The importance of managing Active Directory access rights with great care is undisputed. Whereas the built-in GUI tools are particularly suitable for granting and revoking rights, PowerShell is more flexible when it comes to analyzing Access Control Lists (ACLs).

Delegating administrative tasks to standard users or inconsistently assigning user rights can result in users or groups having an unnecessarily powerful rights set. This enables them to damage the directory with improper or malicious activities and might give them unauthorized access to sensitive corporate data.

For this reason, it is recommended to regularly examine the AD rights structure. Various third-party tools exist for this purpose, and many allow you to monitor the directory in real time.

If you have fewer demands, you can use the free AD ACL Scanner, which uses the built-in PowerShell cmdlets. Of course, you can also directly work with PowerShell to query rights on AD objects.

Accessing AD as a drive

In many cases, you won’t need a script, and a few commands are sufficient to give you the desired results. It’s helpful that you can mount the Active Directory as a drive and simply navigate through its structure. Several AD cmdlets exist that allow you to reveal detailed information by accessing the AD drive.

The following examples demonstrate how you can display who has specific rights on an OU. First, you have to load the ActiveDirectory module. You can then navigate to the desired domain in the PowerShell AD drive:

Import-Module ActiveDirectorycd 'AD:\DC=contoso,DC=com'

For instance, if you want to find the users who have write access on the domain controllers OU, you can use the next command:

(Get-Acl -Path "OU=Domain Controllers").Access | ? ActiveDirectoryRights -like *Write*

Displaying write access rights on the domain controllers OU

Displaying write access rights on the domain controllers OU

In this case, you can omit the domain for the -Path parameter because the domain controllers OU is located directly below the current directory and it is therefore sufficient to use a relative path. Otherwise, you would have to specify the complete distinguished name in the format "OU=Domain Controllers,DC=contoso,DC=com."

The question mark is the alias for Where-Object and ensures in the above example that only entries with rights containing the string “write” are displayed.

If the output is complex, you can pipe it to the Out-GridView cmdlet to display a table of AD attributes for better readability.

(Get-Acl -Path "OU=Domain Controllers").Access | ? ActiveDirectoryRights -like *Write* | Out-GridView

Displaying a table of AD attributes with Out-GridView

Displaying a table of AD attributes with Out-GridView

Recursive analysis of OUs

If you don’t just want to analyze a single OU, you can work with Get-ChildItem to recursively read the OUs of an entire domain. A filter allows you to restrict the output to objects of a certain type.

With the help of the function Get-OURights (see below), you can then read the access rights in a similar way as with the above command. The nested foreach loops iterate through the OUs and their ACLs.

function Get-OURights{

    $OUs = Get-ChildItem -Recurse | where ObjectClass -eq organizationalUnit
    foreach($OU in $OUs){
        $ARs = (Get-ACL -Path $OU.PSpath).Access
        foreach($AR in $ARs){
            if($AR.ActiveDirectoryRights -like "$Right"){
                $ + ";" + $AR.IdentityReference  + ";" + `
                $AR.ActiveDirectoryRights + ";" + $AR.IsInherited

When you call the function, you have to pass the name of the privilege that you want to retrieve to the parameter $Right. You can also work with the wildcard “*” here. The output uses the CSV format, which allows you to import the data to Excel.

For instance, the following command finds the users who have one of the write access rights in the domain.


Finding the users who have write access rights in the domain

Finding the users who have write access rights in the domain

Before you execute the command, you have to navigate to the domain’s AD drive. This MSDN page

  1. Curtiss 3 years ago

    how do i get the security on the root of the domain instead of an OU inside the domain. 

    • Carsten Ringgaard 2 weeks ago

      Set-Location AD:

  2. Khush 3 years ago

    I should imagine this will give you a domain ACL



Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account