by Pat Richard at 2012-10-03 12:20:21
Greetings - Looking into writing something that will accept a user name, and check for AdminCount and "Allow inheritable permissions from the parent to propagate to this object and all child objects" settings. This will be a troubleshooting tool. It only needs to report on the current values.

by Pat Richard at 2012-10-03 13:44:58
Has anyone done something already? I’m not finding much…
Okay, so I’ve come up with this:

$user = "test"
if (-not (Get-Module -Name ActiveDirectory -ErrorAction SilentlyContinue)) { Import-Module ActiveDirectory }
$userinfo = Get-ADUser $user -Properties AdminCount
$dn = $userinfo.DistinguishedName
# bind to the object with ADSI to read its security descriptor
# (separate variable so the sAMAccountName in $user is not overwritten)
$adsiUser = [ADSI]"LDAP://$dn"
$acl = $adsiUser.ObjectSecurity
# $true means the "Allow inheritable permissions from the parent..." checkbox is cleared,
# i.e. inheritance is blocked on this object
$inheritanceBlocked = $acl.AreAccessRulesProtected
# $true means AdminCount has a value at all (it is normally 1 once AdminSDHolder has touched the object)
$adminCountSet = $null -ne $userinfo.AdminCount
Write-Host "Inheritance blocked: $inheritanceBlocked"
Write-Host "AdminCount set: $adminCountSet"

Seems to work well for users within the same domain. Need to expand to include users in any domain in the forest. But that’s for another day.

by coderaven at 2012-10-03 14:44:17
That is a much needed test. It can cause some major confusion. I will see if I can expand it to check for protected group SIDs, since the count and security do not undo themselves; more issues arise when AdminCount got set once and needs to be undone. All of the known protected group SIDs would be able to do a full forest.
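As an added example (not code from the thread or from either poster), here is one way to do what the last two replies ask for: find the user in any domain of the forest, report AdminCount and whether ACL inheritance is blocked, and check nested membership in the groups AdminSDHolder protects. It assumes the ActiveDirectory RSAT module and read access to every domain; the RIDs and S-1-5-32-* SIDs are the well-known ones for those groups, the variable and function names are mine, and the "orphaned" flag is just the combination of AdminCount=1 with no remaining protected membership.

```powershell
# Added example (not from the thread). Reports the three things that cause the
# "why can't I edit this user" confusion: AdminCount, blocked ACL inheritance,
# and nested membership in an AdminSDHolder-protected group, forest-wide.
# Assumes: ActiveDirectory RSAT module, read access to all domains in the forest.
param(
    [Parameter(Mandatory)][string]$SamAccountName
)
Import-Module ActiveDirectory -ErrorAction Stop

# Domain-relative RIDs protected by AdminSDHolder: Administrator, krbtgt, Domain Admins,
# Domain Controllers, Schema Admins, Enterprise Admins, Read-only Domain Controllers.
$protectedRids = 500, 502, 512, 516, 518, 519, 521
# Built-in groups protected in every domain: Administrators, Account Operators,
# Server Operators, Print Operators, Backup Operators, Replicator.
$protectedBuiltin = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
                    'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ * ( ) or NUL cannot break the filter below.
    [regex]::Replace($Value, '[\\*()\x00]',
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
        })
}

$forest  = Get-ADForest
$domains = $forest.Domains

# 1. Find the user in whichever domain of the forest holds the account.
$user = $null
foreach ($domain in $domains) {
    try {
        $user = Get-ADUser -Identity $SamAccountName -Server $domain `
                    -Properties AdminCount, nTSecurityDescriptor -ErrorAction Stop
        $userDomain = $domain
        break
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }
}
if (-not $user) { throw "'$SamAccountName' was not found in any domain of $($forest.Name)" }

# 2. Build the full set of protected SIDs: built-ins plus <domainSID>-<RID> for every domain.
$protectedSids = [System.Collections.Generic.HashSet[string]]::new()
foreach ($sid in $protectedBuiltin) { [void]$protectedSids.Add($sid) }
foreach ($domain in $domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    foreach ($rid in $protectedRids) { [void]$protectedSids.Add("$domainSid-$rid") }
}

# 3. Resolve nested membership with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
#    in every domain, because a protected universal group in the root can hold a child-domain user.
$ldapDn = ConvertTo-LdapFilterValue $user.DistinguishedName
$protectedGroups = foreach ($domain in $domains) {
    Get-ADGroup -Server $domain -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$ldapDn)" |
        Where-Object { $protectedSids.Contains($_.SID.Value) }
}

# 4. Report. AdminCount=1 with no protected membership left is the state AdminSDHolder
#    never cleans up by itself; that is what the OrphanedAdminCount column flags.
[pscustomobject]@{
    User               = $user.DistinguishedName
    Domain             = $userDomain
    AdminCount         = $user.AdminCount                                   # $null when never set
    InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected  # $true = checkbox cleared
    ProtectedGroups    = ($protectedGroups | Select-Object -ExpandProperty Name) -join '; '
    OrphanedAdminCount = ($user.AdminCount -eq 1 -and -not $protectedGroups)
}
```

Save it as a .ps1 and run it with -SamAccountName; it reads nTSecurityDescriptor through Get-ADUser instead of a second ADSI bind, so the same cmdlet call covers all three checks. Undoing an orphaned AdminCount (clearing the attribute and re-enabling inheritance) is deliberately left out: this is the report-only tool the thread asked for, and the remediation deserves its own review.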