Need to review access in your Active Directory environment? Use this PowerShell script to see who has what permissions in Active Directory. Timely access reviews give you better control of your AD environment and produce the clean AD access reports you need to present during audits. More importantly, they can save you from potential threats arising out of internal misdeeds.
This script requires at least PowerShell version 5. It also requires the RSAT tools to be installed on the system from which you run the script.
You need to provide the distinguished name of each object whose permissions you want to export. In this script, we export permissions only for the base DN, i.e. "DC=company,DC=pri", the Domain Controllers OU and the Test OU. You can extend the scope by including all the organizational units or other AD objects.
    # One object per access control entry (ACE); each becomes a CSV row
    Class Perm
    {
        $name
        $OU
        $ACType
        $identityReference
        $ADRights
        $IsInhereted
    }

    Import-Module ActiveDirectory
    # Switch to the AD: drive so Get-Acl can resolve distinguished names as paths
    Set-Location AD:

    # Distinguished names of the objects to review
    $OUs = @("DC=company,DC=pri","OU=Domain Controllers,DC=company,DC=pri","OU=Test OU,DC=company,DC=pri")

    foreach ($OU in $OUs)
    {
        # Short name: first component of the DN with its "DC=" / "OU=" prefix removed
        $Name = ($OU -split ",")[0] -replace "^\w\w=", ""
        # Read every ACE from the object's ACL
        $ACLs = (Get-Acl (Get-ADObject "$OU").DistinguishedName).Access
        foreach ($ACL in $ACLs)
        {
            $obj = New-Object Perm
            $obj.name = $Name
            $obj.ou = $OU
            $obj.ACType = $ACL.AccessControlType
            $obj.identityReference = $ACL.IdentityReference
            $obj.ADRights = $ACL.ActiveDirectoryRights
            $obj.IsInhereted = $ACL.IsInherited
            # C:\temp must already exist; rows are appended on every run
            $obj | Export-Csv C:\temp\Access.csv -Append -NoTypeInformation
        }
    }
This exports the permissions to a CSV file with one row per access control entry and the columns name, OU, ACType, identityReference, ADRights and IsInhereted.
This script provides a base for exporting the access control entries of AD objects to a CSV file. You can further customize this script according to your needs. Hope this post helped you in assessing your Active Directory environment.
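One way to customize the review is to triage the exported CSV for rights that give control over an object. The following is an added example, not part of the original script: the sample rows, the COMPANY account names, the Get-RiskyAce function and the list of expected principals are all constructed assumptions to adjust to your own baseline.

```powershell
# Constructed sample rows in the export's column layout.
# In practice, replace this with: $rows = Import-Csv C:\temp\Access.csv
$rows = @'
"name","OU","ACType","identityReference","ADRights","IsInhereted"
"company","DC=company,DC=pri","Allow","NT AUTHORITY\SYSTEM","GenericAll","False"
"company","DC=company,DC=pri","Allow","COMPANY\Domain Admins","CreateChild, WriteProperty, WriteDacl, WriteOwner","False"
"Test OU","OU=Test OU,DC=company,DC=pri","Allow","COMPANY\helpdesk01","GenericAll","False"
"Test OU","OU=Test OU,DC=company,DC=pri","Allow","COMPANY\svc-backup","ReadProperty, WriteDacl","True"
"Test OU","OU=Test OU,DC=company,DC=pri","Allow","NT AUTHORITY\Authenticated Users","GenericRead","False"
'@ | ConvertFrom-Csv

# ActiveDirectoryRights values that allow taking over an object or rewriting its ACL
$riskyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

# Principals expected to hold such rights (assumption: adjust to your environment)
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'COMPANY\Domain Admins', 'COMPANY\Enterprise Admins'

function Get-RiskyAce {
    param([Parameter(Mandatory)] [object[]] $Rows)
    foreach ($row in $Rows) {
        # Deny entries restrict access, so only Allow entries are reviewed
        if ($row.ACType -ne 'Allow') { continue }
        if ($expected -contains $row.identityReference) { continue }
        # ADRights is a comma-separated flag list, e.g. "ReadProperty, WriteDacl"
        $held = $row.ADRights -split ',\s*'
        $hits = @($held | Where-Object { $riskyRights -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                OU        = $row.OU
                Principal = $row.identityReference
                Risky     = $hits -join ', '
                Inherited = $row.IsInhereted
            }
        }
    }
}

# Show the entries that need a reviewer's attention
Get-RiskyAce -Rows $rows | Sort-Object OU, Principal | Format-Table -AutoSize
```

Entries with Inherited set to True are granted on a parent container, so the fix for those belongs on the parent rather than on the listed object.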
Download the script from https://github.com/uzi3/AD-Access-Review
Thanks Uzair. This would surely help in security audits.