Reading the security settings on an AD Object

Ed Wilson, the Microsoft Scripting Guy, is one of the people in the PowerShell community that I most respect. Today he posted something on reading the security settings on an AD object.

http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx

I had vaguely thought about doing something on object security for my AD series but hadn’t got round to it. Ed’s post gave me the base to work from. So, in the best traditions of the PowerShell community, I’ll take Ed’s post which showed how to use the Microsoft AD provider and cmdlets to access the security settings – change it round a bit and add the Quest cmdlets and script options.

```powershell
## read the AD permissions set on an object
## order by Right

$ou = "OU=BlogTests,DC=Manticore,DC=org"

"`nMicrosoft"
$name = "UserA"
$dn = "cn=$name,$ou"
# Get-ADObject returns the security descriptor in nTSecurityDescriptor; its Access property holds the ACEs
Get-ADObject -Identity $dn -Properties * |
select -ExpandProperty nTSecurityDescriptor |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
# the AD: drive exposed by the ActiveDirectory module lets Get-Acl read the descriptor directly
Get-Acl -Path "ad:\$dn" |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

"`nQuest"
$name = "UserC"
# without -Inherited and -SchemaDefault only the ACEs set directly on the object are returned
Get-QADPermission -Identity $name -Inherited -SchemaDefault |
select Account, AccessControlType, Rights |
sort Rights, AccessControlType, Account |
Format-Table -GroupBy Rights -Property Account, AccessControlType -AutoSize

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
# ADSI: the DirectoryEntry's ObjectSecurity property is the same ActiveDirectorySecurity object
$obj = [adsi]"LDAP://$dn"
$obj.ObjectSecurity |
select -ExpandProperty Access |
sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize
```

The Quest cmdlet is the standout because we have a Get-QADPermission cmdlet. We also have Add- and Remove-QADPermission, but they are for another day. We need to use the -Inherited and -SchemaDefault parameters, otherwise all we get is what is set directly on the object, which is often nothing. I've selected the properties I want, sorted by the Rights that are set, and displayed the result using -GroupBy to format the report.

The Microsoft cmdlet, script and provider get the object and then work through the Access property to display the rights. The Microsoft cmdlet needs another step to work through the nTSecurityDescriptor because I'm working with the object cmdlet rather than the user object in Ed's post.
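The four approaches above all end up at the same Access collection of ActiveDirectoryAccessRule entries. As an added example (not from the original post or Ed's), here is a function that walks that collection via the AD: provider and reports, for each ACE, whether it is explicit or inherited, whether it covers the whole object or a single attribute/extended right, and whether it carries one of the rights a reviewer usually wants to see first. The function name, the $RightsOfInterest default list and the sample DN are assumptions; the ActiveDirectory module must be loaded.

```powershell
# Added example (not the post's code): per-ACE report for one AD object.
function Get-ObjectAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Rights worth highlighting in a review; edit to suit your environment (assumption)
        [string[]]$RightsOfInterest = @('GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite')
    )
    # Same ActiveDirectorySecurity object the post reads with Get-Acl ad:\$dn
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # ActiveDirectoryRights is a [Flags] enum; split its rendering so each flag can be tested on its own
        $flags = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Inherited   = $ace.IsInherited          # $false = set directly on this object
            # An empty ObjectType GUID means the ACE applies to the object as a whole,
            # not to one attribute, property set or extended right
            WholeObject = ($ace.ObjectType -eq [guid]::Empty)
            Flagged     = [bool]($flags | Where-Object { $_ -in $RightsOfInterest })
            Owner       = $acl.Owner                # owner can always rewrite the DACL
        }
    }
}

# Sample call using the post's test OU (constructed; adjust the DN for your domain)
Get-ObjectAceReport -DistinguishedName 'cn=UserA,OU=BlogTests,DC=Manticore,DC=org' |
    Sort-Object Flagged, Inherited -Descending |
    Format-Table Identity, Type, Rights, Inherited, WholeObject, Flagged -AutoSize
```

Explicit (non-inherited) entries that are flagged and apply to the whole object are the ones to reconcile first against your delegation model, since they are not explained by an OU-level delegation or the schema defaults.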

So thanks to Ed again for making me think about this. Enjoy!

This entry was posted in PowerShell and Active Directory.