriptor |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize

## AD provider: Get-Acl against the AD: drive
"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Get-Acl -Path ad:\$dn  |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize

## Quest cmdlets: the identity is called Account and the rights are in Rights
"`nQuest"
$name = "UserC"
Get-QADPermission -Identity $name -Inherited -SchemaDefault |
select Account, AccessControlType, Rights |
sort Account, Rights, AccessControlType  |
Format-Table -GroupBy Account -Property Rights, AccessControlType -AutoSize

## Script: [adsi] accelerator, no extra modules required
"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$obj = [adsi]"LDAP://$dn"
$obj.ObjectSecurity |
select -ExpandProperty Access |
sort IdentityReference, ActiveDirectoryRights, AccessControlType  -Descending |
Format-Table -GroupBy IdentityReference -Property ActiveDirectoryRights, AccessControlType -AutoSize

Pretty much as before – only this time we sort by identity first (Quest call it Account) and group by that as well.
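
The grouped tables above still print one row per ACE. The following is an added example, not part of the original post, that goes one step further and collapses the Access collection to a single row per identity, separating Allow from Deny and marking rights worth a closer look during a permissions review. The function name, the review list, the NetBIOS name MANTICORE, the HelpDesk group and the sample ACEs are all assumptions constructed for illustration.

```powershell
# Added example: one summary row per identity from an object's Access collection.
function Get-AceSummaryByIdentity {
    param(
        [Parameter(Mandatory)] [object[]] $Access,
        # Rights flagged for review; this list is an assumption, adjust it to local policy
        [string[]] $ReviewRights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner')
    )
    $Access | Group-Object { "$($_.IdentityReference)" } | ForEach-Object {
        $allow = @(); $deny = @()
        foreach ($ace in $_.Group) {
            # ActiveDirectoryRights is a flags enum; its string form is "A, B, C"
            $rights = "$($ace.ActiveDirectoryRights)" -split ',\s*'
            if ("$($ace.AccessControlType)" -eq 'Deny') { $deny += $rights }
            else { $allow += $rights }
        }
        $allow = @($allow | Sort-Object -Unique)
        $deny  = @($deny  | Sort-Object -Unique)
        [pscustomobject]@{
            Identity = $_.Name
            Allow    = $allow -join ', '
            Deny     = $deny -join ', '
            # Number of ACEs set directly on the object rather than inherited
            Explicit = @($_.Group | Where-Object { -not $_.IsInherited }).Count
            Review   = @($allow | Where-Object { $_ -in $ReviewRights }) -join ', '
        }
    } | Sort-Object Identity
}

# Constructed sample ACEs with the same property names as the real Access entries,
# so the example runs without a domain. Replace with (Get-Acl -Path ad:\$dn).Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'MANTICORE\Domain Admins'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF'; ActiveDirectoryRights = 'ReadProperty, WriteProperty'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'MANTICORE\HelpDesk'; ActiveDirectoryRights = 'ExtendedRight'
                       AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'MANTICORE\HelpDesk'; ActiveDirectoryRights = 'WriteDacl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'MANTICORE\HelpDesk'; ActiveDirectoryRights = 'DeleteTree'
                       AccessControlType = 'Deny'; IsInherited = $false }
)

Get-AceSummaryByIdentity -Access $sample | Format-Table -AutoSize -Wrap
```

The same function accepts the output of any of the Access-based methods above; the Quest output uses Account and Rights instead, so it would need those property names mapped first.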
