Delegating administrative tasks to standard users or inconsistently assigning user rights can result in users or groups having an unnecessarily powerful rights set. This enables them to damage the directory with improper or malicious activities and might give them unauthorized access to sensitive corporate data.
For this reason, it is recommended to regularly examine the AD rights structure. Various third-party tools exist for this purpose, and many allow you to monitor the directory in real time.
If you have fewer demands, you can use the free AD ACL Scanner, which uses the built-in PowerShell cmdlets. Of course, you can also directly work with PowerShell to query rights on AD objects.
Accessing AD as a drive
In many cases, you won’t need a script, and a few commands are sufficient to give you the desired results. It’s helpful that you can mount the Active Directory as a drive and simply navigate through its structure. Several AD cmdlets exist that allow you to reveal detailed information by accessing the AD drive.
The following examples demonstrate how you can display who has specific rights on an OU. First, you have to load the ActiveDirectory module. You can then navigate to the desired domain in the PowerShell AD drive:
Import-Module ActiveDirectory
cd 'AD:\DC=contoso,DC=com'
For instance, if you want to find the users who have write access on the domain controllers OU, you can use the next command:
(Get-Acl -Path "OU=Domain Controllers").Access | ? ActiveDirectoryRights -like *Write*
Displaying write access rights on the domain controllers OU
In this case, you can omit the domain for the -Path parameter because the domain controllers OU is located directly below the current directory, and it is therefore sufficient to use a relative path. Otherwise, you would have to specify the complete distinguished name in the format "OU=Domain Controllers,DC=contoso,DC=com".
The question mark is the alias for Where-Object and ensures in the above example that only entries with rights containing the string “write” are displayed.
If the output is complex, you can pipe it to the Out-GridView cmdlet to display a table of AD attributes for better readability.
(Get-Acl -Path "OU=Domain Controllers").Access | ? ActiveDirectoryRights -like *Write* | Out-GridView
Displaying a table of AD attributes with Out-GridView
Recursive analysis of OUs
If you don’t just want to analyze a single OU, you can work with Get-ChildItem to recursively read the OUs of an entire domain. A filter allows you to restrict the output to objects of a certain type.
With the help of the function Get-OURights (see below), you can then read the access rights in a similar way as with the above command. The nested foreach loops iterate through the OUs and their ACLs.
function Get-OURights {
    Param(
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        $Right
    )
    # Collect all OUs below the current location of the AD: drive
    $OUs = Get-ChildItem -Recurse | where ObjectClass -eq organizationalUnit
    foreach ($OU in $OUs) {
        # Access control entries of the OU's security descriptor
        $ARs = (Get-ACL -Path $OU.PSpath).Access
        foreach ($AR in $ARs) {
            if ($AR.ActiveDirectoryRights -like "$Right") {
                # One semicolon-separated line per matching entry
                $OU.name + ";" + $AR.IdentityReference + ";" + `
                $AR.ActiveDirectoryRights + ";" + $AR.IsInherited
            }
        }
    }
}
When you call the function, you have to pass the name of the privilege that you want to retrieve to the parameter $Right. You can also work with the wildcard “*” here. The output is semicolon-separated (CSV), which allows you to import the data into Excel.
For instance, the following command finds the users who have one of the write access rights in the domain.
Get-OURights("*Write*")
Finding the users who have write access rights in the domain
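Building on the recursive approach above, the following function is an added example (not code from the original article) that narrows the review to rights an attacker could abuse to take over an OU (GenericAll, WriteDacl, WriteOwner, WriteProperty) and hides the principals expected to hold them by default. It assumes the ActiveDirectory module is loaded, the current location is the domain root of the AD: drive, and that the default principal list is adjusted to your environment; the function name and the CSV path are assumptions.

```powershell
# Added example: report high-impact OU rights held by unexpected principals.
# Assumes the current location is e.g. 'AD:\DC=contoso,DC=com'.
function Get-RiskyOURights {
    [CmdletBinding()]
    Param(
        # Rights that allow a principal to reconfigure or take over an object
        [string[]]$RiskyRights = @('GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'),
        # Principals that hold such rights by design; adjust to your domain
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            '*\Domain Admins', '*\Enterprise Admins'
        )
    )
    $OUs = Get-ChildItem -Recurse | Where-Object ObjectClass -eq 'organizationalUnit'
    foreach ($OU in $OUs) {
        $ACEs = (Get-Acl -Path $OU.PSPath).Access
        foreach ($ACE in $ACEs) {
            # Only Allow entries grant something; Deny entries are skipped
            if ($ACE.AccessControlType -ne 'Allow') { continue }
            $id = $ACE.IdentityReference.Value
            $expected = $false
            foreach ($p in $ExpectedPrincipals) {
                if ($id -like $p) { $expected = $true; break }
            }
            if ($expected) { continue }
            # ActiveDirectoryRights is a flags enum; split it into single rights
            $granted = $ACE.ActiveDirectoryRights.ToString() -split ',\s*'
            $hit = $granted | Where-Object { $RiskyRights -contains $_ }
            if (-not $hit) { continue }
            # Emit an object so the result can be sorted, filtered, or exported
            [PSCustomObject]@{
                OU              = $OU.DistinguishedName
                Identity        = $id
                RiskyRights     = ($hit -join ',')
                AllRights       = $ACE.ActiveDirectoryRights
                ObjectType      = $ACE.ObjectType    # all-zero GUID = whole object
                IsInherited     = $ACE.IsInherited
                InheritanceType = $ACE.InheritanceType
            }
        }
    }
}

# Review interactively, then keep a copy for follow-up (assumed file name)
Get-RiskyOURights | Out-GridView
Get-RiskyOURights | Export-Csv -Path .\ou-risky-rights.csv -NoTypeInformation
```

A WriteProperty entry with a non-zero ObjectType applies only to one attribute or property set, so check that GUID before treating the entry as a full write grant.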
Before you execute the command, you have to navigate to the domain’s AD drive. This MSDN page
How do I get the security on the root of the domain instead of an OU inside the domain?
Set-Location AD:
I should imagine this will give you a domain ACL
DC=contoso,DC=com