Get User ACL inheritance settings (SDHolder)

Hello,

I need to find users in specific OUs and, for those users, find out whether they are protected accounts (where the SDHolder groups are present), what the “enable inheritance” setting is (under Security > Advanced > Enable inheritance), and if it is not enabled it needs to be restored to their default ACL.

I create a $variable for the users with the admincount set to 1.
When I try to find out if the NTSecurity settings are disabled, PowerShell asks me for the property.
I have no clue what kind of property is missing at this point…

Hopefully the answer can help me understand this:

$OUpathP01 = path....
$OUpathP02 = path....
$OUpathP03 = path....

# The different OUs are put together in one variable
$AdminOus = @()
$AdminOus += $OUpathP01
$AdminOus += $OUpathP02
$AdminOus += $OUpathP03


# 1. Get the users that are in the OUs and place them in a variable called $Users
$Users = @()
$Users += Get-ADUser -Filter * -SearchBase $OUpathP01
$Users += Get-ADUser -Filter * -SearchBase $OUpathP02
$Users += Get-ADUser -Filter * -SearchBase $OUpathP03

# Find admin accounts with the admincount property = 1, and no SDHolder groups in the ACL
Foreach ($user in $Users) {
    Get-ADUser $user -Properties * | Where -Property admincount -EQ 1 | Select -Property samaccountname, admincount | Export-Csv $exportpath -Append
}

# Find protected accounts in the search scope with inheritance disabled
$Admincount = Import-Csv $exportpath

Foreach ($sam in $Admincount.samaccountname) {
    Get-ADUser -SearchBase $sam -Filter * -Properties ntsecuritydescriptor | where
    {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true)} | Export-Csv "D:\inheritance.csv"
}

PowerShell returns an error:

     get-aduser -searchbase $Sam -filter * -properties ntsecuritydescriptor | where
 {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true) } |export-csv "D:\Users\adpiebak1d\Documents\PS-script\Output\inheritance.csv"
    }
cmdlet Where-Object at command pipeline position 2
Supply values for the following parameters:
Property: 

Thanks in advance

Recommend a different approach. You’re getting the users 3 times from the same place with different properties. Here is something to try:

$adminOus = 'OU=Path1,DC=mydomain,DC=com',
            'OU=Path2,DC=mydomain,DC=com',
            'OU=Path3,DC=mydomain,DC=com'

# One query per OU, fetching both attributes at once; ntSecurityDescriptor comes back as an
# ActiveDirectorySecurity object, whose AreAccessRulesProtected flag is the "inheritance disabled" state.
$users = foreach ($ou in $adminOus) {
    Get-ADUser -Filter * -SearchBase $ou -Properties admincount,ntsecuritydescriptor |
    Select-Object -Property *,
                            @{Name='AreAccessRulesProtected';Expression={$_.ntsecuritydescriptor.AreAccessRulesProtected}}
}


$users | Where-Object -FilterScript {$_.AdminCount -eq 1 -and $_.AreAccessRulesProtected -eq $true}

Don’t have AD handy to test the parse of ntsecuritydescriptor, but even if the calculated expression doesn’t get you a boolean true/false, you still have it for the user and can attempt to re-parse it.

Edit: Actually, looking at it, most likely the issue is that the query for the ntsecuritydescriptor is returning null and you are piping it to Export, but it’s NULL, hence no properties to export.
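For the record, the prompt in the original post is not caused by a null descriptor: the line break after `| where` ends the pipeline, so Where-Object runs with no arguments and asks for its -Property parameter. `-SearchBase $Sam` is also a problem, since -SearchBase expects a distinguished name, not a sAMAccountName. The script below is an added example (not code from either poster) that does the whole job the question asks for: enumerate adminCount=1 users under the given OUs, report which have inheritance disabled, and, with -Restore, turn inheritance back on and clear adminCount. The OU DNs and report path are placeholders; it assumes the ActiveDirectory module and an account that can write ntSecurityDescriptor and adminCount on the targets. The membership check matters: if the user is still in a group that SDProp protects, re-enabling inheritance is undone on the next SDProp pass (hourly by default), so such accounts are reported but left alone.

```powershell
# Added example, not from the thread. Finds protected (adminCount=1) users under the given OUs,
# reports inheritance state, and optionally restores inheritance on accounts that no longer
# belong to any SDProp-protected group.
# Assumptions: ActiveDirectory module available; OU DNs below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string[]]$AdminOus = @(
        'OU=Admins,OU=Tier0,DC=example,DC=com',   # placeholder
        'OU=Admins,OU=Tier1,DC=example,DC=com'    # placeholder
    ),
    [string]$ReportPath = "$env:TEMP\inheritance.csv",
    [switch]$Restore    # off by default: report only
)

function Test-StillProtected {
    param([string]$UserDn)
    # SDProp stamps adminCount=1 on the protected groups themselves, so "member (recursively)
    # of any adminCount=1 group" is a direct test for "SDProp will re-protect this account".
    # The DN goes into an LDAP filter, so escape the RFC 4515 special characters first.
    $escaped = $UserDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $groups = Get-ADGroup -LDAPFilter "(&(member:1.2.840.113556.1.4.1941:=$escaped)(adminCount=1))"
    return [bool]$groups
}

$results = foreach ($ou in $AdminOus) {
    # Filter server-side on adminCount instead of pulling every user and every property.
    Get-ADUser -Filter 'adminCount -eq 1' -SearchBase $ou -Properties adminCount, ntSecurityDescriptor |
        ForEach-Object {
            $sd = $_.ntSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity
            [pscustomobject]@{
                SamAccountName        = $_.SamAccountName
                DistinguishedName     = $_.DistinguishedName
                AdminCount            = $_.adminCount
                InheritanceDisabled   = $sd.AreAccessRulesProtected
                StillInProtectedGroup = Test-StillProtected -UserDn $_.DistinguishedName
            }
        }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { $_.InheritanceDisabled } | Format-Table -AutoSize

if ($Restore) {
    $candidates = $results | Where-Object { $_.InheritanceDisabled -and -not $_.StillInProtectedGroup }
    foreach ($r in $candidates) {
        $path = "AD:$($r.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # isProtected=$false turns inheritance back on. The explicit ACEs that SDProp copied from
        # AdminSDHolder stay on the object; remove them separately if you want a clean default DACL.
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl
        # Clear the flag too, otherwise the account keeps looking like a protected one in reports.
        Set-ADUser -Identity $r.DistinguishedName -Clear adminCount
        Write-Host "Restored inheritance and cleared adminCount on $($r.SamAccountName)"
    }
}
```

Run it once without -Restore, review the CSV, then run with -Restore. Accounts where StillInProtectedGroup is True need to be removed from the protected group first; restoring inheritance on them is wasted effort.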

[quote quote=281576]Recommend a different approach. You’re getting the users 3 times from the same place with different properties. Here is something to try: […][/quote]

@Rob Simmers,
Thanks a lot…
It worked really well.

Maybe you also have a good idea how I get just the SDHolder groups as output…?
I use:

$ACL = (Get-ACL "AD:$((Get-ADUser adpiebak1d).distinguishedname)").Access

to find the ACL groups; however, I struggle to get just the 4 SDHolder groups.

Greetings,

Pieter

It should be a simple where clause. This example is filtering out identities like ‘admin’:

PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None


PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access | Where{$_.IdentityReference -like '*admin*'}

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None
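Matching on a name like '*admin*' works for a file ACL, but on a protected AD account the identities that came from AdminSDHolder are whatever is in the AdminSDHolder DACL of that domain, and they are always explicit (non-inherited) ACEs because SDProp replaces the object's DACL. The following added example (not code from the thread) therefore reads the AdminSDHolder DACL and reports which of the user's explicit ACEs match it, instead of guessing names. The sAMAccountName is a placeholder and the ActiveDirectory module is assumed. It also lists explicit ACEs that do not come from AdminSDHolder: on a protected account those are either deliberate delegation or something an attacker left behind, and the same reasoning applies to AdminSDHolder itself, whose DACL is a well-known persistence target.

```powershell
# Added example, not from the thread. Shows which ACEs on a user were stamped from AdminSDHolder
# and which explicit ACEs are extra. Placeholder sAMAccountName; requires the ActiveDirectory module.
#Requires -Modules ActiveDirectory
param([string]$SamAccountName = 'someadmin')   # placeholder

$domainDn  = (Get-ADDomain).DistinguishedName
$holderAcl = Get-Acl -Path "AD:CN=AdminSDHolder,CN=System,$domainDn"

$userDn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
$userAcl = Get-Acl -Path "AD:$userDn"

# Key each ACE on the fields SDProp copies verbatim, so two ACEs compare equal exactly when
# they grant the same trustee the same rights on the same object/property types.
function Get-AceKey ($ace) {
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $ace.IdentityReference, $ace.ActiveDirectoryRights,
        $ace.AccessControlType, $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType
}

$holderKeys = @{}
foreach ($ace in $holderAcl.Access) { $holderKeys[(Get-AceKey $ace)] = $true }

# Inherited ACEs can never be from AdminSDHolder; only compare the explicit ones.
$explicit          = $userAcl.Access | Where-Object { -not $_.IsInherited }
$fromAdminSdHolder = $explicit | Where-Object { $holderKeys.ContainsKey((Get-AceKey $_)) }
$extra             = $explicit | Where-Object { -not $holderKeys.ContainsKey((Get-AceKey $_)) }

"Inheritance disabled on ${SamAccountName}: $($userAcl.AreAccessRulesProtected)"

"ACEs on $SamAccountName that match AdminSDHolder:"
$fromAdminSdHolder |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize

"Distinct identities granted via AdminSDHolder:"
$fromAdminSdHolder.IdentityReference.Value | Sort-Object -Unique

"Explicit ACEs NOT present on AdminSDHolder (manual delegation or a backdoor; review each one):"
$extra |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize
```

The "distinct identities" list is the set the question calls the SDHolder groups; its size depends on the domain, so the script derives it rather than hard-coding four names. Run the same comparison against AdminSDHolder's own DACL versus a known-good baseline as part of routine AD hygiene, since an ACE added there is silently pushed to every protected account.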