How to pull a list of all groups I do not have permission to modify in Active Directory?

Joseph Campbell 0 Reputation points
2023-01-26T21:22:59.76+00:00

I am a newer desktop admin trying to determine what groups I don't have permission to modify in Active Directory so I can send a list to get permission to access them. Is there a script I can run in PowerShell or a way otherwise to pull a list of such? I appreciate any help. Thank you!


3 answers

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 34,271 Reputation points Microsoft Vendor
    2023-01-30T03:35:41.4866667+00:00

    Hi,

    If you mean the permission to write all properties by "permission to modify", you can get the groups like below.

    $account = 'Domain\Username'
    # Returns groups whose ACL holds an explicit Allow ACE for $account granting WriteProperty on all properties
    # (an all-zero ObjectType GUID). -band is used because ActiveDirectoryRights is a flags enum, so the
    # WriteProperty bit is also found inside combined rights such as GenericAll.
    Get-ADGroup -Filter * | Where-Object {
        (Get-Acl "AD:\$($_.DistinguishedName)").Access | Where-Object {
            ($_.IdentityReference -eq $account) -and ($_.ObjectType -eq '00000000-0000-0000-0000-000000000000') -and ($_.AccessControlType -eq 'Allow') -and (([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) -ne 0)
        }
    }


    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

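As an added example that is not part of the thread: the one-liner above only matches ACEs granted directly to the named account, so rights inherited through group membership are missed. The script below checks the current logon account instead, compares ACEs by SID against the token's group SIDs (nested groups included), counts WriteProperty on all properties or on the `member` attribute (and GenericWrite/GenericAll) as "can modify", skips inherit-only ACEs, and writes the groups with no such right to a CSV. It assumes the RSAT ActiveDirectory module; it is an approximation of effective access (it does not model ownership or the canonical explicit-before-inherited ACE ordering), so treat its output as a starting list to verify, not a ruling.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT) and its AD: drive.
Import-Module ActiveDirectory

# Schema GUIDs: all-zero = "all properties"; bf9679c0-... = the 'member' attribute.
$allProps   = [guid]'00000000-0000-0000-0000-000000000000'
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'

# The logon token already carries nested group SIDs, so ACEs granted to groups are matched as well.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User) + @($me.Groups)

function Test-GroupWriteAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $allow = $false; $deny = $false
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs do not apply to this object, only to its children.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable trustee: ignore
        if ($mySids -notcontains $sid) { continue }
        # Only ACEs covering all properties or the member attribute count as "can modify".
        if ($ace.ObjectType -ne $allProps -and $ace.ObjectType -ne $memberAttr) { continue }
        if (([int]($ace.ActiveDirectoryRights -band $writeRights)) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    # Simplification: any matching Deny wins. Real ordering ranks explicit ACEs before inherited ones.
    return ($allow -and -not $deny)
}

$report = Get-ADGroup -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
        CanModify         = Test-GroupWriteAccess -DistinguishedName $_.DistinguishedName
    }
}

# Groups the current account cannot modify, ready to attach to an access request.
$report | Where-Object { -not $_.CanModify } |
    Export-Csv -Path "$env:USERPROFILE\groups-without-write-access.csv" -NoTypeInformation
```

Run it as the account whose access you are documenting; the CanModify column is kept on the full $report object so the same data can be filtered the other way for a sanity check.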

  2. Gary Reynolds 9,406 Reputation points
    2023-01-31T08:13:42.28+00:00

    You can use the AD Permissions Reporter option in NetTools to list all the groups whose membership your admin account doesn't have permission to change.

    Below is the filter to return groups where either no permissions are assigned to your account or you don't have write permissions to update the group details. Use this post to import and use the filter in NetTools: https://nettools.net/how-to-import-an-ad-permissions-report-filter

    When you run the report, you will be prompted twice to enter the name of the account you want to check.

    Gary.

    [Groups I don't have permissions to change]
    Count=2
    Options=18496
    Rule1_Enabled=1
    Rule1_Options=3073
    Rule1_SDControl=0
    Rule1_SDNotControl=0
    Rule1_SDNullAcl=0
    Rule1_Prompt=1
    Rule1_Token=0
    Rule1_AuthGroups=0
    Rule1_Scope=140
    Rule1_NotScope=0
    Rule1_ACEType=0
    Rule1_ACEFlags=0
    Rule1_ACENotFlags=0
    Rule1_Perms=0
    Rule1_NotPerms=0
    Rule1_MatchRules=546
    Rule2_Enabled=1
    Rule2_Options=1281
    Rule2_SDControl=0
    Rule2_SDNotControl=0
    Rule2_SDNullAcl=0
    Rule2_Prompt=1
    Rule2_Token=0
    Rule2_AuthGroups=0
    Rule2_Scope=12
    Rule2_NotScope=0
    Rule2_ACEType=0
    Rule2_ACEFlags=0
    Rule2_ACENotFlags=0
    Rule2_Perms=32
    Rule2_NotPerms=0
    Rule2_MatchRules=642
    
    
    

  3. Limitless Technology 44,121 Reputation points
    2023-02-01T11:00:27.6133333+00:00

    Hello there,

    The Get-AdUser cmdlet in PowerShell is used to get one or more active directory users.

    Using the Get-Acl cmdlet, it gets an Active Directory user permissions report. The Get-Acl cmdlet in PowerShell gets the object which contains an access control list for files or resources.

    Get-ADUser -Filter * | ForEach-Object { (Get-Acl "AD:\$($_.DistinguishedName)").Access } |
        Export-Csv -Path C:\PowerShell\AdUser_Permissions_Report.csv -NoTypeInformation

    In the above PowerShell script, it gets an Active Directory user permission report, and using the Export-Csv cmdlet in PowerShell, it exports the Active Directory user permission report to a CSV file.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
