PowerShell script to list top 3 nested OU rights in domain

Question

PowerShell script to list top 3 nested OU rights in domain

Biju Thankappan 0

Hi,

I'm very new to scripting and been tasked with this task: A powershell script that can list top 3 nested OU's rights(acl) in domain and save it in a csv file with the below format:

Object	ObjectClass	IdentityReference	Trustee	Access	Inherited	Apply To	Permission
Object	ObjectClass	IdentityReference	Trustee	Access	Inherited	Apply To	Permission
DC=xxx,DC=corp	domainDNS	S-1-1-0	Everyone	Deny	FALSE	This Object Only	Delete Child
DC=xxx,DC=corp	domainDNS	S-1-5-9	NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Allow	FALSE	This Object Only	Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp	domainDNS	S-1-5-11	NT AUTHORITY\Authenticated Users	Allow	FALSE	This Object Only	Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp	domainDNS	S-1-5-18	NT AUTHORITY\SYSTEM	Allow	FALSE	This Object Only	Full Control
DC=xxx,DC=corp	domainDNS	S-1-5-32-544	BUILTIN\Administrators	Allow	FALSE	This object and all child objects	CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
DC=xxx,DC=corp	domainDNS	S-1-5-32-554	BUILTIN\Pre-Windows 2000 Compatible Access	Allow	FALSE	This Object Only	ReadProperty, ReadControl

I have this script, however, it doesn't show the correct permissions/rights

# Import the Active Directory module

Import-Module ActiveDirectory

# Specify the domain name

$domain = "xxx.corp"

# Create an array to store OU ACL data

$ouAcls = @()

# Get the top-level OUs in the domain

$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel

# Loop through the top-level OUs

foreach ($ou in $topLevelOUs) {

$ouDistinguishedName = $ou.DistinguishedName

# Get the ACLs (Access Control Lists) for the OU

$acl = Get-Acl -Path "AD:$ouDistinguishedName"

# Process ACLs for the OU

foreach ($ace in $acl.Access) {

$ouAcls += [PSCustomObject]@{

"Object" = $ouDistinguishedName

"ObjectClass" = "organizationalUnit"

"IdentityReference" = $ace.IdentityReference

"Trustee" = $ace.IdentityReference

"Access" = $ace.FileSystemRights

"Inherited" = $ace.IsInherited

"Apply To" = "This Object Only" # For OU ACLs, apply to is always "This Object Only"

"Permission" = $ace.AccessControlType

}

# Export OU ACLs to CSV file

$ouAcls | Export-Csv -Path "OU_ACLs.csv" -NoTypeInformation

Please see what I'm missing to achieve the above output format?

Thank you and Best of luck!

BT

Rich Matheisen 47,901 Reputation points

2024-04-12T15:45:44.04+00:00
The first thing that caught my eye was your regex: "DC=$($domain.Replace('.',',DC='))"

The "." will match any character, but only the first character in the string.

You've already supplied the name of the domain, and it has two parts separated by a ".". This regex should give you the string you seem to want:

$domain= "xxx.corp" $domain -replace "([^.]+?)\.(.+)", 'DC=$1,DC=$2'

Rich Matheisen 47,901

When you say "top three nested OU's" to you mean the first three OU's below the root domain? Or the OU's that have the most child OU's?

OU = xxx.domain
  OU = 1.xxx.domain
     OU = 1.1.xxx.domain
     OU = 2.1.xxx.domain
     OU = 3.1.xxx.domain
     OU = 4.1.xxx.domain
  OU = 2.xxx.domain
     OU = 1.2.xxx.domain
     OU = 2.2.xxx.domain
     OU = 3.3.xxx.domain
  OU = 3.xxx.domain
     OU = 1.3.xxx.domain
     OU = 2.3.xxx.domain
     OU = 3.3.xxx.domain
     OU = 4.3.xxx.domain
     OU = 5.3.xxx.domain
  OU = 4.xxx.domain
     OU = 1.4.xxx.domain
     OU = 2.4.xxx.domain
     OU = 3.4.xxx.domain
     OU = 4.4.xxx.domain
     OU = 4.4.xxx.domain

If you want the top three domains, they'd be 1, 2, and 3.

