diff --git a/ActiveDirectory/Get-ADPermissionsReport.ps1 b/ActiveDirectory/Get-ADPermissionsReport.ps1 new file mode 100644 index 0000000..c2436f5 --- /dev/null +++ b/ActiveDirectory/Get-ADPermissionsReport.ps1 @@ -0,0 +1,65 @@ +##requires -version 5.1 +##requires -modules activedirectory + +<# + .SYNOPSIS + Get CSV Report about all Permisions in Active Directory + .DESCRIPTION + Get CSV Report about all Permisions in Active Directory + .PARAMETER showresult + Shows permissions as Shell output - not recommended + .PARAMETER Export + Activate CSV Export + .PARAMETER Exportpath + Path to CSV file for Export, default: "C:\Temp\$(Get-Date -Format "yyyyMMdd-HHmm")-ADPermissionReport.csv" + .EXAMPLE + Shows permissions as Shell output - not recommended + get-ADPermisionReport.ps1 -showresult + .EXAMPLE + Export report as CSV to c:\temp\ifhpermissionreport.csv + get-ADPermisionReport.ps1 -export -ExportFile c:\temp\ifhpermissionreport.csv + .INPUTS + Keine. + .OUTPUTS + Keine. + .NOTES + Author : Fabian Niesen + Filename : get-ADPermisionReport.ps1 + Requires : PowerShell Version 5.1 + + Version : 0.2 + History : 0.2 FN 28.04.2024 Add Parameters + 0.1 FN 27.04.2024 initial version + + .LINK + https://www.infrastrukturhelden.de +#> +[CmdletBinding(DefaultParameterSetName='showresult')] +Param( + [Parameter(ParameterSetName = "export" ,Mandatory=$false)] + [Parameter(ParameterSetName = "showresult" ,Mandatory=$false)] + [switch]$export, + [Parameter(ParameterSetName = "export" ,Mandatory=$true)] + [string]$ExportFile = "C:\Temp\$(Get-Date -Format "yyyyMMdd-HHmm")-ADPermissionReport.csv", + [Parameter(ParameterSetName = "export" ,Mandatory=$false)] + [Parameter(ParameterSetName = "showresult" ,Mandatory=$false)] + [switch]$showresult +) +# Array for report. +$report = @() +$schemaIDGUID = @{} +# ignore duplicate errors if any # +$ErrorActionPreference = 'SilentlyContinue' +Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)} +Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID | ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)} +$ErrorActionPreference = 'Continue' +$OUs = (Get-ADOrganizationalUnit -filter *).DistinguishedName +$i = 0 +foreach($OU in $OUs){ + $i++ + Write-Progress -activity "Query Permissions, please wait." -Status "$i of $($OUs.count): $($OU)" -PercentComplete (($i / $OUs.count)*100) -Id 1 + $report += Get-Acl -Path "AD:\$OU" | Select-Object -ExpandProperty Access | Select-Object @{name='organizationalunit';expression={$OU}}, @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, * +} +Write-Progress -activity "Query Permissions, please wait." -Completed -Id 1 +IF ($showresult) { $report | Format-Table -AutoSize } +IF ($export) { $report | Export-Csv -Path "$ExportFile" -NoTypeInformation -Force } \ No newline at end of file