Check AdminCount and "Allow inheritable permissions"

by Pat Richard at 2012-10-03 12:20:21

Greetings - Looking into writing something that will accept a user name, and check for AdminCount and “Allow inheritable permissions from the parent to propagate to this object and all child objects” settings. This will be a troubleshooting tool. It only needs to report on the current values.

Has anyone done something already? I’m not finding much…

by Pat Richard at 2012-10-03 13:44:58

Okay, so I’ve come up with this:

$user = "test"
if (-not (Get-Module -Name "ActiveDirectory" -ErrorAction SilentlyContinue)) { Import-Module ActiveDirectory }
$userinfo = Get-ADUser $user -Properties AdminCount
$dn = $userinfo.DistinguishedName
$adsiUser = [ADSI]"LDAP://$dn"
$acl = $adsiUser.ObjectSecurity
# True when the "Allow inheritable permissions" checkbox is cleared,
# i.e. inheritance from the parent is blocked on this object
$inheritanceBlocked = $acl.AreAccessRulesProtected
# SDProp stamps AdminCount to 1; a blank value (or 0) means it is not set
$admincount = ($userinfo.AdminCount -eq 1)
Write-Host "Inheritance blocked: $inheritanceBlocked"
Write-Host "AdminCount set: $admincount"

Seems to work well for users within the same domain. Need to expand to include users in any domain in the forest. But that’s for another day.

by coderaven at 2012-10-03 14:44:17

That is a much needed test. It can cause some major confusion. I will see if I can expand it to check for protected group SIDs, since the count and security do not undo themselves; more issues arise when AdminCount got set once and needs to be undone. All of the known protected group SIDs would be able to do a full forest.