If you want the top 3 most nested domains they'd be 1, 3, and 4.

Of do you simply want up to the 1st three child ou's beneath 1, 2, 3, and 4.

Biju Thankappan 0 Reputation points

2024-04-14T13:38:50.8366667+00:00

I'm looking for the output shown above to be generated for all OU's including all child OU's. However, there has to be a prarameter to accept at runtime, like ouchildlevels. This ouchildlevels should contain any numeric value to denote the child ou depth that the script should process. For example, top ou name is topou, then it might have immediate childou, then another grandchild ou and this can go on for multiple depths. So, parameter ouchildlevels can be set to a numeric value to denote how many child ou depth the script has to process the output shown above.

Thanks you for your attention.

Regards,

BT

1 answer

Your answer

Rich Matheisen 47,901 Reputation points

2024-04-12T15:45:44.04+00:00

The first thing that caught my eye was your regex: "DC=$($domain.Replace('.',',DC='))"

The "." will match any character, but only the first character in the string.

You've already supplied the name of the domain, and it has two parts separated by a ".". This regex should give you the string you seem to want:

$domain= "xxx.corp" $domain -replace "([^.]+?)\.(.+)", 'DC=$1,DC=$2'
Rich Matheisen 47,901 Reputation points

2024-04-12T16:01:42.3+00:00

When you say "top three nested OU's" to you mean the first three OU's below the root domain? Or the OU's that have the most child OU's?

OU = xxx.domain OU = 1.xxx.domain OU = 1.1.xxx.domain OU = 2.1.xxx.domain OU = 3.1.xxx.domain OU = 4.1.xxx.domain OU = 2.xxx.domain OU = 1.2.xxx.domain OU = 2.2.xxx.domain OU = 3.3.xxx.domain OU = 3.xxx.domain OU = 1.3.xxx.domain OU = 2.3.xxx.domain OU = 3.3.xxx.domain OU = 4.3.xxx.domain OU = 5.3.xxx.domain OU = 4.xxx.domain OU = 1.4.xxx.domain OU = 2.4.xxx.domain OU = 3.4.xxx.domain OU = 4.4.xxx.domain OU = 4.4.xxx.domain

If you want the top three domains, they'd be 1, 2, and 3.

If you want the top 3 most nested domains they'd be 1, 3, and 4.

Of do you simply want up to the 1st three child ou's beneath 1, 2, 3, and 4.
Biju Thankappan 0 Reputation points

2024-04-14T13:38:50.8366667+00:00

I'm looking for the output shown above to be generated for all OU's including all child OU's. However, there has to be a prarameter to accept at runtime, like ouchildlevels. This ouchildlevels should contain any numeric value to denote the child ou depth that the script should process. For example, top ou name is topou, then it might have immediate childou, then another grandchild ou and this can go on for multiple depths. So, parameter ouchildlevels can be set to a numeric value to denote how many child ou depth the script has to process the output shown above.

Thanks you for your attention.

Regards,

BT

Answer 1

Anonymous

Hi Biju Thankappan,

Please try this.

$top3LevelOUs = @()
Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel | ForEach-Object {
    $top3LevelOUs += $_
    Get-ADOrganizationalUnit -Filter * -SearchBase $_ -SearchScope OneLevel | ForEach-Object{
        $top3LevelOUs += $_
        $top3LevelOUs += Get-ADOrganizationalUnit -Filter * -SearchBase $_ -SearchScope OneLevel
    }
}
foreach ($ou in $top3LevelOUs) {...}

Best Regards,

Ian Xue

If the Answer is helpful, please click "Accept Answer" and upvote it.

Biju Thankappan 0 Reputation points

2024-04-12T09:55:09.1466667+00:00

Thanks, Ian,,,however will this code spit out all permissions/rights inclusing exended rights for top level ou and immediate 3 child OU's?

Share via

PowerShell script to list top 3 nested OU rights in domain

1 answer

Your answer