You know when you open a user’s properties in Active Directory and there is a security tab. It is my understanding that this is a user’s ACL and it shows security groups that have been applied to a user via methods such as manual assignment, delegation, and GPOs for example. I am looking for a way to check to see if there is a security group applied to all my users. So I’m looking for a PS command that will output all users with a specific ACL applied to them and all users that are missing a specific ACL. I think I could get all my users and their ACLs and then filter this list for a specific applied security group (present or not present). Thanks for your time and assistance.
This should get you started. You’ll need to get a list of all users and then run this against each of them to figure out who has the ACL you’re looking for.
PS E:\> (get-acl -path "AD:CN=User1,OU=People,DC=MyDomain,DC=com").access | Where IdentityReference -eq "MyDomain\domain admins"

ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : MyDomain\Domain Admins
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
Thank you Charles for this code. Can you tell me how to get a list of users WITH their ACL properties?
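The loop Charles describes, written out as an added example (not code from the thread): it enumerates every user under a search base, reads each object's DACL from the AD: drive, and reports who has an ACE for a given identity and who is missing it. It assumes the RSAT ActiveDirectory module is installed; the identity name and search base are placeholders to replace with your own.

```powershell
# Added example: which AD users do, and do not, have an ACE for a given identity.
# Assumes the ActiveDirectory module (RSAT); $Identity and $SearchBase are placeholders.
Import-Module ActiveDirectory

$Identity   = 'MyDomain\Domain Admins'          # IdentityReference to look for
$SearchBase = 'OU=People,DC=MyDomain,DC=com'    # container holding the users

$report = Get-ADUser -Filter * -SearchBase $SearchBase |
    ForEach-Object {
        # Get-Acl against the AD: drive returns the object's DACL as .Access entries
        $acl  = Get-Acl -Path ("AD:" + $_.DistinguishedName)
        $aces = $acl.Access | Where-Object { $_.IdentityReference -eq $Identity }
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            HasAce            = [bool]$aces
            # Non-inherited ACEs indicate a direct or delegated change on this object
            ExplicitAce       = [bool]($aces | Where-Object { -not $_.IsInherited })
            Rights            = ($aces.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        }
    }

# Users that carry the ACE, with whether it was set explicitly and which rights it grants
$report | Where-Object HasAce | Format-Table SamAccountName, ExplicitAce, Rights -AutoSize

# Users missing the ACE
$report | Where-Object { -not $_.HasAce } | Select-Object SamAccountName, DistinguishedName

# Keep the full list for review
$report | Export-Csv -Path .\UserAclReport.csv -NoTypeInformation
```

Running it as an account with read access to the user objects is enough; nothing is modified. The ExplicitAce column is the useful one when checking whether a permission was applied directly rather than inherited from the OU.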