So what about Active Directory Permissions on an Object using PowerShell? There are a number of options and methods to manage Active Directory permissions, but here are some common tasks that I might perform using PowerShell.
NOTE: This blog uses PowerShell with the Active Directory Module (Import-Module ActiveDirectory)
To use Get-ACL against directory objects, set the ___location to the Active Directory drive first (Set-Location AD:); otherwise you have to prefix the object's distinguished name with AD: in the path you pass to the command.
FIND IF USER ACCOUNT HAS ANY DENY PERMISSIONS SET
Using DSACLS:
Get-ADUser UserName | ForEach { DSACLS $_.DistinguishedName } | Where {$_.Contains("Deny")}
Using Get-ACL:
Set-Location AD:
(Get-Acl (Get-ADUser UserName)).access | Where {$_.AccessControlType -eq 'Deny'} | FT IdentityReference, AccessControlType, IsInherited -Autosize
FIND ALL USERS WHO HAVE NON-INHERITED DENY RIGHTS ASSIGNED
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE)}| Select {$X}, IdentityReference, AccessControlType, IsInherited}
FIND ALL USERS WHO HAVE NON-INHERITED DENY WRITEPROPERTY SET
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {($_.AccessControlType -eq 'Deny') -AND ($_.IsInherited -eq $FALSE) -AND ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty))}| Select {$X}, IdentityReference, AccessControlType, IsInherited}
FIND ALL USERS WHO HAVE SPECIFIC GROUP/USER LISTED WITH PERMISSIONS
Get-ADUser -Filter * | ForEach {$X = $_.Name ; (Get-ACL $_.DistinguishedName).Access | Where {$_.IdentityReference -like "DOMAIN\USERNAME"}| Select {$X}, IdentityReference, AccessControlType, IsInherited -Unique}
VIEW NON-INHERITED PERMISSIONS ON A SPECIFIC ORGANIZATIONAL UNIT (OU)
(Get-ACL "AD:OU=Users,DC=Contoso,DC=com").Access | Where {$_.IsInherited -eq $FALSE}| Select IdentityReference, AccessControlType, IsInherited
VIEW ACCESS RIGHTS ON GROUP OBJECT
(Get-ACL (Get-ADGroup GroupName)).Access
RESTRICT GROUPX USERS FROM MODIFYING AD ATTRIBUTE ON ALL USERS
Get-ADUser -Filter * | ForEach { DSACLS $_.DistinguishedName /D 'Contoso\GroupX:WP;employeeID'}
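As an added example (not code from the original post), the script below rolls the "find all users" checks above and the employeeID restriction into reusable functions. It assumes the ActiveDirectory module, Windows PowerShell 5.0 or later (for the ::new syntax) and a session on the AD: drive, and it reuses the post's Contoso names (OU=Users,DC=Contoso,DC=com, Contoso\GroupX, employeeID) as placeholders. It goes beyond the post in two ways: it resolves the ObjectType GUID on each property-specific ACE to a schema attribute name, so a deny on employeeID reads as employeeID rather than a GUID, and it applies the deny once as an inheritable ACE on the OU, limited to user objects, instead of stamping every user.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# Windows PowerShell 5.0 or later, and a session positioned on the AD: drive.
Import-Module ActiveDirectory
Set-Location AD:

# Map schemaIDGUID -> lDAPDisplayName for every schema attribute and class, so a
# property-specific ACE's ObjectType GUID can be shown as a name such as employeeID.
function Get-ADSchemaGuidMap {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $map = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

# Audit: list explicit (non-inherited) Deny ACEs on every user below a search base,
# resolving what each ACE applies to and testing WriteProperty as a flag bit.
function Get-ADExplicitDenyAce {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [hashtable] $SchemaMap = (Get-ADSchemaGuidMap)
    )
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $user = $_
        (Get-Acl $user.DistinguishedName).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object {
                # An empty ObjectType means the right applies to all properties.
                $appliesTo = if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                             elseif ($SchemaMap.ContainsKey($_.ObjectType)) { $SchemaMap[$_.ObjectType] }
                             else { $_.ObjectType.ToString() }
                [pscustomobject]@{
                    User             = $user.Name
                    Trustee          = $_.IdentityReference.Value
                    Rights           = $_.ActiveDirectoryRights
                    AppliesTo        = $appliesTo
                    # HasFlag catches WriteProperty combined with other rights (or
                    # GenericWrite, which contains it); '-eq "WriteProperty"' misses both.
                    HasWriteProperty = $_.ActiveDirectoryRights.HasFlag($wp)
                }
            }
    }
}

# Mitigation: deny a group WriteProperty on one attribute for every user below an
# OU with a single inheritable ACE on the OU, instead of stamping an explicit ACE
# on each user object as the DSACLS loop in the post does.
function Add-ADAttributeWriteDeny {
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName,      # placeholder: 'Contoso\GroupX'
        [Parameter(Mandatory)] [string] $AttributeName,  # placeholder: 'employeeID'
        [hashtable] $SchemaMap = (Get-ADSchemaGuidMap)
    )
    # Look up the two GUIDs the ACE needs: the attribute, and the 'user' class that
    # inherits the ACE (so it does not land on groups or computers in the OU).
    $attrGuid  = ($SchemaMap.GetEnumerator() | Where-Object { $_.Value -eq $AttributeName }).Key
    $classGuid = ($SchemaMap.GetEnumerator() | Where-Object { $_.Value -eq 'user' }).Key
    if (-not $attrGuid) { throw "Attribute '$AttributeName' not found in the schema" }

    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]::new($GroupName),
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [guid]$attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        [guid]$classGuid)

    $acl = Get-Acl $OUDistinguishedName
    $acl.AddAccessRule($rule)
    Set-Acl -Path $OUDistinguishedName -AclObject $acl

    # Read back the explicit Deny ACEs on the OU so the change can be verified.
    (Get-Acl $OUDistinguishedName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }
}

# Usage with the post's placeholder names:
# Get-ADExplicitDenyAce -SearchBase 'OU=Users,DC=Contoso,DC=com' | Format-Table -AutoSize
# Add-ADAttributeWriteDeny -OUDistinguishedName 'OU=Users,DC=Contoso,DC=com' -GroupName 'Contoso\GroupX' -AttributeName 'employeeID'
```

One caveat on the OU-level approach: Active Directory evaluates explicit ACEs before inherited ones, so an explicit Allow for GroupX stamped directly on an individual user object still wins over the inherited Deny from the OU. That is why the audit function reports the explicit ACEs on each user rather than the inherited ones; run it after applying the deny to catch objects that carry their own overriding entries.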
There are many other things you can do with Active Directory permissions, but I thought I would start with the items above. If you want something more, try another blog.
Thanks!
Da