-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathGet-LAPSPermissions.ps1
37 lines (30 loc) · 2.31 KB
/
Get-LAPSPermissions.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#Requires -Modules ActiveDirectory
# If you do not have AD module, you can refer to the following link.
# https://github.com/samratashok/ADModule
# From https://blogs.technet.microsoft.com/ashleymcglone/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download/
$schemaIDGUID = @{}
### NEED TO RECONCILE THE CONFLICTS ###
$ErrorActionPreference = 'SilentlyContinue'
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}
$ErrorActionPreference = 'Continue'
# Get a list of all OUs. Add in the root containers for good measure (users, computers, etc.).
$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName
# Loop through each of the OUs and retrieve their permissions.
# Add report columns to contain the OU path and string names of the ObjectTypes.
ForEach ($OU in $OUs) {
$report += Get-Acl -Path "AD:\$OU" |
Select-Object -ExpandProperty Access |
Select-Object @{name='organizationalUnit';expression={$OU}}, `
@{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `
@{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, *
}
# Filter out ms-Mcs-AdmPwd
Write-Output "`nRead Rights"
$report | ?{($schemaIDGUID.Item($_.objectType) -eq "ms-Mcs-AdmPwd") -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | select organizationalUnit, IdentityReference
Write-Output "`nWrite Rights`n"
$report | ?{($schemaIDGUID.Item($_.objectType) -eq "ms-Mcs-AdmPwd") -and ($_.ActiveDirectoryRights -match 'WriteProperty')} | select organizationalUnit, IdentityReference