PowerShell script to list top 3 nested OU rights in domain

Biju Thankappan 0 Reputation points
2024-04-12T06:19:28.4433333+00:00

Hi,

I'm very new to scripting and have been tasked with this: a PowerShell script that can list the rights (ACLs) of the top 3 nested OU levels in the domain and save them in a CSV file with the below format:

| Object | ObjectClass | IdentityReference | Trustee | Access | Inherited | Apply To | Permission |
|---|---|---|---|---|---|---|---|
| DC=xxx,DC=corp | domainDNS | S-1-1-0 | Everyone | Deny | FALSE | This Object Only | Delete Child |
| DC=xxx,DC=corp | domainDNS | S-1-5-9 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Allow | FALSE | This Object Only | Read Permissions,List Contents,Read All Properties,List |
| DC=xxx,DC=corp | domainDNS | S-1-5-11 | NT AUTHORITY\Authenticated Users | Allow | FALSE | This Object Only | Read Permissions,List Contents,Read All Properties,List |
| DC=xxx,DC=corp | domainDNS | S-1-5-18 | NT AUTHORITY\SYSTEM | Allow | FALSE | This Object Only | Full Control |
| DC=xxx,DC=corp | domainDNS | S-1-5-32-544 | BUILTIN\Administrators | Allow | FALSE | This object and all child objects | CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner |
| DC=xxx,DC=corp | domainDNS | S-1-5-32-554 | BUILTIN\Pre-Windows 2000 Compatible Access | Allow | FALSE | This Object Only | ReadProperty, ReadControl |

I have this script; however, it doesn't show the correct permissions/rights:

# Import the Active Directory module (this also provides the AD: drive used by Get-Acl)
Import-Module ActiveDirectory

# Specify the domain name
$domain = "xxx.corp"

# Create an array to store OU ACL data
$ouAcls = @()

# Get the top-level OUs in the domain
$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel

# Loop through the top-level OUs
foreach ($ou in $topLevelOUs) {
    $ouDistinguishedName = $ou.DistinguishedName

    # Get the ACL (Access Control List) for the OU from the AD: drive
    $acl = Get-Acl -Path "AD:\$ouDistinguishedName"

    # Process each ACE (Access Control Entry) in the OU's ACL.
    # Entries on AD objects are ActiveDirectoryAccessRule objects: the rights are in
    # ActiveDirectoryRights (there is no FileSystemRights property, so that returns nothing),
    # Allow/Deny is AccessControlType, and the scope of the entry is InheritanceType.
    foreach ($ace in $acl.Access) {
        # IdentityReference is the friendly account name; translate it to the SID for the first column
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = [string]$ace.IdentityReference }

        # InheritanceType None means the ACE applies to this object only; All means this object and all children
        $applyTo = if ($ace.InheritanceType -eq 'None') { "This Object Only" }
                   elseif ($ace.InheritanceType -eq 'All') { "This object and all child objects" }
                   else { [string]$ace.InheritanceType }

        $ouAcls += [PSCustomObject]@{
            "Object" = $ouDistinguishedName
            "ObjectClass" = $ou.ObjectClass
            "IdentityReference" = $sid
            "Trustee" = [string]$ace.IdentityReference
            "Access" = [string]$ace.AccessControlType         # Allow / Deny
            "Inherited" = $ace.IsInherited
            "Apply To" = $applyTo
            "Permission" = [string]$ace.ActiveDirectoryRights  # the actual rights granted or denied
        }
    }
}

# Export OU ACLs to CSV file
$ouAcls | Export-Csv -Path "OU_ACLs.csv" -NoTypeInformation

Can you please see what I'm missing to achieve the above output format?

Thank you and best of luck!

BT


1 answer

  1. Ian Xue 36,936 Reputation points Microsoft Vendor
    2024-04-12T07:39:49.6833333+00:00

    Hi Biju Thankappan,

    Please try this.

    # $domain is the variable from the script in the question; the search base is the domain root
    $top3LevelOUs = @()
    # Level 1: OUs directly under the domain root
    Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel | ForEach-Object {
        $top3LevelOUs += $_
        # Level 2: OUs directly under each level-1 OU
        Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel | ForEach-Object {
            $top3LevelOUs += $_
            # Level 3: OUs directly under each level-2 OU
            $top3LevelOUs += Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel
        }
    }
    # Run the ACL loop from the question over the collected OUs instead of $topLevelOUs
    foreach ($ou in $top3LevelOUs) {...}
    

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
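Putting the answer's three-level OU enumeration together with the ACE-to-column mapping the question's script needs, here is a complete added example; it is not code from the question or the answer. It assumes the ActiveDirectory module and its AD: drive, starts at the domain root (so the domainDNS row from the requested sample is included), and walks child OUs with a recursive function to a configurable depth, which generalises the three nested loops to any depth. The function names, $maxDepth and the "Apply To" wording for the less common inheritance types are my own choices.

```powershell
# Added example (not from the question or the answer): list the ACEs of the domain root
# and of every OU down to $maxDepth levels, in the CSV layout requested in the question.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=xxx,DC=corp
$maxDepth = 3                                  # "top 3 nested OU" levels below the root

# Map an ACE's InheritanceType to the "Apply To" wording used in the requested output.
# Only None and All appear in the sample; the other labels are assumed wording.
function ConvertTo-ApplyTo($type) {
    switch ($type) {
        'None'            { 'This Object Only' }
        'All'             { 'This object and all child objects' }
        'Descendents'     { 'All child objects' }
        'SelfAndChildren' { 'This object and one level of child objects' }
        'Children'        { 'One level of child objects only' }
        default           { [string]$type }
    }
}

# Resolve the ACE identity to its SID when the provider returned a friendly name.
# Identities that cannot be translated are kept as-is, so orphaned or foreign SIDs
# still show up in the report instead of being silently dropped.
function Get-TrusteeSid($id) {
    try   { $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { [string]$id }
}

# Emit one row per ACE on a single directory object (domain root or OU).
function Get-ObjectAclRows([string]$dn) {
    $obj = Get-ADObject -Identity $dn          # ObjectClass: domainDNS, organizationalUnit, ...
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        [PSCustomObject]@{
            Object            = $dn
            ObjectClass       = $obj.ObjectClass
            IdentityReference = Get-TrusteeSid $ace.IdentityReference
            Trustee           = [string]$ace.IdentityReference
            Access            = [string]$ace.AccessControlType      # Allow / Deny
            Inherited         = $ace.IsInherited
            'Apply To'        = ConvertTo-ApplyTo $ace.InheritanceType
            Permission        = [string]$ace.ActiveDirectoryRights  # e.g. GenericAll, WriteDacl
        }
    }
}

# Recursive walk: the base object first, then each child OU one level down,
# until $depth levels below the starting point have been visited.
function Get-OuTreeAclRows([string]$baseDn, [int]$depth) {
    Get-ObjectAclRows $baseDn
    if ($depth -le 0) { return }
    Get-ADOrganizationalUnit -Filter * -SearchBase $baseDn -SearchScope OneLevel |
        ForEach-Object { Get-OuTreeAclRows $_.DistinguishedName ($depth - 1) }
}

Get-OuTreeAclRows $domainDn $maxDepth |
    Export-Csv -Path 'OU_ACLs.csv' -NoTypeInformation -Encoding UTF8
```

Two things to keep in mind when comparing the output with the requested sample. The Permission column carries the ActiveDirectoryRights flag names (as in the BUILTIN\Administrators and Pre-Windows 2000 rows of the sample), not the display names the ADUC security dialog shows such as "Read Permissions, List Contents"; reproducing those requires mapping the ObjectType and InheritedObjectType GUIDs of each ACE, which is outside what this script does. For an access review, filtering the rows with `Where-Object { -not $_.Inherited }` isolates the explicit delegations set on each OU, which are the entries most worth checking against the intended delegation model.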

