MW-2365 asked:

Automated Powershell check Active Directory ACL

I've got 48 System Accounts, 48 Domain Local groups and 48 Global groups.
Every Domain Local group has Full Access rights on only one specific OU to create, modify and delete Users in that OU.

I want to create a PowerShell script that checks if all groups still exist, that they still have the right permissions on the right OU, and that the right users are still members of the right group. Every time I run this script I want to have a response (in a file or mail) with the results, whether anything has changed in the ACL or not.

How can I best do this?

Tags: windows-server-powershell, windows-active-directory

1 Answer

AndreasBaumgarten answered:

Hi @MW-2365 ,

Maybe this helps to start with:
https://www.reddit.com/r/PowerShell/comments/9h8ib6/report_of_permissions_for_ad_organizational_units/

One approach could be to query the OUs and OU ACLs and then work through the nested groups. Finally, determine the group membership of the users.

If you post your script here it is easier to help.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
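One way to turn the approach in the answer (read the OU ACLs, then walk the groups and their members, then report drift) into a scheduled check. This is an added example, not code from the original question or answer. It assumes a hypothetical layout: a CSV you maintain with one row per OU and the columns OU, DomainLocalGroup, GlobalGroup, SystemAccount, describing the intended chain system account -> global group -> domain local group -> ACE on the OU; the ActiveDirectory RSAT module installed; and a run-as account that can read the OU ACLs. The paths in the param block are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Expected layout comes from a CSV with columns
# OU, DomainLocalGroup, GlobalGroup, SystemAccount (hypothetical; adjust to your environment).
param(
    [string]$MappingCsv   = 'C:\adcheck\mapping.csv',
    [string]$SnapshotPath = 'C:\adcheck\last-snapshot.json',
    [string]$ReportPath   = 'C:\adcheck\report.txt'
)
Import-Module ActiveDirectory
$Domain        = (Get-ADDomain).NetBIOSName
$UserClassGuid = 'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the 'user' object class
$NullGuid      = '00000000-0000-0000-0000-000000000000'

# Read every OU's ACL once: used to verify the expected OU and to spot rights granted on other OUs.
$AclIndex = @{}
foreach ($ou in (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)) {
    $AclIndex[$ou] = (Get-Acl -Path "AD:\$ou").Access
}

function Get-AcesFor([string]$OuDn, [string]$GroupSam) {
    # Normalise each ACE the group holds on this OU to a stable string so snapshots compare cleanly.
    # IdentityReference is DOMAIN\name for resolvable SIDs; an orphaned SID will not match here.
    @($AclIndex[$OuDn] | Where-Object { $_.IdentityReference.Value -eq "$Domain\$GroupSam" } |
        ForEach-Object { '{0};{1};{2};{3};{4}' -f $_.AccessControlType, $_.ActiveDirectoryRights,
                          $_.InheritanceType, $_.ObjectType, $_.InheritedObjectType } | Sort-Object)
}

function Get-MembersOf([string]$GroupSam) {
    # Direct members only (no -Recursive): the AGDLP chain is checked one hop at a time.
    try { @(Get-ADGroupMember -Identity $GroupSam | Select-Object -ExpandProperty SamAccountName | Sort-Object) }
    catch { @() }   # missing group is reported separately by the exists check
}

function Get-Snapshot([object[]]$Rows) {
    $state = [ordered]@{}
    foreach ($r in $Rows) {
        $aces = @(Get-AcesFor -OuDn $r.OU -GroupSam $r.DomainLocalGroup)
        $state[$r.OU] = [ordered]@{
            dlExists   = [bool](Get-ADGroup -Filter "SamAccountName -eq '$($r.DomainLocalGroup)'")
            glExists   = [bool](Get-ADGroup -Filter "SamAccountName -eq '$($r.GlobalGroup)'")
            aces       = $aces
            # at least one ACE should be scoped to user objects (ObjectType or InheritedObjectType = user class)
            userScoped = [bool]($aces | Where-Object { $_ -match $UserClassGuid })
            # GenericAll with no object type is full control over the OU, broader than 'users in this OU'
            overbroad  = [bool]($aces | Where-Object { $_ -match 'GenericAll' -and $_ -match ";$NullGuid;" })
            # the same group must not hold rights on any other OU
            extraOus   = @($AclIndex.Keys | Where-Object { $_ -ne $r.OU -and
                             (Get-AcesFor -OuDn $_ -GroupSam $r.DomainLocalGroup).Count -gt 0 } | Sort-Object)
            dlMembers  = @(Get-MembersOf $r.DomainLocalGroup)
            glMembers  = @(Get-MembersOf $r.GlobalGroup)
        }
    }
    $state
}

$rows     = Import-Csv -Path $MappingCsv
$snapshot = Get-Snapshot -Rows $rows

# Findings: what is wrong right now, independent of the previous run.
$findings = foreach ($r in $rows) {
    $s = $snapshot[$r.OU]
    if (-not $s.dlExists)                           { "$($r.OU): domain local group $($r.DomainLocalGroup) missing" }
    if (-not $s.glExists)                           { "$($r.OU): global group $($r.GlobalGroup) missing" }
    if ($s.aces.Count -eq 0)                        { "$($r.OU): $($r.DomainLocalGroup) holds no ACE on this OU" }
    elseif (-not $s.userScoped -and -not $s.overbroad) { "$($r.OU): no ACE of $($r.DomainLocalGroup) is scoped to user objects" }
    if ($s.overbroad)                               { "$($r.OU): $($r.DomainLocalGroup) has unscoped GenericAll on the OU" }
    if ($s.extraOus.Count -gt 0)                    { "$($r.OU): $($r.DomainLocalGroup) also has rights on: $($s.extraOus -join ', ')" }
    if ($s.dlMembers -notcontains $r.GlobalGroup)   { "$($r.OU): $($r.GlobalGroup) is not a member of $($r.DomainLocalGroup)" }
    if ($s.glMembers -notcontains $r.SystemAccount) { "$($r.OU): $($r.SystemAccount) is not a member of $($r.GlobalGroup)" }
    foreach ($m in ($s.glMembers | Where-Object { $_ -ne $r.SystemAccount })) { "$($r.OU): unexpected member $m in $($r.GlobalGroup)" }
}

# Changes: diff the JSON snapshot against the previous run so the report also shows what moved.
$current = $snapshot | ConvertTo-Json -Depth 5
$changes = @()
if (Test-Path $SnapshotPath) {
    $changes = Compare-Object -ReferenceObject (Get-Content $SnapshotPath) -DifferenceObject ($current -split "`r?`n") |
        ForEach-Object { $sign = if ($_.SideIndicator -eq '=>') { '+' } else { '-' }; "$sign $($_.InputObject.Trim())" }
}
Set-Content -Path $SnapshotPath -Value $current

$report = @("AD ACL check $(Get-Date -Format s)", "Findings: $(@($findings).Count)") + @($findings) +
          @("Changes since last run: $(@($changes).Count)") + @($changes)
$report | Set-Content -Path $ReportPath
# To mail it instead of (or as well as) writing the file:
# Send-MailMessage -To 'ops@example.invalid' -From 'adcheck@example.invalid' -SmtpServer 'smtp.example.invalid' `
#     -Subject "AD ACL check: $(@($findings).Count) findings" -Body ($report -join "`n")
```

Run it from a scheduled task under a read-only account; the first run only writes the baseline snapshot, every later run reports both current findings (missing group, wrong or missing ACE, rights on an unexpected OU, wrong members) and the line-level diff since the previous run. Treat the first baseline as something to review by hand, because a diff-only check will happily accept a wrong state as "normal" if that is what it saw first.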
