Active Directory User Properties Security Information

You know when you open a user’s properties in Active Directory and there is a security tab. It is my understanding that this is a user’s ACL and it shows security groups that have been applied to a user via methods such as manual assignment, delegation, and GPOs for example. I am looking for a way to check to see if there is a security group applied to all my users. So I’m looking for a PS command that will output all users with a specific ACL applied to them and all users that are missing a specific ACL. I think I could get all my users and their ACLs and then filter this list for a specific applied security group (present or not present). Thanks for your time and assistance.

This should get you started. You’ll need to get a list of all users and then run this against each of them to figure out who has the ACL you’re looking for.

PS E:\> (get-acl -path "AD:CN=User1,OU=People,DC=MyDomain,DC=com").access | Where IdentityReference -eq "MyDomain\domain admins"


ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl,
                        WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : MyDomain\Domain Admins
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

Thank you, Charles, for this code. Can you tell me how to get a list of users WITH their ACL properties?
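
An added example (not code from either poster) that runs the `Get-Acl` lookup shown above against every user and reports who has an ACE for a given identity and who does not. It assumes the ActiveDirectory module (RSAT) is installed, since that module supplies the `AD:` drive; the function name `Get-UserAceReport` and its parameters are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-UserAceReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Identity,  # e.g. 'MyDomain\Domain Admins'
        [string] $SearchBase                        # optional OU DN to limit the search
    )
    $query = @{ Filter = '*' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        # Same lookup as the one-liner in the thread, applied to each user's DN.
        # String -eq is case-insensitive, so 'domain admins' matches 'Domain Admins'.
        $aces = @((Get-Acl -Path "AD:$($user.DistinguishedName)").Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity })

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            HasAce            = $aces.Count -gt 0
            # Allow and Deny entries both match, so report which kind was found.
            AccessTypes       = ($aces.AccessControlType | Sort-Object -Unique) -join '; '
            # True when at least one matching ACE comes from a parent container.
            AnyInherited      = @($aces | Where-Object { $_.IsInherited }).Count -gt 0
            Rights            = ($aces.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        }
    }
}

$report = Get-UserAceReport -Identity 'MyDomain\Domain Admins'

# Users that have an ACE for the identity, with the rights it grants or denies
$report | Where-Object { $_.HasAce } |
    Format-Table SamAccountName, AccessTypes, AnyInherited, Rights -AutoSize

# Users that are missing an ACE for the identity
$report | Where-Object { -not $_.HasAce } | Select-Object SamAccountName, DistinguishedName

# Optional: keep the full result for review
$report | Export-Csv -Path .\user-ace-report.csv -NoTypeInformation
```

The match is on the exact `IdentityReference` string, so access that reaches a user through a different group (including nested membership) will not appear under this identity.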