The following code gets a list of all users in an OU (specified by the variable $OU) on which the account (specified by $account) does not have any rights, i.e. users whose ACL carries no ACE at all for that account. There are probably better ways to do this (and also to check for specific rights), but I wanted something quick and dirty, and this is what I came up with today:
```powershell
Import-Module ActiveDirectory

$OU      = "CHANGE ME: format is OU=blah,OU=bluh,DC=bleh,DC=blee"
$account = "CHANGE ME: format is DOMAIN\<user|group>"

Get-ADUser -SearchBase $OU -Filter * | ForEach-Object {
    # IdentityReference is an NTAccount object, not a string; take its .Value
    # so the -notcontains check below is a plain string comparison with $account
    $aclList = (Get-Acl "AD:\$($_.DistinguishedName)").Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique
    if ($aclList -notcontains $account) {
        $_.Name
    }
}
```
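The post leaves "check for specific rights" as a to-do. The following is an added example (not the original post's code) that does the inverse audit: for every user in the OU it lists the ACEs that grant $account one of a chosen set of sensitive rights, so an auditor can see which objects a delegated account can actually modify rather than just whether it appears in the ACL at all. It assumes the same $OU and $account placeholders as above; the set of rights in $flaggedRights is an arbitrary choice for illustration.

```powershell
Import-Module ActiveDirectory

# Placeholders in the same format as the original post's variables.
$OU      = "CHANGE ME: format is OU=blah,OU=bluh,DC=bleh,DC=blee"
$account = "CHANGE ME: format is DOMAIN\<user|group>"

# Rights worth flagging when reviewing delegation on user objects.
# This selection is an assumption for the example; adjust it to the policy you audit against.
$flaggedRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

Get-ADUser -SearchBase $OU -Filter * | ForEach-Object {
    $user = $_
    # The AD: drive is provided by the ActiveDirectory module loaded above.
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    $acl.Access |
        Where-Object {
            # Only Allow ACEs for the account we are auditing ...
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $account -and
            # ... that include at least one of the flagged rights.
            (($_.ActiveDirectoryRights -band $flaggedRights) -ne 0)
        } |
        ForEach-Object {
            [PSCustomObject]@{
                User       = $user.SamAccountName
                Rights     = $_.ActiveDirectoryRights
                Inherited  = $_.IsInherited      # inherited from the OU vs. set directly on the user
                ObjectType = $_.ObjectType       # all-zero GUID means the right applies to the whole object
            }
        }
} | Format-Table -AutoSize
```

Run it as a user that can read the ACLs of the objects in the OU. Inherited ACEs are reported separately from explicit ones because an unexpected right on many users usually points at a delegation on the OU itself, while a right on a single user points at a change made directly on that object.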