Active Directory OU Permissions Report

In Active Directory we need to know who has the keys to our organizational units (OUs), the place where our users and computers live. Over the years OUs grow to meet needs: different teams get delegated access to manage users, groups, and computers. Then you come along as the new administrator with no idea where permissions have been granted on your OUs. And the scary thing is… neither does anyone else. I know, because I’ve been there, and I hear the same thing from our customers.

Out of the box there is no tool that reports all of the OU permissions. You would have to click each OU and view its Security tab one by one, which is impractical in any real domain. The script below generates a report of this vital information. The report can be quite large for an organization of any size, so it may be a good one to hand to the Information Security team, if you have one.

I would advise all Active Directory shops to review this report on a quarterly basis to make sure there are no surprise administrators lurking in your domain.

SCRIPT:

Import-Module ActiveDirectory

# This array will hold the report output.
$report = @()

# Build a lookup hash table that maps the ObjectType GUIDs referenced in the
# security descriptors (schema attributes and classes, property sets, and
# extended rights) to their string names.
# See the Active Directory Technical Specifications:
# 3.1.1.2.3 Attributes
# http://msdn.microsoft.com/en-us/library/cc223202.aspx
# 3.1.1.2.3.3 Property Set
# http://msdn.microsoft.com/en-us/library/cc223204.aspx
# 5.1.3.2.1 Control Access Rights
# http://msdn.microsoft.com/en-us/library/cc223512.aspx
# Working with GUID arrays
# http://blogs.msdn.com/b/adpowershell/archive/2009/09/22/how-to-find-extended-rights-that-apply-to-a-schema-class-object.aspx
# A couple of GUIDs appear under more than one name (those conflicts still
# need reconciling by hand). The ContainsKey check keeps the first name seen
# instead of throwing a duplicate-key error, so real errors are not silenced.
$schemaIDGUID = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object {
        $guid = [System.Guid]$_.schemaIDGUID
        if (-not $schemaIDGUID.ContainsKey($guid)) { $schemaIDGUID.Add($guid, $_.name) }
    }
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object {
        $guid = [System.Guid]$_.rightsGUID
        if (-not $schemaIDGUID.ContainsKey($guid)) { $schemaIDGUID.Add($guid, $_.name) }
    }

# Get a list of all OUs. Add in the domain head and the top-level containers
# (Users, Computers, etc.) for good measure, since they hold objects too.
$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName

# Loop through each of the OUs and retrieve their permissions.
# Add report columns to contain the OU path and string names of the ObjectTypes.
# The all-zero GUID in an ACE means "every object type", so it is shown as 'All'.
ForEach ($OU in $OUs) {
    $report += Get-Acl -Path "AD:\$OU" |
        Select-Object -ExpandProperty Access |
        Select-Object @{name='organizationalUnit';expression={$OU}}, `
            @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `
            @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `
            *
}

# Dump the raw report out to a CSV file for analysis in Excel.
$report | Export-Csv -Path ".\OU_Permissions.csv" -NoTypeInformation
Start-Process ".\OU_Permissions.csv"

###############################################################################
# Various reports of interest
###############################################################################
# The break stops the script here; run the snippets below by hand while
# $report is still in the session.
break

# Show only explicitly assigned permissions by Group and OU
$report |
    Where-Object {-not $_.IsInherited} |
    Select-Object IdentityReference, OrganizationalUnit -Unique |
    Sort-Object IdentityReference

# Show explicitly assigned permissions for a user or group
$filter = Read-Host "Enter the user or group name to search in OU permissions"
$report |
    Where-Object {$_.IdentityReference -like "*$filter*"} |
    Select-Object IdentityReference, OrganizationalUnit, IsInherited -Unique |
    Sort-Object IdentityReference
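Once the CSV exists, the real work is deciding which of its thousands of rows matter. The following is an added example, not part of the original script: it triages the report for ACEs that hand control of an OU, or of the users and computers inside it, to a principal you did not expect, and diffs a current report against the previous quarter's copy so the quarterly review only has to look at what changed. It assumes the column names the script above exports (the ActiveDirectoryAccessRule properties plus the organizationalUnit, objectTypeName and inheritedObjectTypeName columns). The function names, the list of expected principals and the list of sensitive attribute and extended-right names are assumptions to tune for your forest, and the sample rows are constructed, so the block runs without a domain.

```powershell
# Added example (not part of the original script): triage the OU permission
# report and diff it against a previous export. Column names match what the
# script above writes. Expected principals and sensitive targets are assumed
# starting points to tune per forest; the sample rows at the bottom are constructed.

# Principals expected to hold broad rights on every OU. These are -like
# patterns so the domain's NetBIOS name need not be hard-coded.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', 'CREATOR OWNER', '*\Domain Admins', '*\Enterprise Admins'
)

# Rights that amount to full control of the object whatever the ObjectType says.
$ControlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

# Attribute and extended-right names (as the script's $schemaIDGUID lookup
# resolves them) whose write or use is an escalation path. Assumed set.
$SensitiveTargets = @{
    'Member'                                           = 'change group membership'
    'Service-Principal-Name'                           = 'set an SPN (Kerberoasting)'
    'ms-DS-Key-Credential-Link'                        = 'add a key credential (shadow credentials)'
    'ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity' = 'configure resource-based constrained delegation'
    'User-Force-Change-Password'                       = 'reset the password without knowing it'
    'DS-Replication-Get-Changes-All'                   = 'replicate secrets (DCSync)'
}

function Find-RiskyOUPermission {
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        [string[]] $ExpectedPrincipal = $ExpectedPrincipals,
        [switch] $IncludeInherited   # inherited ACEs repeat on every child OU; off by default
    )
    foreach ($ace in $Report) {
        # Import-Csv yields strings, Get-Acl yields enums and bools; normalise both.
        $inherited = [bool]::Parse([string]$ace.IsInherited)
        $identity  = [string]$ace.IdentityReference
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($inherited -and -not $IncludeInherited) { continue }
        if ($ExpectedPrincipal | Where-Object { $identity -like $_ }) { continue }

        $target = [string]$ace.objectTypeName
        $why = @()
        foreach ($right in "$($ace.ActiveDirectoryRights)" -split ',\s*') {
            if ($right -in $ControlRights) { $why += "$right on $target" }
            elseif ($right -in 'WriteProperty', 'ExtendedRight', 'Self') {
                if ($target -eq 'All') { $why += "$right on all attributes/rights" }
                elseif ($SensitiveTargets.ContainsKey($target)) { $why += "$right on ${target}: $($SensitiveTargets[$target])" }
            }
        }
        if ($why.Count -eq 0) { continue }
        [pscustomobject]@{
            OrganizationalUnit      = $ace.OrganizationalUnit
            IdentityReference       = $identity
            InheritedObjectTypeName = $ace.inheritedObjectTypeName   # object class it applies to; blank = any
            IsInherited             = $inherited
            Why                     = $why -join '; '
        }
    }
}

# One string per ACE so rows from two different CSV exports compare equal.
function Get-AceKey ($Row) {
    ($Row.OrganizationalUnit, $Row.IdentityReference, $Row.ActiveDirectoryRights, $Row.AccessControlType,
     $Row.objectTypeName, $Row.inheritedObjectTypeName, $Row.IsInherited) -join '|'
}

function Compare-OUPermissionReport {
    param([Parameter(Mandatory)] [object[]] $Baseline, [Parameter(Mandatory)] [object[]] $Current)
    $old = @{}; foreach ($row in $Baseline) { $old[(Get-AceKey $row)] = $row }
    $new = @{}; foreach ($row in $Current)  { $new[(Get-AceKey $row)] = $row }
    foreach ($k in $new.Keys) { if (-not $old.ContainsKey($k)) { [pscustomobject]@{ Change = 'Added';   ACE = $k } } }
    foreach ($k in $old.Keys) { if (-not $new.ContainsKey($k)) { [pscustomobject]@{ Change = 'Removed'; ACE = $k } } }
}

# Constructed sample rows in the shape of the exported CSV (only the columns used here).
function New-SampleAce ($OU, $Identity, $Rights, $Target, $AppliesTo, $Inherited) {
    [pscustomobject]@{
        OrganizationalUnit = $OU; IdentityReference = $Identity; ActiveDirectoryRights = $Rights
        AccessControlType = 'Allow'; objectTypeName = $Target; inheritedObjectTypeName = $AppliesTo
        IsInherited = $Inherited
    }
}
$ws = 'OU=Workstations,DC=contoso,DC=com'
$lastQuarter = @(
    (New-SampleAce $ws 'CONTOSO\Domain Admins' 'GenericAll' 'All' '' 'False'),
    (New-SampleAce $ws 'CONTOSO\Domain Users' 'ReadProperty' 'All' '' 'False'),
    (New-SampleAce $ws 'CONTOSO\Helpdesk' 'ReadProperty, WriteProperty' 'All' 'Computer' 'False')
)
$thisQuarter = $lastQuarter + @(
    (New-SampleAce $ws 'CONTOSO\Helpdesk' 'ExtendedRight' 'User-Force-Change-Password' 'User' 'False'),
    (New-SampleAce $ws 'CONTOSO\svc-legacy' 'WriteDacl' 'All' '' 'True')
)

# Domain Admins is skipped as expected; svc-legacy's inherited WriteDacl is
# skipped unless -IncludeInherited is given.
Find-RiskyOUPermission -Report $thisQuarter | Format-Table -AutoSize
# For real data: -Baseline (Import-Csv .\OU_Permissions_last.csv) -Current (Import-Csv .\OU_Permissions.csv)
Compare-OUPermissionReport -Baseline $lastQuarter -Current $thisQuarter | Format-Table -AutoSize
```

Inherited ACEs are skipped by default because an ACE set on the domain head shows up on every OU in the report and would drown the explicit delegations; review those once at the top with -IncludeInherited. The key used by Compare-OUPermissionReport deliberately includes the resolved ObjectType names rather than the raw GUIDs, so the same schema lookup has to have been used for both exports.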
