To pull Access Control List for each group

As in this picture, I want to pull the "Permissions for" details, i.e. Read / Write / Create etc. and Allow / Deny, for each Group or User name inside the Security tab for any particular OU.

(Get-ACL "AD:$((Get-ADOrganizationalUnit -Identity 'OU=Users,OU=xxxx,DC=abc,DC=com').distinguishedname)").access | Select IdentityReference,AccessControlType

But this cmdlet is returning only partial information for each Group or User name inside the Security tab.

What should I add to this cmdlet so that it will pull all the same information as in the attached picture?

First, the bad news. To my knowledge there is no way from a command line or scripting tool to get a permission "dump" on anything in AD and have it use the same terminology as what you see in ADUC.

Additionally, the two most promising tools do not use the same terms for permissions. But together they give you some good information.

The good news is you can still do what you want, but it is going to take more work than a one liner.

There may be some already written scripts or modules out there that can do what you want; it might be worth looking into if you are in a hurry. PowerShell Gallery would be a place to start looking. PowerShell Gallery | Home

If you are like me, where is the fun in that versus learning to write it yourself?

The two tools that I have found to be most useful without diving into .Net classes directly are DSACLS and Get-Acl (which you are already trying to use).

Dsacls | Microsoft Learn

Get-Acl (Microsoft.PowerShell.Security) - PowerShell | Microsoft Learn

Here is a blog that will help you get more out of Get-Acl related to your specific use case.

As for your shared code, a couple of things to help you get started.

First, the screen shot from ADUC looks to be from the Users container, which is NOT an OU, and your code will fail if you try to get the ACLs on it.

Not everything holding something in AD is an OU; if you simplify your code to the following, it will be more flexible.

(Get-Acl -Path "AD:DN of container or OU goes here").Access

The output isn't spectacular, but it is usable. You could very likely use custom PS objects to turn the output into something easier to read quickly.

Sample output using the simplified one-liner; this works on any DN in AD:

ActiveDirectoryRights : ReadProperty, WriteProperty
InheritanceType       : Descendents
ObjectType            : 28630ebf-41d5-11d1-a9c1-0000f80367c1
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : contoso\user or group name shows up here
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

The blog I mentioned earlier has some code that will help you translate the GUIDs:

ObjectType            : 28630ebf-41d5-11d1-a9c1-0000f80367c1 = Lockout-Time
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2 = User

What all that says is that someone, or a group, has permission to unlock an AD User object if they enter their password wrong too many times.

Hopefully this gives you some starting places.
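As an added example (not code from the original answer or from the blog it mentions), here is one way to turn the Get-Acl output above into flat custom objects with the ObjectType / InheritedObjectType GUIDs resolved against the schema and Extended-Rights containers, so a Lockout-Time / User ACE reads as such instead of as two GUIDs. It assumes the RSAT ActiveDirectory module and its AD: drive; the function name Get-ADAclReport, its parameter and the sample DN are this example's own.

```powershell
# Added example, not from the original answer: resolve ACE GUIDs to names and flatten.
# Assumes the ActiveDirectory module (RSAT); Get-ADAclReport is a name chosen here.
Import-Module ActiveDirectory

function Get-ADAclReport {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName   # any container or OU DN
    )

    $root = Get-ADRootDSE
    $guidMap = @{}
    # Schema classes and attributes: schemaIDGUID -> lDAPDisplayName (e.g. lockoutTime, user)
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    # Extended rights (e.g. Reset Password): rightsGuid -> displayName
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    function Resolve-AceGuid([guid]$Guid) {
        if ($Guid -eq [guid]::Empty) { return 'All' }   # empty GUID = whole object / all classes
        if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
        return $Guid.ToString()                         # unknown GUID: keep the raw value
    }

    (Get-Acl -Path "AD:$DistinguishedName").Access | ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Type       = $_.AccessControlType                     # Allow / Deny
            Rights     = $_.ActiveDirectoryRights
            AppliesTo  = Resolve-AceGuid $_.ObjectType            # attribute or extended right
            ObjectKind = Resolve-AceGuid $_.InheritedObjectType   # object class the ACE targets
            Inherited  = $_.IsInherited
            Scope      = $_.InheritanceType
        }
    }
}

# Sample call; replace the constructed DN with a real container or OU from your domain.
Get-ADAclReport -DistinguishedName 'CN=Users,DC=contoso,DC=com' |
    Sort-Object Identity | Format-Table -AutoSize
```

Building the GUID map once per call is the expensive part; for a large OU tree you would build it once and pass it in, and you can filter the result on Rights or AppliesTo to spot delegated rights such as Lockout-Time writes that nobody remembers granting.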

I am looking for something of this type.