At work we discovered a few accounts yesterday that didn't have a certain group in their ACL. So I was curious how to use PowerShell to find other accounts that are similarly missing this group.
To get the ACL of an Active Directory object you must import the ActiveDirectory module and then use the Get-ACL cmdlet. Importing the ActiveDirectory module creates the AD: PSDrive, which is what Get-ACL uses to reach AD objects. (If the drive is missing, for instance because the ADPS_LoadDefaultDrive environment variable was set to 0 before the module was imported, create it with New-PSDrive -Name AD -PSProvider ActiveDirectory -Root "".) For example:
Get-ACL -path "AD:CN=User,OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com"
The output of this cmdlet shows the path to the object, the owner of the object, and the access list. To see the individual entries you must expand the Access property:
Get-ACL -path "AD:CN=User,OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com" | select -ExpandProperty Access
This gives the list of access control entries (ACEs). Here you can filter for the entry you are interested in. Sometimes (like in my case) the group name isn't shown but the SID is, so keep that in mind. IdentityReference is displayed as a raw SID whenever the machine running the query cannot resolve it to a name; the SID used in these examples, S-1-5-32-548, is the well-known SID of BUILTIN\Account Operators. Note that comparing IdentityReference against a SID string only matches entries that are displayed as a SID: if the name does resolve you must compare against the resolved name instead, or translate the identity to a SID before comparing.
Get-ACL -path "AD:CN=User,OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com" | select -ExpandProperty Access | ?{ $_.IdentityReference -eq "S-1-5-32-548" }
So the simplest test to check whether the ACE is present or not is to see whether the output of the above is $null. (Putting $null on the left-hand side, as in $null -eq (...), is the safer form: when the filter returns more than one entry, -eq with the array on the left filters the array instead of comparing it, which happens to give the same result in an if but is easy to trip over elsewhere.)
if ( $(Get-ACL -path "AD:CN=User,OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com" | select -ExpandProperty Access | ?{ $_.IdentityReference -eq "S-1-5-32-548" }) -eq $null ) { "Not present" }
Put this together with the Get-ADUser cmdlet and some formatting and one can produce a list of AD users along with whether this group is present in their ACL or not. The path passed to Get-ACL must be built from each user's DistinguishedName, otherwise every row tests the same object:
Get-ADUser -SearchBase "OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com" -Filter * |
    ft UserPrincipalName, @{Name="Present?"; E={ if ( $(Get-ACL -path "AD:$($_.DistinguishedName)" | select -ExpandProperty Access | ?{ $_.IdentityReference -eq "S-1-5-32-548" }) -eq $null ) { "N" } else { "Y" } } }
One can also just produce a list of user objects that don't have this ACE:
Get-ADUser -SearchBase "OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com" -Filter * |
    ?{ $(Get-ACL -Path "AD:$($_.DistinguishedName)" | select -ExpandProperty Access |
        ?{ $_.IdentityReference -eq "S-1-5-32-548" }) -eq $null }
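The following is an added example, not code from the original post. It wraps the same check (does a given principal hold an ACE on each user object under an OU?) in a function that normalises IdentityReference to a SID before comparing, so it works whether PowerShell displays the entry as a name or as a raw SID, only counts entries of the requested type (Allow by default), and emits objects rather than a formatted table so the result can be filtered or exported. The OU, the SID S-1-5-32-548 and the output file name are placeholders; Test-AdObjectAce is a hypothetical helper name.

```powershell
# Added example (not from the original post): report which user objects under an OU
# carry an ACE for a given SID. Requires the ActiveDirectory module and read access
# to the objects' security descriptors.
Import-Module ActiveDirectory

# Importing the module normally creates the AD: drive; recreate it if the default
# drive was suppressed (ADPS_LoadDefaultDrive=0) so Get-Acl has something to use.
if (-not (Get-PSDrive -Name AD -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name AD -PSProvider ActiveDirectory -Root "" | Out-Null
}

function Test-AdObjectAce {
    # Hypothetical helper: $true if $Sid has an ACE of type $AccessType on the object.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Sid,
        [System.Security.AccessControl.AccessControlType]$AccessType = 'Allow'
    )
    $target = [System.Security.Principal.SecurityIdentifier]$Sid
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne $AccessType) { continue }
        # IdentityReference is an NTAccount when the name resolved and a raw
        # SecurityIdentifier when it did not; translate both to a SID so the
        # comparison does not depend on name resolution on this machine.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # identity that cannot be mapped to a SID; skip it
        }
        if ($aceSid.Value -eq $target.Value) { return $true }
    }
    return $false
}

$searchBase = "OU=SubDomainUsers,OU=DomainUsers,DC=MyDomain,DC=com"   # placeholder OU
$sid        = "S-1-5-32-548"                                          # BUILTIN\Account Operators

# One object per user, so the result can be sorted, filtered or exported.
$report = Get-ADUser -SearchBase $searchBase -Filter * | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DistinguishedName = $_.DistinguishedName
        AcePresent        = Test-AdObjectAce -DistinguishedName $_.DistinguishedName -Sid $sid
    }
}

# Users missing the ACE, and a CSV of everything for follow-up.
$report | Where-Object { -not $_.AcePresent } | Format-Table UserPrincipalName, DistinguishedName
$report | Export-Csv -Path .\ace-report.csv -NoTypeInformation   # placeholder output path
```

Get-Acl's Access collection includes inherited entries as well as explicit ones; if the group is expected to arrive through inheritance from the OU, check the IsInherited property of the matching ACE rather than treating any hit as equivalent, since an explicit entry on one object and an inherited one on its neighbours can point to a broken inheritance flag rather than a missing grant.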