Quick one-liner to find all AD user objects with ACL inheritance disabled:
Get-ADUser -SearchBase "DC=myDomain,DC=com" -Filter * | ?{ (Get-Acl "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } | ft SamAccountName,Name -AutoSize
Another one, reading the flag from the nTSecurityDescriptor property instead of calling Get-Acl for each user:
Get-ADUser -SearchBase "DC=myDomain,DC=com" -Filter * -Properties nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected }
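
A pipeline version of the second one-liner, added here as an example (not code from the original post). It goes beyond the one-liners by also reading adminCount, so accounts whose inheritance was disabled by AdminSDHolder/SDProp can be separated from ones that need review. The function names, sample accounts and SDDL strings are constructed for illustration.

```powershell
# Added example, not from the original post. Names and sample data are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

function Get-AclInheritanceReport {
    [CmdletBinding()]
    param(
        # User objects carrying nTSecurityDescriptor and, optionally, adminCount
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $sd = $User.nTSecurityDescriptor
        if ($null -eq $sd) {
            # Descriptor not requested or not readable: say so instead of skipping silently
            Write-Warning "No nTSecurityDescriptor for $($User.SamAccountName)"
            return
        }
        if (-not $sd.AreAccessRulesProtected) { return }   # inheritance still enabled
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            AdminCount     = $User.adminCount
            # adminCount = 1: SDProp has stamped this account at some point,
            # which disables inheritance by design
            LikelyCause    = if ($User.adminCount -eq 1) { 'AdminSDHolder (current or past)' }
                             else { 'Unknown, review' }
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
# "P" in the SDDL DACL flags is the protected (inheritance disabled) bit.
function New-SampleUser($Name, $Sddl, $AdminCount) {
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    [pscustomobject]@{ SamAccountName = $Name; adminCount = $AdminCount; nTSecurityDescriptor = $sd }
}
$sample = @(
    New-SampleUser 'alice'  'D:AI(A;ID;GA;;;SY)' $null   # inheriting, not reported
    New-SampleUser 'svc-bk' 'D:PAI(A;;GA;;;SY)'  $null   # protected, no adminCount
    New-SampleUser 'adm-jo' 'D:PAI(A;;GA;;;SY)'  1       # protected, adminCount set
)
$sample | Get-AclInheritanceReport | Format-Table -AutoSize

# Against a live domain (search base as in the post):
# Get-ADUser -SearchBase "DC=myDomain,DC=com" -Filter * -Properties nTSecurityDescriptor,adminCount |
#     Get-AclInheritanceReport
```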