PowerShell script to list top 3 nested OU rights in domain

Biju Thankappan 0 Reputation points
2024-04-12T06:19:28.4433333+00:00

Hi,

I'm very new to scripting and have been tasked with this: a PowerShell script that can list the rights (ACLs) of the top 3 nested OU levels in the domain and save them in a CSV file with the format below:

Object ObjectClass IdentityReference Trustee Access Inherited Apply To Permission
DC=xxx,DC=corp domainDNS S-1-1-0 Everyone Deny FALSE This Object Only Delete Child
DC=xxx,DC=corp domainDNS S-1-5-9 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow FALSE This Object Only Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp domainDNS S-1-5-11 NT AUTHORITY\Authenticated Users Allow FALSE This Object Only Read Permissions,List Contents,Read All Properties,List
DC=xxx,DC=corp domainDNS S-1-5-18 NT AUTHORITY\SYSTEM Allow FALSE This Object Only Full Control
DC=xxx,DC=corp domainDNS S-1-5-32-544 BUILTIN\Administrators Allow FALSE This object and all child objects CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
DC=xxx,DC=corp domainDNS S-1-5-32-554 BUILTIN\Pre-Windows 2000 Compatible Access Allow FALSE This Object Only ReadProperty, ReadControl

I have this script; however, it doesn't show the correct permissions/rights:

# Import the Active Directory module
Import-Module ActiveDirectory

# Specify the domain name
$domain = "xxx.corp"

# Create an array to store OU ACL data
$ouAcls = @()

# Get the top-level OUs in the domain
$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel

# Loop through the top-level OUs
foreach ($ou in $topLevelOUs) {
    $ouDistinguishedName = $ou.DistinguishedName

    # Get the ACLs (Access Control Lists) for the OU
    $acl = Get-Acl -Path "AD:$ouDistinguishedName"

    # Process ACLs for the OU
    foreach ($ace in $acl.Access) {
        $ouAcls += [PSCustomObject]@{
            "Object" = $ouDistinguishedName
            "ObjectClass" = "organizationalUnit"
            "IdentityReference" = $ace.IdentityReference
            "Trustee" = $ace.IdentityReference
            "Access" = $ace.FileSystemRights
            "Inherited" = $ace.IsInherited
            "Apply To" = "This Object Only"  # For OU ACLs, apply to is always "This Object Only"
            "Permission" = $ace.AccessControlType
        }
    }
}

# Export OU ACLs to CSV file
$ouAcls | Export-Csv -Path "OU_ACLs.csv" -NoTypeInformation

Could you please see what I'm missing to achieve the above output format?

Thank you and Best of luck!

BT

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 29,891 Reputation points Microsoft Vendor
    2024-04-12T07:39:49.6833333+00:00

    Hi Biju Thankappan,

    Please try this.

    $top3LevelOUs = @()
    Get-ADOrganizationalUnit -Filter * -SearchBase "DC=$($domain.Replace('.',',DC='))" -SearchScope OneLevel | ForEach-Object {
        $top3LevelOUs += $_
        Get-ADOrganizationalUnit -Filter * -SearchBase $_ -SearchScope OneLevel | ForEach-Object{
            $top3LevelOUs += $_
            $top3LevelOUs += Get-ADOrganizationalUnit -Filter * -SearchBase $_ -SearchScope OneLevel
        }
    }
    foreach ($ou in $top3LevelOUs) {...}
    

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
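An added, complete version of the script described in the question and the answer above (example code, not Ian Xue's or the original poster's): it walks the domain root and the OUs up to three levels below it, reads each object's ACL from the AD: drive, and maps every ACE onto the requested CSV columns. AD ACEs expose ActiveDirectoryRights rather than FileSystemRights, which is why the original script showed the wrong rights. It assumes the RSAT ActiveDirectory module is installed; the domain name and output path are placeholders.

```powershell
Import-Module ActiveDirectory
$domain  = 'xxx.corp'          # placeholder domain from the question
$outFile = 'OU_ACLs.csv'
$rootDn  = 'DC=' + $domain.Replace('.', ',DC=')

# Map the ACE inheritance flags to the "Apply To" wording the sample CSV uses
function Get-ApplyTo {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    switch ($Ace.InheritanceType) {
        'None'        { 'This Object Only' }
        'All'         { 'This object and all child objects' }
        'Descendents' { 'All child objects' }
        default       { [string]$Ace.InheritanceType }
    }
}

# SID for the IdentityReference column; the Trustee column keeps the resolved name
function Get-TrusteeSid {
    param([System.Security.Principal.IdentityReference]$Id)
    try   { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Id.Value }   # unresolvable (e.g. orphaned SID) stays as given
}

# Domain root plus every OU one, two and three levels below it (breadth first)
$targets = @(Get-ADObject -Identity $rootDn)
$level   = $targets
for ($depth = 1; $depth -le 3; $depth++) {
    $level = @($level | ForEach-Object {
        Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel
    })
    $targets += $level
}

# One row per ACE; AD ACEs expose ActiveDirectoryRights, not FileSystemRights
$targets | ForEach-Object {
    $obj = $_
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        [PSCustomObject]@{
            Object            = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            IdentityReference = Get-TrusteeSid $ace.IdentityReference
            Trustee           = $ace.IdentityReference.Value
            Access            = $ace.AccessControlType   # Allow / Deny
            Inherited         = $ace.IsInherited
            'Apply To'        = Get-ApplyTo $ace
            Permission        = $ace.ActiveDirectoryRights
        }
    }
} | Export-Csv -Path $outFile -NoTypeInformation
```

Reviewing the resulting CSV for non-inherited Allow entries with WriteDacl, WriteOwner or GenericAll granted to groups other than the built-in administrative ones is a quick way to spot delegations that should not be there.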