Try the following
```powershell
Import-Module ActiveDirectory

# Return the access control entries (ACEs) set on the AD object with the given DN
function Get-ADPermissions {
    param (
        [string]$TargetDN
    )
    # The AD: drive is provided by the ActiveDirectory module
    $acl = Get-ACL -Path "AD:$TargetDN"
    $permissions = $acl.Access | ForEach-Object {
        [PSCustomObject]@{
            IdentityReference     = $_.IdentityReference
            ActiveDirectoryRights = $_.ActiveDirectoryRights
            AccessControlType     = $_.AccessControlType
            ObjectType            = $_.ObjectType
            InheritanceType       = $_.InheritanceType
            InheritedObjectType   = $_.InheritedObjectType
        }
    }
    return $permissions
}

$targetDN = "DC=yourdomain,DC=com" # For the entire domain
# $targetDN = "OU=YourOU,DC=yourdomain,DC=com" # For a specific OU

# A domain DN means "every OU in the domain"; otherwise process only the given OU
if ($targetDN -match "^DC=") {
    $ouList = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
} else {
    $ouList = @($targetDN)
}

# Initialise the result array so that += appends rows instead of failing on the second object
$result = @()
foreach ($ou in $ouList) {
    $permissions = Get-ADPermissions -TargetDN $ou
    foreach ($perm in $permissions) {
        $result += [PSCustomObject]@{
            OU                    = $ou
            IdentityReference     = $perm.IdentityReference
            ActiveDirectoryRights = $perm.ActiveDirectoryRights
            AccessControlType     = $perm.AccessControlType
            ObjectType            = $perm.ObjectType
            InheritanceType       = $perm.InheritanceType
            InheritedObjectType   = $perm.InheritedObjectType
        }
    }
}

# One CSV row per ACE, with the OU it was read from
$result | Export-Csv -Path "C:\ADPermissions.csv" -NoTypeInformation
```
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin