Automated Powershell check Active Directory ACL

MW 1 Reputation point
2021-04-20T19:51:38.403+00:00

I've got 48 System Accounts, 48 Domain Local groups and 48 Global groups.
Every Domain Local group has Full Access rights on only one specific OU to create, modify and delete Users in that OU.

I want to create a PowerShell script that checks if all groups still exist, that they still have the right permissions on the right OU, and if the right users are still members of the right group. Every time I run this script I want to have a response (in a file or mail) with the results, whether anything has changed in the ACL or not.

How can I best do this?


1 answer

  1. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-04-20T20:10:54.407+00:00

    Hi @MW ,

    maybe this helps to start with:
    https://www.reddit.com/r/PowerShell/comments/9h8ib6/report_of_permissions_for_ad_organizational_units/

    One approach could be to query the OUs and OU ACLs and then work through the nested groups. Finally, determine the group membership of the users.

    If you post your script here it is easier to help.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

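The approach sketched in the answer (snapshot the OU ACLs and the group memberships, then report what changed on each run) as an added example; this is not the poster's or the answer author's code. It assumes the RSAT ActiveDirectory module is installed, and the group name pattern, baseline path and report path are placeholders to adjust.

```powershell
# Added example (not from the question or answer); assumes the RSAT ActiveDirectory module
Import-Module ActiveDirectory

$GroupFilter  = 'Name -like "OU-Admins-*"'   # placeholder: match your 48 Domain Local groups
$BaselinePath = 'C:\ADAudit\baseline.xml'    # placeholder: known-good snapshot
$ReportPath   = 'C:\ADAudit\acl-report.txt'  # placeholder: result of this run

function Get-AdState {
    # Snapshot: explicit ACEs per OU, and recursive membership per group
    $state = @{ Acl = @{}; Members = @{} }
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $dn   = $ou.DistinguishedName
        # Inherited ACEs are skipped; they are checked on the OU where they are defined
        $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object { '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.AccessControlType, $_.ObjectType }
        $state.Acl[$dn] = @($aces | Sort-Object)
    }
    foreach ($g in Get-ADGroup -Filter $GroupFilter) {
        # A deleted group simply has no key here and shows up as MISSING in the diff
        $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
        $state.Members[$g.SamAccountName] = @($members | Sort-Object)
    }
    return $state
}

function Compare-AdState($Baseline, $Current) {
    # Returns one line per difference; an empty result means nothing changed
    $lines = @()
    foreach ($kind in 'Acl', 'Members') {
        $keys = @($Baseline[$kind].Keys) + @($Current[$kind].Keys) | Sort-Object -Unique
        foreach ($k in $keys) {
            if (-not $Current[$kind].ContainsKey($k))  { $lines += "MISSING $kind $k"; continue }
            if (-not $Baseline[$kind].ContainsKey($k)) { $lines += "NEW $kind $k"; continue }
            $old = @($Baseline[$kind][$k]); $new = @($Current[$kind][$k])
            foreach ($e in $old) { if ($e -notin $new) { $lines += "REMOVED $kind $k : $e" } }
            foreach ($e in $new) { if ($e -notin $old) { $lines += "ADDED   $kind $k : $e" } }
        }
    }
    return $lines
}

$current = Get-AdState
if (-not (Test-Path $BaselinePath)) {
    # First run: record the current state as the reference (Clixml keeps the hashtables intact)
    $current | Export-Clixml -Path $BaselinePath
    "Baseline written to $BaselinePath" | Set-Content -Path $ReportPath
} else {
    $changes = Compare-AdState -Baseline (Import-Clixml -Path $BaselinePath) -Current $current
    $report  = if ($changes) { $changes } else { 'No ACL or membership changes since baseline' }
    $report | Set-Content -Path $ReportPath
}
```

Run it once to create the baseline after you have verified the permissions by hand, then schedule it; the report file can be attached to a mail (for example with Send-MailMessage) or fed to a monitoring system. Only a reviewed, intended change should be followed by deleting the baseline so the next run records the new known-good state.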
