With help I have already come closer to the end, and already know some more …
Somewhere I get stuck trying to filter out the group members of the SDHolder groups.
In this script so far $Sam shows me about 69 SamAccountNames that have an admincount set to 1; it also turns out that the inheritance of the security ACL is disabled ($True).
With $Sam as a variable and $SDPGroup as the AD groups, I try to filter the SamAccountNames that are not a member of one or more of $SDPGroup.
I tried these 2 possibilities, without success:
# First attempt: list the members of every SDProp group
Foreach ($Group in $SDPGroup) {
    Get-ADGroupMember -Identity $Group | Select-Object Name, SamAccountName
}

# Second attempt (left commented out): select the users not in the $SDProp groups
# Foreach ($Account in $Sam.SamAccountName) {
#     $Test = $Sam | Foreach { Get-ADUser $Account | Where-Object -FilterScript { $_.IdentityReference -notlike $SDPgroup } }
# }
In this case I expected to find all of the users in the variable $SDPGroup; from this point I could then find out who are NOT in this SDPGroup.
I am aware that this is far from efficient, but then what is the best way to find the users that are members and NOT members of these groups…?
After this result I need to be able to reset the security ACL settings for the selected users and enable inheritance…
I am curious how I need to do this in an efficient way…
<#
    Pieter Bakker 18-12-2020
    Find Protected Accounts in AD (admin accounts) (admincount = 1)
    Where AdminSDHolder groups are not in the ACL
    Where security inheritance is disabled ($true)
    When the SDHolder groups are not in the ACL, then add them
    Enable the inheritance
    Restore ACL to default
#>

# Find the DC
$DC = (Get-ADDomainController).Name

# Export path to export the $users to a CSV file
$exportpath = "D:\Users\adpiebak1d\Documents\PS-script\Output\SDProp.csv"

# These are the SDHolder groups
$SDPgroup = "DL_MGT_OU_System_AdminSDholder-del-usr",
            "DL_MGT_OU_System_AdminSDholder-mod-grp",
            "DL_MGT_OU_System_AdminSDholder-mod-usr",
            "DL_MGT_OU_System_AdminSDholder-sec-usr"

# OU paths for the admin accounts
$AdminOus = "OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=P02,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=P03,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=P01,OU=LSD,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl",
            "OU=ServiceDesk,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl"

# Select users in the admin OUs, with AdminCount and the NT security descriptor
$users = foreach ($ou in $AdminOus) {
    Get-ADUser -Filter * -SearchBase $ou -Property admincount,ntsecuritydescriptor,memberof |
        Select-Object -Property *, @{Name='AreAccessRulesProtected';Expression={$_.ntsecuritydescriptor.AreAccessRulesProtected}}
}

# Find admin accounts with admincount = 1 (protected accounts) where inheritance is disabled ($True)
$Sam = $users | Where-Object -FilterScript { $_.AdminCount -eq 1 -and $_.AreAccessRulesProtected -eq $true } |
    Select-Object -Property samaccountname, memberof

# Find the users that are NOT a member of the ACL groups of $Sam

# Set-Acl properties to inherited and restore default
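As an added example (not the poster's code), one way to finish the two open steps of the script above: check each protected account's security descriptor for ACEs granted to the $SDPgroup delegation groups, report the groups that are missing, and re-enable inheritance with a -WhatIf dry run. The helper names are hypothetical; it assumes the ActiveDirectory module, the $Sam and $SDPgroup variables from the script, and that $Sam still carries DistinguishedName (add it to the Select-Object above).

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

# Hypothetical helper: for one account, return the delegation groups that have no ACE
# in its security descriptor. IdentityReference on an AD ACE is an NTAccount
# ("DOMAIN\Name"), so the comparison uses the part after the backslash.
# (If plain group membership is wanted instead, Get-ADGroupMember -Recursive per group
# and a DistinguishedName lookup is the equivalent check.)
function Get-MissingAclGroups {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $GroupNames        # e.g. $SDPgroup
    )
    $acl     = Get-Acl -Path "AD:\$DistinguishedName"
    $present = $acl.Access | ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] }
    $GroupNames | Where-Object { $present -notcontains $_ }
}

# Hypothetical helper: re-enable inheritance on one object while keeping its explicit ACEs.
# Supports -WhatIf so the whole sweep can be dry-run before anything is written.
function Enable-AdObjectInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) { return }     # already inheriting, nothing to do
    # SetAccessRuleProtection(isProtected = $false, preserveInheritance = $true)
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report which protected accounts lack which delegation groups in their ACL
$report = foreach ($u in $Sam) {
    $missing = Get-MissingAclGroups -DistinguishedName $u.DistinguishedName -GroupNames $SDPgroup
    if ($missing) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; MissingGroups = ($missing -join ';') }
    }
}
$report | Format-Table -AutoSize

# Dry run of the inheritance reset; remove -WhatIf once the report looks right
foreach ($u in $Sam) { Enable-AdObjectInheritance -DistinguishedName $u.DistinguishedName -WhatIf }
```

Re-enabling inheritance on an account that still has adminCount=1 and is still in a protected group only lasts until the next SDProp run (roughly hourly), when the AdminSDHolder ACL is stamped back. Clear adminCount or remove the protected-group membership first if the change is meant to stick.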