Hi,
I'm very new to scripting and have been tasked with this: a PowerShell script that can list the rights (ACLs) of the top 3 nested OUs in the domain and save them in a CSV file with the format below:
Object | ObjectClass | IdentityReference | Trustee | Access | Inherited | Apply To | Permission
DC=xxx,DC=corp | domainDNS | S-1-1-0 | Everyone | Deny | FALSE | This Object Only | Delete Child
DC=xxx,DC=corp | domainDNS | S-1-5-9 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Allow | FALSE | This Object Only | Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp | domainDNS | S-1-5-11 | NT AUTHORITY\Authenticated Users | Allow | FALSE | This Object Only | Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp | domainDNS | S-1-5-18 | NT AUTHORITY\SYSTEM | Allow | FALSE | This Object Only | Full Control
DC=xxx,DC=corp | domainDNS | S-1-5-32-544 | BUILTIN\Administrators | Allow | FALSE | This object and all child objects | CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
DC=xxx,DC=corp | domainDNS | S-1-5-32-554 | BUILTIN\Pre-Windows 2000 Compatible Access | Allow | FALSE | This Object Only | ReadProperty, ReadControl
I have this script; however, it doesn't show the correct permissions/rights:
# Import the Active Directory module (it also provides the AD: drive that Get-Acl reads from)
Import-Module ActiveDirectory
# Specify the domain name
$domain = "xxx.corp"
# Create an array to store OU ACL data
$ouAcls = @()
# Get the top-level OUs in the domain
$domainDN = "DC=$($domain.Replace('.',',DC='))"
$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -SearchScope OneLevel
# Loop through the top-level OUs
foreach ($ou in $topLevelOUs) {
    $ouDistinguishedName = $ou.DistinguishedName
    # Get the ACL (Access Control List) for the OU
    $acl = Get-Acl -Path "AD:\$ouDistinguishedName"
    # Process each ACE (Access Control Entry) on the OU
    foreach ($ace in $acl.Access) {
        # IdentityReference is the account name; translate it to the SID for the IdentityReference column
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account (already shown as a SID)
        }
        # "Apply To" comes from the ACE's inheritance type; it is not always "This Object Only".
        # None and All use the wording from the required output; the other values are shown as-is.
        $applyTo = switch ("$($ace.InheritanceType)") {
            'None'  { 'This Object Only' }
            'All'   { 'This object and all child objects' }
            default { "$($ace.InheritanceType)" }   # Descendents, Children, SelfAndChildren
        }
        $ouAcls += [PSCustomObject]@{
            "Object"            = $ouDistinguishedName
            "ObjectClass"       = $ou.ObjectClass
            "IdentityReference" = $sid
            "Trustee"           = $ace.IdentityReference.Value
            "Access"            = $ace.AccessControlType        # Allow / Deny
            "Inherited"         = $ace.IsInherited
            "Apply To"          = $applyTo
            "Permission"        = $ace.ActiveDirectoryRights    # AD ACEs expose ActiveDirectoryRights, not FileSystemRights
        }
    }
}
# Export OU ACLs to CSV file
$ouAcls | Export-Csv -Path "OU_ACLs.csv" -NoTypeInformation
Could you please see what I'm missing to achieve the above output format?
Thank you and Best of luck!
BT
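An added example, not the poster's script, that covers the two things the posted script does not: it starts at the domain root (the domainDNS row in the required output) and descends through OUs up to three levels deep, and it resolves each ACE's trustee to its SID and inheritance type to the "Apply To" wording. It assumes the ActiveDirectory module and its AD: drive are available on the machine; the function names Get-ObjectAceRows and Get-OuTree, the MaxDepth parameter and the output file name are my own choices. The final filter is a defender's audit view of the same data: explicit, non-inherited entries that grant control over the object.

```powershell
# Added example (not the original poster's code). Assumes the ActiveDirectory module;
# function names and the three-level depth limit are assumptions for this example.
Import-Module ActiveDirectory

# Distinguished name of the domain root, e.g. DC=xxx,DC=corp
$domainDN = (Get-ADDomain).DistinguishedName

# Turn every ACE on one AD object into a row with the required columns
function Get-ObjectAceRows {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $ObjectClass
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Resolve the NTAccount to its SID; unresolvable trustees are already SIDs
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }
        # Map the inheritance type to the "Apply To" wording used in the required output
        $applyTo = switch ("$($ace.InheritanceType)") {
            'None'  { 'This Object Only' }
            'All'   { 'This object and all child objects' }
            default { "$($ace.InheritanceType)" }   # Descendents / Children / SelfAndChildren
        }
        [PSCustomObject]@{
            Object            = $DistinguishedName
            ObjectClass       = $ObjectClass
            IdentityReference = $sid
            Trustee           = $ace.IdentityReference.Value
            Access            = $ace.AccessControlType       # Allow / Deny
            Inherited         = $ace.IsInherited
            'Apply To'        = $applyTo
            Permission        = $ace.ActiveDirectoryRights   # e.g. GenericRead, WriteDacl, CreateChild
        }
    }
}

# Walk OUs one level at a time, stopping after MaxDepth levels below the search base
function Get-OuTree {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $Depth = 1,
        [int] $MaxDepth = 3
    )
    if ($Depth -gt $MaxDepth) { return }
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel) {
        $ou
        Get-OuTree -SearchBase $ou.DistinguishedName -Depth ($Depth + 1) -MaxDepth $MaxDepth
    }
}

# Domain root first (objectClass domainDNS), then the OU tree three levels deep
$rows = @()
$rows += Get-ObjectAceRows -DistinguishedName $domainDN -ObjectClass 'domainDNS'
foreach ($ou in Get-OuTree -SearchBase $domainDN -MaxDepth 3) {
    $rows += Get-ObjectAceRows -DistinguishedName $ou.DistinguishedName -ObjectClass $ou.ObjectClass
}
$rows | Export-Csv -Path 'OU_ACLs.csv' -NoTypeInformation

# Audit view: explicit (non-inherited) Allow entries that grant control over the object,
# the delegation entries worth reviewing first
$rows | Where-Object {
    -not $_.Inherited -and "$($_.Access)" -eq 'Allow' -and
    "$($_.Permission)" -match 'GenericAll|WriteDacl|WriteOwner'
} | Format-Table Object, Trustee, 'Apply To', Permission -AutoSize
```

Run it from a session that can reach a domain controller as a user allowed to read the directory's security descriptors (reading ACLs needs no elevated rights in a default domain). Get-Acl returns one ActiveDirectoryAccessRule per ACE, so an object with many delegations produces many rows; keep -NoTypeInformation so the CSV header matches the required column names exactly.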