Share via

PowerShell script to list top 3 nested OU rights in domain

Anonymous
2024-04-11T07:35:50+00:00

Hi,

I'm very new to scripting and been tasked with this task: A powershell script that can list top 3 nested OU's rights(acl) in domain and save it in a csv file with the below format:

Object ObjectClass IdentityReference Trustee Access Inherited Apply To Permission
DC=xxx,DC=corp domainDNS S-1-1-0 Everyone Deny FALSE This Object Only Delete Child
DC=xxx,DC=corp domainDNS S-1-5-9 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow FALSE This Object Only Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp domainDNS S-1-5-11 NT AUTHORITY\Authenticated Users Allow FALSE This Object Only Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp domainDNS S-1-5-18 NT AUTHORITY\SYSTEM Allow FALSE This Object Only Full Control
DC=xxx,DC=corp domainDNS S-1-5-32-544 BUILTIN\Administrators Allow FALSE This object and all child objects CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
DC=xxx,DC=corp domainDNS S-1-5-32-554 BUILTIN\Pre-Windows 2000 Compatible Access Allow FALSE This Object Only ReadProperty, ReadControl

I have this script, however, it doesn't show the correct permissions/rights

# Import the Active Directory module

Import-Module ActiveDirectory

# Specify the domain name

$domain = "xxx.corp"

# Create an array to store OU ACL data

$ouAcls = @()

# Get the top-level OUs in the domain

$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel

# Loop through the top-level OUs

foreach ($ou in $topLevelOUs) {

    $ouDistinguishedName = $ou.DistinguishedName

    # Get the ACLs (Access Control Lists) for the OU

    $acl = Get-Acl -Path "AD:$ouDistinguishedName"

    # Process ACLs for the OU

    foreach ($ace in $acl.Access) {

        $ouAcls += [PSCustomObject]@{

            "Object" = $ouDistinguishedName

            "ObjectClass" = "organizationalUnit"

            "IdentityReference" = $ace.IdentityReference

            "Trustee" = $ace.IdentityReference

            "Access" = $ace.FileSystemRights

            "Inherited" = $ace.IsInherited

            "Apply To" = "This Object Only"  # For OU ACLs, apply to is always "This Object Only"

            "Permission" = $ace.AccessControlType

        }

    }

}

# Export OU ACLs to CSV file

$ouAcls | Export-Csv -Path "OU_ACLs.csv" -NoTypeInformation

Please see what I'm missing to achieve the above output format?

Thank you and Best of luck!

BT

Windows for business Windows Server Directory services Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-04-12T06:02:47+00:00

    Hi Ali.Bi,

    Thank you for posting on the Microsoft Community Forum.

    From the description above, I understand that your question is about PowerShell.

    Since there are no developers working with PowerShell on this forum. For quick and efficient handling of your problem, I recommend asking your question again in the Q&A forum, where a dedicated technician will give you a professional and efficient answer.

    Here is the link to the Q&A forum.
    Q&A - Microsoft Q&A

    Click the "Ask a question" button at upper right corner to ask your question, and select "PowerShell" tag and other tags related to your productions.

    I hope the above information is helpful.

    If you have any questions or concerns, please feel free to let us know.

    All the best
    Neuvi Jiang

    0 comments